Educause Security Discussion mailing list archives
Re: Zip encryption
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 14 Jun 2010 18:04:51 -0400
On Mon, 14 Jun 2010 17:00:29 EDT, Clifford Collins said:
So, how do you prevent data leakage if you allow uninspectable, sensitive content to be sent off campus via e-mail? Currently, our inbound and outbound mail filters block encrypted attachments. It's painful for some but necessary until we can find a suitable solution. It is certainly not perfect. Your thoughts?
My thoughts? Turn it around 180 degrees - if your outbound mail filter *was* able to introspect the encrypted data (or you prohibit the sending of encrypted data), you'd probably *still* have a problem, just in the opposite direction (you'd no longer be able to claim that any data you were transmitting was in fact secured against snooping). Remember - those users are probably sending an encrypted zip file for a good reason.

You can somewhat finesse this by using a site-wide PKI and give the mail scanner access to the appropriate encryption keys, except for two ugly issues:

1) A mail scanner is a terrible place to have both single point of failure and access to a lot of keys, especially when you don't control what people are throwing at it (is there a mail scanner solution that *hasn't* had a security issue in the last 2-3 years?)

2) If you're doing this on an outbound mail scanner, you just bought all the PKI headaches of having to deal with external keys issued by some other CA. Yee-hah.

Bottom line - in general, you *can't* both ensure there's no data leakage in mail going to external sites, *and* ensure that the data is secured against snooping. At some point, you'll have to decide which is the more important given your organization's threat model (and it will quite likely end up different for different business units within the organization).
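An added illustration, not part of the thread: how a mail filter of the kind Clifford describes can recognise an "encrypted attachment" by reading the ZIP central directory (flag bit 0, or WinZip AES method 99) instead of trusting the file name or extension. The sample archives are constructed in the code; the helper that flips the flag bit only mimics an encrypted entry for testing, and ZIP64 records are assumed out of scope.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CDIR_SIG = b"PK\x01\x02"   # central directory file header signature


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry in the archive is marked encrypted.

    Walks the central directory: general-purpose flag bit 0 marks
    ZipCrypto/AES-encrypted entries, compression method 99 is WinZip AES.
    Assumption: no ZIP64 end record (plain attachments only).
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # EOCD layout: +10 total entries (2), +12 CD size (4), +16 CD offset (4)
    n_entries, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_off
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        # header: +8 flags (2), +10 method (2), +28 name/extra/comment lengths
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        if flags & 0x0001 or method == 99:
            return True
        pos += 46 + name_len + extra_len + comment_len
    return False


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed test fixture: a one-entry stored archive. With
    encrypted=True the central-directory flag bit 0 is switched on to
    mimic a ZipCrypto entry; the payload itself is not really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("grades.csv", b"constructed sample, not real data\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        cd = data.find(CDIR_SIG)          # stored text cannot contain the signature
        flags = struct.unpack_from("<H", data, cd + 8)[0]
        struct.pack_into("<H", data, cd + 8, flags | 0x0001)
    return bytes(data)
```

A filter would call `zip_has_encrypted_entries()` on each ZIP attachment and apply whatever policy the threat-model decision in the reply above leads to (block, quarantine for review, or allow and log).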