    O365 and encrypted mail to other email systems

    IT Discussion
    Tags: office365, audit, hipaa, ocr
    169 Posts 9 Posters 78.4k Views
    • DashrenderD
      Dashrender @Mike Davis
      last edited by

      @Mike-Davis said in O365 and encrypted mail to other email systems:

      The thing I don't like about the third party options is we have been telling our users for years not to click or run stuff inside of emails... This forces them to do that to get their message. In that regard it makes the users less secure because now they are a little more click happy.

      Preach it brother!!!!

      1 Reply Last reply Reply Quote 1
      • scottalanmillerS
        scottalanmiller @Mike Davis
        last edited by

        @Mike-Davis said in O365 and encrypted mail to other email systems:

        The thing I don't like about the third party options is we have been telling our users for years not to click or run stuff inside of emails... This forces them to do that to get their message. In that regard it makes the users less secure because now they are a little more click happy.

        That's an excellent point. It makes the users unable to determine what is and is not safe.

        And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

        If you request the data by email, I don't feel that these fulfil that obligation.

        DashrenderD 1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @scottalanmiller
          last edited by

          @scottalanmiller said in O365 and encrypted mail to other email systems:

          And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

          This is something few others than Scott would say.

          scottalanmillerS 2 Replies Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @Dashrender
            last edited by

            @Dashrender said in O365 and encrypted mail to other email systems:

            @scottalanmiller said in O365 and encrypted mail to other email systems:

            And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

            This is something few others than Scott would say.

            And that's why other people get socially engineered into ransomware attacks so easily.

            DashrenderD 1 Reply Last reply Reply Quote 2
            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said in O365 and encrypted mail to other email systems:

              @scottalanmiller said in O365 and encrypted mail to other email systems:

              And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

              This is something few others than Scott would say.

              Imagine if I call you and tell you that a package is in the mail. It would be insane to say that I sent you the info over the phone, right?

              Why do people treat it differently there?

              DashrenderD 1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @scottalanmiller
                last edited by

                @scottalanmiller said in O365 and encrypted mail to other email systems:

                @Dashrender said in O365 and encrypted mail to other email systems:

                @scottalanmiller said in O365 and encrypted mail to other email systems:

                And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

                This is something few others than Scott would say.

                And that's why other people get socially engineered into ransomware attacks so easily.

                You get a +1 and a Thumbs up for that!

                1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @scottalanmiller
                  last edited by

                  @scottalanmiller said in O365 and encrypted mail to other email systems:

                  @Dashrender said in O365 and encrypted mail to other email systems:

                  @scottalanmiller said in O365 and encrypted mail to other email systems:

                  And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

                  This is something few others than Scott would say.

                  Imagine if I call you and tell you that a package is in the mail. It would be insane to say that I sent you the info over the phone, right?

                  Why do people treat it differently there?

                  I don't think that's a good example. If you want to use mail - then I'd say something close would be the note left on your door that the package wasn't left because your porch wasn't a secure location, so we left it at the PO for you to pick up.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • JaredBuschJ
                    JaredBusch @Dashrender
                    last edited by JaredBusch

                    @Dashrender said in O365 and encrypted mail to other email systems:

                    @scottalanmiller said in O365 and encrypted mail to other email systems:

                    @TAHIN said in O365 and encrypted mail to other email systems:

                    @scottalanmiller said in O365 and encrypted mail to other email systems:

                    the user almost certainly does not have a Microsoft account and instead of sending them their data we are forcing them to sign up with a third party vendor who is holding their data until they get them as a customer (even if only as a free one.)

                    Yeah, the fact that it has to be an entire MS account on the part of the recipient would be a dealbreaker for me.

                    Yeah, I don't like that "a third party owns your data" thing. It is the same with Zix and everyone else. I'd find that very distasteful as a customer. It's my data, you have a secure way to send it to me already, why do I have to make an account with a third party to get my own data over a channel that is already secure?

                    Because it's not really secure. The admins of the system of email you use have full access to that data.

                    You are contradicting yourself. You just said a few posts up that Zix does exactly this anyway if the recipient's domain is also a Zix customer. What is on the other end simply does not matter. We all keep telling you that. It only matters that what you send from your server to theirs is encrypted.

                    1 Reply Last reply Reply Quote 0
                    • JaredBuschJ
                      JaredBusch @Kelly
                      last edited by

                      @Kelly said in O365 and encrypted mail to other email systems:

                      @Dashrender Just get hit by a Cryptowall variant. Everything is encrypted at rest then. Problem solved.


                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said in O365 and encrypted mail to other email systems:

                        @scottalanmiller said in O365 and encrypted mail to other email systems:

                        @Dashrender said in O365 and encrypted mail to other email systems:

                        @scottalanmiller said in O365 and encrypted mail to other email systems:

                        And honestly, if you said "well I emailed you the info" I'd say "Um, no, you emailed me an announcement that I could get the info elsewhere, that's not the same."

                        This is something few others than Scott would say.

                        Imagine if I call you and tell you that a package is in the mail. It would be insane to say that I sent you the info over the phone, right?

                        Why do people treat it differently there?

                        I don't think that's a good example. If you want to use mail - then I'd say something close would be the note left on your door that the package wasn't left because your porch wasn't a secure location, so we left it at the PO for you to pick up.

                        No, that's nothing like it. You did NOT try to make a delivery and fail, you refused the agreed upon delivery method, went with a different one and only used the agreed upon one to notify me of the other one and then use terminology to sound like you did what we had agreed on.

                        It is exactly the phone example and nothing like your "you weren't home" example.

                        1 Reply Last reply Reply Quote 0
                        • KellyK
                          Kelly
                          last edited by

                          If this is a consistent and regular communication would setting up S/MIME be an option?

                          scottalanmillerS 1 Reply Last reply Reply Quote 1
                          • scottalanmillerS
                            scottalanmiller @Kelly
                            last edited by

                            @Kelly said in O365 and encrypted mail to other email systems:

                            If this is a consistent and regular communication would setting up S/MIME be an option?

                            That's tantamount to GPG. So I would agree, when you get to that level, that kind of thing makes sense.

                            DashrenderD 1 Reply Last reply Reply Quote 1
                            • DashrenderD
                              Dashrender @scottalanmiller
                              last edited by

                              @scottalanmiller said in O365 and encrypted mail to other email systems:

                              @Kelly said in O365 and encrypted mail to other email systems:

                              If this is a consistent and regular communication would setting up S/MIME be an option?

                              That's tantamount to GPG. So I would agree, when you get to that level, that kind of thing makes sense.

                              How is S/MIME tantamount to GPG?

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @Dashrender said in O365 and encrypted mail to other email systems:

                                @scottalanmiller said in O365 and encrypted mail to other email systems:

                                @Kelly said in O365 and encrypted mail to other email systems:

                                If this is a consistent and regular communication would setting up S/MIME be an option?

                                That's tantamount to GPG. So I would agree, when you get to that level, that kind of thing makes sense.

                                How is S/MIME tantamount to GPG?

                                By being essentially the same thing...

                                https://www.imc.org/smime-pgpmime.html

                                1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender
                                  last edited by

                                  I'm now on the hunt for others who are suggesting, or agreeing that TLS is enough to get the OCR auditors off your back if/when you get one.

                                  I found http://www.hitechanswers.net/7-hipaa-compliant-assumptions-can-trip/

                                  Our email provider offers TLS encryption, so we’re secure in sending email attachments.
                                  TLS encryption is a great tool to help secure emails in transit, but only works if both sides of the email transaction are configured properly. Many consumer email providers aren’t equipped to support TLS encryption for their subscribers. If your email provider is only using opportunistic TLS and the recipient doesn’t support TLS, emails with PHI could be transmitted with no encryption at all. You may want to think twice about sending PHI over email, particularly when other, more secure methods are available.

                                  So this is promising. Disable opportunistic TLS, i.e. require TLS and the problem is solved. I really do wonder how many systems we email that don't support TLS?

                                  Time to look at the logs I guess - but that will have to wait until June - Deploying Win10 now.

                                  1 Reply Last reply Reply Quote 1
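The question above (how many of the systems you mail would fail once opportunistic TLS is turned off) can be answered by probing the recipients' MX hosts before a forced-TLS connector goes live. This is an added example, not code from the thread or from any vendor it links; it assumes you have already resolved the recipients' MX host names with your own DNS tooling, that outbound port 25 is open from where it runs, and the host names in it are placeholders.

```python
import smtplib
import socket
import ssl
from dataclasses import dataclass

SMTP_TIMEOUT = 10  # seconds; assumption, tune for your environment

@dataclass
class TlsProbe:
    host: str
    starttls_advertised: bool
    handshake_ok: bool
    tls_version: str = ""
    error: str = ""

def probe_starttls(host: str, port: int = 25, helo_name: str = "probe.example") -> TlsProbe:
    """Connect to one SMTP host and try a STARTTLS upgrade with certificate
    verification on, which is what a forced-TLS policy requires of the peer."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=SMTP_TIMEOUT) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return TlsProbe(host, False, False, error="STARTTLS not advertised")
            smtp.starttls(context=ctx)
            smtp.ehlo()  # re-issue EHLO on the now-encrypted channel
            return TlsProbe(host, True, True, tls_version=smtp.sock.version() or "")
    except ssl.SSLError as exc:
        return TlsProbe(host, True, False, error=f"TLS handshake failed: {exc}")
    except (smtplib.SMTPException, socket.error) as exc:
        return TlsProbe(host, False, False, error=str(exc))

def forced_tls_ready(probes: list[TlsProbe]) -> bool:
    """A domain is safe behind a forced-TLS connector only if every MX host
    for it completed a verified handshake; one failing host means bounces."""
    return bool(probes) and all(p.handshake_ok for p in probes)

def classify_domains(results: dict[str, list[TlsProbe]]) -> dict[str, list[str]]:
    """Split recipient domains into forced-TLS-ready and still-opportunistic."""
    ready = sorted(d for d, probes in results.items() if forced_tls_ready(probes))
    not_ready = sorted(d for d in results if d not in ready)
    return {"ready": ready, "not_ready": not_ready}

if __name__ == "__main__":
    # Placeholder hosts; replace with the MX hosts of the domains you actually mail.
    targets = {"example.com": ["mx1.example.com", "mx2.example.com"]}
    results = {d: [probe_starttls(h) for h in hosts] for d, hosts in targets.items()}
    for d, probes in results.items():
        for p in probes:
            print(f"{d} {p.host}: ok={p.handshake_ok} {p.tls_version} {p.error}".rstrip())
    print(classify_domains(results))
```

Domains that land in `not_ready` are the ones whose mail would bounce under a require-TLS rule, so they need either a fix on their side or a different delivery method before the switch.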
                                  • DashrenderD
                                    Dashrender
                                    last edited by

                                    Here's a vendor that basically makes its living off TLS-only connections for HIPAA compliant email delivery.

                                    https://luxsci.com/blog/level-ssl-tls-required-hipaa.html

                                    1 Reply Last reply Reply Quote 1
                                    • DashrenderD
                                      Dashrender
                                      last edited by

                                      And I found instructions on how to implement TLS required (aka Forced TLS) on an Exchange server.
                                      http://o365info.com/configuring-the-option-of-force-tls-in-exchange-on-premises-environment-part-4-12-tls/

                                      1 Reply Last reply Reply Quote 1
                                      • DashrenderD
                                        Dashrender
                                        last edited by

                                        Well this is three years old but this guy really doesn't like only using TLS - but he doesn't specifically mention locking your server down to sending TLS only.

                                        http://betanews.com/2013/09/02/5-big-myths-surrounding-computer-security-and-hipaa-compliance/

                                        It's about 1/3rd the way down.

                                        Frankly, I see a lot of things I don't like/agree with in this writeup.

                                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @Dashrender said in O365 and encrypted mail to other email systems:

                                          Well this is three years old but this guy really doesn't like only using TLS - but he doesn't specifically mention locking your server down to sending TLS only.

                                          http://betanews.com/2013/09/02/5-big-myths-surrounding-computer-security-and-hipaa-compliance/

                                          It's about 1/3rd the way down.

                                          Frankly, I see a lot of things I don't like/agree with in this writeup.

                                          He claims that GMail doesn't have TLS. That's definitely not true. His whole theory is based on assuming that no one does TLS, but who doesn't do TLS?

                                          DashrenderD 1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller
                                            last edited by

                                            Overall, I skimmed, but he had a lot of good points and even points to us over on SW. But the TLS bit, and he admits he just researched it and might not know, seems to rest on the theory that no one offers TLS for the end users.

                                            DashrenderD 1 Reply Last reply Reply Quote 0