ML
    • Register
    • Login
    • Search
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups

    encrypted email options?

    IT Discussion
    email encryption o365 m365
    10
    63
    513
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Dashrender
      Dashrender last edited by Dashrender

      Well - it finally happened - enough requests to send emails containing sensitive data have flowed through management to make it at least worth looking at implementing a secure email solution.

      First things first - We are migrating to O365 at some point in the sorta near future.

      With that in mind - what options for secure email do you all like?

      O365 has three options built in:
      OME - this works like most other secure email solutions out in the market today (I'm looking at you Zix), email contents are sent to a webportal, an email is sent to the recipient with a link to the webportal, they create a logon to the webport for now and future use of message retrieval.
      IRM - Using Azure Rights Management, these secure messages can prevent the message from being printed/forwarded, etc.
      S/IME - This requires both sides to setup PKI and share keys (typically only used when gov't is involved)

      There is a technical 4th option - TLS, but O365 does this by default on all email sent, assuming the receiving side supports it. We'll ignore this option primarily because forcing this as an exclusive connection method does not provide error of failure for a minimum of 4 hours, if not more like 2 days. At last check, this was not changeable.

      Other options:

      Zix - third party handles outbound messages and works like OME above

      Here's a quick list I found on google
      https://www.expertinsights.com/insights/the-top-email-encryption-platforms/

      So - what is the community's thoughts on these or other options?

      Pete.S Obsolesce JaredBusch scottalanmiller 5 Replies Last reply Reply Quote 0
      • Pete.S
        Pete.S @Dashrender last edited by Pete.S

        Of the options you listed, S/MIME is the only one that is standard. Meaning you can send secure mails to others as well.

        scottalanmiller 1 Reply Last reply Reply Quote 1
        • Obsolesce
          Obsolesce @Dashrender last edited by Obsolesce

          @Dashrender said in encrypted email options?:

          S/MIME - This requires both sides to setup PKI and share keys (typically only used when gov't is involved)

          This is the solution I successfully implemented in a hybrid AD / AAD & O365 + Outlook environment, for exactly the same reason... all employee to employee emails required to be signed and any emails containing sensitive data to be encrypted on-demand.

          This was when and why I set up the 2-tier PKI globally, with option to obtain certs via the web for guests so they could also send/receive encrypted emails.

          1 Reply Last reply Reply Quote 0
          • Dashrender
            Dashrender last edited by

            The use of secure email is primarily with outside persons and companies. No home user (patient) is ever going to setup PKI to get an email from us.

            I only listed it because I figured someone would blast me for not listing it. It's a complete non starter in our case. It's also why I specifically mentioned the typically used with gov'ts.

            Obsolesce 1 Reply Last reply Reply Quote 0
            • Obsolesce
              Obsolesce @Dashrender last edited by

              @Dashrender said in encrypted email options?:

              The use of secure email is primarily with outside persons and companies. No home user (patient) is ever going to setup PKI to get an email from us.

              I only listed it because I figured someone would blast me for not listing it. It's a complete non starter in our case. It's also why I specifically mentioned the typically used with gov'ts.

              Oh yeah that's a totally different case. You're only real option then if dealing with patients and all that is the one built into O365, that takes you to a portal to decrypt it.

              Dashrender JaredBusch 2 Replies Last reply Reply Quote 0
              • Dashrender
                Dashrender @Obsolesce last edited by

                @Obsolesce said in encrypted email options?:

                @Dashrender said in encrypted email options?:

                The use of secure email is primarily with outside persons and companies. No home user (patient) is ever going to setup PKI to get an email from us.

                I only listed it because I figured someone would blast me for not listing it. It's a complete non starter in our case. It's also why I specifically mentioned the typically used with gov'ts.

                Oh yeah that's a totally different case. You're only real option then if dealing with patients and all that is the one built into O365, that takes you to a portal to decrypt it.

                Right - this is what we see 90% of the time. Lately though, one of our hospitals have changed to a different secure email provider - and in this case, they no longer bother with the portal as long as TLS works. This provides the simplest solution for home/patient users.
                Scott and I have discussed this, and believe that it fits the requirements of HIPAA as well.

                Thoughts?

                Obsolesce 1 Reply Last reply Reply Quote 2
                • JaredBusch
                  JaredBusch @Obsolesce last edited by

                  @Obsolesce said in encrypted email options?:

                  that takes you to a portal to decrypt it.

                  No it does not. It makes you log in before showing you the data within a webpage. There is never anything sent encrypted.

