    O365 and encrypted mail to other email systems

    IT Discussion | Tags: office365, audit, hipaa, ocr | 169 Posts, 9 Posters, 78.5k Views
    • coliverC
      coliver
      last edited by

      Exchange Online is encrypted from the endpoint to the server. So when a user sends an email from inside your domain to another user inside your domain it is encrypted end-to-end.

      DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @Dashrender
        last edited by

        @Dashrender said in O365 and encrypted mail to other email systems:

        Check this out

        https://blogs.office.com/2013/11/21/introducing-office-365-message-encryption-send-encrypted-emails-to-anyone/

        Apparently we have it now, but we don't use it. Email is already secure to anyone who wants it to be secure; doing things like this doesn't really increase the security when it matters (either legally or as desired), since anyone who needs or cares would always get it encrypted, and the legal responsibility ends at offering them the security at best. This type of stuff is really just marketing fluff for the non-IT types, IMHO. It adds effort and complications, raises cost and lowers the usability of email.

        1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @coliver
          last edited by Dashrender

          @coliver said in O365 and encrypted mail to other email systems:

          Exchange Online is encrypted from the endpoint to the server. So when a user sends an email from inside your domain to another user inside your domain it is encrypted end-to-end.

          Correct, I do understand this, but this is not my goal.

          My goal is to, for example, send an email to you, at your email address (which isn't on my email server, or part of my domain) so that even your IT admin can't read it. Full end to end encryption.

          Of course the huge failing is the initial setup of the credentials - because if the admin intercepts the original mail, he can set up the account at first-time access and read at least that first message, but we'll ignore this problem for now.

          coliverC 1 Reply Last reply Reply Quote 0
          • coliverC
            coliver @Dashrender
            last edited by

            @Dashrender said in O365 and encrypted mail to other email systems:

            @coliver said in O365 and encrypted mail to other email systems:

            Exchange Online is encrypted from the endpoint to the server. So when a user sends an email from inside your domain to another user inside your domain it is encrypted end-to-end.

            Correct, I do understand this, but this is not my goal.

            The goal isn't user-to-user encryption? I thought that was what you had stated a few posts earlier.

            scottalanmillerS 1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @coliver
              last edited by

              @coliver said in O365 and encrypted mail to other email systems:

              Exchange Online is encrypted from the endpoint to the server. So when a user sends an email from inside your domain to another user inside your domain it is encrypted end-to-end.

              More importantly, it is encrypted end to end with any normal user on the other side, as well. Basically all business and most consumer email domains are secured end to end today. So you'd have to find someone who has seriously opted out of the security to not have end to end, user to user security for email today and it would always be at the discretion of the other party. That's what's great about email today, for all intents and purposes, it is totally secure. The "email security" concerns of the past have been solved because of TLS and web interfaces.

              1 Reply Last reply Reply Quote 1
              • scottalanmillerS
                scottalanmiller @coliver
                last edited by

                @coliver said in O365 and encrypted mail to other email systems:

                @Dashrender said in O365 and encrypted mail to other email systems:

                @coliver said in O365 and encrypted mail to other email systems:

                Exchange Online is encrypted from the endpoint to the server. So when a user sends an email from inside your domain to another user inside your domain it is encrypted end-to-end.

                Correct, I do understand this, but this is not my goal.

                The goal isn't user-to-user encryption? I thought that was what you had stated a few posts earlier.

                I think that he stated incorrectly. That's what he has. What he actually wants is a non-transparently, individually encrypted payload that has to be decrypted manually by the end user. Like GPG.

                coliverC DashrenderD 2 Replies Last reply Reply Quote 0
                • coliverC
                  coliver @scottalanmiller
                  last edited by

                  @scottalanmiller said in O365 and encrypted mail to other email systems:

                  @coliver said in O365 and encrypted mail to other email systems:

                  @Dashrender said in O365 and encrypted mail to other email systems:

                  @coliver said in O365 and encrypted mail to other email systems:

                  Exchange Online is encrypted from the endpoint to the server. So when a user sends an email from inside your domain to another user inside your domain it is encrypted end-to-end.

                  Correct, I do understand this, but this is not my goal.

                  The goal isn't user-to-user encryption? I thought that was what you had stated a few posts earlier.

                  I think that he stated incorrectly. That's what he has. What he actually wants is a non-transparently, individually encrypted payload that has to be decrypted manually by the end user. Like GPG.

                  Ah, so the goal is to make email impossible to use so your users go to some other insecure method of communication.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller
                    last edited by

                    Which is not actually email encryption, that's part of why these discussions go this way.

                    Email IS encrypted and incredibly secure. The issue here isn't based on security.

                    What Zix, Microsoft's solution or GPG do, actually, is encrypt a separate file that the already secure email delivery system delivers. It's payload encryption, but as the payload itself isn't actually email, the term "email encryption" makes this confusing. It's literally no different than using 7zip to encrypt what you want to send, just more convenient (barely).

                    1 Reply Last reply Reply Quote 0
                    • T
                      TAHIN
                      last edited by

                      This compares to something like Barracuda Mail Encryption. Its shining point isn't really around mail in transit, but mail at rest at the destination. TLS is great until that email sits unencrypted in a recipient's Gmail box that 80 hackers and your kids have the password to. It's a legitimate concern as a business owner... you want it to be secure end to end.

                      That said, there is no requirement, HIPAA or PCI or otherwise, that places the burden of safety of that email in your hands. Once it's over the wire encrypted, it's no longer your problem. But I do understand its value; we used Barracuda email encryption whenever we would (be forced to) send PHI to another doctor's office.

                      scottalanmillerS DashrenderD 3 Replies Last reply Reply Quote 0
                      • DashrenderD
                        Dashrender @scottalanmiller
                        last edited by

                        @scottalanmiller said in O365 and encrypted mail to other email systems:

                        @coliver said in O365 and encrypted mail to other email systems:

                        @Dashrender said in O365 and encrypted mail to other email systems:

                        @coliver said in O365 and encrypted mail to other email systems:

                        Exchange Online is encrypted from the endpoint to the server. So when a user sends an email from inside your domain to another user inside your domain it is encrypted end-to-end.

                        Correct, I do understand this, but this is not my goal.

                        The goal isn't user-to-user encryption? I thought that was what you had stated a few posts earlier.

                        I think that he stated incorrectly. That's what he has. What he actually wants is a non-transparently, individually encrypted payload that has to be decrypted manually by the end user. Like GPG.

                        OK - this ^. Sadly the lawyer only considers this to be "secure email". Without this layer, sending an email is not considered secure, and fails audits.

                        Yes I understand all the other stated things, but they don't matter, sadly - only the audit matters.

                        coliverC scottalanmillerS T 4 Replies Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller
                          last edited by

                          I think that the sole benefit of a system like this is that you can secure the email so that your own and their own (sender and receiver) admins cannot view the mail. However, that shifts the entire burden of security management onto the receiver of the email. So it causes huge management issues because the users cannot turn to their IT departments to enable this for them and, if they do, it disables the only goal that the system can have because it reverts it to the same security as TLS before.

                          1 Reply Last reply Reply Quote 0
                          • coliverC
                            coliver @Dashrender
                            last edited by

                            @Dashrender said in O365 and encrypted mail to other email systems:

                            @scottalanmiller said in O365 and encrypted mail to other email systems:

                            @coliver said in O365 and encrypted mail to other email systems:

                            @Dashrender said in O365 and encrypted mail to other email systems:

                            @coliver said in O365 and encrypted mail to other email systems:

                            Exchange Online is encrypted from the endpoint to the server. So when a user sends an email from inside your domain to another user inside your domain it is encrypted end-to-end.

                            Correct, I do understand this, but this is not my goal.

                            The goal isn't user-to-user encryption? I thought that was what you had stated a few posts earlier.

                            I think that he stated incorrectly. That's what he has. What he actually wants is a non-transparently, individually encrypted payload that has to be decrypted manually by the end user. Like GPG.

                            OK - this ^. Sadly the lawyer only considers this to be "secure email". Without this layer, sending an email is not considered secure, and fails audits.

                            Yes I understand all the other stated things, but they don't matter, sadly - only the audit matters.

                            That's fine, thanks for clarifying your goal. We have similar issues here.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @Dashrender
                              last edited by

                              @Dashrender said in O365 and encrypted mail to other email systems:

                              Yes I understand all the other stated things, but they don't matter, sadly - only the audit matters.

                              In that case your question should be worded around that specific context. The issue at hand is not security, email or encryption. It's tricking a lawyer who is unethically doing a job far over his head.

                              1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @TAHIN
                                last edited by

                                @TAHIN said in O365 and encrypted mail to other email systems:

                                This compares to something like Barracuda Mail Encryption. Its shining point isn't really around mail in transit, but mail at rest at the destination.

                                No, that doesn't hold up. Encryption at rest is yet a third issue. Both of these mechanisms decrypt along the chain. Only the recipient, literally only they, can decide to be encrypted at rest. That's never something that you can force. You can force it on the sender's side, and this isn't doing that here. But you have to trust the recipient to store it in an encrypted fashion and... none will.

                                T DashrenderD 2 Replies Last reply Reply Quote 0
                                • T
                                  TAHIN @Dashrender
                                  last edited by

                                  @Dashrender see my note above regarding compliance. You can compare it to FAX.
                                  If I send PHI over fax to a fax machine in a remote location, it is the responsibility of the remote party to keep it secure.

                                  DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @TAHIN
                                    last edited by

                                    @TAHIN said in O365 and encrypted mail to other email systems:

                                    That said, there is no requirement, HIPAA or PCI or otherwise, that places the burden of safety of that email in your hands. Once it's over the wire encrypted, it's no longer your problem.

                                    Exactly, offer it to them securely, after that, it is ALL their problem.

                                    1 Reply Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @TAHIN
                                      last edited by

                                      @TAHIN said in O365 and encrypted mail to other email systems:

                                      That said, there is no requirement, HIPAA or PCI or otherwise, that places the burden of safety of that email in your hands. Once it's over the wire encrypted, it's no longer your problem. But I do understand its value; we used Barracuda email encryption whenever we would (be forced to) send PHI to another doctor's office.

                                      Interesting - I'll agree that it's not my concern about the PHI after it's received, but you can't ensure that all data being sent to other email servers is being sent over TLS short of disabling your server's ability to send except over TLS. And while I agree that the failure rate would be low, it's no lower than the desire from my management to be able to send 500 MB files over email to people. So the failure rate is there, and will be noticed and problematic.

                                      But then also comes the part when the first time someone is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy-to-guess Gmail account - the courts will sadly rule against us, saying that we're the ones with the money so we should be the ones making sure they secure their shit... SIGH

                                      coliverC scottalanmillerS T 4 Replies Last reply Reply Quote 0
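An added example, not from this thread and not Microsoft's own documentation, showing the two Exchange Online controls that map onto the two points raised above: forcing TLS on the wire to a named partner domain (so delivery fails rather than silently falling back to plaintext, the gap Dashrender describes) and applying OME as the separate payload layer that scottalanmiller describes and that the audit asks for. The partner domain, connector names and rule names are placeholders I made up.

```powershell
# Added example (not from the thread). Requires the ExchangeOnlineManagement module
# and an admin sign-in; Connect-ExchangeOnline prompts interactively.
# "partner-clinic.example" and the connector/rule names are placeholders.
Connect-ExchangeOnline

# 1. Transport security. By default Exchange Online uses opportunistic TLS: if the
#    remote MX does not offer STARTTLS the mail goes in clear. A partner connector
#    with TlsSettings makes TLS mandatory for that domain, so the message is queued
#    and eventually NDR'd instead of being sent unencrypted. CertificateValidation
#    also checks the remote certificate; EncryptionOnly would accept any cert.
New-OutboundConnector -Name "Require TLS to partner-clinic.example" `
    -ConnectorType Partner `
    -RecipientDomains "partner-clinic.example" `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation `
    -Enabled $true

# Same requirement expressed as a mail-flow rule, scoped by message content rather
# than by destination domain (this is where the "fails and gets noticed" cases come from).
New-TransportRule -Name "Require TLS for PHI-tagged mail" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "PHI" `
    -RouteMessageOutboundRequireTls $true

# 2. Payload encryption. This is the separate, individually encrypted layer that only
#    the recipient opens, independent of whatever TLS did in transit. Users opt in
#    by putting "Encrypt" in the subject.
New-TransportRule -Name "OME when subject says Encrypt" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "Encrypt" `
    -ApplyOME $true

# Review what was created.
Get-OutboundConnector | Format-Table Name, RecipientDomains, TlsSettings, Enabled
Get-TransportRule | Format-Table Name, State, RouteMessageOutboundRequireTls, ApplyOME
```

Neither control does anything about mail at rest on the recipient's side, which is the third issue scottalanmiller separates out below.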
                                      • coliverC
                                        coliver @Dashrender
                                        last edited by

                                        @Dashrender said in O365 and encrypted mail to other email systems:

                                        But then also comes the part when the first time someone is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy-to-guess Gmail account - the courts will sadly rule against us, saying that we're the ones with the money so we should be the ones making sure they secure their shit... SIGH

                                        Is there precedent for this? I've never heard of this.

                                        DashrenderD 1 Reply Last reply Reply Quote 0
                                        • DashrenderD
                                          Dashrender @coliver
                                          last edited by

                                          @coliver said in O365 and encrypted mail to other email systems:

                                          @Dashrender said in O365 and encrypted mail to other email systems:

                                          But then also comes the part when the first time someone is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy-to-guess Gmail account - the courts will sadly rule against us, saying that we're the ones with the money so we should be the ones making sure they secure their shit... SIGH

                                          Is there precedent for this? I've never heard of this.

                                          No, not yet... I was simply ranting 🙂

                                          1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @TAHIN
                                            last edited by

                                            @TAHIN said in O365 and encrypted mail to other email systems:

                                            @Dashrender see my note above regarding compliance. You can compare it to FAX.
                                            If I send PHI over fax to a fax machine in a remote location, it is the responsibility of the remote party to keep it secure.

                                            See my reply/rant 🙂

                                            1 Reply Last reply Reply Quote 0