I am evaluating a service provider that performs the following functions with email:

  • A user logs in to a web-based application over an SSL connection.
  • Email is composed in a web browser over the SSL connection.
  • The email is then sent to the recipient's account with the same service provider.
  • The original email stays on the service provider's systems, and a notification email is sent to an email address that is associated with the recipient's account.
  • The recipient logs into their account and reads the email over an SSL connection in their web browser.
  • All encryption keys (one-way) are stored on the service provider's systems and are secured with the users' password.

I've come up with a few questions to ask already, such as:

  • Can I bring my own keys?
  • How can I migrate away from the service provider if need be?
  • Are you SOC-2, SOC-3 and/or SAS70 compliant? (Thanks to Jeff Ferland for that!)
  • How are the physical grounds of the service's backend secured?
  • Are the backend systems disk-level or volume-level secured?

What are some other good questions that an email security provider such as this should be asked?

Hendrik Brummermann
Wesley

2 Answers

This sounds like a closed communication system where the content isn't actually "sent" from their system. You mention that data is encrypted once entered and that:

"All encryption keys (one-way) are stored on the service provider's systems and are secured with the users' password."

I'm not certain what you mean by "one-way" here, but I'll assume you're referring to symmetric encryption, which uses a single key, such as AES. My questions here would be what encryption algorithm they're using, and how the keys are generated and stored. Are they using password-based key derivation? If so, are the generated keys stored anywhere? If not, how are they storing the keys they're generating? As for the account itself, what processes are in place to reset a lost password, and how difficult would it be to impersonate a user on their system?

As for a scenario: if the FBI were to walk into the data center and roll out a rack of servers, and theirs happened to be among those taken (whatever the reason), would they be able to access the stored data with physical access to the equipment? What procedures are in place to protect data in the event of a physical security breach?

Also, how are they backing up their data? On-site? Off-site? Is the backup encrypted and who has access to it?

Justin Scott

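An added example (not code from either answer or from the provider being evaluated) of the password-based key handling the answer asks about: the provider persists only a salt, the password-wrapped content key and an integrity tag, so a copy of that record alone, as in the seized-rack scenario, yields nothing without the password, and a password reset that lacks the old password cannot recover the key either. It assumes only the Python standard library, using PBKDF2-SHA256 with a one-time XOR mask plus HMAC in place of a dedicated key-wrap algorithm; the names and the iteration count are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: the 32-byte content key that encrypts a user's stored
# mail is itself stored only in password-wrapped form.
PBKDF2_ITERATIONS = 600_000


def wrap_key(content_key: bytes, password: str) -> dict:
    """Wrap a 32-byte content key under a key derived from the password.

    Returns the record a provider would persist: salt, wrapped key, tag.
    Neither the password nor the derived key is stored anywhere.
    """
    assert len(content_key) == 32
    salt = os.urandom(16)  # fresh per wrap, so the mask below is used once
    # 64 bytes of PBKDF2 output: first 32 mask the key, last 32 authenticate.
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                  PBKDF2_ITERATIONS, dklen=64)
    mask, mac_key = derived[:32], derived[32:]
    wrapped = bytes(a ^ b for a, b in zip(content_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(record: dict, password: str) -> Optional[bytes]:
    """Recover the content key from a stored record.

    Returns None when the password is wrong or the record was altered:
    both change the HMAC key or input, so the tag check fails.
    """
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"],
                                  PBKDF2_ITERATIONS, dklen=64)
    mask, mac_key = derived[:32], derived[32:]
    expected = hmac.new(mac_key, record["salt"] + record["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(record["wrapped"], mask))


def demo() -> dict:
    """Show what a stored record does and does not give up."""
    content_key = os.urandom(32)
    record = wrap_key(content_key, "correct horse battery staple")
    # Flip one bit of the stored ciphertext, as an on-disk tampering attempt.
    altered = dict(record, wrapped=bytes([record["wrapped"][0] ^ 1]) + record["wrapped"][1:])
    return {
        "right_password": unwrap_key(record, "correct horse battery staple") == content_key,
        "wrong_password": unwrap_key(record, "password1") is None,
        "altered_record": unwrap_key(altered, "correct horse battery staple") is None,
    }
```

The record alone is what an attacker with the disks would hold; the questions about backups and password resets are really questions about where else a copy of the password-derived key or the raw content key might live.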
You have some great questions there already. Without knowing your depth of knowledge on the subject it is kinda difficult to say which questions could be added that can be of value to you. Instead, I would prefer to just make sure your evaluation process is good enough to find the solution that will work for your organization.

I would start off and let them give you their six-slide intro, then let them know that that marketing stuff is for the VPs and CIO-level folks and we're here to talk technically about how your solution fits into my environment. Start off with making sure they have a solid understanding of the basic theory of the product. If they can at least tell you what the risk is in transferring the secrecy of the data from itself to the key. You know, just some litmus test that can prove to you that they know the product somewhat, not just reading from a script.

I would start with how they protect your data in transit once it has left your border, how it is protected at rest on their servers, and how it is protected and what your options are once data is in use. This should be very interactive, with you exploring a bunch of avenues as the questions come to you.

Also be sure to ask questions for which you already know the answer; you want to validate their statements ... it's also good to bust chops a little bit. Even if it's so bad that you don't want to do business, they will at least be a little more prepared for their next engagement. Also, perhaps it'll strengthen your hand when you go to negotiate terms. Lastly, they will undoubtedly still try to throw marketing drivel at you; make sure you make them qualify generalities. Nothing is quite like seeing those headlights coming head-on when you ask them to explain why "It's generally known that our product is the best ... " A couple of those and they WILL stop the marketing speak, 'you can take that to the bank.'

Maybe someone goes about it a different way; it would be great to see that perspective, and if it's better I would love to incorporate it myself.

M15K