Re: Secure Email

[Matthew Keller <kellermg () POTSDAM EDU>]

Neal,

First let me apologize. My reply to your original message was on the
heels of a discussion had with a "web developer" who was arguing they
made a "secure web form" because it required a valid campus e-mail
address in the "from" field.

As a more direct, and useful, answer to your question: while we don't
have compliance issues, currently, we have dabbled with a couple
different solutions in this space- Some commercial, some not, including
Entrust's Secure * Solutions as well as RSA's SecurID/Keon/Federated
Identity- Both very interesting products that can go much further than
just e-mail and meet or exceed current and expected regulations.

End-to-end encryption couple with storage-level security, as noted
below, is a great first step, and I believe is an acceptably compliant
solution for all current federal regulations, and the more stringent
State regulations that I am aware of.

On Mon, 2004-10-04 at 13:46, Clonts, Neal D. (HSC) wrote:
> We have compliance issues that we are trying to meet.  Are we looking
> for the technical solution that will resolve all of our security issues
> with e-mail? Probably not...  Some of the applications that we have
> looked at are Sigaba, Zipcorp, Entrust and so on.  Right now we are more
> interested in if anyone is using any type of product for secure email
> not the technical specifications of what truly is secure e-mail.
>
> ---------------------------------------------
> Neal Clonts, CISSP, MCP
> Information Security Services
> University of Oklahoma Health Sciences Center
> Office Phone: 405-271-2476, Option 2
> Cell Phone: 405-255-2999
> Website: http://security.ouhsc.edu
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Keller
> Sent: Monday, October 04, 2004 11:59 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Secure Email
>
> "Secure e-mail" is a neat myth. I'm assuming you mean end-to-end
> encryption via SMTPS for sending and IMAPS/POPS for receiving? Please
> keep in mind that this does nothing for "securing" the mail during
> storage, nor does it "secure" mail from "non-S" clients that use SMTP or
> IMAP/POP, and transfer that allegedly secured e-mail over the wire(s) en
> claire.
>
> If you're referring to another mechanism, feel free to elaborate.
>
> On Mon, 2004-10-04 at 11:59, Clonts, Neal D. (HSC) wrote:
> > Currently we are looking at a secure email solution for our campus.
> > Does anyone currently use a secure email solution in their
> environment?
> > Does your campus environment consist of a health science center?
> >
> > ---------------------------------------------
> > Neal Clonts, CISSP, MCP
> > Information Security Services
> > University of Oklahoma Health Sciences Center
> > Office Phone: 405-271-2476, Option 2
> > Cell Phone: 405-255-2999
> > Website: http://security.ouhsc.edu
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/groups/.
> --
> Matthew Keller
> signat-url: http://mattwork.potsdam.edu/signat-url/
> "No one ever says, 'I can't read that ASCII E-mail you sent me.'"
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/groups/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/groups/.
--
Matthew Keller
signat-url: http://mattwork.potsdam.edu/signat-url/
"No one ever says, 'I can't read that ASCII E-mail you sent me.'"

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.