Sending Secure E-Mail?

JasGot

I have a customer that needs to send e-mail to a company.
This customer does not want ANYONE other than the intended recipient to view the contents.

What are the options to do this, and what complexities do they impose?

I am aware of these methods and their problems:

1. send the info in an encrypted document that is attached
   1a) Some anti virus software will block encrypted attachments.
   1b) You still have to communicate the decryption password to the end user who is only available via e-mail.

2. Sites that allow you to send a document into their service/system and then the recipient has to go there to retrieve it
   2a) Recipient may refuse to go to a web site to retrieve an e-mail.
   2b) Recipient may not have web access with a browser.

Any other options? The key elements are 1) E-mail based and 2) cannot be read by anyone other than the recipient.

gjacobse

What is your current email system?

JaredBusch

@JasGot Flat not possible because of

1 would work except for 1b.
If the encrypted document and the password are both in email, it is not possible to not let anyone else (System Administrators) potentially have access to it.

2 would never work because the link and how to access it all come to the same email and (System Administrators) potentially have access to it.

JaredBusch

Once you get that told to them, you can then to get to the reason for such a stupid request. Likely a misunderstanding of some compliance need.

JasGot

@JaredBusch said in Sending Secure E-Mail?:

Once you get that told to them, you can then to get to the reason for such a stupid request. Likely a misunderstanding of some compliance need.

Here's the request from the customer. It makes sense. But is also difficult to overcome. Especially with state workers who will likely say "Not our process, FU"

<snip>

I’m looking for options for secure email transmissions of sensitive data.

The dept is engaged in a grant program with the State Department of Environment…, which requires us to include our banking information on every reimbursement application.

Because the Governor has closed the State offices, forcing the staff to work from home, The Grant Office has directed us to submit our applications via email or take the risk of having our applications sit unreviewed for a month, since the staff only go to the office once each month to pick up their mail. Even then, they are scanning the documents and emailing them, via unsecured email, to other staff members.

I have refused to include the banking information on documentation submitted via email, opting instead to email “incomplete” documentation to the staff and mailing the “complete” documentation to State’s office.

Is there a relatively inexpensive option for secure email transmission available to protect our banking info?

DustinB3403

Additional to what Jared said, what if the recipient left their computer unlocked or prints the email and leaves it about.

This sounds like a misunderstanding of the technology.

JaredBusch

So yeah, this ANYONE requirement is invalid. That is not how anything works.

Your client simply needs to force encryption on outbound email to the domain that these emails are sent to. End of story, everything secured. This is simple to do in O365 and not super hard with Exchange on prem. GSuite is also not hard to set this up.

They have zero control over how the government handles their data after it is delivered. They never did and sending it over email does not change this. In the past, the dropped off forms were likely scanned and then emailed around aslo.

scottalanmiller

@JasGot said in Sending Secure E-Mail?:

Is there a relatively inexpensive option for secure email transmission available to protect our banking info?

Check if the government is using TLS. If not, nothing is going to make that org secure, nothing. If it is, you are already secure.

This is really simple. Don't read too much into it. It's just communications between two people.

scottalanmiller

@JaredBusch said in Sending Secure E-Mail?:

In the past, the dropped off forms were likely scanned and then emailed around aslo.

Or faxed, much like sticking on a bulletin board somewhere.

scottalanmiller

@JaredBusch said in Sending Secure E-Mail?:

Your client simply needs to force encryption on outbound email to the domain that these emails are sent to. End of story, everything secured. This is simple to do in O365 and not super hard with Exchange on prem. GSuite is also not hard to set this up.

Yup, simply decide to not send unencrypted and voila, done. Email is incredibly secure by default these days.

brandon220

@scottalanmiller Try telling that to the auditors. Dealing with those folks make me want to drink.

jt1001001

What about PGP? Just did this for one of our users. Basic instructions here for PGP on Outlook.
https://www.comparitech.com/blog/information-security/pgp-encryption-with-outlook/

JaredBusch

@jt1001001 said in Sending Secure E-Mail?:

What about PGP?

The only communication method is email. so the key will be in email too. SO an admin will have access.

scottalanmiller

@brandon220 said in Sending Secure E-Mail?:

@scottalanmiller Try telling that to the auditors. Dealing with those folks make me want to drink.

If your auditors aren't competent, they aren't auditors, they are security breaches getting paid.

scottalanmiller

@jt1001001 said in Sending Secure E-Mail?:

What about PGP? Just did this for one of our users. Basic instructions here for PGP on Outlook.
https://www.comparitech.com/blog/information-security/pgp-encryption-with-outlook/

PGP is a great tool, but doesn't add anything beyond the existing TLS.

