O365 and encrypted mail to other email systems
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
You're assuming that that Zix, MS and Barracuda solutions allow you to reset them.
It's account based. And MS at least allows account resets.
What is account based? the encryption? so what? The account could have a key inside it that is lost if there is a forced reset by admins - Damn I'll have to dig up the dialog boxes that say this. Just because you can reset the password does not mean you have access to the past stuff, only future stuff.
True, but that brings up my other disaster comment. Need a standard reset that people do all of the time and suddenly your data is getting scraped. That's a really bad process. I know why they need to do it to be really secure, but boy is that bad.
You definitely have a point here, but it does remove the counter point you made earlier.
-
The thing I don't like about the third party options is we have been telling our users for years not to click or run stuff inside of emails... This forces them to do that to get their message. In that regard it makes the users less secure because now they are a little more click happy.
-
@Mike-Davis said in O365 and encrypted mail to other email systems:
The thing I don't like about the third party options is we have been telling our users for years not to click or run stuff inside of emails... This forces them to do that to get their message. In that regard it makes the users less secure because now they are a little more click happy.
Preach it brother!!!!
-
@Mike-Davis said in O365 and encrypted mail to other email systems:
The thing I don't like about the third party options is we have been telling our users for years not to click or run stuff inside of emails... This forces them to do that to get their message. In that regard it makes the users less secure because now they are a little more click happy.
That's an excellent point. It makes the users unable to determine what is and is not safe.
And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."
If you request the data by email, I don't feel that these fulfil that obligation.
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."
This is something few others than Scott would say.
-
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."
This is something few others than Scott would say.
And that's why other people get socially engineered into ransomware attacks so easilyl
-
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."
This is something few others than Scott would say.
Imagine if I call you and tell you that a package is in the mail. It would be insane to say that I sent you the info over the phone, right?
Why do people treat it differently there?
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."
This is something few others than Scott would say.
And that's why other people get socially engineered into ransomware attacks so easilyl
You get a +1 and a Thumbs up for that!
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."
This is something few others than Scott would say.
Imagine if I call you and tell you that a package is in the mail. It would be insane to say that I sent you the info over the phone, right?
Why do people treat it differently there?
I don't think that's a good example. If you want to use mail - then I'd say something close would be the note left on your door that the package wasn't left because your porch wasn't a secure location, so we left it at the PO for you to pick up.
-
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
@TAHIN said in O365 and encrypted mail to other email systems:
@scottalanmiller said in [O365 and encrypted mail to other email systems](/topic/9231/o365-and-encrypted-mail-to-other-email-the user almost certainly does not have a Microsoft account and instead of sending them their data we've are forcing them to sign up with a third party vendor who is holding their data until they get them as a customer (even if only as a free one.)
Yeah, the fact that it has to be an entire MS account on the part of the recipient would be a dealbreaker for me.
Yeah, I don't like that "a third party owns your data" thing. It is the same with Zix and everyone else. I'd find that very distasteful as a customer. It's my data, you have a secure way to send it to me already, why do I have to make an account with a third party to get my own data over a channel that is already secure?
Because it's not really secure. The admins of the system of email you use have full access to that data.
You are contradicting yourself. You just said a few posts up that Zix does exactly this anyway it the recipient's domain is also a Zix customer. What is on the other end simply does not matter. We all keep telling you that. It only matters that you send from your server to theirs are encrypted.
-
@Kelly said in O365 and encrypted mail to other email systems:
@Dashrender Just get hit by a Cryptowall variant. Everything is encrypted at rest then. Problem solved.
http://s2.quickmeme.com/img/fc/fc7e1b09bcb54f86aa53394b8047e95261357c74410860202c8d6f3ea2787b53.jpg
-
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."
This is something few others than Scott would say.
Imagine if I call you and tell you that a package is in the mail. It would be insane to say that I sent you the info over the phone, right?
Why do people treat it differently there?
I don't think that's a good example. If you want to use mail - then I'd say something close would be the note left on your door that the package wasn't left because your porch wasn't a secure location, so we left it at the PO for you to pick up.
No, that's nothing like it. You did NOT try to make a delivery and fail, you refused the agreed upon delivery method, went with a different one and only used the agreed upon one to notify me of the other one and then use terminology to sound like you did what we had agreed on.
It is exactly the phone example and nothing like your "you weren't home" example.
-
If this is a consistent and regular communication would setting up S/MIME be an option?
-
@Kelly said in O365 and encrypted mail to other email systems:
If this is a consistent and regular communication would setting up S/MIME be an option?
That's tantamount to GPG. So I would agree, when you get to that level, that kind of thing makes sense.
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Kelly said in O365 and encrypted mail to other email systems:
If this is a consistent and regular communication would setting up S/MIME be an option?
That's tantamount to GPG. So I would agree, when you get to that level, that kind of thing makes sense.
How is S/MIME tantamount to GPG?
-
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Kelly said in O365 and encrypted mail to other email systems:
If this is a consistent and regular communication would setting up S/MIME be an option?
That's tantamount to GPG. So I would agree, when you get to that level, that kind of thing makes sense.
How is S/MIME tantamount to GPG?
By being essentially the same thing...
-
I'm now on the hunt for others who are suggesting, or agreeing that TLS is enough to get the OCR auditors off your back if/when you get one.
I found http://www.hitechanswers.net/7-hipaa-compliant-assumptions-can-trip/
Our email provider offers TLS encryption, so we’re secure in sending email attachments.
TLS encryption is a great tool to help secure emails in transit, but only works if both sides of the email transaction are configured properly. Many consumer email providers aren’t equipped to support TLS encryption for their subscribers. If your email provider is only using opportunistic TLS and the recipient doesn’t support TLS, emails with PHI could be transmitted with no encryption at all. You may want to think twice about sending PHI over email, particularly when other, more secure methods are available.So this is promising. Disable opportunistic TLS, i.e. require TLS and the problem is solved. I really do wonder how many systems we email that don't support TLS?
Time to look at the logs I guess - but that will have to wait until June - Deploying Win10 now.
-
Here's a vendor that basically makes it's living off TLS only connections for HIPAA compliant email delivery.
-
And I found instructions on how to implement TLS required (aka Forced TLS) on an Exchange server.
http://o365info.com/configuring-the-option-of-force-tls-in-exchange-on-premises-environment-part-4-12-tls/ -
Well this is three years old but this guy really doesn't like only using TLS - but he doesn't specifically mention locking your server down to sending TLS only.
http://betanews.com/2013/09/02/5-big-myths-surrounding-computer-security-and-hipaa-compliance/
It's about 1/3rd the way down.
frankly I see a lot of things I don't like/agree with in this writeup.
