As per recent updates in UK data protection legislation, I have been trying to find ways of encrypting all outbound emails from my server and was considering moving all our emails from a basic email host over to a Windows Server with Exchange.

My question is, using an Exchange Server, what is the best way of encrypting all outbound emails and attachments without the need for the recipient to install third-party tools that take them to a website to view (e.g. products like Virtru)?

  • To get a more detailed answer, it would be good to know your use cases. For instance: what emails do you send to whom with what content? Are you in a position where you can give out S/MIME certificates? – Tom K. May 04 '18 at 08:09
  • And, do you want end-to-end encryption, or what legs of the transmission do you want to encrypt? – schroeder May 04 '18 at 09:22
  • @schroeder Pretty much a secure platform to use to ensure protection of their data based on its sensitivity. – Connor Simpson May 04 '18 at 11:21

1 Answer

There is little you can do. While encryption is supported every step of the way, the only part under your control is the leg from your client to your server.

To use encryption when sending from your server to another server, both servers have to support encryption, and the receiver's client-to-server connection is completely out of your control.

  • You should disallow unencrypted connections to your server (from your clients). There is no reason not to.
  • You may refuse to connect to other servers without encryption, but this will cause e-mails not to be delivered to people who use servers that don't support encryption.
  • There is no way you can force encryption between the recipient's server and client; that part is out of your control.

That is why end-to-end encryption (using third-party tools such as Enigmail) is much superior when communicating using e-mail. E-mail is inherently insecure, because it has to support a variety of legacy servers and clients.

  • I understand; when I looked at third party encrypting for e.g. Virtru, the email it pre-sends to the client looks suspicious anyway. – Connor Simpson May 04 '18 at 07:20
  • From the question I understand this is required by the UK data protection legislation? If this is the case how can they demand this if it is impossible to guarantee? – toom May 04 '18 at 07:24
  • PS: Wow. Virtru seems sketchy AF. Not even a hint what their software actually does anywhere on their site, just filled with buzzwords. And when I finally dug through to a white paper, they want me to fill in some shenanigans like number of employees to access it. All in all, would certainly not recommend Virtru. – Peter Harmann May 04 '18 at 07:42
  • 1
    @toom not required at all, but email encryption does satisfy some elements of the regulation, if the org chooses to use it – schroeder May 04 '18 at 09:24
  • @schroeder Oh alright, that makes a lot of sense, thank you – toom May 04 '18 at 10:06
  • @schroeder that's not entirely true. For FCA (UK Financial Conduct Authority) accredited bodies, GDPR also comes with changes in compliance. FCA compliance asks that all bodies encrypt outbound emails and attachments. – Connor Simpson May 04 '18 at 10:23
  • @ConnorSimpson But that's still not GDPR or DPA, that's FCA. And for customer data, not all communications. This still leaves us with all of our questions: what do you want to encrypt, to whom, on which legs, etc.? – schroeder May 04 '18 at 10:49
  • @schroeder Whereas: 83, GDPR: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf says that the controller needs to ensure, based on the sensitivity of the data, a sufficient level of encryption. The question is what is the best method of encrypting emails and attachments on Exchange Servers. Business to client. – Connor Simpson May 04 '18 at 11:20
  • @ConnorSimpson right, which is why sending sensitive data over email is not the accepted solution, but to link to the sensitive and protected data on the Controller's systems. You cannot ensure end-to-end encryption on one end (Exchange) only. – schroeder May 04 '18 at 11:22
  • The method in practice to do what you ask is to send encrypted files that have passwords. – schroeder May 04 '18 at 11:24
  • 1
    I am with schroeder here, the best solution is to put a link to your site in the email and have them authenticate to you on the link before showing the data. This way, you are in control of the whole thing instead of relying on the mail servers. PS: Or send encrypted files but using your web would be more versatile. – Peter Harmann May 04 '18 at 11:24
  • Right, so it could be as simple as archiving an attachment and ensuring it is password protected? @schroeder and Pete? – Connor Simpson May 04 '18 at 11:26
  • @ConnorSimpson Pretty much yes. But two things to be said: I am not sure about the security of WinRAR, and requiring your users to download archiving software with support for good encryption is not very user friendly. As I wrote, IMO it is best to put all the data on your website, protect it with a standard login (all the 2FA bells and whistles you want) and just email them a link. – Peter Harmann May 04 '18 at 11:41
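The password-protected archive the last few comments discuss, as an added example (not from the thread) in PowerShell driving 7-Zip. It shows the weak default beside the setting that gives real encryption and checks the result before it is attached. The 7z.exe path and the file name report.pdf are assumptions.

```powershell
# Added example, not from the thread. Assumes 7-Zip is installed at this path
# and that report.pdf is the document to protect (both made up for illustration).
$sevenZip = 'C:\Program Files\7-Zip\7z.exe'

# Random passphrase, sent to the recipient by a second channel (phone or SMS),
# never in the same email as the archive.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$passphrase = [Convert]::ToBase64String($bytes)

# Weak: with -tzip and no -mem switch, 7-Zip uses legacy ZipCrypto, which is
# breakable with known-plaintext attacks. Shown here commented out.
# & $sevenZip a -tzip "-p$passphrase" report.zip report.pdf

# Correct: AES-256 zip entries, which 7-Zip, WinRAR and WinZip all open.
& $sevenZip a -tzip -mem=AES256 "-p$passphrase" report.zip report.pdf

# Verify the method actually recorded in the archive before it goes out.
$listing = (& $sevenZip l -slt report.zip) -join "`n"
if ($listing -notmatch 'AES-256') {
    throw 'report.zip is not AES-encrypted; do not send it'
}

# Zip AES still exposes file names. If the names themselves are sensitive,
# use the 7z container with encrypted headers instead:
# & $sevenZip a -t7z -mhe=on "-p$passphrase" report.7z report.pdf
```

The verification step matters because the two commands produce archives that look identical from the outside; only the listing shows whether the entry method is AES-256 or ZipCrypto.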