Educause Security Discussion mailing list archives

Re: Secure File and Email Transfer


From: "Clark, Sean" <Sean.Clark () UCDENVER EDU>
Date: Wed, 12 Nov 2008 10:10:34 -0700

Daniel,

I've been an email guy for a lot longer than I've been a security guy, so I will focus my suggestions on email-centric 
solutions.

Our university is using Ironport for email encryption and spam/virus checking on the mail gateways.  I can't say enough 
good things about the Ironport product: it is at least 10x more efficient at mail handling than our previous systems 
(currently handling ~15 million inbound messages a day on two Ironport appliances) -- and much better at detecting spam 
(blocking over 98% of the inbound traffic with false positives approaching zero).  Those two Ironport appliances 
replaced 14 physical and virtual mail gateways that were running Sendmail and Sophos' Puremessage -- AND two Tumbleweed 
servers that were handling email encryption duties.  I'm a big fan of simplification.  Replacing 16 servers with 2 
servers that actually do a better job of fulfilling their required duties is priceless!  The Ironport email encryption 
is easy to set up and easy for end users to use: internal email users who are sending to addresses outside of our 
affiliate network can trigger the encryption by simply putting a predefined trigger word in the subject line -- and 
Ironport does the rest.

TLS (Transport Layer Security) may also be a good option for gateway-to-gateway email encryption, depending on the 
receiving institution's ability to implement TLS on their end.  We originally set up TLS to ensure a secure connection 
between researchers at our university and a drug company.  After we set up TLS and configured our mail gateways to 
preferentially use TLS for mail transfer (i.e., when the other mail server was TLS-enabled), we found that quite a bit of 
our email traffic to other institutions was being encrypted.  TLS is supported by Sendmail, Postfix, Exchange -- and 
Ironport. ;)

Basic info on TLS:  http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1111138,00.html


Sean Clark
Manager, IT Security/Email/UNIX Systems
UCDenver IT Services
Sean.Clark () UCDenver edu
303-724-0486
**Please note my new email address!**

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel Bennett
Sent: Wednesday, November 12, 2008 6:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Secure File and Email Transfer

Hello All,

I am conducting some research to determine the route that other universities are taking in securing files/emails when 
needed.  I have found three solutions and I am wondering which of them other universities are implementing or if they 
are using other methods.

The three are:

1. Public Key Infrastructure, issuing public/private keys to all employees.  This is time-consuming and requires 
key exchanges.  I find this to require lots of time which translates into money to maintain and support.

2. Third party mediator.  This is where an institution sends a file/email to a third party over a secure channel.  
Then the receiver is told by the third party that a file/email is waiting and they log into a site to download/view 
through a secure https connection.

3. Use secure ftp.  Set up a secure ftp server and give vendors a username and password and they are notified when 
something is waiting for them.

Any insight would be appreciated.

Thank You,

Daniel R. Bennett
Pennsylvania College of Technology
IT Security Analyst
CompTIA Security+
570.329.4989
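
Added example, not part of either message above and not code from any product named in the thread: a sketch of the per-delivery decision behind the "preferentially use TLS" gateway setup described in the reply. A gateway in that mode falls back to cleartext when the remote server does not advertise STARTTLS, so a partner that must always be encrypted needs a stricter rule. The domain names, function names and sample EHLO replies are constructed assumptions.

```python
import re

# Hypothetical policy: one partner that must always be encrypted,
# everyone else is best-effort (opportunistic). Placeholder domain.
MANDATORY_TLS_DOMAINS = {"partner.example"}

# Constructed sample EHLO replies (RFC 5321 multi-line format).
WITH_TLS = "250-mx.partner.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
WITHOUT_TLS = "250-mx.other.example\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"


def ehlo_extensions(reply: str) -> set:
    """Parse a multi-line EHLO reply into the set of extension keywords."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    exts = set()
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([- ])(.*)", line)
        if not m:
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        # "250-" marks a continuation line, "250 " marks the final line.
        is_last = m.group(1) == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        words = m.group(2).split()
        if i > 0 and words:  # line 0 is the server greeting, not an extension
            exts.add(words[0].upper())
    return exts


def delivery_decision(rcpt_domain: str, ehlo_reply: str) -> str:
    """Return 'tls', 'cleartext' or 'defer' for one outbound delivery."""
    if "STARTTLS" in ehlo_extensions(ehlo_reply):
        return "tls"
    if rcpt_domain.lower() in MANDATORY_TLS_DOMAINS:
        # No fallback for the partner that requires encryption: queue and retry.
        return "defer"
    # Opportunistic mode: the message still goes out, unencrypted.
    return "cleartext"


if __name__ == "__main__":
    for domain, reply in [("other.example", WITH_TLS),
                          ("other.example", WITHOUT_TLS),
                          ("partner.example", WITHOUT_TLS)]:
        print(domain, "->", delivery_decision(domain, reply))
```

The sketch covers only whether STARTTLS is offered; it does not validate the remote server's certificate.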

