sunhux
asked on
Opinions on email encryption & Voltage
Our organization is currently on MS Exchange 2010 (with Outlook clients) without encryption.
We are contemplating embarking on encryption using Voltage.
a) Voltage allows users to choose to encrypt, & it can also not let the users have the option but enforce encryption for all emails. Can Voltage be set (or is it smart enough) so that if emails don't go through the Internet, it doesn't encrypt them, but otherwise encrypts them?
b) If users can't be trusted to decide to encrypt emails even if users are fully aware the content of the emails is sensitive, I suppose this means we ought to enforce encryption regardless of the email's sensitivity. What if the emails are only sent within the organization's LAN (ie don't go thru Internet nor point-to-point WAN links), is encryption still essential?
My view is it is essential because if there are highly-sensitive emails (say news by the top to acquire another company at a certain share price), we don't want a staff member who has a sniffing device or Wireshark to intercept such emails (the local LAN is a 'trusted' network, but internal staff who are not supposed to know certain info could tap onto the LAN to intercept).
c) If unencrypted emails travel between our various offices in different countries via point-to-point leased circuits (ie not thru Internet) & the links are not encrypted (say by site-to-site VPN or using hardware encryption at both ends), can they be intercepted or subject to MITMA by external parties (say Telco staff or people who have access to the telcos' exchanges)?
d) If emails are sent from a trusted source to a trusted destination but the emails go thru the Internet, what's the best practice out there? I suppose currently most people don't encrypt, but the extent of unencrypted emails being intercepted by MITMA on the Internet must be quite prevalent.
e) For encryption & decryption at the other end, do both ends need to use Voltage? If the emails are between our various branches in different countries, we can make both ends use this same product, but if it's with our suppliers & customers, can encryption using such appliances still be feasible? Or are we only left with the option that users have to zip (with a password) sensitive data into an attachment & send them, as this is the most universal encryption/decryption method, or am I mistaken (ie different vendors' appliances at both ends could still allow encryption & decryption as long as they adhere to a certain protocol, say AES-256)? In this case how does the key exchange work?
ASKER CERTIFIED SOLUTION
ASKER
Gee, thanks for the excellent reply.
Glad to hear that only 1 unit of Voltage is needed to allow encryption+decryption of our country's outgoing email (ie our suppliers' & customers' organizations don't need it).
In the different countries' branches, they have their individual Exchange servers and AD servers (ie different domains), so are emails still encrypted? My guess is even with Exchange 2010, it has to be a common Exchange server (shared by all branches) for emails to be encrypted?
So Exchange emails between john@abc.com.nz & neil@abc.com.au are not encrypted?
ASKER
f) Assuming we have a firewall, an antispam device (which also does AV scans on emails), a DLP device (to screen for sensitive data & block emails containing sensitive data from going out, but it doesn't screen incoming emails), a Blue Coat proxy (to block social networking, public emails like Yahoo), a Network IPS/IDS, a WAF, an encryption gateway & MS Exchange server, how should they be inter-connected?
I think WAF is not required as it's only web servers that sit behind the WAF, though the Exchange server sits in the DMZ.
I think it's:
external firewall - proxy - Network IPS/IDS - antispam - DLP - encryption gateway - internal firewall (or it's not applicable for DMZ, only for App & DB zones?) - Exchange server
g) If we are moving our MS Exchange to MS' Office365 in the cloud, do we port our existing antispam, DLP, encryption gateway over to O365?