RE: Email Encryption

["Daniel I. Didier" <ddidier () netsecureia com>]

> -----Original Message-----
> From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
> On Behalf Of Preston Kutzner
> Sent: Wednesday, May 14, 2008 12:09 PM
> To: pete.hill () sit-up tv
> Cc: security-basics () securityfocus com
> Subject: Re: Email Encryption
>
> On 14 May 2008 08:08:07 -0000
> pete.hill () sit-up tv wrote:
>
> > Hi there,
> >
> > I am currently running through a PCI program at my company and am
> looking for recommendations on an email encryption tool.
> > We currently use a licensed version of Winzip, but I have heard that
> this may not be up to job as far as passing a PCI DSS audit is
concerned.
> > Is Winzip good enough?  and if not, what should we be using to get a
> pass on this?
> > Many thanks
> > Pete
> More information would be handy to help give a reasonable answer.
What
> OS are you using?  What MUA are you using?  What are you trying to
> encrypt in your email?  If you're using WinZip currently, I would
> assume you're just looking to encrypt the attachment.  Are you also
> looking to be able to encrypt (and sign) the entire email message?  Is
> compression necessary for your application?
>
> As far as email encryption is concerned, typical methods for this
> application usually consist of either SSL certificates or PGP/GPG
> encryption.

Pete,
You may also want to look into a centralized secure email gateway.  They
typically work as an add-on, or in conjunction with your existing MUA.
They work by intercepting email messages based on any number of criteria
and then simply send a notification to the recipient that a secure email
is waiting for them.  The recipient then follows a link in the email and
connects to the secure web front-end to retrieve the message.  Solutions
exist from organizations such as tumbleweed, rsa, pgp and others.  I
hope this helps.

Dan Didier
www.NetSecureIA.com