Solved

Protecting Client/Sensitive Data

Posted on 2014-03-10
Last Modified: 2014-03-27
Trying to get an idea of what people are using at present for general data security, email, encryption, etc.

Currently we use a cloud provider for email, but this still has its limits in terms of what users are sending out to clients/partners.
One of my colleagues' suppliers is using TLS to encrypt emails. I see the benefit of this; however, there are more issues here from users sending email to incorrect recipients by mistake, sending corporate emails/data on purpose, etc.

I see DLP is becoming more common.

I'd like to be able to filter out data and have a user authorise the content being sent, but also have the ability to encrypt all emails that we are sending out.

Must make it easy and reliable from all sides.
Not sure where to start!

Ideas?
Question by:CHI-LTD
4 Comments
Accepted Solution by: Adam Brown (LVL 38, earned 500 total points)
ID: 39918622
Most email traffic these days is encrypted through Opportunistic TLS, since most email servers have this enabled by default, but you can't rely on Opportunistic TLS as an encryption system since there is always a chance that the server you are sending to doesn't support TLS. Domain Authenticated TLS is another option that forces email to be encrypted under certain conditions. Both are available for most email servers and security appliances.

Another option is secure stubbing, which is likely what you get through your cloud solution, where a user sends an email and the recipient receives an email telling them to log in to a secure server to retrieve the message. It's a fairly reliable solution that will allow you to define conditions under which email is encrypted. You can set it up to encrypt all mail to a specific domain or have it scan the contents of a message for specific strings that could match a type of personally identifiable information (Driver's licenses, SSNs, CCNs, etc).

S/MIME is another option that utilizes a Public Key Infrastructure, where each user is provided with a certificate containing a public and private key that is used to encrypt emails. Encrypted emails can only be decrypted if the recipient has a copy of the sender's public key, which is emailed to the recipient before the encrypted message and installed by the recipient on their computer. This is a complex and fairly unwieldy solution, but it's supported by most email clients (including Outlook) and will protect email even if it is sent to the wrong person, unless that wrong person has a copy of the sender's public key.

Rights Management server in Windows server is also something you can use to ensure only specific recipients have the ability to open attachments, but it does not encrypt emails, only the attachments that are included with emails. Most DLP solutions will work like that.

And that's most of the email encryption systems available these days. There really isn't a perfect solution, but combinations of the above can help, since a layered approach is usually a good idea, but some of these solutions can't be combined. S/MIME won't work with stubbing, but will work with Opportunistic and Domain Auth TLS, and other such things.
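As an added, hypothetical illustration of the content-scan and per-domain rules Adam describes above (example code, not from the thread or from any product), this Python classifies an outbound message by scanning its body for SSN- and card-number-like strings (Luhn-checked to cut false positives) and by checking recipient domains against an assumed forced-TLS list:

```python
import re
from email.utils import getaddresses

# Hypothetical policy inputs (assumed for this example, not from the thread).
FORCED_TLS_DOMAINS = {"partner.example"}          # domain-authenticated TLS required
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN shape
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count SSN-like and Luhn-valid card-number-like strings in a message body."""
    ssns = SSN_RE.findall(text)
    cards = []
    for match in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", match)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.append(digits)
    return {"ssn": len(ssns), "ccn": len(cards)}


def outbound_policy(to_header: str, body: str) -> str:
    """Return 'encrypt', 'require_tls' or 'opportunistic_tls' for one outbound message."""
    pii = find_pii(body)
    if pii["ssn"] or pii["ccn"]:
        # PII present: hand off to the stubbing portal / S/MIME path and hold for user approval
        return "encrypt"
    domains = {addr.rsplit("@", 1)[-1].lower()
               for _, addr in getaddresses([to_header]) if "@" in addr}
    if domains & FORCED_TLS_DOMAINS:
        return "require_tls"           # fail closed instead of falling back to plaintext
    return "opportunistic_tls"


if __name__ == "__main__":
    # Constructed sample message, not real data.
    print(outbound_policy("Bob <bob@partner.example>",
                          "Card 4111 1111 1111 1111, SSN 123-45-6789"))
```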
Author Comment by: CHI-LTD (LVL 1)
ID: 39920285
Okay, they have decided ALL emails should be encrypted. How best to achieve this?

I'm thinking of a cloud solution that they must use for attachments with client data on, and when the file has been read and/or printed the document is deleted permanently and the recipient cannot read the email ever again.
Expert Comment by: Adam Brown (LVL 38)
ID: 39956963
Internal emails are encrypted by Exchange by default, so those are fine. Forcing encryption on all external emails can be very problematic, because you may end up communicating with a mail server that just doesn't support TLS, which is something you have no control over. You can mitigate this with email stubbing, where recipients are directed to log in to a secure portal to view emails, but that is unwieldy in the extreme. DLP is an option, but it's still a tricky thing to deal with. Rights Management Server may be able to help you with that, but you're going to run into headaches using the type of protection you're speaking of, since recipients could end up reading a file, accidentally closing it, and needing to have it resent to them. Enforcing encryption on *all* emails requires a staggering amount of administrative overhead, and typically results in significantly decreased efficiency and productivity as people deal with the security measures. This is why most environments only enforce encryption for specific individuals, types of emails, or to specific recipient domains, all of which is much simpler to accomplish and requires *much* less administrative effort.
Author Comment by: CHI-LTD (LVL 1)
ID: 39958410
OK, thanks for your response.