Educause Security Discussion mailing list archives
Re: Email Encryption
From: David C Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Mon, 25 Jul 2011 19:16:01 +0000
Kevin -

Having worked in the financial/insurance industry prior to higher education, I'm in agreement with Dave Curry's assessment. While it appears to be "sound" advice to encrypt everything ("just in case"), not every bit of info requires it AND it can get very expensive in terms of licensing and required resources.

- Dave

Dave Kovarik
Northwestern University
847-467-5930
Beware of Phishing asking you for your PASSWORD

From: David Curry <David.Curry () NEWSCHOOL EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Mon, 25 Jul 2011 15:07:43 -0400
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Email Encryption

That's pretty extreme, even for banks. Encrypted e-mail is a huge hassle from a management perspective:

* How do you get the keys to the recipients? Symmetric keys (shared secret) are unmanageable for all but a handful of users, but do you really want to set up a PKI?
* If you solve the key distribution problem, what about software? All the world is not Windows, and not all Windows users use Outlook, either. What do you do with recipients on Macs, Linux, Gmail, AOL, etc.?
* E-mail is subject to e-Discovery, which means you may have to be able to decrypt it later, even if whoever encrypted it isn't here any more and didn't leave you the key.
* Oh, and you may want to decrypt it in cases of employee misconduct, etc., too.

When I worked in financial services (insurance and broker/dealer), we required e-mail that contained personally identifiable information (HIPAA, GLBA, Social Security numbers, etc.) to be encrypted, but nothing else. And we used a third-party service (ZixCorp is one example) to do it, so that we didn't have to mess with the keys.

I'm sure there's a bank somewhere that encrypts all their e-mail, but I would be surprised if your vendor could name more than one in the Top 20 that do it.

--Dave

--
David A. Curry, CISSP • Director, Information Security
The New School • 55 West 13th St. • New York, NY 10011
Tel: +1 212 229-5300 x4728 • david.curry () newschool edu

Kevin Casey <CaseyK () HUSSON EDU> 7/25/2011 2:52 PM >>>

We've been encouraged by an outside security firm to encrypt every blessed note that passes through our Exchange server. This firm deals largely with entities such as banks, and I'm wondering if this is overkill in the context of higher ed. Any thoughts regarding "best practices" on this?

Thanks,
Kevin

__________________________________________
Kevin Casey
Executive Director
Information Resources
Phone: (207) 941-7123
Fax: (207) 941-7988
caseyk () husson edu
Husson University
www.husson.edu