Security Basics mailing list archives
RE: Email Encryption Between Servers
From: "dave" <dave () netmedic net>
Date: Fri, 4 Apr 2003 20:04:01 -0500
A simple solution would be to utilize a system like Securit-e-Doc.

http://www.securit-e-doc.com/
http://www.securit-e-doc.com/pdf/securit_e_doc_tm_white_paper.pdf

It allows you to have a secure File and Messaging system. Instead of you sending out these e-mails or files/documents, you simply post them on the server and an e-mail alert goes out to the recipients, they log in and read the message or download the files. It is all done through SSL and the files/messages are encrypted using standard methods (i.e. Blowfish etc...) both during transport and while stored on the server. The system is FIPS-140 compliant and GSA approved so it will meet all the HIPAA requirements.

http://www.securit-e-doc.com/pdf/securit-e-doc_press_release_110102.pdf

Just my $.02

_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Thursday, April 03, 2003 12:37
To: security-basics () securityfocus com
Subject: RE: Email Encryption Between Servers

There are some interesting ideas and solutions depending upon your specific situation. I really like some of the ideas that are being presented. Each one has pros and cons and needs to be evaluated based on your environment and your need.

VPN is all well and good for your major business partners providing you take certain precautions and mitigate risks and admin overhead. Each environment and company is different but I don't think I would want too many VPN connections. Overhead could become cumbersome depending of course on a number of factors.

Remember - each company is different and there are risks associated with each solution. Also, it's not just confidentiality you have to worry about, there's integrity and authentication you have to think about too. So, if the e-mail is decrypted at the other gateway, how can you ensure that no one else has read it and that only the intended recipient has received it?
Also, can I send a secure e-mail to ANYONE or just selected people? Here are some scenarios to think about when you are evaluating your solutions.

Scenario 1: You are a healthcare company and you need to send PHI, in an e-mail for argument's sake, to a business company (hospital in this case). How would you do it? VPN connection? Secure E-mail, PGP, secure web server, secure compatible hardware? What kind of overhead and support for them and us will I need? Who is exchanging keys? Is everything encrypted? Only stuff with PHI?

Scenario 2: Same as 1 but now you are just transferring a list of all your members and their coverage? VPN? Dial up? Secure FTP? Secure web server? Is there a difference for e-mail versus non-e-mail? What about e-mail with a file attached that has a client list?

Scenario 3: You are a healthcare company and you need to send PHI to a number of your members/patients. They don't have VPN and don't have the slightest clue how to set one up nor would most want to. How do you send them encrypted e-mail? PGP? Perhaps. But who is going to support PGP for those people? Who is going to buy it for them and/or install it? Remember a lot of people who need to receive these e-mails are not technically savvy and key exchange between 100's, 1000's and 1,000,000's of users can be a monumental task. Think about e-mailing them their Claims Statements and the potential # of users you may have to deal with. Great ROI can be achieved but it has to be secure. Your members may only have to deal with 2 or 3 entities who want to send them secure e-mail.

Scenario 4: Same as above but now you are contacting your member doctors. Are the doctors going to have separate keys for each provider, doctor, hospital, pharmacy, insurance company they deal with? Are you going to require them to install software on their PCs? Who will install and support this? Are you going to show their admin/nurses how to manage the keys? What if they forget their passphrase?
Will I, as the provider, be able to manage all of THEIR keys myself since potentially I may have well over a million keys to deal with? Will my users be able to or will I have to train them on multiple packages myself since they will be receiving encrypted e-mail from external entities as well?

Scenario 5: I'm a doctor. I provide healthcare to my patients. Here is my dilemma: I deal with 5 insurance companies all with different solutions. I deal with hospitals, pharmacies, etc. who also have different solutions. VPN, desktop e-mail encryption, enterprise e-mail encryption. How am I going to manage key exchange (if their solution requires it), staff training, software installations, etc.? Can they really impose their solution on me and my business processes? My staff is not trained for this type of thing. What is encryption and keys? Who do I call to get a key? Where is it stored? What if I can't get it to work? Who will support me? What if I lose the key? Do I have to have a key for each of my employees?

I'm not trying to endorse any solution, any product or any vendor, just trying to get a dialog going on solutions for other than major business partners. These are some of the things my company has thought about during our solutions. Multiple solutions may also be necessary. These are issues that we all need to think about.

DISCLAIMER: This is not necessarily the opinion of my company, blah blah blah

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office: 212-806-4125
Pager: 8884238615

In the ports there is pgpsendmail. Haven't tried it yet, but what that will do for you is automagically PGP encrypt and decrypt email for anyone that you have their public key in your keyring. That way the users do not have to worry about it. Also, look into sendmail's TLS, that might help also. I was looking at pgpsendmail for the same reason, HIPAA, but didn't want to have to retrain the whole staff. Please let me know what you find that works for you.
We are attempting to set up secure e-mail with our partner companies to comply with the upcoming HIPAA requirements. I would like to find a way to encrypt all e-mail going between our mail server and our partners. We are using Exchange. Some of our partners are also using Exchange and some are using other SMTP servers.

Is there a way to automatically force all e-mail between our two e-mail servers (either Exchange to Exchange or Exchange to SMTP) to be encrypted then decrypted on arrival with no end user intervention? If there are, what effect, if any, will these encryption methods have on our overall network security?
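
Added example (not part of the original thread and not any poster's configuration): the thread asks how to force encryption between mail servers and points to sendmail's TLS, and the Python below shows the sender-side decision that separates forced TLS from opportunistic TLS for partner domains. The partner domain names, the REQUIRE_TLS policy set and the EHLO replies are constructed for illustration.

```python
# Sender-side "mandatory TLS" decision for partner domains (added example).
# Domains, policy and EHLO replies below are constructed samples.

# Assumed policy: mail to these partners must never leave in cleartext.
REQUIRE_TLS = {"partner-hospital.example", "partner-lab.example"}

# Constructed EHLO replies: one peer advertises STARTTLS, one does not.
WITH_TLS = ("250-mail.partner-hospital.example Hello\r\n"
            "250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
WITHOUT_TLS = ("250-mail.partner-lab.example Hello\r\n"
               "250-SIZE 10240000\r\n250 8BITMIME\r\n")


def parse_ehlo(reply):
    """Return the set of ESMTP keywords from a multi-line 250 EHLO reply."""
    keywords = set()
    lines = reply.strip().splitlines()
    for line in lines[1:]:  # the first line is the greeting, not a keyword
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("unexpected EHLO line: %r" % line)
        fields = line[4:].split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords


def delivery_decision(rcpt_domain, ehlo_reply):
    """Decide what the gateway does before any message data is sent.

    Returns "starttls", "defer" or "cleartext".
    """
    offers_tls = "STARTTLS" in parse_ehlo(ehlo_reply)
    if offers_tls:
        # Upgrade the session; certificate checks happen after this step
        # and are not modelled here.
        return "starttls"
    if rcpt_domain.lower() in REQUIRE_TLS:
        # A missing STARTTLS keyword can mean a misconfigured peer or a
        # device on the path removing it. Opportunistic TLS would send
        # cleartext here; a forced-TLS policy queues the mail and alerts.
        return "defer"
    return "cleartext"


if __name__ == "__main__":
    for domain, reply in [("partner-hospital.example", WITH_TLS),
                          ("partner-lab.example", WITHOUT_TLS),
                          ("other.example", WITHOUT_TLS)]:
        print(domain, "->", delivery_decision(domain, reply))
```

This covers only the server-to-server hop: as raised earlier in the thread, the message is decrypted at the receiving gateway, so it does not address who can read it after arrival.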