    O365 and encrypted mail to other email systems

    169 Posts 9 Posters 78.5k Views
    • DashrenderD
      Dashrender @scottalanmiller
      last edited by

      @scottalanmiller said in O365 and encrypted mail to other email systems:

      @Kelly said in O365 and encrypted mail to other email systems:

      If this is a consistent and regular communication would setting up S/MIME be an option?

      That's tantamount to GPG. So I would agree, when you get to that level, that kind of thing makes sense.

      How is S/MIME tantamount to GPG?

      scottalanmillerS 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @Dashrender
        last edited by

        @Dashrender said in O365 and encrypted mail to other email systems:

        @scottalanmiller said in O365 and encrypted mail to other email systems:

        @Kelly said in O365 and encrypted mail to other email systems:

        If this is a consistent and regular communication would setting up S/MIME be an option?

        That's tantamount to GPG. So I would agree, when you get to that level, that kind of thing makes sense.

        How is S/MIME tantamount to GPG?

        By being essentially the same thing...

        https://www.imc.org/smime-pgpmime.html

        1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender
          last edited by

          I'm now on the hunt for others who are suggesting, or agreeing that TLS is enough to get the OCR auditors off your back if/when you get one.

          I found http://www.hitechanswers.net/7-hipaa-compliant-assumptions-can-trip/

          Our email provider offers TLS encryption, so we’re secure in sending email attachments.
          TLS encryption is a great tool to help secure emails in transit, but only works if both sides of the email transaction are configured properly. Many consumer email providers aren’t equipped to support TLS encryption for their subscribers. If your email provider is only using opportunistic TLS and the recipient doesn’t support TLS, emails with PHI could be transmitted with no encryption at all. You may want to think twice about sending PHI over email, particularly when other, more secure methods are available.

          So this is promising. Disable opportunistic TLS, i.e. require TLS and the problem is solved. I really do wonder how many systems we email that don't support TLS?

          Time to look at the logs I guess - but that will have to wait until June - Deploying Win10 now.

          1 Reply Last reply Reply Quote 1
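Before flipping an outbound connector from opportunistic to forced TLS, the question asked above ("how many systems we email don't support TLS?") can be answered by checking whether each recipient MX host advertises STARTTLS in its EHLO reply. The script below is an added example, not code from the thread; it assumes you already have the MX hostnames for your recipient domains, and the embedded EHLO replies are constructed samples.

```python
"""Readiness check for forced TLS: which recipient MX hosts offer STARTTLS?

Added example (not from the thread). Feed it the MX hostnames you actually
send to; the live probe uses smtplib's EHLO, the offline part parses replies.
"""
import smtplib
from typing import Dict, List, Tuple

# Constructed EHLO replies, shaped like smtplib.SMTP.ehlo() returns them:
# (status code, bytes) with the server hostname on the first line and one
# extension keyword per following line.
SAMPLE_EHLO: Dict[str, Tuple[int, bytes]] = {
    "mx.example-clinic.test": (250, b"mx.example-clinic.test\nSIZE 52428800\nSTARTTLS\n8BITMIME"),
    "mail.legacy-lawfirm.test": (250, b"mail.legacy-lawfirm.test\nSIZE 10240000\n8BITMIME"),
    "mx.refused.test": (421, b"Service not available"),
}


def advertises_starttls(code: int, ehlo_msg: bytes) -> bool:
    """Return True if a 250 EHLO reply lists the STARTTLS extension.

    Extension keywords are case-insensitive (RFC 5321); the first line is the
    server's hostname and is skipped, matching how smtplib parses the reply.
    """
    if code != 250:
        return False
    lines = ehlo_msg.decode("ascii", errors="replace").splitlines()
    keywords = {line.split()[0].upper() for line in lines[1:] if line.split()}
    return "STARTTLS" in keywords


def probe_host(host: str, port: int = 25, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Live probe: connect to an MX host and return its raw EHLO reply.

    Connection failures are reported as code 0 so they land in the
    'unreachable' bucket instead of being mistaken for 'no STARTTLS'.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            return smtp.ehlo()
    except (smtplib.SMTPException, OSError) as exc:
        return 0, str(exc).encode()


def classify(results: Dict[str, Tuple[int, bytes]]) -> Dict[str, List[str]]:
    """Bucket hosts: safe for forced TLS, would bounce under forced TLS, or retry.

    A host advertising STARTTLS may still fail a connector that also validates
    certificates, so treat 'tls_ready' as necessary, not sufficient.
    """
    out: Dict[str, List[str]] = {"tls_ready": [], "no_starttls": [], "unreachable": []}
    for host, (code, msg) in sorted(results.items()):
        if code != 250:
            out["unreachable"].append(host)
        elif advertises_starttls(code, msg):
            out["tls_ready"].append(host)
        else:
            out["no_starttls"].append(host)
    return out


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in
    # {h: probe_host(h) for h in your_mx_hosts} for a real check.
    for bucket, hosts in classify(SAMPLE_EHLO).items():
        print(f"{bucket}: {', '.join(hosts) or '(none)'}")
```

Hosts in the `no_starttls` bucket are the senders that would stop receiving your mail once TLS is required; the `unreachable` ones need a retry before drawing any conclusion.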
          • DashrenderD
            Dashrender
            last edited by

Here's a vendor that basically makes its living off TLS-only connections for HIPAA compliant email delivery.

            https://luxsci.com/blog/level-ssl-tls-required-hipaa.html

            1 Reply Last reply Reply Quote 1
            • DashrenderD
              Dashrender
              last edited by

              And I found instructions on how to implement TLS required (aka Forced TLS) on an Exchange server.
              http://o365info.com/configuring-the-option-of-force-tls-in-exchange-on-premises-environment-part-4-12-tls/

              1 Reply Last reply Reply Quote 1
              • DashrenderD
                Dashrender
                last edited by

Well, this is three years old, but this guy really doesn't like only using TLS - but he doesn't specifically mention locking your server down to sending TLS only.

                http://betanews.com/2013/09/02/5-big-myths-surrounding-computer-security-and-hipaa-compliance/

                It's about 1/3rd the way down.

Frankly, I see a lot of things I don't like/agree with in this writeup.

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said in O365 and encrypted mail to other email systems:

Well, this is three years old, but this guy really doesn't like only using TLS - but he doesn't specifically mention locking your server down to sending TLS only.

                  http://betanews.com/2013/09/02/5-big-myths-surrounding-computer-security-and-hipaa-compliance/

                  It's about 1/3rd the way down.

Frankly, I see a lot of things I don't like/agree with in this writeup.

                  He claims that GMail doesn't have TLS. That's definitely not true. His whole theory is based on assuming that no one does TLS, but who doesn't do TLS?

                  DashrenderD 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller
                    last edited by

                    Overall, I skimmed, but he had a lot of good points and even points to us over on SW. But the TLS bit, and he admits he just researched it and might not know, seems to rest on the theory that no one offers TLS for the end users.

                    DashrenderD 1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @scottalanmiller
                      last edited by

                      @scottalanmiller said in O365 and encrypted mail to other email systems:

                      @Dashrender said in O365 and encrypted mail to other email systems:

Well, this is three years old, but this guy really doesn't like only using TLS - but he doesn't specifically mention locking your server down to sending TLS only.

                      http://betanews.com/2013/09/02/5-big-myths-surrounding-computer-security-and-hipaa-compliance/

                      It's about 1/3rd the way down.

Frankly, I see a lot of things I don't like/agree with in this writeup.

                      He claims that GMail doesn't have TLS. That's definitely not true. His whole theory is based on assuming that no one does TLS, but who doesn't do TLS?

Well, today many do, but I won't say most do.
That write-up is from 3+ years ago.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • DashrenderD
                        Dashrender @scottalanmiller
                        last edited by

                        @scottalanmiller said in O365 and encrypted mail to other email systems:

                        Overall, I skimmed, but he had a lot of good points and even points to us over on SW. But the TLS bit, and he admits he just researched it and might not know, seems to rest on the theory that no one offers TLS for the end users.

I agree, this part is majorly outdated - three years ago, they might not have. I'd have to dig through and find the blog posts when Google, etc., enabled it by default.

                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                        • JaredBuschJ
                          JaredBusch @Dashrender
                          last edited by

                          @Dashrender said in O365 and encrypted mail to other email systems:

                          @scottalanmiller said in O365 and encrypted mail to other email systems:

                          Overall, I skimmed, but he had a lot of good points and even points to us over on SW. But the TLS bit, and he admits he just researched it and might not know, seems to rest on the theory that no one offers TLS for the end users.

I agree, this part is majorly outdated - three years ago, they might not have. I'd have to dig through and find the blog posts when Google, etc., enabled it by default.

Google has had opportunistic TLS enabled since 2012 at least, because I set up forced TLS with a single domain back in 2012 at a client that uses whatever Google calls the old Postini product.

                          1 Reply Last reply Reply Quote 2
                          • scottalanmillerS
                            scottalanmiller @Dashrender
                            last edited by

                            @Dashrender said in O365 and encrypted mail to other email systems:

                            @scottalanmiller said in O365 and encrypted mail to other email systems:

                            @Dashrender said in O365 and encrypted mail to other email systems:

Well, this is three years old, but this guy really doesn't like only using TLS - but he doesn't specifically mention locking your server down to sending TLS only.

                            http://betanews.com/2013/09/02/5-big-myths-surrounding-computer-security-and-hipaa-compliance/

                            It's about 1/3rd the way down.

Frankly, I see a lot of things I don't like/agree with in this writeup.

                            He claims that GMail doesn't have TLS. That's definitely not true. His whole theory is based on assuming that no one does TLS, but who doesn't do TLS?

Well, today many do, but I won't say most do.
That write-up is from 3+ years ago.

                            The real question is... who doesn't?

                            According to PC World, GMail was 100% by 2010, Yahoo offered it at the time of the above article and forced everyone to it by 2014: http://www.pcworld.com/article/2085700/as-yahoo-makes-encryption-standard-for-email-weak-implementation-seen.html

                            We know that Microsoft does. Rackspace does, I guarantee that Amazon does. Unless we are worried about the Zix kinds of companies avoiding it just to create insecurity in order to implement it again at high cost another way... who is there to not have TLS? Basically every major free player and anyone running their own systems either have it by force or must not have it by intention - in either case, not our concern.

                            The only question is... who is on hosted, insecure email? My guess is, no one that you can find.

                            DashrenderD 1 Reply Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @scottalanmiller
                              last edited by

                              @scottalanmiller said in O365 and encrypted mail to other email systems:

                              The only question is... who is on hosted, insecure email? My guess is, no one that you can find.

                              Those aren't the people I'm worried about - at least not the free hosted ones for sure.

I'm more concerned with hospitals, lawyers, small clinics, etc. and what they are using for email. As discussed here and elsewhere for years, these guys move at a glacial pace. Many of them are super cheap too, so they look at subscription plans like O365 and its forever payments, and make the sometimes invalid assumption that it costs more than a self hosted solution (now personally - there are many times where self hosted is cheaper, but it's also riskier) so they refuse to move. It's these people that we have no idea if they have TLS implemented or not. Of course we'd love to hope that they are, but until we try, we have no clue.

                              scottalanmillerS 1 Reply Last reply Reply Quote 1
                              • DashrenderD
                                Dashrender
                                last edited by

                                So I mentioned the TLS only option to my boss yesterday.

                                I broke it down and told her there are basically two options:

1. Get a third party bolt-on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

                                She left the conversation saying that I always leave her between a rock and a hard place. 😞

                                dafyreD JaredBuschJ scottalanmillerS 3 Replies Last reply Reply Quote 0
                                • dafyreD
                                  dafyre @Dashrender
                                  last edited by

                                  @Dashrender said in O365 and encrypted mail to other email systems:

                                  So I mentioned the TLS only option to my boss yesterday.

                                  I broke it down and told her there are basically two options:

1. Get a third party bolt-on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

                                  She left the conversation saying that I always leave her between a rock and a hard place. 😞

                                  It becomes a simple choice, though... Spend money for a third-party product... or use standards based stuff and not spend money...

                                  scottalanmillerS 1 Reply Last reply Reply Quote 2
                                  • JaredBuschJ
                                    JaredBusch @Dashrender
                                    last edited by

                                    @Dashrender said in O365 and encrypted mail to other email systems:

                                    So I mentioned the TLS only option to my boss yesterday.

                                    I broke it down and told her there are basically two options:

1. Get a third party bolt-on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

                                    She left the conversation saying that I always leave her between a rock and a hard place. 😞

                                    Because you described it poorly. I need more coffee to phrase something better, but you could certainly have sold it better.

                                    DashrenderD 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said in O365 and encrypted mail to other email systems:

                                      @scottalanmiller said in O365 and encrypted mail to other email systems:

                                      The only question is... who is on hosted, insecure email? My guess is, no one that you can find.

                                      Those aren't the people I'm worried about - at least not the free hosted ones for sure.

I'm more concerned with hospitals, lawyers, small clinics, etc. and what they are using for email. As discussed here and elsewhere for years, these guys move at a glacial pace. Many of them are super cheap too, so they look at subscription plans like O365 and its forever payments, and make the sometimes invalid assumption that it costs more than a self hosted solution (now personally - there are many times where self hosted is cheaper, but it's also riskier) so they refuse to move. It's these people that we have no idea if they have TLS implemented or not. Of course we'd love to hope that they are, but until we try, we have no clue.

                                      If they are self hosted, TLS is at their own discretion.

                                      1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Dashrender
                                        last edited by

                                        @Dashrender said in O365 and encrypted mail to other email systems:

                                        So I mentioned the TLS only option to my boss yesterday.

                                        I broke it down and told her there are basically two options:

1. Get a third party bolt-on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

                                        She left the conversation saying that I always leave her between a rock and a hard place. 😞

                                        That's not a rock and a hard place. It's a great option and a horrible one.

                                        It is more like:

1. Buy a non-email proprietary product that doesn't work at all unless you force every remote user to join up with the product that you have forced down their throats. This isn't email and doesn't satisfy any requirement for email, and if doing this, you could do any number of random non-email things like running your own FTP server; that's all that they are doing.

                                        2. Use TLS and provide an awesome, transparent, fully secure option that is email based and works for anyone with the slightest care OR anyone that uses free systems. Force it and "maybe" some places that have done ridiculous things to not have TLS "might" not get your email.

                                        3. Use TLS opportunistically and let customers decide if they want security on or off.

                                        Two good options, one bad one. If she feels like choice 1 is a valid option, it's because she is confused. Why does she feel that there is even a reason to be choosing? How is choice one even being considered once you explained it?

                                        DashrenderD 1 Reply Last reply Reply Quote 1
                                        • scottalanmillerS
                                          scottalanmiller @dafyre
                                          last edited by

                                          @dafyre said in O365 and encrypted mail to other email systems:

                                          @Dashrender said in O365 and encrypted mail to other email systems:

                                          So I mentioned the TLS only option to my boss yesterday.

                                          I broke it down and told her there are basically two options:

1. Get a third party bolt-on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

                                          She left the conversation saying that I always leave her between a rock and a hard place. 😞

                                          It becomes a simple choice, though... Spend money for a third-party product... or use standards based stuff and not spend money...

                                          All of the caveats of the TLS option apply to the third party one, too. So I think that the nature of the logic simply rules choice one out because of that.

                                          1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller
                                            last edited by

                                            Frame it more like this, at least to yourself:

                                            TLS Pros Compared to Zix: Cheaper, Standard, Nearly all customers get an effortless experience.

                                            Zix Pros Compared to TLS: None

                                            DashrenderD 1 Reply Last reply Reply Quote 1