Email Encryption

What is DKIM for DataMotion SecureMail?
By Alex Mushkin

As of November 13, 2019, DataMotion SecureMail and SecureMail Gateway support DKIM, so outgoing email messages sent via SMTP are delivered to their intended recipients rather than rejected or quarantined by the anti-spam and anti-spoofing checks deployed on recipients’ mail servers. SPF and DMARC are also supported, and are defined below.

DKIM, or ‘DomainKeys Identified Mail’, is an internet standard email authentication method designed to combat email spoofing. It allows receiving SMTP servers to check whether an email that claims to come from a specific domain (@xyz.com) was in fact authorized by the owner of that domain. DKIM involves signing each outgoing email message with a private key linked to the sender’s domain name. The recipient system verifies the digital signature by looking up the associated public key published in DNS. Put simply, the DKIM signer uses the private key and the DKIM verifier uses the corresponding public key. For it to work, the sending SMTP servers must insert a DKIM-Signature header field on each outgoing email message, and the owner of the sending domain must publish the public key in a DKIM DNS TXT record.

As stated in the IETF (Internet Engineering Task Force) RFC 6376:

“DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.”

SPF is an email authentication method which is also supported, to combat email spoofing. It allows receiving SMTP servers to check whether an email which came from a specific domain was in fact from an IP address authorized by the owner of that domain. The owner of the domain must create an SPF DNS TXT record. The sending SMTP servers do not need to do additional work for SPF.

DMARC is an email authentication protocol (set of rules) to combat email spoofing, also supported by SecureMail. It allows receiving SMTP servers to authenticate based upon instructions published by the owner of a specific domain. The owner of the domain must create a DMARC DNS TXT record which specifies which email authentication methods (DKIM, SPF, or both) are supported for that domain. The sending SMTP servers do not need to do additional work for DMARC.
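All three records described above are DNS TXT records, and the DKIM-Signature header and the DKIM and DMARC records share one tag=value syntax. The following Python is an added example, not DataMotion’s code: it derives the DNS name a verifier queries from a DKIM-Signature header (selector plus _domainkey plus signing domain) and sanity-checks constructed DKIM, SPF and DMARC records before they are published. The domain names, selector and key material are placeholders.

```python
"""Sanity-check the DKIM, SPF and DMARC DNS TXT records described above.

Added example (not DataMotion's code). The records, selector and domain
names below are constructed; the p= value is a placeholder, not a real key.
"""
import re

# The 10-lookup limit for SPF comes from RFC 7208 section 4.6.4.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def parse_tags(text):
    """Split a 'tag=value; tag=value' list (RFC 6376 tag-list syntax, also
    used by DMARC) into a dict. Empty items and surrounding whitespace are ignored."""
    tags = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        key, value = item.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def dkim_lookup_name(signature_header_value):
    """Return the DNS name a verifier queries for the key that signed a message:
    <selector>._domainkey.<signing domain>, taken from the s= and d= tags."""
    tags = parse_tags(signature_header_value)
    missing = [t for t in ("v", "a", "d", "s", "bh", "b") if t not in tags]
    if missing:
        raise ValueError(f"DKIM-Signature is missing required tags: {missing}")
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_dkim_record(txt):
    """Problems with a DKIM key record; an empty list means it looks publishable."""
    problems = []
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        problems.append("v= must be DKIM1")
    if not tags.get("p"):
        problems.append("p= is missing or empty; an empty p= means the key is revoked")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    return problems


def check_spf_record(txt):
    """Problems with an SPF record: wrong version tag, terms after 'all', too many lookups."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups = [], 0
    for index, term in enumerate(terms[1:], start=1):
        match = re.match(r"[+\-~?]?([a-z]+)", term.lower())
        if not match:
            problems.append(f"unparseable term {term!r}")
            continue
        mechanism = match.group(1)
        if mechanism in SPF_LOOKUP_TERMS:
            lookups += 1
        if mechanism == "all" and index != len(terms) - 1:
            problems.append("'all' must be the last term; later terms are ignored")
    if lookups > SPF_LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    return problems


def check_dmarc_record(txt):
    """Problems with a DMARC record: v=DMARC1 must come first and p= must be a valid policy."""
    problems = []
    tags = parse_tags(txt)
    if txt.split(";", 1)[0].strip() != "v=DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif tags["p"] == "none":
        problems.append("warning: p=none only reports; receivers still deliver mail that fails DKIM and SPF")
    return problems


# Constructed sample data (placeholders, not real keys or signatures).
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2019; "
                    "h=from:to:subject:date; bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE=")
SAMPLE_DKIM_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY_BASE64"
SAMPLE_SPF_TXT = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SAMPLE_DMARC_TXT = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print("DKIM key lookup:", dkim_lookup_name(SAMPLE_SIGNATURE))
    for label, check, record in (("DKIM", check_dkim_record, SAMPLE_DKIM_TXT),
                                 ("SPF", check_spf_record, SAMPLE_SPF_TXT),
                                 ("DMARC", check_dmarc_record, SAMPLE_DMARC_TXT)):
        print(f"{label}: {check(record) or 'OK'}")
```

Run it against your own records before publishing them: a DKIM record with an empty p= is treated by verifiers as a revoked key, an SPF record that exceeds ten DNS-querying terms yields a permanent error rather than a pass, and a DMARC policy of p=none only produces reports without telling receivers to quarantine or reject spoofed mail.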

For information on enabling DKIM, SPF and/or DMARC, please visit our knowledge base, or contact support.

3 Things to Look for When Selecting Email Encryption APIs
By Alex Mushkin

If your business process and workflow applications handle sensitive data or are in industries subject to privacy laws and regulations, adding encrypted email functionality can give you an edge. By incorporating secure email technology, you can reduce the risks associated with data theft, accidental exposure and regulatory compliance audits. An easy and fast way to add this functionality is to leverage email encryption application programming interfaces (APIs).

Application programming interfaces, or APIs, can be a blessing – or a nightmare. Use the right one and your application just expanded its reach and functionality, adding to your bottom line.  Use the wrong one, and you’ll be in development for perpetuity – or worse.

Here are three things to look for when selecting email encryption APIs for securely moving data:

1. API depth and breadth. Depth and breadth give you control over more aspects of how the API works with your app. Look for multiple types of APIs, and ones that can operate at multiple levels, including:

    • Secure Messaging APIs. These are the APIs that send and retrieve data, usually by leveraging a standard email address or an internal one derived from a user’s account number. Look for APIs that can handle multiple types of data, including encrypted email, files and form data.
    • Administrative APIs. Capabilities to look for here include things like password reset, managing users and their account settings, and integrating with Single Sign-On (SSO).
    • Provisioning APIs. When the use of your application takes off and grows, so must your API. Look for the ability to programmatically provision service and on-board new users.

2. Full support from the API provider. In addition to standard consulting and ongoing technical guidance, look for:

    • Software Development Kits (SDKs) with support for multiple languages, including C#, VB.Net, Java and PHP, along with SOAP and REST protocols.
    • Technical reference guides that accurately document each API function and data structure. Sloppy documentation could indicate subpar operations.
    • Demos for each supported programming language, including working sample applications with documented source code that demonstrates the implementation.

3. Pre-production sandbox environment. A full service, fully contained, pre-production environment allows you to quickly and safely create, test and preview your application.

Look for these three things and you’ll be well on your way to a successful API integration.

Email Encryption As a Solution or A Feature?
By Bob Janacek

Technology products often evolve over time from standalone solutions to integrated features. This can take years, or even decades to occur, depending on the sophistication of the solution, and how easily it fits into an existing application to add value in a broad set of use cases.

The most obvious examples are on the smartphone where we have long ago (in tech years) absorbed our digital cameras and GPS devices, and perhaps more subtly, photo editing software and directory services.

Email Encryption – from product to feature

Email encryption has been an adjunct service and solution that overlays and complements most email services and UIs, with Microsoft Exchange and Outlook as prime examples. Virtually all email encryption solutions work with the Microsoft email server and client, even as they migrated to the cloud as part of Office 365. Microsoft introduced its own email encryption solution, Office Message Encryption, as an option and integrated feature of Office 365 in 2014. It has been improved since its introduction, and while it still has some limitations, for many users that need an ad hoc solution for HR and legal departments it is quite sufficient, and eliminates the need for a specialty vendor (DataMotion included). While it’s not without cost, it is appealing to organizations seeking to reduce the number of 3rd party solutions and vendors in their IT mix.

Also, in the cloud email service provider space, Gmail has implemented a widely enabled encryption technique as a default (TLS), and in so doing, provides opportunistic security for all email traffic originating from their service. While it doesn’t assure compliance, it does take a significant step towards ‘email encryption as a standard feature’ vs an overlaid 3rd party solution.

Email Encryption as a feature – benefit

As noted, most email encryption solutions already integrate very well with Outlook and Exchange, which in effect makes them a plug-in toolbar button feature of Outlook, invoked with a click. So for most ad hoc, desktop requirements, email encryption has already been reduced to a feature of email. Yet the use of email for messaging and file exchange is not always a desktop ad hoc function.

Email Encryption, CRM, Contact Centers and Mobile Apps

In fact – where it matters most – in high volume business processes handling regulated information, Outlook (or any webmail interface for that matter), is not the best place to send and receive messages and files. CRMs, contact centers, practice management software, electronic health record systems, and custom database applications are the applications that often house the data and track the interactions with customers, partners (or patients). Shouldn’t email encryption be a standard feature of those solutions? And for situations where the customer, client or patient need to initiate an inquiry – shouldn’t a secure email channel be a feature easily accessible to them too through customer facing interfaces and apps such as websites, portals and mobile apps?

Enter the EMAIL ENCRYPTION API

While email encryption vendors can extend the existing Outlook-style ‘plug-in’ model of creating applets to expose their email encryption service as a ‘toolbar button’ in popular CRM UIs (Salesforce for instance), this approach doesn’t scale well, doesn’t always accommodate the use case at hand, and doesn’t fit into customer-facing services such as self-service portals or mobile apps. In these cases, a native solution is best, using web service email encryption APIs to provide secure messaging, file and form exchange to support high volume applications with trusted security and verifiable compliance.

This application of email encryption APIs lends itself best to healthcare, financial services, insurance and government applications, at enterprise scale. These organizations are best positioned to migrate off standalone email encryption solutions and leverage the benefits of email encryption as a feature through the use of APIs.

Email Encryption APIs for Mid-Market Solution Providers

While enterprise class organizations have the resources and transaction volumes to leverage APIs for integrating email encryption as a feature into their workflow processes and enterprise apps, broader market benefits are derived from integration with platforms that provide core utility in the healthcare, insurance, financial services and government sectors. Digital banking platforms, digital insurance platforms, electronic health record systems, chronic care management systems, practice management systems: all can benefit from a robust secure messaging and file exchange feature, and email encryption APIs deliver a ubiquitous method of sending and receiving messages (and files) as a toolbar feature of the application’s UI.

Email Encryption APIs: innovation and disruption

Viewed through this lens, the email encryption API is both an innovation and a disruption to the existing email encryption product status quo. There are dozens of companies offering email encryption as a subscription service, with very little differentiation, and frankly, very little end user love. Most email encryption solutions are burdened with cumbersome, multi-step processes for the recipient, the sender, or both. It is a mature solution; most organizations that need it have a subscription (SaaS). It is a software solution that is ripe for disruption, and ready to be consumed as a feature instead of a separate product. Email encryption APIs can deliver that disruption, and yield a better tool for moving sensitive business communications and processes forward.

Is Encryption Enough to Protect Yourself?
By Bob Janacek

With the increase in cybercrime over the past few years, many internet users have turned to encryption in an effort to protect themselves online. Businesses are no exception; well-known companies have experienced data breaches within the same time frame and have been trying to ensure their employees are taking preventative action. A lack of security can drive customers away, so it’s especially important for businesses to implement procedures to safeguard the data of both their company and their clients.

Though businesses have some extra interests to protect, data breaches are serious for any internet user, as individuals are still at risk of having their personal information leaked or their identities stolen. Whether you’re the average internet user or you have a business to maintain, it’s likely you’ve used encryption before.

Security services such as a Virtual Private Network (VPN) encrypt your internet connection at the very least. Though these services that are used for online safety are helpful, is encryption really enough to protect yourself?

Limited Protection

Encryption converts data into ciphertext, preventing hackers from accessing it in most cases. Though they certainly can try to bypass it, it could take several years if you’re using 256-bit AES encryption. Luckily, most software uses this level of encryption. Unless you’re a person of extreme interest, it’s unlikely any hacker is going to spend time even trying.

The downside, though, is that hackers can seek out other ways to access your data. Encryption only protects whatever is encrypted, such as your internet connection, email or files, but it does nothing to protect you from other online threats. For example, you could use a VPN to encrypt your internet connection, but your online accounts could still get hacked.

Email is particularly vulnerable as it can be intercepted and read. Most services, including popular ones such as Google, can’t guarantee their email is encrypted from every angle.

If, for instance, you’re sending mail from a Gmail account to another Gmail account, great; if you’re sending it “out of network,” their encryption no longer works. Third-party services such as SafeTLS are available to help fully encrypt your email messages, something you won’t find included as a default in just regular old email.

If encryption is putting a roadblock in the way for hackers, they simply have to find another access point. It’s important to understand that using encryption is still helpful, but you’ll also need to use other methods to prevent data breaches if you want to protect yourself online.

Online Threats

Encryption doesn’t safeguard against clicking on malicious hyperlinks or inadvertently leaving your accounts open to attacks. A VPN can protect you against malware that is injected onto your device by a hack via your internet connection, but you will still need to avoid visiting risky sites and downloading potentially harmful files.

It’s also easy to forget that mobile devices are at risk. Luckily, you can often use apps that encrypt your internet connection or other files, but accessing the internet on any mobile device poses nearly the same risk as doing so on a computer. Some ways to avoid malware in particular are to avoid visiting unfamiliar websites, avoid clicking on links or ads, and avoid downloading any files you aren’t certain about.

Basic Net Security

Even though complete immunity from cyberattacks doesn’t exist, learning about basic net security is likely to keep you much safer online compared to the average internet user. When you are aware of the risks of completing certain tasks on the net and know how to spot subtle details, you’ll eventually be able to notice suspicious ads, websites, links, messages and scams in advance.

If you’re running a business, be sure to train your employees so they too can prevent cyberattacks from occurring. Having your employees properly educated on internet security is especially important if they have access to customer data or any devices that contain personal information of any kind.

For starters, consider installing an anti-virus program if you don’t already have one, as it will allow you to scan for malware and remove it if need be. It would be a good idea to use other security software as well, particularly ones that serve different purposes so you have a higher level of protection overall.

Keeping Yourself Safe

So what exactly are the risks of using the net, and how can you keep yourself safe? Some of the main risks include data being leaked and deleted from your device and database, accounts being compromised, your device being affected by malware, identity theft because of leaked information, and the downfall of your company if you have one (for example, relationships with your clients can quickly sour if their personal details are acquired by a hacker, and the reputation of your business may become less than favorable as a result).

Some basic ways you can keep yourself safe (other than using security software) are to secure your accounts, avoid clicking on every link or ad you come across, stop yourself from oversharing, avoid storing passwords in your web browser, and log out of your accounts when you’re done using them.

To secure your accounts, you need to know how to create strong passwords. A strong password is a combination of numbers, uppercase and lowercase letters and symbols. Your passwords should exclude any personal information, single words found in the dictionary and anything that could be linked to your identity. Avoid reusing passwords too, as it makes it easier for a hacker to access more than one of your accounts if you’re using the same password for multiple logins.

Lastly, pay attention to news about internet security in general. If there is a common scam going around the net, you’ll likely hear about it so long as you keep up with news on the topic. Remember to keep an eye out for subtle differences in the text and appearance of sites or emails as well, since there are a lot of ways an internet user can be easily tricked into handing over personal information. The main way this is done is by the scammer posing as something or someone they’re not.

So Is Encryption Enough?

Encryption is an excellent choice for select purposes, but it isn’t enough on its own. It can keep your email from being intercepted and read, but it can’t stop your account from being stolen by phishing. An encrypted connection can keep hackers out, but it doesn’t prevent you from manually downloading malware.

There’s no doubt that it can be helpful in protecting your privacy and data at the very least, but a varied approach to internet security is often the best choice. Most of all, you will have to do your part to keep yourself (or your business) safe and that means knowing what to look for and avoid.

About the Author: Cassie Phillips is an independent blogger whose main focus is online security. As a long-time internet user, she has tried just about every available method of safeguarding her data. She uses encryption on a regular basis and often encourages the use of security software that can encrypt one’s internet connection at the very least, though she stresses the importance of additional protection as well. Cassie is also a contributing writer at SecureThoughts.com.

Gmail TLS Email Encryption – is it good enough?
By Alex Mushkin

Major cloud email services such as Gmail and Yahoo Mail announced their use of TLS about two years ago (TLS is transport layer security – a type of encryption that can be applied to email transmissions). Both services announced they would send email (and attachments) using TLS whenever possible – which means – whenever the receiving email service or server is configured to accept TLS encrypted email.

For the average user – this is a good thing. We certainly hear enough these days about unsecure email and exposure of private conversations – so we should all be thinking about using a secure email service just to keep our communications private. After all – if we wanted them to be public – we could always post them on Facebook! And private conversations can cause harm if exposed to the wrong people – even if there’s nothing nefarious being disclosed regarding our business or personal dealings.

As noted – TLS has been the default transmission policy for Gmail for at least two years – but it was just brought to my attention that you can check if a Gmail message is sent or received using TLS by clicking on the ‘details’ of the message. It looks like this:

Gmail offers details of what TLS encryption is and how it is applied – ‘Learn More’ will take you to a page that describes what is happening when Standard (TLS) encryption is being used:

“TLS is being adopted as the standard for secure email. While it’s not a perfect solution, if everyone uses it, snooping on email will be more difficult and costly than it is today.”

‘While it’s not a perfect solution’ – this means it’s applied ‘opportunistically’. If the far end email service/server is configured to accept TLS – great – everything is secure end-to-end. If not – it drops back to unsecure delivery – and the risks of exposure that presents.

Gmail links to another page that goes into more detail about how TLS works – and again notes that it’s not going to work all the time:

“Whenever possible, Gmail protects your info by using Transport Layer Security (TLS) to automatically encrypt emails you send or receive. TLS doesn’t work with messages from some email services.

If you’re on a computer or Android device, you’ll know an email is not encrypted when you see the No TLS icon. It looks like an open red padlock.”

SafeTLS Trumps Opportunistic TLS Email Encryption

Where Gmail’s ‘opportunistic TLS’ is good, DataMotion SafeTLS is better. As an overlay to virtually any email service or address, SafeTLS checks the availability of TLS email encryption before it sends the message, and if TLS is not available, it falls back to an alternative email encryption method that is not dependent on the recipient’s email service or server, so it always works.

SafeTLS gives users and recipients the best of both worlds. TLS is great because it is virtually transparent to the sender and recipient – it just works, and there’s no complexity to receiving the message or attachments. But to be really confident your message is secure (READ COMPLIANT!) – SafeTLS is the way to go. Yes – there’s a small cost to have it. But exposing your secrets, or the regulated information of a patient, partner, or business associate – can cost a whole lot more – in reputation, notification costs, fines or intellectual property loss.
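The difference between ‘opportunistic’ TLS and the check-before-send behaviour described above comes down to one decision: what the sending server does when the receiving server’s EHLO reply does not advertise STARTTLS. The following Python is an added example, not Gmail’s or DataMotion’s code. The EHLO replies are constructed, and the ‘fallback’ policy is a hypothetical model of the SafeTLS behaviour the post describes, not its implementation; the probe_live_server helper shows how the same question is asked of a real server with the standard library.

```python
"""Decide how to deliver when the receiving server does or does not
advertise STARTTLS in its EHLO reply.

Added example, not Gmail's or DataMotion's code. The EHLO replies are
constructed, and the 'fallback' policy is a hypothetical model of the
check-before-send behaviour the post attributes to SafeTLS.
"""
import smtplib

# Constructed EHLO replies, one list item per 250 response line.
EHLO_WITH_STARTTLS = ["250-mail.example.net Hello sender.example",
                      "250-SIZE 52428800",
                      "250-STARTTLS",
                      "250 HELP"]
EHLO_NO_STARTTLS = ["250-legacy.example.org Hello sender.example",
                    "250-SIZE 10240000",
                    "250 HELP"]

# What each policy does when the far end cannot do TLS.
POLICIES = {
    "opportunistic": "smtp-plaintext",        # the Gmail behaviour the post quotes
    "enforced": "not-sent",                   # queue or bounce rather than downgrade
    "fallback": "alternate-secure-channel",   # hypothetical SafeTLS-style overlay
}


def starttls_offered(ehlo_reply_lines):
    """True if any 250 line of the EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_reply_lines:
        if not line.startswith("250"):
            continue
        words = line[4:].split()   # drop the '250-' or '250 ' prefix
        if words and words[0].upper() == "STARTTLS":
            return True
    return False


def choose_delivery(ehlo_reply_lines, policy):
    """Transport the sender will use: TLS whenever it is offered, otherwise
    whatever the policy prescribes for a recipient that cannot do TLS."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if starttls_offered(ehlo_reply_lines):
        return "smtp-starttls"
    return POLICIES[policy]


def compare_policies(ehlo_reply_lines):
    """Outcome of every policy against one EHLO reply, for a side-by-side view."""
    return {policy: choose_delivery(ehlo_reply_lines, policy) for policy in POLICIES}


def probe_live_server(host, port=25, timeout=10):
    """Ask a real server the same question (needs network; not used by the
    offline demo below). smtplib records the extensions advertised after EHLO."""
    with smtplib.SMTP(host, port, timeout=timeout) as server:
        server.ehlo()
        return server.has_extn("starttls")


if __name__ == "__main__":
    for name, reply in (("STARTTLS offered", EHLO_WITH_STARTTLS),
                        ("no STARTTLS", EHLO_NO_STARTTLS)):
        print(f"{name}: {compare_policies(reply)}")
```

One caveat worth keeping in mind when reading the ‘opportunistic’ row: the EHLO reply travels in the clear before any TLS is negotiated, so a sender that silently downgrades to plaintext whenever STARTTLS is absent cannot tell a legacy server from a reply that was tampered with on the path. That is why enforced policies exist, whether a per-recipient forced-TLS rule on your own server or a published MTA-STS policy (RFC 8461), and why an overlay that falls back to a different secure channel instead of plaintext closes the gap from the sender’s side.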

Is TLS email encryption good enough?
By Alex Mushkin

As most people are aware, the need for secure messaging, email encryption or email compliance is on the mind (or should be) of almost all managers inside every business. The need for TLS (Transport Layer Security) can vary from avoiding a data leak, ensuring there are no prying eyes on confidential information or even something as simple as validating that someone received your message.

Working for an email encryption and security company, I constantly get questions and inquiries about TLS and why using TLS isn’t “good enough”. Most of the time these questions are immediately followed by statements like “It’s good enough, and it’s free!” Free? Sure, but remember there is no such thing as a free lunch!

Here are a few different points that should be considered before making a decision on whether TLS is “good enough” for you and your organization’s email needs.

What is TLS?

Before any comparison or pros and cons discussion, we need to establish what TLS actually is and where it is used. TLS stands for Transport Layer Security and is intended to secure the communications between two points. When we talk about TLS in relation to a web browser, we have the little “lock” icon in our URL bar showing a secure connection from the web server to your browser. This means that when you submit a form with your credit card information on it, no one who intercepts your web session can read that data.

Same thing for email. When one email server sends a message to another email server over TLS, the connection itself is encrypted, so no one can intercept the payload in transit. But the message data itself is still unencrypted; only the channel is. It counts as secure and compliant because it was sent over an encrypted channel.

When we talk about encryption in everyday conversation, we have come to use the “TLS” acronym as if it applied only to email and “SSL” as if it applied only to the web. In reality you can apply TLS encryption to a variety of protocols, including HTTP for the web and SMTP for email. For clarity, the predecessor of TLS is SSL, or Secure Sockets Layer, which was commonly used on the web before it was used for email, hence the common association of the acronyms. Now that we have a bit of a primer, we can take a deeper dive and talk about workflows as they relate to email.

TLS and SPAM/Anti-Virus Workflows

When we talk about servers, we know that if TLS is used between two servers then that connection is secure. It is then assumed that if two servers have TLS, the message is secure and there is nothing more to worry about. This is a VERY common misconception: while mostly accurate, it needs some additional questions asked of the recipient’s mail server.

Most companies have some kind of SPAM and Anti-Virus service implemented. We know that those services or appliances look at messages and, if they are deemed “OK”, deliver them to the receiving mail server. The question that needs to be asked is whether the SPAM or Anti-Virus service actually sends messages on to the receiving server over TLS or not. Just because a sender sent the message and something received it via TLS does not mean that the whole path to the receiving server is encrypted. This is a potential point for a breach. So where auto TLS delivery or forced TLS delivery is in place, it is important to ask recipients whether true end-to-end TLS is implemented, or whether there is a gap.
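The gap described above can be audited from the receiving side, because every server in the path records its own hop in a Received: header, and RFC 3848 defines the ‘with ESMTPS’ and ‘with ESMTPSA’ protocol tokens for hops that used TLS (plain ‘ESMTP’ means no TLS on that hop). The following Python is an added example, not DataMotion’s code; the three Received: headers are constructed to reproduce the anti-spam-gateway gap from the paragraph above. As the sender you only see these headers in messages you receive, which is exactly why the post tells you to ask the recipient’s IT team.

```python
"""Audit a message's Received: trace for hops that were not protected by TLS.

Added example, not DataMotion's code. The headers below are constructed to
reproduce the anti-spam-gateway gap described in the post.
"""
import re

# 'with' protocol tokens that mean the hop used TLS: ESMTPS/ESMTPSA from
# RFC 3848, their SMTPUTF8 variants from RFC 6531.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

HOP_RE = re.compile(
    r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.S)

# Constructed trace in message order (newest hop first, as servers prepend):
#   1. anti-spam gateway -> internal mailbox server, plain ESMTP (the gap)
#   2. sender's server   -> anti-spam gateway, ESMTPS (TLS)
#   3. sender's client   -> sender's server, ESMTPSA (TLS + authenticated)
CONSTRUCTED_TRACE = [
    "from spamfilter.example.org (spamfilter.example.org [198.51.100.5]) "
    "by mailbox.example.org with ESMTP id 4Fx2; Tue, 2 Jul 2019 10:01:07 +0000",
    "from mail.sender.example (mail.sender.example [192.0.2.10]) "
    "by spamfilter.example.org with ESMTPS id 9Qz7 (TLSv1.2); Tue, 2 Jul 2019 10:01:05 +0000",
    "from [10.0.0.7] (unknown [203.0.113.9]) "
    "by mail.sender.example with ESMTPSA id 1Ab3; Tue, 2 Jul 2019 10:01:03 +0000",
]


def parse_hop(received_value):
    """Extract sending host, receiving host and protocol token from one Received: value."""
    match = HOP_RE.search(received_value)
    if not match:
        raise ValueError(f"cannot parse Received header: {received_value!r}")
    proto = match.group("proto").upper()
    return {"from": match.group("frm"), "by": match.group("by"),
            "protocol": proto, "tls": proto in TLS_PROTOCOLS}


def audit_trace(received_values):
    """Hops in chronological order (oldest first), each with its TLS verdict."""
    return [parse_hop(value) for value in reversed(received_values)]


def plaintext_hops(received_values):
    """The hops where the message crossed the wire unencrypted."""
    return [hop for hop in audit_trace(received_values) if not hop["tls"]]


def end_to_end_tls(received_values):
    """True only if every recorded hop used TLS."""
    return not plaintext_hops(received_values)


if __name__ == "__main__":
    for hop in audit_trace(CONSTRUCTED_TRACE):
        print(f"{hop['from']:>26} -> {hop['by']:<24} {hop['protocol']:<10} "
              f"{'TLS' if hop['tls'] else 'PLAINTEXT'}")
    print("end-to-end TLS:", end_to_end_tls(CONSTRUCTED_TRACE))
```

Run over the constructed trace, the audit reports TLS on the client-to-server and server-to-gateway hops and plaintext on the gateway-to-mailbox hop, which is the gap the post warns about. Two limits apply in practice: Received: headers are written by the receiving server of each hop and can be omitted or mangled, so treat the audit as evidence for a conversation with the recipient’s administrators rather than proof, and a TLS token says nothing about whether the certificate was validated.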

TLS and Replies

Now consider the recipient sending a reply, where the reply also needs to go securely. Just because a message was received from someone over TLS, there is no guarantee that the recipient’s sending email server will use TLS to send the reply. The question that needs to be asked of the recipient’s IT team is about priority of use. For example, will TLS always be used? Is there a fallback to an encryption or delivery provider in situations where TLS is not available? Is TLS even supported for sending messages?

The number of organizations I see that accept TLS because they have some kind of email SPAM or AV service, but don’t actually have TLS in use for inbound or outbound email on their own server, is more than I would like to admit. So if you are adopting TLS as your primary method of security, it’s important to establish trusted relationships with the people you send messages to and ensure that you (as the sender) have your email server forced to send messages to those recipients only via TLS.

Special Considerations

Another point to consider as a sender is whether you want your message to sit in the recipient’s own mailbox with no secondary level of protection. Traditionally the answer is yes, but what if you are sending a confidential document or sensitive information like a routing or account number, and the person you are sending to has a traditional email account from a provider like Gmail? We would traditionally feel OK, since we know that Gmail does support TLS. However, we often don’t consider the risk of the account itself being breached. Putting it simply, if someone’s public email account is compromised, then the confidential information you sent them is compromised too.

Yes, in the eyes of compliance you are covered but there are certain ethical and best practice issues that you should take into account. By forcing people to use two-factor authentication, or to log into a portal with a separate password, or even have a message exist for a finite amount of time, you can ensure security for confidential information regardless of whether the recipient’s primary account is compromised.

As a recipient there isn’t too much you can do. In situations where you are the one receiving content, you can insist that people send you confidential messages through their own secure portal system. In many cases you can leverage a custom portal or messaging center if made available by your vendor. A best practice should always be to not send sensitive information unless it is encrypted. Most secure email providers (DataMotion included) provide a means for you to reply to the sender securely. Alternatively you could initiate a new secure message so that your recipient can reply to you securely as well.

In closing, TLS is great for making sure that messages and data between servers and systems are encrypted from prying eyes. However, it is only part of a potentially complex equation, and it is in your best interest as a sender or a recipient to ask some key questions about how your information is sent, stored and delivered to its final destination. In many cases, just because something is an open standard or free does not make it the full answer to your needs. TLS is the foundation for solutions but may not be a solution in itself. So, TLS email encryption is not always “good enough”, which is why, if your organization frequently handles sensitive information, you need a solution that is more reliable. To learn more about how DataMotion’s solutions can solve your organization’s needs, contact us.

Achieve Office 365 CJIS Compliance
By Christian Grunkemeyer

Moving from an on-premises Exchange server to Microsoft Office 365 (O365) can have numerous benefits. Microsoft promotes its cloud productivity suite as yielding better collaboration, increased productivity and a reduced cost of ownership. Many state and local government agencies eager for those benefits are making a move to the cloud with O365. According to Microsoft, approximately 5.2 million people use Microsoft Cloud for Government services, including Azure Government, Office 365 Government and Dynamics CRM Online Government, an impressive figure. However, some government agencies need to access the FBI’s Criminal Justice Information Systems (CJIS) database to fulfill their mission. These agencies are bound by CJIS security rules that restrict their ability to use O365 to exchange CJIS information (CJI for short), so they must achieve Office 365 CJIS compliance. This information must be protected in motion and at rest whenever it is outside a secure CJIS datacenter. Specific rules and the entire FBI CJIS Security Policy are posted here.

According to its website, Microsoft will sign a CJIS Security Addendum for Office 365 CJIS compliance in states where they have established CJIS Information Agreements. At this time there are 26 states where Microsoft has a signed CJIS Security Addendum, the most recent being Missouri (February 2017). States that don’t have CJIS approval for O365 as of March 2017 include Alabama, Connecticut, Florida, Idaho, Indiana, Iowa, Louisiana, Maine, Maryland, Mississippi, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma, Rhode Island, South Dakota, Vermont, West Virginia, Wisconsin and Wyoming.

While these states are not prohibited from using cloud services, they must be able to demonstrate Office 365 CJIS compliance if using those services. For them to use O365 to transmit CJI and PII (Personally Identifiable Information), the following CJIS security policy sections must be addressed.

“5.8 Policy Area 8: Media Protection

Media protection policy and procedures shall be documented and implemented to ensure that access to digital and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media.

5.8.1 Media Storage and Access

The agency shall securely store digital and physical media within physically secure locations or controlled areas. The agency shall restrict access to digital and physical media to authorized individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted per Section 5.10.1.2.

5.8.2 Media Transport

The agency shall protect and control digital and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.

5.8.2.1 Digital Media during Transport

Controls shall be in place to protect digital media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. Encryption, as defined in Section 5.10.1.2 of this Policy, is the optimal control during transport; however, if encryption of the data isn’t possible then each agency shall institute physical controls to ensure the security of the data.”

When an agency moves from an on-premises secure Exchange server to O365, emails containing CJI must be protected – and that is commonly done through encryption. While O365 does contain an email encryption capability, that encryption occurs after the O365 cloud receives the unencrypted data. For those 24 states without a Microsoft CJIS Security Addendum, this is a violation of CJIS security policy. To achieve Office 365 CJIS compliance, the email must be encrypted before it arrives in the O365 cloud, and must remain encrypted until it is received or retrieved by the intended recipient.

One solution to this issue is to employ a third-party email encryption solution designed to enhance the security of O365 and address the CJIS security policy issues. Such solutions offer more depth in encryption features and capabilities and integrate well with the Office 365 suite of applications. To meet this end-to-end encryption requirement, the email can be encrypted at the Outlook client using an encryption plug-in, and routed through O365 to the recipient, or to an email encryption platform in a CJIS compliant datacenter to await recipient retrieval. In this way, O365 can be adopted while maintaining CJIS compliance for PII and CJI. You can learn more about securing email in Office 365 here.

Office 365 is a great tool and can offer state and local agencies many benefits – and with proper implementation can meet the stringent requirements for CJIS security.

Learn more about how we can help state and local agencies meet CJIS compliance requirements

How safe are HTTPS connections? Not as safe as you think.

Alex Mushkin

While using the internet, there’s a chance that you’ve noticed some websites using HTTP connections while others use HTTPS ones. The major difference between these is that HTTPS connections are considered “secure” while HTTP ones are not. This raises the question: how safe really are HTTPS connections?

When making an online purchase, any reputable website will require a secure HTTPS connection before requesting payment information and completing the transaction. HTTPS is the ubiquitous method used by browsers and websites to securely exchange sensitive data. Its underlying encryption has historically been provided by SSL, which is a familiar term to many Internet users. SSL uses digital certificates and strong encryption to create a secure tunnel between a web browser and web server. For online purchases, it allows you to safely enter your account details, provide your credit card payment information and complete the transaction.

Unfortunately, weaknesses have been discovered in SSL encryption, making HTTPS connections not as safe as you’d expect. Hackers have used these exploits to break through its security protection. So sensitive data that you exchanged over an HTTPS connection may not be as protected as you think. Fortunately, HTTPS can use additional encryption protocols that don’t have the weaknesses uncovered in SSL. Specifically, the TLS (Transport Layer Security) protocol can be used, and it’s already supported by a wide range of web browsers and websites.

But which websites support TLS, and better yet, which ones have disabled SSL altogether so that only the more secure TLS protocol can be used? Unfortunately, without running complicated third-party cryptography tools, it’s almost impossible to tell.

In many ways, you place your trust in those vendors that you do business with. DataMotion specializes in data security and compliance with privacy regulations. Being a trusted supplier to thousands of organizations over the past 16 years, we do not take that trust lightly. As part of our continuous security operations, we stay informed of emerging threats like the SSL vulnerability and apply immediate corrective action. While the security changes occur behind the scenes, invisible to our users, the relationships we form with our customers are visible in everything that we do.

While many web browsers, websites, and email services use TLS encryption, is it really good enough?

Opportunistic TLS – Two Good Ways to Put Your Email at Risk

Bob Janacek

Email encryption allows organizations to protect sensitive messages and increase their compliance with privacy regulations. One common encryption method, known as opportunistic TLS, automatically tries to secure the path that messages take when they travel to recipient email systems. Since this type of encryption is completely transparent to users, organizations often rely on opportunistic TLS to comply with privacy and security regulations.

Unfortunately, compliance strategies based on opportunistic TLS result in frequent breaches where sensitive data is sent over the public internet without encryption.

There are two main scenarios where breaches can occur.

First, and the most common case, is when recipient email systems do not support TLS encryption. As a result, encrypted paths are not established for sensitive messages to travel. Opportunistic TLS systems will then step down to standard delivery, and send messages to those systems without any encryption.

The second case, also frequently encountered, is when the recipient utilizes a cloud-based anti-virus and anti-spam service. These services often support TLS when receiving email, so a sending system configured for opportunistic TLS believes it has delivered the message securely to the recipient’s email server. Actually, the message was delivered securely to an intermediary. There is no way for the sending system to know if the next leg of the message’s journey, from the cloud service down to the recipient’s email system, is actually secure. Unfortunately, in most cases, this leg of the message’s journey is not TLS enabled, so messages travel over the public internet in unencrypted form. And as a result, a breach in compliance regulations has occurred.

Despite the problems of opportunistic TLS, when possible, delivering messages by TLS is still a good method to protect sensitive data. However, it should only be enabled on a case-by-case basis when end-to-end encryption between email systems can be confirmed. As the holistic secure data delivery system, DataMotion SecureMail ensures that all of your messages are delivered with end-to-end security. It does this by supporting a variety of delivery methods including TLS. This allows your organization to easily exchange sensitive data with the widest range of customers, partners and vendors while maintaining compliance with privacy regulations.
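The two failure modes above, and the case-by-case rule that follows from them, as an added example that is not DataMotion's code: a delivery-policy check that reads the recipient MX's SMTP EHLO reply for STARTTLS, flags an MX host outside the recipient's own domain as a likely intermediary whose onward hop cannot be confirmed, and only permits TLS delivery for domains on an out-of-band confirmed allowlist. All hostnames, domains and server replies are constructed; the allowlist and the "secure portal" fallback are assumptions.

```python
from dataclasses import dataclass

# Constructed allowlist (assumption): domains verified out of band to accept
# TLS all the way to the mailbox server, not just at a filtering front end.
CONFIRMED_END_TO_END = {"partner.example"}

# Constructed EHLO replies as a sending MTA would see them.
EHLO_WITH_TLS = "250-mx.partner.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-mail.legacy.example\r\n250-SIZE 10240000\r\n250 8BITMIME"


@dataclass
class Decision:
    action: str   # "deliver_tls" or "secure_portal" (hypothetical fallback channel)
    reason: str


def mx_advertises_starttls(ehlo_response: str) -> bool:
    """True if any 250 extension line of the EHLO reply is exactly STARTTLS."""
    for line in ehlo_response.splitlines():
        # Extension lines look like "250-STARTTLS" (more follow) or "250 STARTTLS" (last).
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def mx_is_third_party(recipient_domain: str, mx_host: str) -> bool:
    """Heuristic for case 2: an MX host not under the recipient's domain is
    usually a cloud anti-spam service, so TLS would end at that intermediary."""
    mx_host = mx_host.lower().rstrip(".")
    return not (mx_host == recipient_domain or mx_host.endswith("." + recipient_domain))


def decide_delivery(recipient: str, mx_host: str, ehlo_response: str) -> Decision:
    """Never let opportunistic TLS step down to plaintext for sensitive mail."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if not mx_advertises_starttls(ehlo_response):
        # Case 1: recipient does not support TLS; opportunistic delivery would go plaintext.
        return Decision("secure_portal", "recipient MX does not offer STARTTLS")
    if mx_is_third_party(domain, mx_host) and domain not in CONFIRMED_END_TO_END:
        # Case 2: TLS only reaches the intermediary; the final leg is unknown.
        return Decision("secure_portal", "TLS terminates at third-party MX " + mx_host)
    if domain not in CONFIRMED_END_TO_END:
        return Decision("secure_portal", "end-to-end TLS not confirmed for " + domain)
    return Decision("deliver_tls", "confirmed end-to-end TLS partner " + domain)
```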

Learn more about how we can help your business ensure that all communications are sent with end-to-end security.

Salesforce Service Cloud and HIPAA Compliance

Hugh Gilenson

Q: My company sells to the healthcare industry. Is it a HIPAA violation when my Customer Service Rep replies to a support ticket on Service Cloud? I mean, Salesforce is HIPAA compliant, right?

A: You very well may be in violation of HIPAA standards. Here’s why.

Yes, the Salesforce platform itself can be made HIPAA compliant. Salesforce will sign a Business Associate Agreement (BAA), and if you connect Shield you’ll get monitoring, encryption and auditing functionality for your Salesforce instance. But that’s only part of the compliance story, because it only covers the data while it’s residing within the Salesforce ecosystem – the data at rest.

HIPAA also applies to data in motion. Simply stated, data containing protected health information traveling over a public network (like the Internet) must be encrypted in transit.


So let’s take a look at your scenario: Suppose you’re a CSR using Service Cloud to view a new support ticket. A customer sends an inquiry explaining that his doctor wants him to get additional testing to rule out prostate cancer and he wants to know if his insurance covers the new tests. The customer’s contact information plus a medical condition equals Protected Health Information (PHI) and needs to comply with HIPAA.

While you’re viewing the information on Service Cloud, it’s covered by HIPAA (see the first paragraph above). But when you reply to that ticket the PHI is almost always copied as part of the ongoing dialogue thread and is sent from your company to the customer via email or other messaging format. It’s now data in motion traveling over the Internet, and your company (not Salesforce) is responsible to encrypt the message before it’s sent in order to be HIPAA compliant.

Luckily, there are solutions, like DataMotion SecureMail, that integrate easily with Salesforce, and have the ability to filter by policy rules and keywords and automatically encrypt messages containing PHI. Our solution also adds logging and tracking for better visibility and governance (proof you need in the event of a HIPAA audit by the feds)!

Summary

Yes, the Salesforce Platform can be made HIPAA compliant. But when you reply to a Service Cloud ticket, that’s data in motion and it’s not Salesforce’s responsibility. Your company needs to ensure those messages are encrypted between Salesforce and your customers. If not, you’re subject to fines, penalties and loss of reputation.

Contact us to learn how DataMotion SecureMail can integrate with Salesforce to ensure compliance with HIPAA regulations.
