Educause Security Discussion mailing list archives

Re: Email Security Policies/Practices for Staff


From: Mark Poepping <poepping () CMU EDU>
Date: Sat, 2 Dec 2006 13:15:12 -0500

And regarding PKI technologies, experience, and deployments, I'd highly
recommend the materials and discussions of the EduCause and Internet2 HEPKI
efforts.  A good place to start:
        http://middleware.internet2.edu/hepki-tag/

The PKI implementers workshop on Monday at the I2 member meeting is an
example of the kinds of stuff available.
        
http://events.internet2.edu/2006/fall-mm/sessionDetails.cfm?session=2981&event=258

mark.

-----Original Message-----
From: Curt Wilson [mailto:curtw () SIU EDU]
Sent: Friday, December 01, 2006 5:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Email Security Policies/Practices for Staff

We have made selective use of Mozilla Thunderbird + Enigmail plugin for
GPG with good success. However, for a larger rollout such procedures
have been deemed too complex by some portions of our university
community. The users want something to be simple and easily managed, and
of course it needs to be enterprise ready, scalable and inexpensive too!

Is anyone leveraging PKI for email encryption? The state of Illinois
offers PKI resources that our campus is intending to leverage, first for
electronic signature verification and then later for other security
purposes. Even with the actual technical infrastructure being provided
by an entity such as this, it's my basic understanding that managing a
campus PKI is generally a full-time position, if not more. I'm curious
to hear your experiences with PKI on or off-list.

Thanks.
Curt Wilson
SIUC IT


Mike Wiseman wrote:

Hello,

I'm interested to find out if institutions are implementing
policies/practices/services on using email with sensitive or
confidential content. I'm thinking of staff working in HR,
administration, financial, admissions, network operations, etc. who want
to (or do) use email and need end-to-end security services to
reduce exposure to forgery and information compromise. Services such
as email authentication (digital signing via S/MIME or PGP) and/or
encryption (S/MIME, encrypted archives, key storage).

The issue comes up occasionally and people like me give the usual 'don't
do it - it's not secure' line. I'd like to look at recommending products
and/or providing the services required.

Mike


Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto


--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