                  Obsolesce 1 Reply Last reply Reply Quote 1
                  • Obsolesce
                    Obsolesce @Dashrender last edited by

                    @Dashrender said in encrypted email options?:

                    @Obsolesce said in encrypted email options?:

                    @Dashrender said in encrypted email options?:

                    The use of secure email is primarily with outside persons and companies. No home user (patient) is ever going to setup PKI to get an email from us.

                    I only listed it because I figured someone would blast me for not listing it. It's a complete non starter in our case. It's also why I specifically mentioned the typically used with gov'ts.

                    Oh yeah that's a totally different case. You're only real option then if dealing with patients and all that is the one built into O365, that takes you to a portal to decrypt it.

                    Right - this is what we see 90% of the time. Lately though, one of our hospitals have changed to a different secure email provider - and in this case, they no longer bother with the portal as long as TLS works. This provides the simplest solution for home/patient users.
                    Scott and I have discussed this, and believe that it fits the requirements of HIPAA as well.

                    Thoughts?

                    I'm not familiar with that method, so I can't comment on it. I've never received an encrypted email that I didn't have to go to a portal/website link, or via S/MIME.

                    scottalanmiller 1 Reply Last reply Reply Quote 0
                    • JaredBusch
                      JaredBusch @Dashrender last edited by

                      @Dashrender said in encrypted email options?:

                      We'll ignore this option primarily because forcing this as an exclusive connection method does not provide error of failure for a minimum of 4 hours, if not more like 2 days.

                      24 hours is what I see on this right now for multiple tenants.

                      Dashrender 1 Reply Last reply Reply Quote 0
                      • Obsolesce
                        Obsolesce @JaredBusch last edited by

                        @JaredBusch said in encrypted email options?:

                        @Obsolesce said in encrypted email options?:

                        that takes you to a portal to decrypt it.

                        No it does not. It makes you log in before showing you the data within a webpage. There is never anything sent encrypted.

                        That's what I meant.... it's basically a link you are sent.

                        JaredBusch Dashrender 2 Replies Last reply Reply Quote 0
                        • JaredBusch
                          JaredBusch @Obsolesce last edited by

                          @Obsolesce said in encrypted email options?:

                          @JaredBusch said in encrypted email options?:

                          @Obsolesce said in encrypted email options?:

                          that takes you to a portal to decrypt it.

                          No it does not. It makes you log in before showing you the data within a webpage. There is never anything sent encrypted.

                          That's what I meant.... it's basically a link you are sent.

                          Yeah, but we are answering @Dashrender.. He likes to conflate shit if you are not extremely specific..

                          1 Reply Last reply Reply Quote 0
                          • Dashrender
                            Dashrender @JaredBusch last edited by

                            @JaredBusch said in encrypted email options?:

                            @Dashrender said in encrypted email options?:

                            We'll ignore this option primarily because forcing this as an exclusive connection method does not provide error of failure for a minimum of 4 hours, if not more like 2 days.

                            24 hours is what I see on this right now for multiple tenants.

                            I couldn't recall what you said before - but I did recall you were the last to post about it.

                            1 Reply Last reply Reply Quote 0
                            • Dashrender
                              Dashrender @Obsolesce last edited by

                              @Obsolesce said in encrypted email options?:

                              @JaredBusch said in encrypted email options?:

                              @Obsolesce said in encrypted email options?:

                              that takes you to a portal to decrypt it.

                              No it does not. It makes you log in before showing you the data within a webpage. There is never anything sent encrypted.

                              That's what I meant.... it's basically a link you are sent.

                              I knew what you meant.

                              1 Reply Last reply Reply Quote 0
                              • IRJ
                                IRJ last edited by IRJ

                                For your industry and use case, OME or a similar solution is definitely the route you need to go. None of the other options make any sense.

                                1 Reply Last reply Reply Quote 2
                                • scottalanmiller
                                  scottalanmiller @Dashrender last edited by

                                  @Dashrender said in encrypted email options?:

                                  OME - this works like most other secure email solutions out in the market today (I'm looking at you Zix), email contents are sent to a webportal, an email is sent to the recipient with a link to the webportal, they create a logon to the webport for now and future use of message retrieval.

                                  This is the most common option... when this isn't what you want. You have to understand this is NOT email. So this is the same as "not doing what we were told to do." Now 99% of the time, the job is to treat end users as confused and do what they want, not what they say, but it's also important to know when you are doing that. This is no different, except it is automated, than moving people to DropBox or NextCloud, that's all that it is. It's cloud storage with a web interface, not email.