Dashrender

If you were allowed a one time phone call with the receiving person beforehand, you could provide the password to them. Or you could mail the password to them.

Obsolesce

@JasGot said in Sending Secure E-Mail?:

I have a customer that needs to send e-mail to a company.
This customer does not want ANYONE other than the intended recipient to view the contents.

What are the options to do this, and what complexities do they impose?

I am aware of these methods and their problems:

1. send the info in an encrypted document that is attached
   1a) Some anti virus software will block encrypted attachments.
   1b) You still have to communicate the decryption password to the end user who is only available via e-mail.

2. Sites that allow you to send a document into their service/system and then the recipient has to go there to retrieve it
   2a) Recipient may refuse to go to a web site to retrieve an e-mail.
   2b) Recipient may not have web access with a browser.

Any other options? The key elements are 1) E-mail based and 2) cannot be read by anyone other than the recipient.

Tell the recipients not to let anyone else have access to their email or their username and password. Tell recipients to enable MFA on their email. Tell recipients to secure the devices that have access to their email.

Then only they can see their email.

Dashrender

@Obsolesce said in Sending Secure E-Mail?:

@JasGot said in Sending Secure E-Mail?:

I have a customer that needs to send e-mail to a company.
This customer does not want ANYONE other than the intended recipient to view the contents.

What are the options to do this, and what complexities do they impose?

I am aware of these methods and their problems:

1. send the info in an encrypted document that is attached
   1a) Some anti virus software will block encrypted attachments.
   1b) You still have to communicate the decryption password to the end user who is only available via e-mail.

2. Sites that allow you to send a document into their service/system and then the recipient has to go there to retrieve it
   2a) Recipient may refuse to go to a web site to retrieve an e-mail.
   2b) Recipient may not have web access with a browser.

Any other options? The key elements are 1) E-mail based and 2) cannot be read by anyone other than the recipient.

Tell the recipients not to let anyone else have access to their email or their username and password. Tell recipients to enable MFA on their email. Tell recipients to secure the devices that have access to their email.

Then only they can see their email.

How does this keep the admin on the system from seeing the email?

Obsolesce

@Dashrender said in Sending Secure E-Mail?:

@Obsolesce said in Sending Secure E-Mail?:

@JasGot said in Sending Secure E-Mail?:

I have a customer that needs to send e-mail to a company.
This customer does not want ANYONE other than the intended recipient to view the contents.

What are the options to do this, and what complexities do they impose?

I am aware of these methods and their problems:

1. send the info in an encrypted document that is attached
   1a) Some anti virus software will block encrypted attachments.
   1b) You still have to communicate the decryption password to the end user who is only available via e-mail.

2. Sites that allow you to send a document into their service/system and then the recipient has to go there to retrieve it
   2a) Recipient may refuse to go to a web site to retrieve an e-mail.
   2b) Recipient may not have web access with a browser.

Any other options? The key elements are 1) E-mail based and 2) cannot be read by anyone other than the recipient.

Tell the recipients not to let anyone else have access to their email or their username and password. Tell recipients to enable MFA on their email. Tell recipients to secure the devices that have access to their email.

Then only they can see their email.

How does this keep the admin on the system from seeing the email?

Why would anyone other than the user have admin privileges on the system?

Dashrender

@Obsolesce said in Sending Secure E-Mail?:

@Dashrender said in Sending Secure E-Mail?:

@Obsolesce said in Sending Secure E-Mail?:

@JasGot said in Sending Secure E-Mail?:

I have a customer that needs to send e-mail to a company.
This customer does not want ANYONE other than the intended recipient to view the contents.

What are the options to do this, and what complexities do they impose?

I am aware of these methods and their problems:

1. send the info in an encrypted document that is attached
   1a) Some anti virus software will block encrypted attachments.
   1b) You still have to communicate the decryption password to the end user who is only available via e-mail.

2. Sites that allow you to send a document into their service/system and then the recipient has to go there to retrieve it
   2a) Recipient may refuse to go to a web site to retrieve an e-mail.
   2b) Recipient may not have web access with a browser.

Any other options? The key elements are 1) E-mail based and 2) cannot be read by anyone other than the recipient.

Tell the recipients not to let anyone else have access to their email or their username and password. Tell recipients to enable MFA on their email. Tell recipients to secure the devices that have access to their email.

Then only they can see their email.

How does this keep the admin on the system from seeing the email?

Why would anyone other than the user have admin privileges on the system?

the email admin.