
    O365 and encrypted mail to other email systems

    office365audithipaaocr
    169 Posts 9 Posters 78.5k Views
    • Dashrender @scottalanmiller

      @scottalanmiller said in O365 and encrypted mail to other email systems:

      @Dashrender said in O365 and encrypted mail to other email systems:

      @scottalanmiller said in O365 and encrypted mail to other email systems:

      @Dashrender said in O365 and encrypted mail to other email systems:

      I'm getting confused Scott - Data at rest isn't currently a requirement to be encrypted, but damn, when the next rounds of legislation come, I'm sure it will be.

      It literally cannot be. If they did that, every medical practice would just back up and be done. You can't control data at rest for transferred data, ever. Period, it's actually a crime to try to do that as you'd have to hack their systems.

      Data at rest on my side, of course I can't force their side.

      You don't need this for that. You encrypt at rest using disk encryption, not payload encryption. You are getting less security for more work. Disk encryption would protect even the email addresses and transaction history.

      No matter what your security goal is, these weird half assed account encryption things don't solve it.

      Agreed, I wouldn't use this for encryption on my side, never said I would though either.

      • scottalanmiller @Dashrender

        @Dashrender said in O365 and encrypted mail to other email systems:

        I know in the case of encrypted files under a single user in Windows, if you reset the password, all files encrypted under the old one will no longer unencrypt. They are lost. Only through a proper normal password change can the user change their password and not lose access to the encrypted files.

        Zix, etc. could do the same. Fine, unlock the account for future messages, but not past ones.

        So your better hope is that an admin could delete ALL of your data without your permission. Yeah, that sounds like a great idea.

        Forget your email password, all of your data is scrapped automatically. Total fail. This isn't the CIA, we don't want to burn our data like that.

        • scottalanmiller @TAHIN

          @TAHIN said in O365 and encrypted mail to other email systems:

          @Dashrender said in O365 and encrypted mail to other email systems:

          @TAHIN , so - you guys are using a Barracuda appliance - why? According to Scott's and your arguments, it's completely unnecessary.

          I did at my last job in the medical sector, but not any more. This is where Scott and my philosophies may differ a little bit. Even though we weren't required to maintain security on the other end, we did fall into the 'best effort' mindset. If we were sending stuff to a lawyer or doctor's office that we didn't have a close relationship with, we did what we could to guarantee security knowing that their email system may have flaws, especially if we had the means. Would we have done it if it weren't a free feature from our anti-spam provider? Probably not.

          My philosophy is different in that I feel that the additional effort is a huge negative and causes people to do really insecure things or just give up and may often give a false sense of security, like to the auditor in question here.

          If I needed to secure to the recipient for sure, GPG every time.

          • Dashrender @scottalanmiller

            @scottalanmiller said in O365 and encrypted mail to other email systems:

            @Dashrender said in O365 and encrypted mail to other email systems:

            You're assuming that Zix, MS and Barracuda solutions allow you to reset them.

            It's account based. And MS at least allows account resets.

            What is account based? The encryption? So what? The account could have a key inside it that is lost if there is a forced reset by admins - Damn I'll have to dig up the dialog boxes that say this. Just because you can reset the password does not mean you have access to the past stuff, only future stuff.

            • scottalanmiller @Dashrender

              @Dashrender said in O365 and encrypted mail to other email systems:

              @scottalanmiller said in O365 and encrypted mail to other email systems:

              @Dashrender said in O365 and encrypted mail to other email systems:

              You're assuming that Zix, MS and Barracuda solutions allow you to reset them.

              It's account based. And MS at least allows account resets.

              What is account based? The encryption? So what? The account could have a key inside it that is lost if there is a forced reset by admins - Damn I'll have to dig up the dialog boxes that say this. Just because you can reset the password does not mean you have access to the past stuff, only future stuff.

              True, but that brings up my other disaster comment. Need a standard reset that people do all of the time and suddenly your data is getting scrapped. That's a really bad process. I know why they need to do it to be really secure, but boy is that bad.

              • Dashrender @scottalanmiller

                @scottalanmiller said in O365 and encrypted mail to other email systems:

                @Dashrender said in O365 and encrypted mail to other email systems:

                @scottalanmiller said in O365 and encrypted mail to other email systems:

                @Dashrender said in O365 and encrypted mail to other email systems:

                You're assuming that Zix, MS and Barracuda solutions allow you to reset them.

                It's account based. And MS at least allows account resets.

                What is account based? The encryption? So what? The account could have a key inside it that is lost if there is a forced reset by admins - Damn I'll have to dig up the dialog boxes that say this. Just because you can reset the password does not mean you have access to the past stuff, only future stuff.

                True, but that brings up my other disaster comment. Need a standard reset that people do all of the time and suddenly your data is getting scrapped. That's a really bad process. I know why they need to do it to be really secure, but boy is that bad.

                You definitely have a point here, but it does remove the counter point you made earlier.

                • Mike Davis

                  The thing I don't like about the third party options is we have been telling our users for years not to click or run stuff inside of emails... This forces them to do that to get their message. In that regard it makes the users less secure because now they are a little more click happy.

                  • Dashrender @Mike Davis

                    @Mike-Davis said in O365 and encrypted mail to other email systems:

                    The thing I don't like about the third party options is we have been telling our users for years not to click or run stuff inside of emails... This forces them to do that to get their message. In that regard it makes the users less secure because now they are a little more click happy.

                    Preach it brother!!!!