                                  If your doctors asks you for secure email, the answer is "he's an idiot, just do this." If I ask you for secure email and you give me this, it's insubordination for intentionally avoiding the only requirement.

                                  Dashrender 1 Reply Last reply Reply Quote 1
                                  • scottalanmiller
                                    scottalanmiller @Obsolesce last edited by

                                    @Obsolesce said in encrypted email options?:

                                    @Dashrender said in encrypted email options?:

                                    @Obsolesce said in encrypted email options?:

                                    @Dashrender said in encrypted email options?:

                                    The use of secure email is primarily with outside persons and companies. No home user (patient) is ever going to setup PKI to get an email from us.

                                    I only listed it because I figured someone would blast me for not listing it. It's a complete non starter in our case. It's also why I specifically mentioned the typically used with gov'ts.

                                    Oh yeah that's a totally different case. You're only real option then if dealing with patients and all that is the one built into O365, that takes you to a portal to decrypt it.

                                    Right - this is what we see 90% of the time. Lately though, one of our hospitals have changed to a different secure email provider - and in this case, they no longer bother with the portal as long as TLS works. This provides the simplest solution for home/patient users.
                                    Scott and I have discussed this, and believe that it fits the requirements of HIPAA as well.

                                    Thoughts?

                                    I'm not familiar with that method, so I can't comment on it. I've never received an encrypted email that I didn't have to go to a portal/website link, or via S/MIME.

                                    You likely get it 90% of the time. In Zoho it's just a little "secure" flag that shows up. Normal mail is already secure, but not generally enforced. But secure email is the universal default today.

                                    Obsolesce V 2 Replies Last reply Reply Quote 0
                                    • scottalanmiller
                                      scottalanmiller @Pete.S last edited by

                                      @Pete-S said in encrypted email options?:

                                      Of the options you listed, S/MIME is the only one that is standard. Meaning you can send secure mails to others as well.

                                      And is generally far, far stronger security than other methods. But generally doesn't matter.

                                      1 Reply Last reply Reply Quote 0
                                      • Obsolesce
                                        Obsolesce @scottalanmiller last edited by

                                        @scottalanmiller said in encrypted email options?:

                                        @Obsolesce said in encrypted email options?:

                                        @Dashrender said in encrypted email options?:

                                        @Obsolesce said in encrypted email options?:

                                        @Dashrender said in encrypted email options?:

                                        The use of secure email is primarily with outside persons and companies. No home user (patient) is ever going to setup PKI to get an email from us.

                                        I only listed it because I figured someone would blast me for not listing it. It's a complete non starter in our case. It's also why I specifically mentioned the typically used with gov'ts.

                                        Oh yeah that's a totally different case. You're only real option then if dealing with patients and all that is the one built into O365, that takes you to a portal to decrypt it.

                                        Right - this is what we see 90% of the time. Lately though, one of our hospitals have changed to a different secure email provider - and in this case, they no longer bother with the portal as long as TLS works. This provides the simplest solution for home/patient users.
                                        Scott and I have discussed this, and believe that it fits the requirements of HIPAA as well.

                                        Thoughts?

                                        I'm not familiar with that method, so I can't comment on it. I've never received an encrypted email that I didn't have to go to a portal/website link, or via S/MIME.

                                        You likely get it 90% of the time. In Zoho it's just a little "secure" flag that shows up. Normal mail is already secure, but not generally enforced. But secure email is the universal default today.

                                        Are you talking about something else? This "Secure Email" is not what we are referring to. Zoho "secure email" is just that it uses TLS in transit and is encrypted at rest on Zoho servers. This is all transparent and is the case with every major email service.

                                        I think what is being asked here isn't obvious to you, but that the mail itself is encrypted, not just the transport of it. Basically in a way the OME and S/MIME ensures.

                                        You'll need to show exactly where in Zoho you turn on this feature you speak of.

                                        scottalanmiller Dashrender 3 Replies Last reply Reply Quote 0
                                        • brandon220
                                          brandon220 last edited by

                                          We have been using ZixMail for years and haven't had any issues to speak of. Support is responsive if you need them.

                                          1 Reply Last reply Reply Quote 0
                                          • V
                                            VoIP_n00b @scottalanmiller last edited by

                                            @scottalanmiller said in encrypted email options?:

                                            But secure email is the universal default today.

                                            🤔

                                            scottalanmiller Dashrender 2 Replies Last reply Reply Quote 0
                                            • First post
                                              Last post