Dailydave mailing list archives

Re: Purchases


From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Wed, 19 Jul 2006 14:12:01 -0500


Paul,

I thought I would put in a few cents into this conversation to extend
the thread.
Most of the replies in this email have been jotted down when time
permits.

> P2P encryption creates some serious problems for med/large companies,
> enough so as to actually keep companies from
> purchasing or even deploying it widely.  Here's why:
>
> 1. Point-to-point encryption undoes all of the expensive, scalable
> security that companies have deployed in their server rooms.  No more
> ClamAV/Sendmail proxy or NAV on the Exchange server.  No more Postini or
> MXLogic.  No more Ciphertrust or Tumbleweed.  They'd be reduced to
> expensive points of failure.

Hrm. I don't know if I am totally following this. Would SMTP-TLS be
point-to-point encryption if we are looking at originating transmission
points or are we focusing primarily on public/private key
(point-to-point)?

If we are talking about public/private key encryption I don't think the
use of this technology reduces the solutions you noted upon to
'expensive points of failure'. 

> 2. It also prevents compliance monitoring.  HIPAA, GLB, and other laws
> and regulations require that companies take
> measures to prevent disclosure of certain types of information.
> Encrypted e-mail that cannot be monitored by the
> company is a big fiscal and PR (which is again fiscal) risk.

If we are looking only at the HIPAA regulation there is neither an
'addressable item, nor a required item' within the regulation that
requires encrypted email to be monitored nor does it require email to be
monitored. If anything the regulation states something along the lines
of ..(paraphrased) - electronic transmissions that hold electronic
patient information (ephi) should be encrypted if the company has the
ability to do so (please see the difference between required and
addressable items in HIPAA) when they leave the perimeter of your
network. Could unencrypted email transmissions lead to a large financial
impact - yes, but is it required by the spirit of this law in practice?
- no.

Now if you're a large company and you have to conform to SOX you may
need to comply with section 409 (pretty soon) for speedy incident response
to a possible contraband transmission.. (which could lead to a financial
impact IF the information leaked was encrypted, but then how would you
identify the information leaked was the information you are worried
about if it's encrypted if all you're watching is email transmissions)..

Mixing and matching regulations is only suitable for companies that have
strange regulatory or DOJ restrictions placed on them. :P

> 3. It won't stop spam.  In order for P2P email encryption to actually
> stop spam, the end user must know who they will
> communicate with via e-mail.  For many employees this is impossible by
> definition.

? I think the point Dave may have been making was if everyone 1) signed
their email with a PGP signature and 2) the email was encrypted to the
recipient's public key from a known sender's public key, email could be
trusted a bit more since the recipient would be validated by their key.

The end user usually knows who they communicate with via email. This is
why there is an address book. :)
How many times have you received email from an unknown person that you
haven't already met in person?
What if you took 5 - 10 minutes for every new business or email contact
and asked them to send you their public key, then you validated it?
Wouldn't that help validating what email was spam and what email wasn't
spam if you validated the signer of each email message from known
parties?

> If some random person can retrieve your public key and send you a
> message and you can retrieve their public key and
> decrypt their message without any heavy
> lifting, then there's nothing to prevent spam.

I think this is a given in the problem, but if you have an
infrastructure with some of the 'levels of defense' mentioned in point
#1 and you performed content filtering, host based IDS, AV (name the
rest of your host based defense mechanisms), and you validated incoming
email via PGP signatures along with performing inbound/outbound network
content filtering I am willing to bet some of the vectors of attack that
would help someone steal your private key would be fairly limited to a
point where spam was somewhat manageable.

Anyhow, these are just some thoughts and notes,
-Daniel Clemens

