Educause Security Discussion mailing list archives

Re: Email Encryption


From: David C Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Mon, 25 Jul 2011 19:16:01 +0000

Kevin -
Having worked in the financial/insurance industry prior to higher education, I'm in agreement with Dave Curry's assessment. While it appears to be "sound" advice to encrypt everything ("just in case"), not every bit of info requires it AND it can get very expensive in terms of licensing and required resources.
- Dave
Dave Kovarik
Northwestern University
847-467-5930

Beware of Phishing asking you for your PASSWORD


From: David Curry <David.Curry () NEWSCHOOL EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Mon, 25 Jul 2011 15:07:43 -0400
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Email Encryption

That's pretty extreme, even for banks. Encrypted e-mail is a huge hassle from a management perspective:

  * How do you get the keys to the recipients? Symmetric keys (shared secrets) are unmanageable for all but a handful of users, but do you really want to set up a PKI?
  * If you solve the key distribution problem, what about software? All the world is not Windows, and not all Windows users use Outlook, either. What do you do with recipients on Macs, Linux, Gmail, AOL, etc.?
  * E-mail is subject to e-Discovery, which means you may have to be able to decrypt it later, even if whoever encrypted it isn't here any more and didn't leave you the key.
  * Oh, and you may want to decrypt it in cases of employee misconduct, etc., too.

When I worked in financial services (insurance and broker/dealer), we required e-mail that contained personally identifiable information (HIPAA, GLBA, Social Security numbers, etc.) to be encrypted, but nothing else. And we used a third-party service (ZixCorp is one example) to do it, so that we didn't have to mess with the keys.

I'm sure there's a bank somewhere that encrypts all their e-mail, but I would be surprised if your vendor could name more than one in the Top 20 that do it.

--Dave

--
David A. Curry, CISSP • Director, Information Security
The New School • 55 West 13th St. • New York, NY 10011
Tel: +1 212 229-5300 x4728 • david.curry () newschool edu

Kevin Casey <CaseyK () HUSSON EDU> 7/25/2011 2:52 PM >>>
We've been encouraged by an outside security firm to encrypt every blessed note that passes through our Exchange server. This firm deals largely with entities such as banks, and I'm wondering if this is overkill in the context of higher ed.

Any thoughts regarding "best practices" on this?

Thanks,

Kevin

__________________________________________
Kevin Casey
Executive Director
Information Resources
Phone:  (207) 941-7123
Fax:  (207) 941-7988
caseyk () husson edu




Husson University

www.husson.edu
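The selective policy Dave Curry describes above (encrypt only mail that carries identifiers such as Social Security numbers, and leave the actual encryption and key handling to a gateway service), written out as an added example that is not part of any message in this thread. It assumes a Python hook that a mail gateway calls on each outbound message; the message texts, the `needs_encryption` name and the SSN plausibility rules applied are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Candidate SSN: AAA-GG-SSSS with one consistent separator ("-", " " or none),
# not embedded in a longer digit run (so 10-digit phone numbers do not match).
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def contains_ssn(text: str) -> bool:
    """True if any SSN-shaped token in the text passes the plausibility filter."""
    return any(plausible_ssn(m.group(1), m.group(3), m.group(4))
               for m in SSN_RE.finditer(text))

def needs_encryption(msg: EmailMessage) -> bool:
    """Selective policy: encrypt only when the subject or text body carries an SSN.
    The gateway service, not this hook, performs the encryption and holds the keys."""
    texts = [msg.get("Subject", "")]
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        texts.append(body.get_content())
    return any(contains_ssn(t) for t in texts)

def make_message(subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

# Constructed sample traffic (hypothetical people and numbers, not real data).
SAMPLES = [
    make_message("Room change for Thursday", "Seminar moved to the library annex."),
    make_message("Re: benefits enrollment", "My SSN is 123-45-6789, please update my record."),
    make_message("Order shipped", "Tracking reference 000-12-3456 was sent today."),
    make_message("Call me back", "Office phone: 207-555-0142, ext. 12."),
]

def flagged_subjects(messages=SAMPLES) -> list[str]:
    """Subjects the selective policy would route to the encryption gateway."""
    return [m["Subject"] for m in messages if needs_encryption(m)]

if __name__ == "__main__":
    print(f"{len(flagged_subjects())} of {len(SAMPLES)} messages need encryption:",
          flagged_subjects())
```

An "encrypt everything" policy would route all four messages; the selective policy routes only the one that actually contains an SSN, while the tracking reference and the phone number fall through untouched.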



