Solved

secure mail

Posted on 2013-06-04
6
506 Views
Last Modified: 2013-06-06
We are looking into secure email solutions for sending sensitive/restricted information via email to external recipients. Our email platform is Exchange 2010, and on the computers Outlook 2010. What I don't understand is: if one of our internal employees wants to send email to an external recipient in another organisation via whichever secure mail solution we decide on, do they (the recipient) also need to invest in some compatible secure email software, or not really? Please keep answers low-tech and management friendly. I can't see that going down well with recipients ("we can only send you secure email if you invest in a $$$ software package from your side also").

There also seem to be many solutions for secure email, ranging from free products to quite expensive products. Are the more expensive solutions "more secure", and if not, why the difference in price? If it is because they are more secure, can you elaborate on what exactly is more secure, and the risks associated with the free/cheap options? I can't understand why anyone would pay for a solution if there is a free alternative, so please enlighten me (again in management-friendly, low-tech terms) as to why the paid options are often more desired.

If you wish to recommend some products and the pros and cons of the various options, that would be great...
0
Question by:pma111
6 Comments
 
LVL 41

Assisted Solution

by:Amit
Amit earned 100 total points
ID: 39220208
You can look for software like Voltage:
http://www.voltage.com/products/securemail/

Free ones I haven't tried, so I cannot comment.
0
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
ID: 39220284
Email was not designed with security in mind. It also has the limitation of being a send-and-forget technology. A technology like www.sharefile.com allows a secure transfer of files of any size, and you get manageability of the file, i.e. who has access, when it was accessed, you can delete the file and so forth.

Disclaimer: I don't use this product but know many lawyers that do use it for secure discovery material transmission.

If one encrypts a file then the recipient must have the applicable software to decrypt the file. Another way is to have the file / message sent to a secure webmail page, but this requires both parties to have an account, and this does not integrate very well with current email technology. As I mentioned before, email was not designed with security in mind, but for the free transfer of information from one party to another.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
ID: 39220639
The most common method I have seen this implemented with is to use a service that takes the message, wraps it up on a web page, and then the recipient gets an email saying there is an email for them. They then visit the special link, where the contents of the email are displayed.

The main solution I have seen here is Microsoft's solution Forefront Hosted Encryption.
Technical details here:

http://technet.microsoft.com/en-us/library/exchange-hosted-email-encryption-service-subscription-in-fope.aspx

That is about your only option.
You can sign emails, but that will only prove they haven't been tampered with.
You could look at something like PGP, but that will require key exchange in many cases.

Simon.
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 39221183
The common saying is "If it is easy, it isn't secure."  Yes, both ends have to have compatible encryption software.
0
 
LVL 33

Accepted Solution

by:Dave Howe
Dave Howe earned 100 total points
ID: 39221738
OK, there are two different ways to do this (and lots of subsections).

First, the email crypto world is divided into two fields:
Preshared key solutions (where the recipient must first set up and deliver to you a key to be used for encryption).
Oracle-based solutions (where the user must log into a device or portal and then either stored mail is delivered over HTTPS, or encrypted mail is decrypted using a passed key obtained from the service).

For the first, there are two major encryption schemes to consider.
The first is the easiest: S/MIME (called by Microsoft a "digital ID"). This is the same system used for securing HTTPS webservers, and consists of a private key (used to digitally sign outgoing messages or decrypt incoming messages) and a public certificate (used to verify digital signatures and encrypt outbound mails). All digitally signed messages include this certificate, so the fastest key distribution technique is to send a digitally signed message to all potential correspondents.
Downside is key management. Each cert expires (typically after 1 year, but you can configure this) and, unless you want to manually verify certificates every time you update, you need to buy them from a commercial CA, and that isn't cheap.
Upside? Everything you need (other than your personal key and cert) is already built into your email client. Outlook+Exchange users can also have their certs generated and pushed to them automatically via autoenrollment (this requires Exchange to be configured to do so, and for there to be an Enterprise CA set up on a Windows server to fulfil these requests).
For test or smaller-scale solutions, you can generate the required key/cert pair manually using the free XCA package.

The other competing solution is called OpenPGP (note, that is the standard, not the name of the software). This is typically NOT built into an email client; instead you will need to configure plugins or desktop software at both ends to support the system. Typical packages are "Pretty Good Privacy" and "GNU Privacy Guard", the former commercial, the latter less polished but free/open source. OpenPGP is functionally similar to S/MIME, so I won't go into further detail, other than to note that it doesn't use X.509 certificates but its own key format based on adding "trust" signatures to keys, so that you can decide if a key is valid based on those willing to assert validity by signing it whose keys you already have.

Moving on then, the other major subcategory is oracle-based crypto.

There are four big players in this market.

First and oldest is Cisco. Their CRES solution (https://res.cisco.com/websafe/about) was an early runner (albeit under a different ownership; they bought the original company, called IronPort). For this, you need an IronPort email security appliance (not cheap!) with the encryption subscription service, and you flag messages that need to be encrypted (with configurable rules; most sites use the "confidential" flag from Outlook and/or the presence of [encrypt] in the subject line). Recipients are presented with an attachment that renders (in JavaScript) a pretty envelope that allows them to select which recipient they are, and links (in the background) to the CRES site. New users are required to sign up, but that's one signup for each user for the whole of CRES (user accounts are not specific to sender). The same messages can be used to reply securely, again via CRES.

Second oldest is ZixMail (http://www.zixcorp.com/email-encryption/zixmail/), similar to CRES, but using a software solution (although there are on-premise server solutions).

Third oldest is PGP Universal Gateway (http://www.symantec.com/en/uk/gateway-email-encryption). This is very much an afterthought from PGP Inc, as they originally wanted to concentrate on their OpenPGP-based offerings, but it works similarly, other than the fact that the server is an on-premise appliance and signups are therefore per-site. It offers much more control than off-premise though (note, there have been occasions where access to "secure" email has been granted by CRES to law enforcement in the USA, due to the fact that the encryption keys are stored by them, not the user; PGP Inc is unable to comply with such "requests", which is of course only a factor if you don't want the American government reading your email :)

Newest is Microsoft's Exchange Hosted Encryption (http://technet.microsoft.com/en-us/library/exchange-hosted-email-encryption-service-subscription-in-fope.aspx), part of their FOPE offering (http://office.microsoft.com/en-us/exchange/microsoft-exchange-online-protection-email-filter-and-anti-spam-protection-email-security-email-spam-FX103763969.aspx) and only available to FOPE customers. This is similar to CRES (again) and is similarly a solution where the company controls the encryption keys.
0
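The S/MIME cycle described in the accepted answer (private key signs and decrypts, public cert verifies and encrypts, and a signed message carries the sender's cert so the recipient can extract it), driven with the openssl CLI as an added example that is not part of this thread. The identity "alice" and the example.test address are constructed, and an installed openssl binary is assumed; the self-signed cert stands in for one a commercial or Enterprise CA would issue.

```shell
#!/bin/sh
# Added example, not from the thread: the S/MIME cycle described above, driven with
# the openssl CLI. "alice" and the example.test address are constructed, not real.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key/cert pair. Self-signed here; in production a commercial CA or an internal
# Enterprise CA would issue it, which is what removes the manual fingerprint check below.
make_identity() {   # $1 = name, $2 = email address
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1/emailAddress=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# The private key signs; the signed message carries the signer's cert along with it.
sign_message() {    # $1 = sender name, $2 = body file, $3 = output .eml
    openssl smime -sign -in "$2" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$3"
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Recipient side: pull the embedded cert out of the signed message (-noverify because no
# CA chain exists yet), then compare its SHA-256 fingerprint with one the sender gave out
# of band. This is the "manually verify certificates" cost of not buying from a CA.
extract_and_check_cert() {  # $1 = signed .eml, $2 = expected fingerprint, $3 = saved cert
    openssl smime -verify -noverify -in "$1" -signer "$3" -out /dev/null 2>/dev/null
    [ "$(fingerprint "$3")" = "$2" ]
}

# The public cert encrypts; only the matching private key can decrypt.
encrypt_reply() {   # $1 = body file, $2 = recipient cert, $3 = output .p7m
    openssl smime -encrypt -aes256 -in "$1" -out "$3" "$2"
}
decrypt_reply() {   # $1 = encrypted .p7m, $2 = own name; prints the plaintext
    openssl smime -decrypt -in "$1" -recip "$WORK/$2.crt" -inkey "$WORK/$2.key" | tr -d '\r'
}

demo() {
    make_identity alice alice@example.test
    printf 'Quarterly figures attached.\n' > "$WORK/body.txt"
    sign_message alice "$WORK/body.txt" "$WORK/signed.eml"
    expected=$(fingerprint "$WORK/alice.crt")   # stands in for a fingerprint read out by phone
    extract_and_check_cert "$WORK/signed.eml" "$expected" "$WORK/alice_from_mail.crt"
    printf 'Received, thanks.\n' > "$WORK/reply.txt"
    encrypt_reply "$WORK/reply.txt" "$WORK/alice_from_mail.crt" "$WORK/reply.p7m"
    decrypt_reply "$WORK/reply.p7m" alice   # prints: Received, thanks.
}
demo
```

If the fingerprint comparison fails (a cert that did not come from the person you think it did), the script stops before anything is encrypted to that cert.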
 
LVL 3

Author Comment

by:pma111
ID: 39222123
Thanks all, most helpful.
0
