Educause Security Discussion mailing list archives

Re: Email Encryption

From: David Curry <David.Curry () NEWSCHOOL EDU>
Date: Mon, 25 Jul 2011 15:07:43 -0400

That's pretty extreme, even for banks. Encrypted e-mail is a huge hassle
from a management perspective:
How do you get the keys to the recipients? Symmetric keys (shared
secret) is unmanageable for all but a handful of users, but do you
really want to set up a PKI?
If you solve the key distribution problem, what about software? All the
world is not Windows, and not all Windows users use Outlook, either.
What do you do with recipients on Macs, Linux, Gmail, AOL, etc.?
E-mail is subject to e-Discovery, which means you may have to be able
to decrypt it later, even if whoever encrypted it isn't here any more
and didn't leave you the key.
Oh, and you may want to decrypt it in cases of employee misconduct,
etc., too.
When I worked in financial services (insurance and broker/dealer), we
required e-mail that contained personally identifiable information
(HIPAA, GLBA, Social Security numbers, etc.) to be encrypted, but
nothing else. And we used a third-party service (ZixCorp is one example)
to do it, so that we didn't have to mess with the keys.
 
I'm sure there's a bank somewhere that encrypts all their e-mail, but I
would be surprised if your vendor could name more than one in the Top 20
that do it.
 
--Dave
 

--
David A. Curry, CISSP • Director, Information Security
The New School • 55 West 13th St. • New York, NY 10011
Tel: +1 212 229-5300 x4728 • david.curry () newschool edu

Kevin Casey <CaseyK () HUSSON EDU> 7/25/2011 2:52 PM >>>


We've been encouraged by an outside security firm to encrypt every
blessed note that passes through our Exchange server.  This firm deals
largely with entities such as banks, and I'm wondering if this is
over-kill in the context of higher ed.
 
Any thoughts regarding "best practices" on this?
 
Thanks,
 
Kevin
 

__________________________________________
Kevin Casey 
Executive Director
Information Resources

Phone:  (207) 941-7123

Fax:  (207) 941-7988

caseyk () husson edu

 

 Husson University

 www.husson.edu ( http://www.husson.edu/ )

Current thread:

Email Encryption Kevin Casey (Jul 25)
- Re: Email Encryption David Curry (Jul 25)
  - Re: Email Encryption David C Kovarik (Jul 25)
- Re: Email Encryption McClenon, Braden (Jul 25)
- Re: Email Encryption Russ Leathe (Jul 25)
- Re: Email Encryption Matthew Gracie (Jul 25)
- Re: Email Encryption Lang, Matthew (Jul 25)
  - Re: Email Encryption Valdis Kletnieks (Jul 25)
    - Re: Email Encryption Tim Doty (Jul 25)
- Re: Email Encryption Jones, Dan (Jul 25)
  - Re: Email Encryption Richard Applebee (Jul 25)
- Re: Email Encryption SCHALIP, MICHAEL (Jul 25)

(Thread continues...)