Solved

Protecting Client/Sensitive Data

Posted on 2014-03-10
Last Modified: 2014-03-27
Trying to get an idea of what people are using at present for general data security, email, encryption, etc.

Currently we use a cloud provider for email, but this still has its limits in terms of what users are sending out to clients/partners.
One of my colleague's suppliers is using TLS to encrypt emails. I see the benefit of this; however, there are more issues here, from users sending email to incorrect recipients by mistake, sending corporate emails/data on purpose, etc.

I see DLP is becoming more common.

I'd like to be able to filter out data and have a user authorise the content being sent, but also have the ability to encrypt all emails that we are sending out.

Must make it easy and reliable from all sides.
Not sure where to start!

Ideas?
Question by:CHI-LTD
4 Comments
 

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 39918622
Most email traffic these days is encrypted through Opportunistic TLS, since most email servers have this enabled by default, but you can't rely on Opportunistic TLS as an encryption system since there is always a chance that the server you are sending to doesn't support TLS. Domain Authenticated TLS is another option that forces email to be encrypted under certain conditions. Both are available for most email servers and security appliances.

Another option is secure stubbing, which is likely what you get through your cloud solution, where a user sends an email and the recipient receives an email telling them to log in to a secure server to retrieve the message. It's a fairly reliable solution that will allow you to define conditions under which email is encrypted. You can set it up to encrypt all mail to a specific domain or have it scan the contents of a message for specific strings that could match a type of personally identifiable information (Driver's licenses, SSNs, CCNs, etc).

S/MIME is another option that utilizes a Public Key Infrastructure, where each user is provided with a certificate containing a public and private key that is used to encrypt emails. Encrypted emails can only be decrypted if the recipient has a copy of the sender's public key, which is emailed to the recipient before the encrypted message and installed by the recipient on their computer. This is a complex and fairly unwieldy solution, but it's supported by most email clients (including Outlook) and will protect email even if it is sent to the wrong person, unless that wrong person has a copy of the sender's public key.

Rights Management Server in Windows Server is also something you can use to ensure only specific recipients have the ability to open attachments, but it does not encrypt emails, only the attachments that are included with emails. Most DLP solutions will work like that.

And that's most of the email encryption systems available these days. There really isn't a perfect solution, but combinations of the above can help, since a layered approach is usually a good idea, but some of these solutions can't be combined. S/MIME won't work with stubbing, but will work with Opportunistic and Domain Auth TLS, and other such things.

Author Comment

by:CHI-LTD
ID: 39920285
Okay, they have decided ALL emails should be encrypted. How best to achieve this?

I'm thinking of a cloud solution that they must use for attachments with client data on, and when the file has been read and/or printed the document is deleted permanently and the recipient cannot read the email ever again.

Expert Comment

by:Adam Brown
ID: 39956963
Internal emails are encrypted by Exchange by default, so those are fine. Forcing encryption on all External emails can be very problematic, because you may end up communicating with a mail server that just doesn't support TLS, which is something you have no control over. You can mitigate this with email stubbing, where recipients are directed to log in to a secure portal to view emails, but that is unwieldy in the extreme. DLP is an option, but it's still a tricky thing to deal with. Rights Management Server may be able to help you with that, but you're going to run into headaches using the type of protection you're speaking of, since recipients could end up reading a file, accidentally closing it, and needing to have it resent to them. Enforcing encryption on *all* emails requires a staggering amount of administrative overhead, and typically results in significantly decreased efficiency and productivity as people deal with the security measures. This is why most environments only enforce encryption for specific individuals, types of emails, or to specific recipient domains, all of which is much simpler to accomplish and requires *much* less administrative effort.
0
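The conditional approach described in the accepted answer (encrypt by recipient domain or when content matches SSN/card-number patterns) and in the comment above (enforce only for specific domains or message types) can be sketched as an outbound policy check. This is an added example, not part of the thread and not any product's rule set; the domain `partner.example`, the `hold` flag (standing in for the asker's sender-approval step) and all function names are assumptions.

```python
import re

# Hypothetical policy value for this sketch (not from the thread).
FORCE_ENCRYPT_DOMAINS = {"partner.example"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Drop ranges never issued: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def find_sensitive(text: str) -> list[str]:
    """Return the kinds of data matched, never the matched values."""
    kinds = []
    if any(ssn_plausible(*m) for m in SSN_RE.findall(text)):
        kinds.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        kinds.append("card")
    return kinds


def decide(recipients: list[str], subject: str, body: str) -> dict:
    """Decide per message: encrypt (stub/forced TLS) and/or hold for approval."""
    content = find_sensitive(subject + "\n" + body)
    domains = {r.rsplit("@", 1)[-1].lower() for r in recipients}
    forced = sorted(domains & FORCE_ENCRYPT_DOMAINS)
    return {
        "encrypt": bool(content or forced),
        "hold": bool(content),  # assumption: content hits need sender sign-off
        "reasons": content + [f"domain:{d}" for d in forced],
    }
```

The checksum and range filters cut false positives, but a random 16-digit reference number still passes Luhn about one time in ten, so content hits are better routed to review than silently blocked.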
 

Author Comment

by:CHI-LTD
ID: 39958410
OK, thanks for your response.