ZixCorp EMail Encryption
-
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
Two customers who both use Zix don't have to use the secure website, as the Zix appliances take care of that layer and send the email unencrypted back to your email box.
So the email is unsecured? What's the point?
This just depends on how you look at it.
Let's assume both sender and receiver have Exchange. Assuming both are using secure connections between their email client and the Exchange server (default for Outlook). The email is sent securely to Exchange, which is sent securely to the local/sender Zix black box, which is sent securely to the receiver's Zix black box, which is sent securely to the receiver's Exchange server, which is sent securely to the receiver's Outlook.
Of course, the admin of either side can normally see all of the email on their own systems if needed - so is that what you mean by not secure?
-
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
Two customers who both use Zix don't have to use the secure website, as the Zix appliances take care of that layer and send the email unencrypted back to your email box.
So the email is unsecured? What's the point?
This just depends on how you look at it.
Let's assume both sender and receiver have Exchange. Assuming both are using secure connections between their email client and the Exchange server (default for Outlook). The email is sent securely to Exchange, which is sent securely to the local/sender Zix black box, which is sent securely to the receiver's Zix black box, which is sent securely to the receiver's Exchange server, which is sent securely to the receiver's Outlook.
Of course, the admin of either side can normally see all of the email on their own systems if needed - so is that what you mean by not secure?
Right, Exchange has X security to begin with. We presume that the goal of Zix is to add more security. But nothing more is added. The places where Exchange is secure remain secure and the places where it is not, remain insecure (the resting mailbox storage.) So other than milking the coffers, what is Zix even doing here? It appears to do literally nothing. In any situation where you have Exchange and Zix, you have end to end encryption of the transport as an option already without Zix.
-
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
Two customers who both use Zix don't have to use the secure website, as the Zix appliances take care of that layer and send the email unencrypted back to your email box.
So the email is unsecured? What's the point?
This just depends on how you look at it.
Let's assume both sender and receiver have Exchange. Assuming both are using secure connections between their email client and the Exchange server (default for Outlook). The email is sent securely to Exchange, which is sent securely to the local/sender Zix black box, which is sent securely to the receiver's Zix black box, which is sent securely to the receiver's Exchange server, which is sent securely to the receiver's Outlook.
Of course, the admin of either side can normally see all of the email on their own systems if needed - so is that what you mean by not secure?
Right, Exchange has X security to begin with. We presume that the goal of Zix is to add more security. But nothing more is added. The places where Exchange is secure remain secure and the places where it is not, remain insecure (the resting mailbox storage.) So other than milking the coffers, what is Zix even doing here? It appears to do literally nothing. In any situation where you have Exchange and Zix, you have end to end encryption of the transport as an option already without Zix.
Well it doesn't do literally nothing - it scans the outgoing messages and prevents data that is identified as protected from being transmitted over an unencrypted line to an outside party (i.e. another email server). If both parties have Zix, there is 'nothing' to worry about: the data is sent between the two customers through Zix encryption over the internet, but, if one side doesn't have Zix, then it sends the recipient an email telling them to log into the web portal for delivery of the message.
-
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
Two customers who both use Zix don't have to use the secure website, as the Zix appliances take care of that layer and send the email unencrypted back to your email box.
So the email is unsecured? What's the point?
This just depends on how you look at it.
Let's assume both sender and receiver have Exchange. Assuming both are using secure connections between their email client and the Exchange server (default for Outlook). The email is sent securely to Exchange, which is sent securely to the local/sender Zix black box, which is sent securely to the receiver's Zix black box, which is sent securely to the receiver's Exchange server, which is sent securely to the receiver's Outlook.
Of course, the admin of either side can normally see all of the email on their own systems if needed - so is that what you mean by not secure?
Right, Exchange has X security to begin with. We presume that the goal of Zix is to add more security. But nothing more is added. The places where Exchange is secure remain secure and the places where it is not, remain insecure (the resting mailbox storage.) So other than milking the coffers, what is Zix even doing here? It appears to do literally nothing. In any situation where you have Exchange and Zix, you have end to end encryption of the transport as an option already without Zix.
Well it doesn't do literally nothing - it scans the outgoing messages and prevents data that is identified as protected from being transmitted over an unencrypted line to an outside party (i.e. another email server). If both parties have Zix, there is 'nothing' to worry about: the data is sent between the two customers through Zix encryption over the internet, but, if one side doesn't have Zix, then it sends the recipient an email telling them to log into the web portal for delivery of the message.
Okay, but you should not rely on Zix to determine what needs to be secure, right? Just make everything secure and then the Zix appliance is pointless. Seems like a lot of money (it's not cheap, right?) and effort and cumbersome when just setting Exchange to TLS only will do a better job more reliably?
-
Yes making Exchange only send via TLS would be one option to make Zix pointless. The only thing of concern is what about any email domains you send to that don't support TLS connections - this might be a non issue, it might be a huge one, no way to know until you try I guess.
-
@Dashrender said in ZixCorp EMail Encryption:
Yes making Exchange only send via TLS would be one option to make Zix pointless. The only thing of concern is what about any email domains you send to that don't support TLS connections - this might be a non issue, it might be a huge one, no way to know until you try I guess.
Well a couple of things there...
- If you run into issues, tell those people to turn on security as it is obviously an issue.
- Do you want to be communicating with people when things are not secure?
- Generally this is not a problem at all; all major email systems are secure.
-
I get the impression that this is scratching an itch that no one had. Is Zix deployed to fix an "assumed" issue that was never investigated?
-
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
Yes making Exchange only send via TLS would be one option to make Zix pointless. The only thing of concern is what about any email domains you send to that don't support TLS connections - this might be a non issue, it might be a huge one, no way to know until you try I guess.
Well a couple of things there...
- If you run into issues, tell those people to turn on security as it is obviously an issue.
- Do you want to be communicating with people when things are not secure?
- Generally this is not a problem at all; all major email systems are secure.
Most hospitals don't use major email systems (nor do clinics of any size).
Do I want to be communicating with people when they aren't secure? I'm faxing so I guess the answer is, yes, yes I do want to communicate when it's not secure.
I can tell someone until I'm blue in the face, I can't force them to do anything about it.
-
@scottalanmiller said in ZixCorp EMail Encryption:
I get the impression that this is scratching an itch that no one had. Is Zix deployed to fix an "assumed" issue that was never investigated?
Zix and others are selling a HIPAA solution that allows non HIPAA data to still flow with no portal/TLS connection.
-
@Dashrender said in ZixCorp EMail Encryption:
Most hospitals don't use major email systems (nor do clinics of any size).
So are you saying....
- That they run their own and secure it?
- Are insecure and don't protect patient data?
- Don't run their own email and use little mom and pop shops?
-
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
I get the impression that this is scratching an itch that no one had. Is Zix deployed to fix an "assumed" issue that was never investigated?
Zix and others are selling a HIPAA solution that allows non HIPAA data to still flow with no portal/TLS connection.
Didn't question that. I asked if you were running something to fix a problem that had not been identified.
-
@Dashrender said in ZixCorp EMail Encryption:
I can tell someone until I'm blue in the face, I can't force them to do anything about it.
Doesn't change the base question... is there anyone out there to tell? I think not. Sounds fanciful to suggest that the hospitals that you are dealing with won't accept secure email. Are you really saying that they would block that? You honestly think that?
-
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
I get the impression that this is scratching an itch that no one had. Is Zix deployed to fix an "assumed" issue that was never investigated?
Zix and others are selling a HIPAA solution that allows non HIPAA data to still flow with no portal/TLS connection.
Didn't question that. I asked if you were running something to fix a problem that had not been identified.
I guess I don't understand the question -
The problem as I see it is - HIPAA says you can't transmit PHI over a public connection unencrypted. Email is unencrypted by default. The use of TLS for email is probably 3 or so years old as a common thing. Google didn't even force the use of HTTPS for Gmail at the beginning. So yes, there was a problem many years ago. Is it still a problem today? I have no clue.
-
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
I can tell someone until I'm blue in the face, I can't force them to do anything about it.
Doesn't change the base question... is there anyone out there to tell? I think not. Sounds fanciful to suggest that the hospitals that you are dealing with won't accept secure email. Are you really saying that they would block that? You honestly think that?
OH, Now I didn't say that - I just said that they aren't using mainstream email services, like O365. At the hospital level, I'm sure they do accept TLS connections to receive email over. But the ones around here ARE using Zix to send outgoing secure email, instead of just turning all of their email server onto TLS only outbound email, which would be just as good, as long as the receiving side accepts TLS connections.
I have no idea what percentage of email systems today don't accept TLS based email.
-
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
I get the impression that this is scratching an itch that no one had. Is Zix deployed to fix an "assumed" issue that was never investigated?
Zix and others are selling a HIPAA solution that allows non HIPAA data to still flow with no portal/TLS connection.
Didn't question that. I asked if you were running something to fix a problem that had not been identified.
I guess I don't understand the question -
The problem as I see it is - HIPAA says you can't transmit PHI over a public connection unencrypted. Email is unencrypted by default. The use of TLS for email is probably 3 or so years old as a common thing. Google didn't even force the use of HTTPS for Gmail at the beginning. So yes, there was a problem many years ago. Is it still a problem today? I have no clue.
TLS for email is pretty old. Google's HTTPS is a red herring.
The assumption in the industry is that this problem does not exist today or for a while. Your use of Zix is predicated on a security problem that, while totally possible, seems almost implausible, at very least unlikely. All major email hosts and email platforms have this by default. Only a shop making an effort to disable security, a literal effort, would be expected to not have TLS long before today.
-
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
I can tell someone until I'm blue in the face, I can't force them to do anything about it.
Doesn't change the base question... is there anyone out there to tell? I think not. Sounds fanciful to suggest that the hospitals that you are dealing with won't accept secure email. Are you really saying that they would block that? You honestly think that?
OH, Now I didn't say that - I just said that they aren't using mainstream email services, like O365. At the hospital level, I'm sure they do accept TLS connections to receive email over. But the ones around here ARE using Zix to send outgoing secure email, instead of just turning all of their email server onto TLS only outbound email, which would be just as good, as long as the receiving side accepts TLS connections.
I have no idea what percentage of email systems today don't accept TLS based email.
That they ARE using Zix, though, is a red herring, right? All that you care about is that they have TLS. If they do, you get to save that money. Zix is just there to duplicate what Exchange already does.
-
Easy enough to find out...
-
@scottalanmiller said in ZixCorp EMail Encryption:
Easy enough to find out...
Nice, but that's not what I meant... that only lets you test one at a time, or buy a subscription to still do it manually.
I mean, I wonder if someone has done a scan of the internet to see what percentage of email servers only allow non TLS enabled communications?
-
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
@Dashrender said in ZixCorp EMail Encryption:
@scottalanmiller said in ZixCorp EMail Encryption:
I get the impression that this is scratching an itch that no one had. Is Zix deployed to fix an "assumed" issue that was never investigated?
Zix and others are selling a HIPAA solution that allows non HIPAA data to still flow with no portal/TLS connection.
Didn't question that. I asked if you were running something to fix a problem that had not been identified.
I guess I don't understand the question -
The problem as I see it is - HIPAA says you can't transmit PHI over a public connection unencrypted. Email is unencrypted by default. The use of TLS for email is probably 3 or so years old as a common thing. Google didn't even force the use of HTTPS for Gmail at the beginning. So yes, there was a problem many years ago. Is it still a problem today? I have no clue.
TLS for email is pretty old. Google's HTTPS is a red herring.
Yes I know it's a red herring - but it was an example of how long the technology has been there compared to when it was actually put into service.
The assumption in the industry is that this problem does not exist today or for a while. Your use of Zix is predicated on a security problem that, while totally possible, seems almost implausible, at very least unlikely. All major email hosts and email platforms have this by default. Only a shop making an effort to disable security, a literal effort, would be expected to not have TLS long before today.
Zix was deployed when it WAS a problem, when there was a 50/50 shot that someone might NOT have TLS enabled, and those customers just continue to use it.
-
What needs to happen is email servers just need to move to a default of not sending unless TLS is enabled - you could have the email system then send a note back to the user who can then decide if they want it sent unencrypted or not.
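
On the question raised in the thread of checking more than one recipient mail server at a time before making outbound mail TLS-only, here is a Python sketch, added as an example and not code from any poster or from Zix. It reads each server's EHLO reply for the STARTTLS keyword and sorts domains by what a TLS-only send rule would do with them; the domain names and EHLO replies are constructed, and `probe` assumes you already know each domain's MX host.

```python
import smtplib

def advertises_starttls(ehlo_reply):
    """True if a captured multi-line EHLO reply lists the STARTTLS keyword."""
    lines = [l.strip() for l in ehlo_reply.splitlines() if l.strip()]
    # The first 250 line is the server greeting, not an extension keyword.
    for line in lines[1:]:
        if len(line) < 5 or not line.startswith("250") or line[3] not in "- ":
            continue
        if line[4:].split(" ", 1)[0].upper() == "STARTTLS":
            return True
    return False

def probe(mx_host, timeout=10):
    """Live check of one MX host on port 25; None when it cannot be reached.
    This reports advertised support only; it does not validate the certificate."""
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as conn:
            conn.ehlo()
            return conn.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return None

def triage(results):
    """Split {domain: True/False/None} by what a TLS-only send rule would do."""
    report = {"deliver": [], "hold": [], "unknown": []}
    for domain, supports_tls in sorted(results.items()):
        if supports_tls is None:
            report["unknown"].append(domain)
        else:
            report["deliver" if supports_tls else "hold"].append(domain)
    return report

# Constructed EHLO replies for made-up recipient domains (None = no answer).
SAMPLE_REPLIES = {
    "clinic-a.example": "250-mx.clinic-a.example Hello\n250-SIZE 36700160\n250-STARTTLS\n250 8BITMIME",
    "clinic-b.example": "250-mx.clinic-b.example Hello\n250-SIZE 10240000\n250 8BITMIME",
    "clinic-c.example": None,
}

def triage_sample():
    return triage({d: (advertises_starttls(r) if r is not None else None)
                   for d, r in SAMPLE_REPLIES.items()})

if __name__ == "__main__":
    print(triage_sample())
```

For a live run, build the input with `{domain: probe(mx_host)}` over the recipient domains taken from your own outbound mail logs; the "hold" list is the set of partners that would stop receiving mail under a TLS-only rule.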