                    • scottalanmiller @Mike Davis

                      @Mike-Davis said in O365 and encrypted mail to other email systems:

                      The thing I don't like about the third party options is we have been telling our users for years not to click or run stuff inside of emails... This forces them to do that to get their message. In that regard it makes the users less secure because now they are a little more click happy.

                      That's an excellent point. It makes the users unable to determine what is and is not safe.

                      And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

                      If you request the data by email, I don't feel that these fulfil that obligation.

                      • Dashrender @scottalanmiller

                        @scottalanmiller said in O365 and encrypted mail to other email systems:

                        And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

                        This is something few others than Scott would say.

                        • scottalanmiller @Dashrender

                          @Dashrender said in O365 and encrypted mail to other email systems:

                          @scottalanmiller said in O365 and encrypted mail to other email systems:

                          And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

                          This is something few others than Scott would say.

                          And that's why other people get socially engineered into ransomware attacks so easily.

                          • scottalanmiller @Dashrender

                            @Dashrender said in O365 and encrypted mail to other email systems:

                            @scottalanmiller said in O365 and encrypted mail to other email systems:

                            And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

                            This is something few others than Scott would say.

                            Imagine if I call you and tell you that a package is in the mail. It would be insane to say that I sent you the info over the phone, right?

                            Why do people treat it differently there?

                            • Dashrender @scottalanmiller

                              @scottalanmiller said in O365 and encrypted mail to other email systems:

                              @Dashrender said in O365 and encrypted mail to other email systems:

                              @scottalanmiller said in O365 and encrypted mail to other email systems:

                              And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

                              This is something few others than Scott would say.

                              And that's why other people get socially engineered into ransomware attacks so easily.

                              You get a +1 and a Thumbs up for that!

                              • Dashrender @scottalanmiller

                                @scottalanmiller said in O365 and encrypted mail to other email systems:

                                @Dashrender said in O365 and encrypted mail to other email systems:

                                @scottalanmiller said in O365 and encrypted mail to other email systems:

                                And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

                                This is something few others than Scott would say.

                                Imagine if I call you and tell you that a package is in the mail. It would be insane to say that I sent you the info over the phone, right?

                                Why do people treat it differently there?

                                I don't think that's a good example. If you want to use mail - then I'd say something close would be the note left on your door that the package wasn't left because your porch wasn't a secure location, so we left it at the PO for you to pick up.

                                • JaredBusch @Dashrender

                                  @Dashrender said in O365 and encrypted mail to other email systems:

                                  @scottalanmiller said in O365 and encrypted mail to other email systems:

                                  @TAHIN said in O365 and encrypted mail to other email systems:

                                  @scottalanmiller said in O365 and encrypted mail to other email systems:

                                  … the user almost certainly does not have a Microsoft account and instead of sending them their data we are forcing them to sign up with a third party vendor who is holding their data until they get them as a customer (even if only as a free one).

                                  Yeah, the fact that it has to be an entire MS account on the part of the recipient would be a dealbreaker for me.

                                  Yeah, I don't like that "a third party owns your data" thing. It is the same with Zix and everyone else. I'd find that very distasteful as a customer. It's my data, you have a secure way to send it to me already, why do I have to make an account with a third party to get my own data over a channel that is already secure?

                                  Because it's not really secure. The admins of the system of email you use have full access to that data.

                                  You are contradicting yourself. You just said a few posts up that Zix does exactly this anyway if the recipient's domain is also a Zix customer. What is on the other end simply does not matter. We all keep telling you that. It only matters that what you send from your server to theirs is encrypted.

                                  • JaredBusch @Kelly

                                    @Kelly said in O365 and encrypted mail to other email systems:

                                    @Dashrender Just get hit by a Cryptowall variant. Everything is encrypted at rest then. Problem solved.


                                    • scottalanmiller @Dashrender

                                      @Dashrender said in O365 and encrypted mail to other email systems:

                                      @scottalanmiller said in O365 and encrypted mail to other email systems:

                                      @Dashrender said in O365 and encrypted mail to other email systems:

                                      @scottalanmiller said in O365 and encrypted mail to other email systems:

                                      And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

                                      This is something few others than Scott would say.

                                      Imagine if I call you and tell you that a package is in the mail. It would be insane to say that I sent you the info over the phone, right?

                                      Why do people treat it differently there?

                                      I don't think that's a good example. If you want to use mail - then I'd say something close would be the note left on your door that the package wasn't left because your porch wasn't a secure location, so we left it at the PO for you to pick up.

                                      No, that's nothing like it. You did NOT try to make a delivery and fail, you refused the agreed upon delivery method, went with a different one and only used the agreed upon one to notify me of the other one and then use terminology to sound like you did what we had agreed on.

                                      It is exactly the phone example and nothing like your "you weren't home" example.

                                      • Kelly

                                        If this is a consistent and regular communication would setting up S/MIME be an option?

                                        • scottalanmiller @Kelly

                                          @Kelly said in O365 and encrypted mail to other email systems:

                                          If this is a consistent and regular communication would setting up S/MIME be an option?

                                          That's tantamount to GPG. So I would agree, when you get to that level, that kind of thing makes sense.

                                          • Dashrender @scottalanmiller

                                            @scottalanmiller said in O365 and encrypted mail to other email systems:

                                            @Kelly said in O365 and encrypted mail to other email systems:

                                            If this is a consistent and regular communication would setting up S/MIME be an option?

                                            That's tantamount to GPG. So I would agree, when you get to that level, that kind of thing makes sense.

                                            How is S/MIME tantamount to GPG?
