
    O365 and encrypted mail to other email systems

    IT Discussion
    Tags: office365, audit, hipaa, ocr
      Dashrender @scottalanmiller

      @scottalanmiller said in O365 and encrypted mail to other email systems:

      @Dashrender said in O365 and encrypted mail to other email systems:

      No, that doesn't hold up. Encryption at rest is yet a third issue. Both of these mechanisms decrypt along the chain. Only the recipient, literally only they, can decide to be encrypted at rest. That's never something that you can force. You can force it on the sender's side, and this isn't doing that here. But you have to trust the recipient to store it in an encrypted fashion and... none will.

      Eh? That's not how I understand how it works - most systems, the way I have seen it work, work as you mentioned - think GPG/PGP, the file is encrypted by me, emailed to them, then they can enter a password to open the file. Opening the file effectively takes it out of email. The original file inside email is still encrypted, unless the end user removes it from email and puts the unencrypted version back into their own system, therefore you'll still have email encrypted at rest.

      If you send me an email and I open it to read it, GPG, Zix, PDF, 7Zip, doesn't matter... once I am opening that file, it is unencrypted. For me to save it and use it, I'm not going to save it encrypted, that's ridiculous. The natural progression of things means that you've forced me to use a system that is complicated and heavy in effort and actually caused me to save the file locally to be able to access it. So instead of the naturally more secure "storing it in email" system, it's now pushed me to store it locally.

      If your goal is secure at rest, you've effectively social engineered that out of the system. In no case are you responsible for it at rest and in no case can you force it, but by doing this you are going dramatically out of your way to make it the least likely to happen.

      LOL, pushed you out of that system. While I agree if you store it locally unencrypted, which I agree, everyone would do, it's definitely on the end user at that point.

      But I will capitulate to the fact that once the email is delivered to the remote server, it's no longer my concern, the question is.. is it my responsibility to ensure that the admin of the remote server can't read it as well? If the answer is yes, then you still can't send plain text messages through the TLS pipe.. it still needs to be encrypted itself so that only the receiver can open it.

      Which brings about some questions - in a Zix setup, can the admin open the messages? How about the MS solution? Scott was claiming that if it's O365 to O365 it's basically useless, but is it really? Perhaps the message sits encrypted on the server so O365 admins can't read it, but the decryption code is used as part of the end user's logon process.

        Dashrender @TAHIN

        @TAHIN said in O365 and encrypted mail to other email systems:

        @Dashrender said in O365 and encrypted mail to other email systems:

        how is this any different than setting up a Zix account? or a Barracuda one?

        You get a barracuda account so you can log in to un-encrypt your email. You get a MS account so you can be tracked/get sold/receive spam.

        Do you know for a fact that Barracuda isn't doing the same?

          Dashrender @scottalanmiller

          @scottalanmiller said in O365 and encrypted mail to other email systems:

          @Dashrender said in O365 and encrypted mail to other email systems:

          I'm getting confused Scott - Data at rest isn't currently a requirement to be encrypted, but damn, when the next rounds of legislation come, I'm sure it will be.

          It literally cannot be. If they did that, every medical practice would just back up and be done. You can't control data at rest for transferred data, ever. Period, it's actually a crime to try to do that as you'd have to hack their systems.

          Data at rest on my side, of course I can't force their side.

            TAHIN @Dashrender

            @Dashrender said in O365 and encrypted mail to other email systems:

            But I will capitulate to the fact that once the email is delivered to the remote server, it's no longer my concern, the question is.. is it my responsibility to ensure that the admin of the remote server can't read it as well? If the answer is yes, then you still can't send plain text messages through the TLS pipe.. it still needs to be encrypted itself so that only the receiver can open it.

            The answer is no. It made it to a receiving SMTP gateway with all the proper TLS stamps. Your job is 100% done.

              Dashrender @scottalanmiller

              @scottalanmiller said in O365 and encrypted mail to other email systems:

              @TAHIN said in O365 and encrypted mail to other email systems:

              I believe Barracuda, from their web interface after you log in and decrypt your email, gives you a Deliver option, that will deliver the unencrypted version to the original destination.

              Totally bypassing the whole point and tricking the sender into thinking that they secured something that they did not.

              Yeah, that's a pretty horrible option if it's really there.

                scottalanmiller @Dashrender

                @Dashrender said in O365 and encrypted mail to other email systems:

                LOL, pushed you out of that system. While I agree if you store it locally unencrypted, which I agree, everyone would do, it's definitely on the end user at that point.

                But it is definitely on them, no matter what. Period. It's equally on them in all cases. That's my whole point.

                  TAHIN @Dashrender

                  @Dashrender said in O365 and encrypted mail to other email systems:

                  I believe Barracuda, from their web interface after you log in and decrypt your email, gives you a Deliver option, that will deliver the unencrypted version to the original destination.

                  Totally bypassing the whole point and tricking the sender into thinking that they secured something that they did not.

                  Yeah, that's a pretty horrible option if it's really there.

                  Right, it would be more like 2-step authentication and less about maintaining consistent security.

                    Dashrender

                    @TAHIN , so - you guys are using a Barracuda appliance - why? According to Scott's and your arguments, it's completely unnecessary.

                      scottalanmiller @Dashrender

                      @Dashrender said in O365 and encrypted mail to other email systems:

                      But I will capitulate to the fact that once the email is delivered to the remote server, it's no longer my concern, the question is.. is it my responsibility to ensure that the admin of the remote server can't read it as well? If the answer is yes, then you still can't send plain text messages through the TLS pipe.. it still needs to be encrypted itself so that only the receiver can open it.

                      Agreed, how do Zix or MS or Barracuda handle that? Anything that uses an account doesn't work. Because, for example, @Minion-Queen can access my O365 account, reset it and access my data. So the MS option does NOT protect against admin access to the data, which was my point earlier. The account admin still has access to everything, just like the Exchange admin did before. So... the whole thing is smoke and mirrors to trick people looking for a "security checkbox" but not looking for actual security.

                      GPG is what really does what you are looking for and trust me NO end user will do it.

                        Dashrender @scottalanmiller

                        @scottalanmiller said in O365 and encrypted mail to other email systems:

                        @Dashrender said in O365 and encrypted mail to other email systems:

                        OK - this ^. Sadly the lawyer only considers this to be "secure email". Without this layer, sending an email is not considered secure, and fails audits.

                        Here is the bigger concern... this means that you have a social engineer in your midst that should not have access to the systems. So much bigger than your concerns around email security is letting someone who is actively scamming your business in to do an audit. This is, to me, an active criminal of sorts allowed in to look at these systems. That person AND whoever let them in are security vulnerabilities that you need to address.

                        As another auditor... I would flag those two people as serious issues that should not be allowed access to the records.

                        OK I'll admit that I tossed the lawyer thing out there for a point - I'm not actually being audited nor have I gone to a lawyer to ask (or my company hasn't asked). But I have read plenty - and you're going to tell me it's all wrong - on the internet that this is the requirement.

                          scottalanmiller @Dashrender

                          @Dashrender said in O365 and encrypted mail to other email systems:

                          Perhaps the message sits encrypted on the server so O365 admins can't read it, but the decryption code is used as part of the end user's logon process.

                          Here is my thought there. If my boss can access my account, then their admins can access my boss' account since they can reset it. They've got great processes to make sure that no one does that, yes. But you have the security of that, again, just using TLS.

                          This just goes to show why the TLS end to end system is the only one that makes sense until you jump to GPG. This silly in between stuff is all just for show.

                            scottalanmiller @Dashrender

                            @Dashrender said in O365 and encrypted mail to other email systems:

                            @scottalanmiller said in O365 and encrypted mail to other email systems:

                            @Dashrender said in O365 and encrypted mail to other email systems:

                            I'm getting confused Scott - Data at rest isn't currently a requirement to be encrypted, but damn, when the next rounds of legislation come, I'm sure it will be.

                            It literally cannot be. If they did that, every medical practice would just back up and be done. You can't control data at rest for transferred data, ever. Period, it's actually a crime to try to do that as you'd have to hack their systems.

                            Data at rest on my side, of course I can't force their side.

                            You don't need this for that. You encrypt at rest using disk encryption, not payload encryption. You are getting less security for more work. Disk encryption would protect even the email addresses and transaction history.

                            No matter what your security goal is, these weird half assed account encryption things don't solve it.

                              scottalanmiller @TAHIN

                              @TAHIN said in O365 and encrypted mail to other email systems:

                              @Dashrender said in O365 and encrypted mail to other email systems:

                              But I will capitulate to the fact that once the email is delivered to the remote server, it's no longer my concern, the question is.. is it my responsibility to ensure that the admin of the remote server can't read it as well? If the answer is yes, then you still can't send plain text messages through the TLS pipe.. it still needs to be encrypted itself so that only the receiver can open it.

                              The answer is no. It made it to a receiving SMTP gateway with all the proper TLS stamps. Your job is 100% done.

                              Exactly. If you want to be as sure as possible, encrypt at rest on your side on disk and require TLS. Done, wash your hands. It doesn't get to be "less your problem" than that.

                                Dashrender @scottalanmiller

                                @scottalanmiller said in O365 and encrypted mail to other email systems:

                                @Dashrender said in O365 and encrypted mail to other email systems:

                                But I will capitulate to the fact that once the email is delivered to the remote server, it's no longer my concern, the question is.. is it my responsibility to ensure that the admin of the remote server can't read it as well? If the answer is yes, then you still can't send plain text messages through the TLS pipe.. it still needs to be encrypted itself so that only the receiver can open it.

                                Agreed, how do Zix or MS or Barracuda handle that? Anything that uses an account doesn't work. Because, for example, @Minion-Queen can access my O365 account, reset it and access my data. So the MS option does NOT protect against admin access to the data, which was my point earlier. The account admin still has access to everything, just like the Exchange admin did before. So... the whole thing is smoke and mirrors to trick people looking for a "security checkbox" but not looking for actual security.

                                GPG is what really does what you are looking for and trust me NO end user will do it.

                                You're assuming that Zix, MS and Barracuda solutions allow you to reset them.

                                I know in the case of encrypted files under a single user in Windows, if you reset the password, all files encrypted under the old one will no longer unencrypt. They are lost. Only through a proper normal password change can the user change their password and not lose access to the encrypted files.

                                Zix, etc. could do the same. Fine unlock the account for future messages, but not past ones.

                                  scottalanmiller @Dashrender

                                  @Dashrender said in O365 and encrypted mail to other email systems:

                                  @scottalanmiller said in O365 and encrypted mail to other email systems:

                                  @TAHIN said in O365 and encrypted mail to other email systems:

                                  I believe Barracuda, from their web interface after you log in and decrypt your email, gives you a Deliver option, that will deliver the unencrypted version to the original destination.

                                  Totally bypassing the whole point and tricking the sender into thinking that they secured something that they did not.

                                  Yeah, that's a pretty horrible option if it's really there.

                                  Right, which is why I see it as nearly social engineering and being passed through the lawyer making it negligent to push it.

                                    TAHIN

                                    @Dashrender said in O365 and encrypted mail to other email systems:

                                    @TAHIN , so - you guys are using a Barracuda appliance - why? According to Scott's and your arguments, it's completely unnecessary.

                                    I did at my last job in the medical sector, but not any more. This is where Scott and my philosophies may differ a little bit. Even though we weren't required to maintain security on the other end, we did fall into the 'best effort' mindset. If we were sending stuff to a lawyer or doctor's office that we didn't have a close relationship with, we did what we could to guarantee security knowing that their email system may have flaws, especially if we had the means. Would we have done it if it weren't a free feature from our anti-spam provider? Probably not.

                                      scottalanmiller @Dashrender

                                      @Dashrender said in O365 and encrypted mail to other email systems:

                                      You're assuming that Zix, MS and Barracuda solutions allow you to reset them.

                                      It's account based. And MS at least allows account resets.

                                        Dashrender @scottalanmiller

                                        @scottalanmiller said in O365 and encrypted mail to other email systems:

                                        @Dashrender said in O365 and encrypted mail to other email systems:

                                        @scottalanmiller said in O365 and encrypted mail to other email systems:

                                        @Dashrender said in O365 and encrypted mail to other email systems:

                                        I'm getting confused Scott - Data at rest isn't currently a requirement to be encrypted, but damn, when the next rounds of legislation come, I'm sure it will be.

                                        It literally cannot be. If they did that, every medical practice would just back up and be done. You can't control data at rest for transferred data, ever. Period, it's actually a crime to try to do that as you'd have to hack their systems.

                                        Data at rest on my side, of course I can't force their side.

                                        You don't need this for that. You encrypt at rest using disk encryption, not payload encryption. You are getting less security for more work. Disk encryption would protect even the email addresses and transaction history.

                                        No matter what your security goal is, these weird half assed account encryption things don't solve it.

                                        Agreed, I wouldn't use this for encryption on my side, never said I would though either.

                                          scottalanmiller @Dashrender

                                          @Dashrender said in O365 and encrypted mail to other email systems:

                                          I know in the case of encrypted files under a single user in Windows, if you reset the password, all files encrypted under the old one will no longer unencrypt. They are lost. Only through a proper normal password change can the user change their password and not lose access to the encrypted files.

                                          Zix, etc. could do the same. Fine unlock the account for future messages, but not past ones.

                                          So your better hope is that an admin could delete ALL of your data without your permission. Yeah, that sounds like a great idea.

                                          Forget your email password, all of your data is scrapped automatically. Total fail. This isn't the CIA, we don't want to burn our data like that.

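Added example, not part of the thread and not Windows', Microsoft's, Zix's or Barracuda's actual implementation: a toy model of the reset-versus-change behaviour discussed in the posts above, in which a random data key is wrapped under a password-derived key. The `Mailbox` class, its `escrow` flag, the XOR-plus-HMAC wrapping and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 20_000  # PBKDF2 work factor; a demo value, not a recommendation

def _derive(password, salt):
    """Stretch a password into a 32-byte wrapping pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def wrap(data_key, password):
    """Wrap a 32-byte data key under a password; a fresh salt gives a fresh pad."""
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap(blob, password):
    """Return the data key, or None when the password does not match the blob."""
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, pad))

class Mailbox:
    """Hypothetical mailbox whose stored mail is encrypted under one data key."""
    def __init__(self, password, escrow):
        key = secrets.token_bytes(32)
        self.blob = wrap(key, password)        # password-wrapped key kept by the server
        self.escrow = key if escrow else None  # provider-held copy (account-based model)
        self.orphaned = []                     # wrapped keys the new password cannot open

    def open(self, password):
        return unwrap(self.blob, password)

    def change_password(self, old, new):
        """Normal change: the user proves the old password, so the key is re-wrapped."""
        key = unwrap(self.blob, old)
        if key is None:
            return False
        self.blob = wrap(key, new)
        return True

    def admin_reset(self, new):
        """Reset without the old password: only an escrowed key survives it."""
        if self.escrow is not None:
            self.blob = wrap(self.escrow, new)  # old mail survives because the provider held the key
        else:
            self.orphaned.append(self.blob)     # old key stays sealed under the old password
            self.blob = wrap(secrets.token_bytes(32), new)  # new key covers future mail only

def demo():
    """Map escrow flag -> (old mail readable after change, old mail readable after reset)."""
    results = {}
    for escrow in (False, True):
        box = Mailbox("old-pass", escrow)
        original = box.open("old-pass")
        box.change_password("old-pass", "new-pass")
        after_change = box.open("new-pass") == original
        box.admin_reset("reset-pass")
        after_reset = box.open("reset-pass") == original
        results[escrow] = (after_change, after_reset)
    return results

if __name__ == "__main__":
    print(demo())
```

In this model, old mail can only survive an administrative reset when a copy of the key exists outside the user's password, which is the same property that lets someone other than the user read it.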

                                            scottalanmiller @TAHIN

                                            @TAHIN said in O365 and encrypted mail to other email systems:

                                            @Dashrender said in O365 and encrypted mail to other email systems:

                                            @TAHIN , so - you guys are using a Barracuda appliance - why? According to Scott's and your arguments, it's completely unnecessary.

                                            I did at my last job in the medical sector, but not any more. This is where Scott and my philosophies may differ a little bit. Even though we weren't required to maintain security on the other end, we did fall into the 'best effort' mindset. If we were sending stuff to a lawyer or doctor's office that we didn't have a close relationship with, we did what we could to guarantee security knowing that their email system may have flaws, especially if we had the means. Would we have done it if it weren't a free feature from our anti-spam provider? Probably not.

                                            My philosophy is different in that I feel that the additional effort is a huge negative and causes people to do really insecure things or just give up and may often give a false sense of security, like to the auditor in question here.

                                            If I needed to secure to the recipient for sure, GPG every time.
