Solved

How to use Outlook Email Encryption

Posted on 2013-01-08
6
1,179 Views
Last Modified: 2013-01-31
I'm trying to see what's required to get email encryption set up in Outlook.  We have a client who is a home health agency and needs to encrypt all emails coming from their Exchange 2003 server containing confidential information in order to meet HIPAA compliance and send emails to companies.  We actually did get some pretty strong encryption set up through Barracuda, but this company that the client is sending emails to apparently lacks the mental capacity to log into a web portal and retrieve emails.  So now I'm trying to get Outlook to encrypt emails so that they don't have to think much more past "click, open email".  The thing I'm not understanding is how these digital IDs work; I was reading an article online but it didn't tell me everything that's required for Outlook to encrypt emails.  The things I'm wondering are:

Does the recipient also need to purchase a digital ID to encrypt the message? (if the answer to this question is yes then solution isn't viable anyways)

Does each computer that's going to send encrypted emails have to have its own separate digital ID?

Does each recipient have to add the digital ID for each person into their contacts to decrypt messages?  For example, if ten people are sending encrypted emails from my client to 20 agents on the other side, does each one of the 20 agents have to go in and add all 10 digital IDs?

Also, does having Exchange affect things at all?
The client is running SBS 2003 with Exchange 2003

Any help is greatly appreciated, any other suggestions are welcome, and if I left anything out let me know.  Thanks.
0
Comment
Question by:ctagle
6 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 167 total points
ID: 38758166
Ok, from the top then. I am going to assume by "digital ID" you mean S/MIME email encryption (as built into Outlook).

Does the recipient also need to purchase a digital ID to encrypt the message? (if the answer to this question is yes then solution isn't viable anyways)

Technically, no. Each actor in the exchange must have a Digital ID; this is functionally identical to the HTTPS certificates used on web pages and to the certificates used for encrypting LDAPS, TLS/SMTP, and so forth.  That ID must be valid and match the email(s) of the account using it.  Once acquired, the Digital ID comes in two parts - a "public" certificate, which can be used to encrypt messages to the Digital ID's matching account, and a private key, which can be used both to digitally sign messages and decrypt messages signed with the public certificate.

It need not be a commercial cert, but in order to show as valid, any machine using it must have a copy of the signing cert.  However, within those constraints, you can use the MS CA or something like xca (http://sourceforge.net/projects/xca) to issue or even create valid certificates, in which case the "issuing" cert from the CA must also be installed on the end node machines (the only benefit to using a commercial CA is that this is already done for you).

Does each computer that's going to send encrypted emails have to have its own separate digital ID?

Again, technically no.
Only the recipient of an encrypted mail need have a Digital ID. The owner of a Digital ID may receive encrypted mails *and* send digitally signed mails.  The sender of encrypted mails needs only the recipient's cert, or to verify a digitally signed mail (which *includes* the cert) only the issuing CA cert.

Does each recipient have to add the digital ID for each person into their contacts to decrypt messages?  For example, if ten people are sending encrypted emails from my client to 20 agents on the other side, does each one of the 20 agents have to go in and add all 10 digital IDs?

No, that's not how it works. However, to *send* an encrypted message/reply, they will need a valid cert for the intended recipient (not the whole digital ID, just the cert). If they/you are in an Exchange environment, they/you should be able to add this to the GAL as an external contact - much easier than adding each individually to each agent needing to send encrypted mail to the recipient. You can also push out the signing CA to the machines using Group Policy, to avoid having to do that per-node either.  There was no pretty GUI tool to do the GAL cert addition in Exchange 2003, though; you need to use CertUtil with the dspublish flag, which is a moderate admin task (as in, it scares anyone who is lost without a GUI :)
0
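Added example (not from this thread or any of its posters): a Go program using only the standard library that builds the pieces the answer above describes - an internal issuing CA, one S/MIME "Digital ID" whose certificate is bound to an email address via the rfc822Name SAN, and the check a client makes (chains to a trusted issuer, valid for email protection, address matches) before it will encrypt to that ID. The CA name "Example Internal CA" and the address alice@example.test are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// issue signs tmpl with the parent's private key; parent == tmpl yields the self-signed CA.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced is well-formed
	return cert
}

// BuildDemoPKI builds a constructed internal CA and one S/MIME Digital ID for the constructed address
// alice@example.test: aliceKey decrypts/signs, alice is the cert senders need, ca is what recipients must trust.
func BuildDemoPKI() (ca, alice *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(365*24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	alice = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice Example"},
		EmailAddresses: []string{"alice@example.test"}, NotBefore: nb, NotAfter: na, // rfc822Name SAN
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, ca, &aliceKey.PublicKey, caKey)
	return ca, alice
}

// TrustedFor reports whether cert chains to a CA in roots, is valid for email protection and
// names exactly the given address: the checks a client makes before encrypting to that ID.
func TrustedFor(cert *x509.Certificate, roots *x509.CertPool, email string) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	_, err := cert.Verify(opts)
	return err == nil && slices.Contains(cert.EmailAddresses, email)
}
```

Run with an empty root pool to see the "issuing cert not installed on the end node" failure the answer warns about: the same certificate is rejected until the CA is in the trusted set.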
 
LVL 14

Assisted Solution

by:BlueCompute
BlueCompute earned 167 total points
ID: 38758192
Does the recipient also need to purchase a digital ID to encrypt the message?
Yes.  You can get them for free, but the recipient and the sender will both need a digital ID.  S/MIME is a Public Key Infrastructure application using asymmetric cryptography with public/private key pairs.  As such, both the sender and the recipient will need a certificate / digital ID.

Does each computer that's going to send encrypted emails have to have its own separate digital ID?
No.  The digital ID authenticates the sender, not the sending device.  Each email address that will be sent from requires its own digital ID.  You would add your digital ID to each of the email clients that will send as you.

Does each recipient have to add the digital ID for each person into their contacts to decrypt messages?  For example, if ten people are sending encrypted emails from my client to 20 agents on the other side, does each one of the 20 agents have to go in and add all 10 digital IDs?

EDIT - No, each of the 20 receiving agents would require a digital ID.

I'm trying to see what's required to get email encryption set up in Outlook.  We have a client who is a home health agency and needs to encrypt all emails coming from their Exchange 2003 server containing confidential information in order to meet HIPAA compliance and send emails to companies.
You can enforce encryption at Exchange level by only sending email out over TLS.  The massive disadvantage with this is that not all organisations support secure SMTP.  If they don't, your only remedy would be to not send to those organisations...

Hope that helps.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 166 total points
ID: 38758560
The experts have covered them well, and I shall not repeat, but primarily you should be looking at S/MIME signature and encryption. [0] All this eventually leads to common PKI-based encryption using a digital ID. This identity is important as it represents the identity of the end user, which is typically represented in the "subject name" field stated in the digital (X.509v3) certificate issued by your trusted CA (internal or external).

[0] http://office.microsoft.com/en-sg/outlook-help/encrypt-e-mail-messages-HP001230536.aspx

[0] http://office.microsoft.com/en-sg/outlook-help/overview-of-certificates-and-cryptographic-e-mail-messaging-in-outlook-HP001230534.aspx?CTT=5&origin=HP001230536#BM2
 
But the challenge (or maybe the tedious part) is also well known to be the key management aspects, especially if you (or the IT team) manage the internal CA and its entire PKI infrastructure. Even then, using a 3rd-party certificate issued from a trusted CA like VeriSign, Thawte etc. lessens the load but does not remove it all. The cost is cumulative with more users, be it tangible (infrastructure support) or intangible (operational cost, helpdesk). Also, do not forget to assess the existing backend Exchange system to beef up security with a network security device giving that additional anti-spam, email reputation checks etc. All is well and understood as you tread the HIPAA compliance needs.

It would be good to check out other alternatives [1] (inclusive of PKI encryption) for awareness, to make an informed decision. But note we do not want to compromise the security posture required. You may see IBE over PKI [2]. PS, I am not a vendor :)

[1] @ http://www.trusttone.com/blog/viewpost/120#Solution%20Approaches
[2] @ http://www.trusttone.com/blog/viewpost/120#Identity%20based%20encryption%20over%20PKI
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 38758570
BlueCompute has a good point. Exchange (note NOT 2003, but later editions) can be set to *require* TLS for a custom SMTP bridgehead, and even if you don't have the later edition, installing a simple copy of Exim or a similar open-source MTA as an intermediary can allow TLS to be required, by ensuring:

1) for a list of recipient domains, TLS is required
2) for a list of recipient domains, direct delivery is required

you can achieve a situation where mail between yourselves and an external customer is *always* sent over an encrypted channel, so additional encryption per-message is unnecessary; this may require (or at least work better if) you buy a commercial cert for your SMTP bridgehead, but that's just one cert.

Note this won't work well if you "front" your mail via another provider (such as Mimecast or Symantec) for antivirus/antispam filtering.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 38758580
Oh, and note that a correctly constructed SAN certificate can reduce the number of Digital IDs required from one per email to one per domain :)
0
 

Author Closing Comment

by:ctagle
ID: 38841679
Thanks for all your help. Turns out in this scenario all we needed was a send connector with TLS configured and a valid SSL cert; all I needed to do was create a send connector for their domain and use our existing cert and it was all good to go.  Now if only they had told me that from the beginning......>:O
0
