encrypted email options?
-
@Dashrender said in encrypted email options?:
@Obsolesce said in encrypted email options?:
@Dashrender said in encrypted email options?:
The use of secure email is primarily with outside persons and companies. No home user (patient) is ever going to setup PKI to get an email from us.
I only listed it because I figured someone would blast me for not listing it. It's a complete non-starter in our case. It's also why I specifically mentioned the typically used with gov'ts.
Oh yeah that's a totally different case. Your only real option then if dealing with patients and all that is the one built into O365, that takes you to a portal to decrypt it.
Right - this is what we see 90% of the time. Lately though, one of our hospitals has changed to a different secure email provider - and in this case, they no longer bother with the portal as long as TLS works. This provides the simplest solution for home/patient users.
Scott and I have discussed this, and believe that it fits the requirements of HIPAA as well. Thoughts?
I'm not familiar with that method, so I can't comment on it. I've never received an encrypted email that I didn't have to go to a portal/website link, or via S/MIME.
-
@Dashrender said in encrypted email options?:
We'll ignore this option primarily because forcing this as an exclusive connection method does not provide error of failure for a minimum of 4 hours, if not more like 2 days.
24 hours is what I see on this right now for multiple tenants.
-
@JaredBusch said in encrypted email options?:
@Obsolesce said in encrypted email options?:
that takes you to a portal to decrypt it.
No it does not. It makes you log in before showing you the data within a webpage. There is never anything sent encrypted.
That's what I meant.... it's basically a link you are sent.
-
@Obsolesce said in encrypted email options?:
@JaredBusch said in encrypted email options?:
@Obsolesce said in encrypted email options?:
that takes you to a portal to decrypt it.
No it does not. It makes you log in before showing you the data within a webpage. There is never anything sent encrypted.
That's what I meant.... it's basically a link you are sent.
Yeah, but we are answering @Dashrender.. He likes to conflate shit if you are not extremely specific..
-
@JaredBusch said in encrypted email options?:
@Dashrender said in encrypted email options?:
We'll ignore this option primarily because forcing this as an exclusive connection method does not provide error of failure for a minimum of 4 hours, if not more like 2 days.
24 hours is what I see on this right now for multiple tenants.
I couldn't recall what you said before - but I did recall you were the last to post about it.
-
@Obsolesce said in encrypted email options?:
@JaredBusch said in encrypted email options?:
@Obsolesce said in encrypted email options?:
that takes you to a portal to decrypt it.
No it does not. It makes you log in before showing you the data within a webpage. There is never anything sent encrypted.
That's what I meant.... it's basically a link you are sent.
I knew what you meant.
-
For your industry and use case, OME or a similar solution is definitely the route you need to go. None of the other options make any sense.
-
@Dashrender said in encrypted email options?:
OME - this works like most other secure email solutions out in the market today (I'm looking at you Zix), email contents are sent to a webportal, an email is sent to the recipient with a link to the webportal, they create a logon to the webportal for now and future use of message retrieval.
This is the most common option... when this isn't what you want. You have to understand this is NOT email. So this is the same as "not doing what we were told to do." Now 99% of the time, the job is to treat end users as confused and do what they want, not what they say, but it's also important to know when you are doing that. This is no different, except it is automated, than moving people to DropBox or NextCloud, that's all that it is. It's cloud storage with a web interface, not email.
If your doctor asks you for secure email, the answer is "he's an idiot, just do this." If I ask you for secure email and you give me this, it's insubordination for intentionally avoiding the only requirement.
-
@Obsolesce said in encrypted email options?:
@Dashrender said in encrypted email options?:
@Obsolesce said in encrypted email options?:
@Dashrender said in encrypted email options?:
The use of secure email is primarily with outside persons and companies. No home user (patient) is ever going to setup PKI to get an email from us.
I only listed it because I figured someone would blast me for not listing it. It's a complete non-starter in our case. It's also why I specifically mentioned the typically used with gov'ts.
Oh yeah that's a totally different case. Your only real option then if dealing with patients and all that is the one built into O365, that takes you to a portal to decrypt it.
Right - this is what we see 90% of the time. Lately though, one of our hospitals has changed to a different secure email provider - and in this case, they no longer bother with the portal as long as TLS works. This provides the simplest solution for home/patient users.
Scott and I have discussed this, and believe that it fits the requirements of HIPAA as well. Thoughts?
I'm not familiar with that method, so I can't comment on it. I've never received an encrypted email that I didn't have to go to a portal/website link, or via S/MIME.
You likely get it 90% of the time. In Zoho it's just a little "secure" flag that shows up. Normal mail is already secure, but not generally enforced. But secure email is the universal default today.
-
@Pete-S said in encrypted email options?:
Of the options you listed, S/MIME is the only one that is standard. Meaning you can send secure mails to others as well.
And is generally far, far stronger security than other methods. But generally doesn't matter.
-
@scottalanmiller said in encrypted email options?:
@Obsolesce said in encrypted email options?:
@Dashrender said in encrypted email options?:
@Obsolesce said in encrypted email options?:
@Dashrender said in encrypted email options?:
The use of secure email is primarily with outside persons and companies. No home user (patient) is ever going to setup PKI to get an email from us.
I only listed it because I figured someone would blast me for not listing it. It's a complete non-starter in our case. It's also why I specifically mentioned the typically used with gov'ts.
Oh yeah that's a totally different case. Your only real option then if dealing with patients and all that is the one built into O365, that takes you to a portal to decrypt it.
Right - this is what we see 90% of the time. Lately though, one of our hospitals has changed to a different secure email provider - and in this case, they no longer bother with the portal as long as TLS works. This provides the simplest solution for home/patient users.
Scott and I have discussed this, and believe that it fits the requirements of HIPAA as well. Thoughts?
I'm not familiar with that method, so I can't comment on it. I've never received an encrypted email that I didn't have to go to a portal/website link, or via S/MIME.
You likely get it 90% of the time. In Zoho it's just a little "secure" flag that shows up. Normal mail is already secure, but not generally enforced. But secure email is the universal default today.
Are you talking about something else? This "Secure Email" is not what we are referring to. Zoho "secure email" is just that it uses TLS in transit and is encrypted at rest on Zoho servers. This is all transparent and is the case with every major email service.
I think what is being asked here isn't obvious to you, but that the mail itself is encrypted, not just the transport of it. Basically in a way the OME and S/MIME ensures.
You'll need to show exactly where in Zoho you turn on this feature you speak of.
-
We have been using ZixMail for years and haven't had any issues to speak of. Support is responsive if you need them.
-
@scottalanmiller said in encrypted email options?:
But secure email is the universal default today.
-
@Obsolesce said in encrypted email options?:
Are you talking about something else? This "Secure Email" is not what we are referring to. Zoho "secure email" is just that it uses TLS in transit and is encrypted at rest on Zoho servers. This is all transparent and is the case with every major email service.
That's secure email. That it's transparent makes it even more powerful. My point has been for years - all standard email is fully secure. These gimmicks and whatever are just that. Gimmicks. They pretend regular email isn't already encrypted end to end to sell things that almost no one needs based on the public's mistaken belief that email is plain text under normal conditions.
Not only do they prey on this misconception, then they generally sell something that isn't even email. Which is fine, except their entire point of selling it is... that it is email! Every piece of the process is around trickery and preying on the confused.
Are there cases where cloud storage with a web interface is a good idea and better than email for delivering files? Absolutely. Is there ever a time that we should pretend email isn't encrypted normally or that dropbox-style systems are just email? No.
There's no reason that normal email can't just be used, it's secure. The issue that many places have is that they refuse to require this security and/or to understand IT and so feel, because of marketing, that they have to pay for something that isn't email to fix their "email", which obviously, makes no sense.
-
@Obsolesce said in encrypted email options?:
I think what is being asked here isn't obvious to you, but that the mail itself is encrypted, not just the transport of it. Basically in a way the OME and S/MIME ensures.
That's not actually being asked. That's the solution that is generally proposed, but is not needed in really any situation normally. What value is there to that? HIPAA doesn't care, the users don't care, it's not to anyone's benefit. And, guess what, if you use any of these services, it's decrypted and displayed remotely. ZixMail, O365, and others do exactly the same thing and only the transport is encrypted, not the payload. I use some of these services and it's no different than Zoho mail - only it's a webpage not email so it confuses people again to make it "feel" like the payload is encrypted, but it isn't.
S/MIME does that, but Zix and all standard services, do not. They just repeat the very solution we already had - TLS.
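Added example, not part of the original thread or any poster's code: the distinction being argued here (TLS on each transport hop versus an encrypted payload such as S/MIME or OpenPGP) can be checked on a received message with Python's standard `email` module. The sample messages, hostnames and the `classify` helper are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" protocol values that mean the hop was protected by TLS.
TLS_TYPES = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def hop_protocols(msg):
    """Protocol recorded by each Received header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        # Take the "with" that follows the "by" clause, so that a comment such as
        # "(using TLSv1.3 with cipher ...)" in the "from" clause is not mistaken for it.
        m = re.search(r"\bby\s+\S+.*?\bwith\s+(\w+)", value, re.S)
        hops.append(m.group(1).upper() if m else "UNKNOWN")
    return hops

def payload_encryption(msg):
    """'S/MIME', 'PGP/MIME' or 'none'. A signed-only message counts as 'none'."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type in ("enveloped-data", "authenveloped-data"):
            return "S/MIME"
    protocol = (msg.get_param("protocol") or "").lower()
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "PGP/MIME"  # RFC 3156 container
    return "none"

def classify(raw):
    msg = message_from_string(raw)
    hops = hop_protocols(msg)
    return {
        "hops": hops,
        "all_hops_tls": bool(hops) and all(h in TLS_TYPES for h in hops),
        "payload": payload_encryption(msg),
    }

# Constructed sample headers (hypothetical hosts, documentation IP range).
# Only Received lines written by your own servers can be trusted; earlier ones
# are whatever the upstream relay chose to write.
HOPS = (
    "Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])\n"
    " by mx.provider.example with ESMTPS id A1; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Received: from ws1.clinic.example (ws1.clinic.example [192.0.2.20])\n"
    " by mx.clinic.example with ESMTPSA id B2; Mon, 01 Jan 2024 09:59:58 +0000\n"
)
TLS_ONLY = HOPS + "Content-Type: text/plain\n\nLab results attached.\n"
SMIME = HOPS + ("Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
                "Content-Transfer-Encoding: base64\n\nAAAA\n")  # placeholder body
CLEARTEXT_HOP = HOPS.replace("ESMTPS id A1", "ESMTP id A1") + "Content-Type: text/plain\n\nhi\n"
```

`classify(TLS_ONLY)` reports TLS on every hop with no payload encryption, which is the "normal mail" case in this thread; `classify(SMIME)` is the case where the provider stores ciphertext it cannot read without the recipient's key.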
-
@VoIP_n00b said in encrypted email options?:
@scottalanmiller said in encrypted email options?:
But secure email is the universal default today.
GMail, Zoho, O365, Yahoo... all business class, and all serious consumer, and nearly all totally crappy services today are encrypted by default. It's almost exclusively "punish end users for being total idiots and never listening to anyone" systems like Cox "freebie email for cable subscribers" that there is absolutely no excuse for anyone to ever have used, let alone to still use, that once in a while don't encrypt. And really, that's the least of the problems there.
-
@Dashrender well there you have it. The solution is to do nothing, because your email is already secure and encrypted LOL!
-
@scottalanmiller said in encrypted email options?:
That's secure email. That it's transparent makes it even more powerful. My point has been for years - all standard email is fully secure.
Well, it doesn't prevent your email provider from reading your emails. Google and their ilk will use your emails to profile you and whomever you email. So when your doctor sends an email about your cancer treatment, you are going to start seeing ads about that on every site.
You'll get a much higher degree of security when you have real encrypted email and especially so when the email provider doesn't have your private key to decrypt. But then any web mail solution is out.
OpenPGP for instance requires both a private key and a passphrase to be able to decrypt emails. Works great with native email clients that support OpenPGP. But I wouldn't want to be the guy supporting that for general end users.
-
@Pete-S said in encrypted email options?:
@scottalanmiller said in encrypted email options?:
That's secure email. That it's transparent makes it even more powerful. My point has been for years - all standard email is fully secure.
Well, it doesn't prevent your email provider from reading your emails. Google and their ilk will use your emails to profile you and whomever you email. So when your doctor sends an email about your cancer treatment, you are going to start seeing ads about that on every site.
You'll get a much higher degree of security when you have real encrypted email and especially so when the email provider doesn't have your private key to decrypt. But then any web mail solution is out.
OpenPGP for instance requires both a private key and a passphrase to be able to decrypt emails. Works great with native email clients that support OpenPGP. But I wouldn't want to be the guy supporting that for general end users.
Yeah, it doesn't prevent an attacker that manages to get your email credentials from reading emails.
-
@Pete-S said in encrypted email options?:
@scottalanmiller said in encrypted email options?:
That's secure email. That it's transparent makes it even more powerful. My point has been for years - all standard email is fully secure.
You'll get a much higher degree of security when you have real encrypted email and especially so when the email provider doesn't have your private key to decrypt. But then any web mail solution is out.
You can do BYOK (Bring your own key) with OME.
It can use Azure Key Vault storage. So you could even use a hardware module of your choosing that you host and connect to Azure.