Solved

Protecting Client/Sensitive Data

Posted on 2014-03-10
Last Modified: 2014-03-27
Trying to get an idea of what people are using at present for general data security, email, encryption, etc.

Currently we use a cloud provider for email, but this still has its limits in terms of what users are sending out to clients/partners.
One of my colleague's suppliers is using TLS to encrypt emails. I see the benefit of this; however, there are more issues here from users sending email to incorrect recipients by mistake, sending corporate emails/data on purpose, etc.

I see DLP is becoming more common.

I'd like to be able to filter out data and have a user authorise the content being sent, but also have the ability to encrypt all emails that we are sending out.

Must make it easy and reliable from all sides.
Not sure where to start!

Ideas?
Question by:CHI-LTD
 
LVL 40

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 39918622
Most email traffic these days is encrypted through Opportunistic TLS, since most email servers have this enabled by default, but you can't rely on Opportunistic TLS as an encryption system since there is always a chance that the server you are sending to doesn't support TLS. Domain Authenticated TLS is another option that forces email to be encrypted under certain conditions. Both are available for most email servers and security appliances.

Another option is secure stubbing, which is likely what you get through your cloud solution, where a user sends an email and the recipient receives an email telling them to log in to a secure server to retrieve the message. It's a fairly reliable solution that will allow you to define conditions under which email is encrypted. You can set it up to encrypt all mail to a specific domain or have it scan the contents of a message for specific strings that could match a type of personally identifiable information (Driver's licenses, SSNs, CCNs, etc).

S/MIME is another option that utilizes a Public Key Infrastructure, where each user is provided with a certificate containing a public and private key that is used to encrypt emails. Encrypted emails can only be decrypted if the recipient has a copy of the sender's public key, which is emailed to the recipient before the encrypted message and installed by the recipient on their computer. This is a complex and fairly unwieldy solution, but it's supported by most email clients (including Outlook) and will protect email even if it is sent to the wrong person, unless that wrong person has a copy of the sender's public key.

Rights Management Server in Windows Server is also something you can use to ensure only specific recipients have the ability to open attachments, but it does not encrypt emails, only the attachments that are included with emails. Most DLP solutions will work like that.

And that's most of the email encryption systems available these days. There really isn't a perfect solution, but combinations of the above can help, since a layered approach is usually a good idea, but some of these solutions can't be combined. S/MIME won't work with stubbing, but will work with Opportunistic and Domain Auth TLS, and other such things.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39920285
Okay, they have decided ALL emails should be encrypted. How best to achieve this?

I'm thinking of a cloud solution that they must use for attachments with client data on, and when the file has been read and/or printed the document is deleted permanently and the recipient cannot read the email ever again.
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 39956963
Internal emails are encrypted by Exchange by default, so those are fine. Forcing encryption on all External emails can be very problematic, because you may end up communicating with a mail server that just doesn't support TLS, which is something you have no control over. You can mitigate this with email stubbing, where recipients are directed to log in to a secure portal to view emails, but that is unwieldy in the extreme. DLP is an option, but it's still a tricky thing to deal with. Rights Management Server may be able to help you with that, but you're going to run into headaches using the type of protection you're speaking of, since recipients could end up reading a file, accidentally closing it, and needing to have it resent to them. Enforcing encryption on *all* emails requires a staggering amount of administrative overhead, and typically results in significantly decreased efficiency and productivity as people deal with the security measures. This is why most environments only enforce encryption for specific individuals, types of emails, or to specific recipient domains, all of which is much simpler to accomplish and requires *much* less administrative effort.
0
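An added example, not part of the original answers: a sketch of the selective policy both expert replies describe, scanning outbound content for SSN and card-number patterns and forcing TLS only for named recipient domains. The domain names, action labels, and the rule that a content match overrides the domain rule are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed policy inputs (hypothetical values, not from the thread).
INTERNAL_DOMAINS = {"example.com"}
FORCED_TLS_DOMAINS = {"partner.example"}  # refuse delivery if TLS is unavailable
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pii(text):
    """Return the set of PII types seen in text ('ssn', 'card')."""
    hits = {"ssn"} if SSN_RE.search(text) else set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.add("card")
    return hits

def classify(raw_message):
    """Map each recipient of one outbound message to a handling action."""
    msg = message_from_string(raw_message)
    body = "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")
    pii = find_pii(msg.get("Subject", "") + "\n" + body)
    actions = {}
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        domain = addr.rpartition("@")[2].lower()
        if domain in INTERNAL_DOMAINS:
            actions[addr] = "deliver"
        elif pii:  # content rule wins: sender must approve, then portal delivery
            actions[addr] = "hold_for_approval_then_portal"
        elif domain in FORCED_TLS_DOMAINS:
            actions[addr] = "require_tls"
        else:
            actions[addr] = "opportunistic_tls"
    return actions

SAMPLE = ("To: alice@example.com, bob@partner.example\nCc: carol@other.example\n"
          "Subject: Q1 figures\n\nCard on file: 4111 1111 1111 1111\n")  # constructed
```

Only text/plain parts are scanned here; attachments and HTML bodies would need their own extraction step before the same patterns apply.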
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39958410
OK, thanks for your response.
0


Question has a verified solution.
