    O365 and encrypted mail to other email systems

    IT Discussion
    Tags: office365, audit, hipaa, ocr
    169 Posts 9 Posters 78.4k Views
    • dafyre @Dashrender

      @Dashrender said in O365 and encrypted mail to other email systems:

      So I mentioned the TLS only option to my boss yesterday.

      I broke it down and told her there are basically two options:

      1. get a third party bolt on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

      2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

      She left the conversation saying that I always leave her between a rock and a hard place. 😞

      It becomes a simple choice, though... Spend money for a third-party product... or use standards based stuff and not spend money...

      scottalanmillerS 1 Reply Last reply Reply Quote 2
      • JaredBusch @Dashrender

        @Dashrender said in O365 and encrypted mail to other email systems:

        So I mentioned the TLS only option to my boss yesterday.

        I broke it down and told her there are basically two options:

        1. get a third party bolt on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

        2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

        She left the conversation saying that I always leave her between a rock and a hard place. 😞

        Because you described it poorly. I need more coffee to phrase something better, but you could certainly have sold it better.

        DashrenderD 1 Reply Last reply Reply Quote 0
        • scottalanmiller @Dashrender

          @Dashrender said in O365 and encrypted mail to other email systems:

          @scottalanmiller said in O365 and encrypted mail to other email systems:

          The only question is... who is on hosted, insecure email? My guess is, no one that you can find.

          Those aren't the people I'm worried about - at least not the free hosted ones for sure.

          I'm more concerned with hospitals, lawyers, small clinics, etc. and what they are using for email. As discussed here and elsewhere for years, these guys move at a glacial pace. Many of them are super cheap too, so they look at subscription plans like O365 and its forever payments, and make the sometimes invalid assumption that it costs more than a self hosted solution (now personally, there are many times where self hosted is cheaper, but it's also riskier), so they refuse to move. It's these people that we have no idea if they have TLS implemented or not. Of course we'd love to hope that they are, but until we try, we have no clue.

          If they are self hosted, TLS is at their own discretion.

          1 Reply Last reply Reply Quote 0
          • scottalanmiller @Dashrender

            @Dashrender said in O365 and encrypted mail to other email systems:

            So I mentioned the TLS only option to my boss yesterday.

            I broke it down and told her there are basically two options:

            1. get a third party bolt on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

            2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

            She left the conversation saying that I always leave her between a rock and a hard place. 😞

            That's not a rock and a hard place. It's a great option and a horrible one.

            It is more like:

            1. Buy a non-email proprietary product that doesn't work at all unless you force every remote user to join up with the product that you have forced down their throats. This isn't email and doesn't satisfy any requirement for email, and if doing this, you could do any number of random non-email things like running your own FTP server; that's all that they are doing.

            2. Use TLS and provide an awesome, transparent, fully secure option that is email based and works for anyone with the slightest care OR anyone that uses free systems. Force it and "maybe" some places that have done ridiculous things to not have TLS "might" not get your email.

            3. Use TLS opportunistically and let customers decide if they want security on or off.

            Two good options, one bad one. If she feels like choice 1 is a valid option, it's because she is confused. Why does she feel that there is even a reason to be choosing? How is choice one even being considered once you explained it?

            DashrenderD 1 Reply Last reply Reply Quote 1
            • scottalanmiller @dafyre

              @dafyre said in O365 and encrypted mail to other email systems:

              @Dashrender said in O365 and encrypted mail to other email systems:

              So I mentioned the TLS only option to my boss yesterday.

              I broke it down and told her there are basically two options:

              1. get a third party bolt on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

              2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

              She left the conversation saying that I always leave her between a rock and a hard place. 😞

              It becomes a simple choice, though... Spend money for a third-party product... or use standards based stuff and not spend money...

              All of the caveats of the TLS option apply to the third party one, too. So I think that the nature of the logic simply rules choice one out because of that.

              1 Reply Last reply Reply Quote 0
              • scottalanmiller

                Frame it more like this, at least to yourself:

                TLS Pros Compared to Zix: Cheaper, Standard, Nearly all customers get an effortless experience.

                Zix Pros Compared to TLS: None

                DashrenderD 1 Reply Last reply Reply Quote 1
                • Dashrender @JaredBusch

                  @JaredBusch said in O365 and encrypted mail to other email systems:

                  @Dashrender said in O365 and encrypted mail to other email systems:

                  So I mentioned the TLS only option to my boss yesterday.

                  I broke it down and told her there are basically two options:

                  1. get a third party bolt on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

                  2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

                  She left the conversation saying that I always leave her between a rock and a hard place. 😞

                  Because you described it poorly. I need more coffee to phrase something better, but you could certainly have sold it better.

                  Please - maestro - amaze me with your wordsmithing!

                  1 Reply Last reply Reply Quote 0
                  • Dashrender @scottalanmiller

                    @scottalanmiller said in O365 and encrypted mail to other email systems:

                    @Dashrender said in O365 and encrypted mail to other email systems:

                    So I mentioned the TLS only option to my boss yesterday.

                    I broke it down and told her there are basically two options:

                    1. get a third party bolt on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

                    2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

                    She left the conversation saying that I always leave her between a rock and a hard place. 😞

                    That's not a rock and a hard place. It's a great option and a horrible one.

                    It is more like:

                    1. Buy a non-email proprietary product that doesn't work at all unless you force every remote user to join up with the product that you have forced down their throats. This isn't email and doesn't satisfy any requirement for email, and if doing this, you could do any number of random non-email things like running your own FTP server; that's all that they are doing.

                    2. Use TLS and provide an awesome, transparent, fully secure option that is email based and works for anyone with the slightest care OR anyone that uses free systems. Force it and "maybe" some places that have done ridiculous things to not have TLS "might" not get your email.

                    3. Use TLS opportunistically and let customers decide if they want security on or off.

                    Two good options, one bad one. If she feels like choice 1 is a valid option, it's because she is confused. Why does she feel that there is even a reason to be choosing? How is choice one even being considered once you explained it?

                    First the easy one, #3 isn't HIPAA compliant, so it's out.

                    #2 is a pain, because when it fails a different solution will have to be found/used to communicate with that contact.

                    #1, while potentially painful, is more about ensuring that there will never be a failure. The use of non-TLS email is mitigated by sending a notice containing no PHI that informs the receiver that there is a message for them, but it must be picked up through a secure means.

                    Now, #1 being said, I don't believe that Zix will actually allow for the use of TLS-only based encryption, assuming it's available, so all encrypted communications would be the painful type.

                    scottalanmillerS coliverC 4 Replies Last reply Reply Quote 0
                    • Dashrender @scottalanmiller

                      @scottalanmiller said in O365 and encrypted mail to other email systems:

                      Frame it more like this, at least to yourself:

                      TLS Pros Compared to Zix: Cheaper, Standard, Nearly all customers get an effortless experience.

                      Zix Pros Compared to TLS: None

                      Disagree. Zix does have one pro: able to send notice of desire to communicate when TLS isn't available, so you must use another, more painful means.

                      scottalanmillerS JaredBuschJ 2 Replies Last reply Reply Quote 0
                      • scottalanmiller @Dashrender

                        @Dashrender said in O365 and encrypted mail to other email systems:

                        First the easy one, #3 isn't HIPAA compliant, so it's out.

                        That's not true. If that were true, faxing would be out. You know that faxing is okay, so you know that this is okay. It's that easy.

                        DashrenderD 1 Reply Last reply Reply Quote 0
                        • coliver @Dashrender (last edited by coliver)

                          @Dashrender said in O365 and encrypted mail to other email systems:

                          @scottalanmiller said in O365 and encrypted mail to other email systems:

                          @Dashrender said in O365 and encrypted mail to other email systems:

                          So I mentioned the TLS only option to my boss yesterday.

                          I broke it down and told her there are basically two options:

                          1. get a third party bolt on product like Zix, Barracuda, etc. This will be a subscription service that we have to pay for all of our users forever, but this option does allow for on/off of encrypted user to user email.

                          2. Force our email server to use TLS for all connections. If we try to send an email to someone whose server doesn't support TLS, we simply can't send to them. Period. This is the free option.

                          She left the conversation saying that I always leave her between a rock and a hard place. 😞

                          That's not a rock and a hard place. It's a great option and a horrible one.

                          It is more like:

                          1. Buy a non-email proprietary product that doesn't work at all unless you force every remote user to join up with the product that you have forced down their throats. This isn't email and doesn't satisfy any requirement for email, and if doing this, you could do any number of random non-email things like running your own FTP server; that's all that they are doing.

                          2. Use TLS and provide an awesome, transparent, fully secure option that is email based and works for anyone with the slightest care OR anyone that uses free systems. Force it and "maybe" some places that have done ridiculous things to not have TLS "might" not get your email.

                          3. Use TLS opportunistically and let customers decide if they want security on or off.

                          Two good options, one bad one. If she feels like choice 1 is a valid option, it's because she is confused. Why does she feel that there is even a reason to be choosing? How is choice one even being considered once you explained it?

                          First the easy one, #3 isn't HIPAA compliant, so it's out.

                          #2 is a pain, because when it fails a different solution will have to be found/used to communicate with that contact.

                          #1, while potentially painful, is more about ensuring that there will never be a failure. The use of non-TLS email is mitigated by sending a notice containing no PHI that informs the receiver that there is a message for them, but it must be picked up through a secure means.

                          Now, #1 being said, I don't believe that Zix will actually allow for the use of TLS-only based encryption, assuming it's available, so all encrypted communications would be the painful type.

                          #1 is always more painful. You're forcing all users to do this thing, whatever it happens to be, for every customer. Instead of using an industry standard mechanism that may not work for 1-5% of customers... So #2 will work 95% of the time.

                          1 Reply Last reply Reply Quote 1
                          • scottalanmiller @Dashrender

                            @Dashrender said in O365 and encrypted mail to other email systems:

                            Disagree. Zix does have one pro: able to send notice of desire to communicate when TLS isn't available, so you must use another, more painful means.

                            Nope, you can make rules for TLS that allow you to send notification but not the payload.

                            DashrenderD 1 Reply Last reply Reply Quote 0
                            • scottalanmiller @Dashrender

                              @Dashrender said in O365 and encrypted mail to other email systems:

                              #1 while potentially painful, is more ensuring that there will never be a failure.

                              No, it ensures that there is almost always a failure. I know places using these systems right now (hospital) that can't get prompt IT support because they have to send emails to third parties, get them to unencrypt and then transfer over TLS on their behalf because the systems aren't reliable. I deal with this every few days. Reliable is the last thing that these systems are.

                              1 Reply Last reply Reply Quote 1
                              • scottalanmiller @Dashrender

                                @Dashrender said in O365 and encrypted mail to other email systems:

                                #2 is a pain, because when it fails a different solution will have to be found/used to communicate with that contact.

                                Use non-TLS email for that if you want, but you can just send the payload; still safer than faxing. So totally HIPAA compliant.

                                1 Reply Last reply Reply Quote 0
                                • Dashrender @scottalanmiller

                                  @scottalanmiller said in O365 and encrypted mail to other email systems:

                                  @Dashrender said in O365 and encrypted mail to other email systems:

                                  First the easy one, #3 isn't HIPAA compliant, so it's out.

                                  That's not true. If that were true, faxing would be out. You know that faxing is okay, so you know that this is okay. It's that easy.

                                  Seriously bro! We need to have a face to face on this one! I understand the insecure portions you talk about, but for some deity's sake, you have yet to convince me why faxing is so much more insanely insecure than email. But that's for another time!

                                  Leave faxing out of this conversation and give me another example why #3 would be compliant?

                                  scottalanmillerS 2 Replies Last reply Reply Quote 0
                                  • scottalanmiller @Dashrender

                                    @Dashrender said in O365 and encrypted mail to other email systems:

                                    Seriously bro! We need to have a face to face on this one! I understand the insecure portions you talk about, but for some deity's sake, you have yet to convince me why faxing is so much more insanely insecure than email. But that's for another time!

                                    We have. It's covered. Faxing is the well known least secure possible option. Every aspect of it, every one, is the least security possible. You can't make a system less secure without resorting to public broadcast systems like bulletin boards.

                                    1 Reply Last reply Reply Quote 0
                                    • scottalanmiller @Dashrender

                                      @Dashrender said in O365 and encrypted mail to other email systems:

                                      Leave faxing out of this conversation and give me another example why #3 would be compliant?

                                      What do you mean? It's not my burden to bear. You have to show why it is NOT compliant as you made the claim. I know that it's safer than faxing, by a LOT. So... either faxing isn't allowed (it is) or email is okay (based on being more secure.) It's that simple.

                                      DashrenderD 1 Reply Last reply Reply Quote 0
                                      • Dashrender @scottalanmiller

                                        @scottalanmiller said in O365 and encrypted mail to other email systems:

                                        @Dashrender said in O365 and encrypted mail to other email systems:

                                        Disagree. Zix does have one pro: able to send notice of desire to communicate when TLS isn't available, so you must use another, more painful means.

                                        Nope, you can make rules for TLS that allow you to send notification but not the payload.

                                        You just repeated what I said. Now, since Zix doesn't give a shit about TLS, it only ever uses its secure portal (to the best of my knowledge); all secure messages are sent using their painful method, but a notice about that message is sent to the client over whatever is available to the server, TLS or not.

                                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                                        • JaredBusch @Dashrender

                                          @Dashrender said in O365 and encrypted mail to other email systems:

                                          @scottalanmiller said in O365 and encrypted mail to other email systems:

                                          Frame it more like this, at least to yourself:

                                          TLS Pros Compared to Zix: Cheaper, Standard, Nearly all customers get an effortless experience.

                                          Zix Pros Compared to TLS: None

                                          Disagree. Zix does have one pro: able to send notice of desire to communicate when TLS isn't available, so you must use another, more painful means.

                                          Regarding failure to send TLS. Just because it fails does not mean you have no way to communicate the need to contact the office. You have a couple of options here.

                                          With the sole purpose of being used to send an email to failed parties telling them that you were unable to securely email them and that they need to contact the office, you can do this:
                                          2.a Set up a simple Gmail/Outlook.com account for the practice
                                          2.b Set up a basic Linux box and make use of the built-in Postfix to send email (via some application, probably) from your own domain. Basically a second email server that does not have the TLS restriction.
                                          2.c Possibly have a single email account on your Exchange server that is immune from the TLS requirements. Not even sure if this is possible when you set TLS as wildcard required.

                                          DashrenderD 1 Reply Last reply Reply Quote 0
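One way to express the TLS-only policy from choice 2 with a single exempt notification mailbox (the "notification but not the payload" rule Scott describes, and the shape of Jared's 2.c) in Exchange Online PowerShell. This is an added example, not code from any poster or from Microsoft; it assumes an Exchange Online tenant with the ExchangeOnlineManagement module, and the rule names, the domain and the mailbox address are placeholders.

```powershell
# Added example, not from the thread. Assumes Exchange Online and the
# ExchangeOnlineManagement module. All names and addresses are placeholders.
Connect-ExchangeOnline

# Placeholder: the one mailbox allowed to leave the tenant without TLS.
# It may only ever send "we could not reach you securely, call the office"
# notices, never PHI.
$NotifyMailbox = 'secure-notice@example-practice.invalid'

# 1. Every message from inside the organization to an external recipient must
#    be delivered over TLS. Exchange Online does not fall back to plaintext
#    SMTP for such messages; if the next hop cannot negotiate TLS the message
#    is deferred and eventually returned to the sender with an NDR.
New-TransportRule -Name 'Require TLS for all outbound mail' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -ExceptIfFrom $NotifyMailbox `
    -RouteMessageOutboundRequireTls $true `
    -Priority 0 `
    -Comments 'TLS-only outbound. Only the notification mailbox is exempt.'

# 2. Reduce the chance that the exempt mailbox is misused for real payloads:
#    reject anything with an attachment sent from it. This is a guard rail,
#    not a DLP policy; staff procedure still has to keep PHI out of the body.
New-TransportRule -Name 'Notification mailbox: no attachments' `
    -From $NotifyMailbox `
    -AttachmentSizeOver 1KB `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'The notification mailbox may not send attachments.' `
    -Priority 1

# 3. Confirm the rules are enabled and in the expected order.
Get-TransportRule |
    Where-Object { $_.RouteMessageOutboundRequireTls -or $_.From } |
    Format-List Name, State, Priority, ExceptIfFrom, RouteMessageOutboundRequireTls

# 4. Find the external recipients whose servers could not do TLS: their
#    messages show up as Pending (deferred) or Failed in the message trace.
#    These are the contacts that need the out-of-band notice.
$End   = Get-Date
$Start = $End.AddDays(-7)
Get-MessageTrace -StartDate $Start -EndDate $End |
    Where-Object { $_.Status -in @('Pending', 'Failed') -and
                   $_.SenderAddress -ne $NotifyMailbox } |
    Select-Object Received, SenderAddress, RecipientAddress, Status |
    Sort-Object Received -Descending
```

Run step 3 and 4 against a test recipient before rolling the rule out to the whole organization, since a deferred message only surfaces to the user as an NDR after the retry window expires.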
                                            • scottalanmiller

                                            You are making the mistake of thinking that HIPAA dictates specifics; it does not. The only reason that unencrypted email is ever questioned is because encrypting it is so easy. That's why faxing is given a free pass... there is no means of securing it. So no one cares. Same with postal mail. Totally insecure, no one cares. Email is simple to secure, so you are expected to secure it, and you can. If the other party does not, that's after your role is complete.

                                            1 Reply Last reply Reply Quote 0