Picking Your Way Through the Mime Field

We’re a professional software security consultancy and experienced software developers. Almost 10 years ago, one of our partners proposed that we develop a utility to encrypt Microsoft Outlook email messages. A prototype was developed, but an interesting thing happened when we started talking to potential beta customers: lawyers who had sensitive client information, and technology development companies with valuable intellectual property that they need to protect.

When we asked senior executives what they thought about encrypted email, the answer was universal: “We don’t really care.”

Fast forward 10 years and the situation has changed dramatically. We routinely counsel clients to carefully read the terms and conditions of their cloud email service providers. For this reason we generally recommend to our medical and healthcare customers that they not use Microsoft Skydrive, due to its problematic privacy policy.

Today, encrypted email is an option you must consider.

Google Does What?

Online security, and email security in particular, just got a whole lot more interesting with Google’s revelation that it does read the emails it handles. Apparently Google has stated this fact in its submissions seeking to dismiss a class action lawsuit that accuses it of breaking wiretap laws. I have always maintained that writing to someone via email is akin to writing them a postcard: the content of the email, just like a postcard, can be read en route. Now it’s a bit of a stretch of the imagination to think of the Post Office having someone read all of the postcards we send, but we still would not write to a friend or colleague about private matters on a postcard. We would seal it in an envelope.

Google, in defense of its position regarding the reading of our emails, says: “Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS (electronic communications service) provider in the course of delivery.” This analogy fails to acknowledge that when an assistant opens their boss’s mail they do so with the prior consent of the boss, and they are subject to confidentiality agreements, if not explicit then most certainly implied by their position. Google, on the other hand, can make no such claim, because it then explicitly shares that scanned information with the National Security Agency (NSA) under the provisions of the Patriot Act. Privacy does not exist when communicating by email; if this is news to you and you want to do something about it today, read on.

Sealing Your Email

If you want to continue using email to send your private communications via any web-based communication service, you are going to have to make use of encryption. Now this isn’t the time to stop reading because you think you can’t be bothered to learn all about that malarkey. Modern email encryption can be extremely easy; take a look at Egress Switch. It’s not like back in the day, when both sender and recipient needed to have bought into the same product; nowadays you can send a friend an encrypted email without having to have previously set the whole thing up!

Where Do I Sign-up?

Finding the right product for you is important; if you are looking for a corporate solution for private messaging and encrypted mail, it becomes a little more involved.

Software Associates is an experienced IT security consultancy with top-flight consultants; it has been operating since 2003, serving large publicly traded companies and small startups with the same care and the highest level of attention to providing cost-effective security countermeasures.

When should you encrypt email?

A while back, a colleague asked me what the best way is to encrypt internal email.

My first question to him was: what is the threat, who is the attacker, and what is the asset you are protecting? Are you trying to encrypt business communications between employees and vendors/customers to protect them from eavesdroppers, or do you want to encrypt the message repository and protect it from attackers? Before applying encryption as a security countermeasure, do a little threat analysis first.

My experience with data loss prevention, with systems that monitor millions of transactions and hundreds of violations a year, has shown the following:

a. It’s better to send outgoing email in clear text because

1) you can monitor what people are doing, and

2) having a business partner decrypt/encrypt is generally a pain in the ass that is greater than the value of the business transaction.

There is little reason to encrypt internal email in my experience. Let’s say that Mike in sales has an insider tip on company stock options and he wants to tell Candace in HR. Encryption doesn’t mitigate that threat. Let’s say that Joe has a secret algorithm he wants to sell to Gene, who works the dark side. Encrypting internal email won’t mitigate that threat either. If confidential files are being sent by email to external destinations, encrypt the files and give the key to the recipient.

If you’re concerned about data leakage, then your cheapest and most effective countermeasure is monitoring email transmission for particular data types and destinations.

b. If you have high-value business communications between your company and vendors, you are better off just encrypting the file (for example a sensitive contract or product design doc) and sending the encrypted attachment. This will enable you to monitor who is sending and who is receiving, and with the right monitoring system you will be able to detect that an encrypted file was sent, which is interesting information in its own right.

Read my blog entry on this topic: http://www.software.co.il/blog/2007/06/secure_communications_without_1.html
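The monitoring approach from points a and b above (clear-text mail you can watch, plus detection of encrypted attachments leaving the company) as an added example, not code from the original post or any product it names. It assumes a corporate domain of example.com and runs over a few constructed messages; the ZIP encryption flag and PGP armor header are real format markers, the entropy threshold is a heuristic.

```python
import math

INTERNAL_DOMAIN = "example.com"  # assumed corporate domain (placeholder, not from the post)


def shannon_entropy(data):
    """Bits of entropy per byte; close to 8.0 means the bytes look random, as ciphertext does."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def looks_encrypted(name, data):
    """Return why an attachment appears encrypted, or None if it looks inspectable."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "pgp-armored"
    if data[:4] == b"PK\x03\x04":
        # ZIP local file header: bit 0 of the general-purpose flag (offset 6) marks encryption;
        # a plain ZIP is merely compressed, so it is not reported.
        return "zip-encrypted" if int.from_bytes(data[6:8], "little") & 1 else None
    if name.lower().endswith((".gpg", ".pgp", ".asc")):
        return "encrypted-extension"
    if len(data) >= 256 and shannon_entropy(data) > 7.5:
        return "high-entropy"  # weak signal: compressed images and media score high too
    return None


def scan_message(msg):
    """Record who sent what to whom and flag any attachment the gateway cannot inspect."""
    scope = "external" if msg["to"].rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN else "internal"
    findings = []
    for name, data in msg.get("attachments", []):
        reason = looks_encrypted(name, data)
        if reason:
            findings.append(f"{msg['from']} -> {msg['to']} [{scope}] {name}: {reason}")
    return findings


# Constructed sample traffic (not real mail): a readable draft, a hand-built ZIP local
# header with the encryption bit set, and a PGP-armored body sent internally.
SAMPLE_MAIL = [
    {"from": "joe@example.com", "to": "gene@partner.test",
     "attachments": [("contract.txt", b"Draft terms, v3. " * 20)]},
    {"from": "joe@example.com", "to": "gene@partner.test",
     "attachments": [("design.zip", b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22 + b"x" * 40)]},
    {"from": "mike@example.com", "to": "candace@example.com",
     "attachments": [("tip.txt", b"-----BEGIN PGP MESSAGE-----\n\nhQEMA...\n-----END PGP MESSAGE-----\n")]},
]


def run_scan(mail=SAMPLE_MAIL):
    """Scan every message and return the findings a monitoring console would show."""
    return [line for msg in mail for line in scan_message(msg)]
```

The readable contract produces no finding, while the encrypted ZIP to an external partner and the PGP message between Mike and Candace each produce one line, which is exactly the "an encrypted file was sent" signal the post calls interesting in its own right.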

