Educause Security Discussion mailing list archives
Re: E-mail and Data Privacy Issues around Law School and Professional Clinics
From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Wed, 12 Aug 2009 10:28:08 -0400
This subject has been tossed about around here occasionally. There are a number of vulnerabilities in higher risk content email usage, here's a few: privacy for stored email sitting on an Exchange or IMAP server, privacy during SMTP transmission, and stronger authentication of email eg. using digital signatures. There are products to handle the first two - SecureMail from Voltage comes to mind. I looked at this and liked the concept of providing end-to-end encryption using enterprise authentication systems and not having to manage cert or key deployment for users. Mike Mike Wiseman Information + Technology Services University of Toronto From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gregg, Christopher S. Sent: August-11-09 2:26 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] E-mail and Data Privacy Issues around Law School and Professional Clinics I apologize if this has been covered, but I didn't see anything in the archives. Have any of you run into the issue of trying to provide additional levels of data privacy, or running a separate e-mail service for professional clinics, law schools, or similar entities at your institutions? We're a centralized Exchange shop for the entire university for e-mail and we're being asked about providing separate e-mail for our professional clinics and law school as a means of segregating the data from e-discovery and being able to enforce a different (read that higher) level of data privacy. The concerns stem from issues of faculty and at times law students working as attorney's using university systems for communications and the need to maintain attorney/client privacy. The scenarios we're coming up with are not very attractive, and I am curious to hear if others have already tackled this or opted to address this in other ways (like living with the risk). Our scenarios so far are: 1. Outsource this e-mail another provider - lose control to a degree and cannot retain school domain name 2. Setup a second non-Exchange system (iMail or something like that) - separate system to manage and not hooked into automated account process 3. Run a separate Exchange environment - costly, overkill, and may not even be possible in our architecture (at least with our school domain name) I am also curious if we fall in a unique niche of having a law school and professional clinic, but being small enough that we have a single centralized e-mail and account infrastructure. Thanks in advance for any feedback you're willing to share, Chris Chris Gregg Director of Information Technology Information Resources and Technologies University of St. Thomas 2115 Summit Avenue St. Paul, Minnesota 55105 csgregg () stthomas edu
Current thread:
- Re: E-mail and Data Privacy Issues around Law School and Professional Clinics Plesco, Todd (Aug 11)
- <Possible follow-ups>
- Re: E-mail and Data Privacy Issues around Law School and Professional Clinics Gregg, Christopher S. (Aug 12)
- Re: E-mail and Data Privacy Issues around Law School and Professional Clinics Mike Wiseman (Aug 12)