Help us practice what we preach.
December 28, 2010 7:11 PM Subscribe
How should a business that's about security set up its own secure communications?
My brand-new consulting company is all about confidentiality and protecting information. We'd like to actually embody these ideals by setting up secure email and data sharing systems. We're small (four founders), we can't afford to set up our own IT systems, and even if we had the money, we are a ways away from hiring someone to build and run it for us.
So what are our options for very secure cloud-based email and data storage solutions? Here's our wishlist:
* Secure email and secure email attachments
* Secure faxes, if that's even possible
* The ability to extend that secure email communication to our clients while we are working with them
* Secure online storage and file sharing with compartmentation and access control
* Platform independence, so we can use our Macs, PCs, iPhones, Blackberries, whatever
* Minimal invasiveness -- no proprietary email clients or browsers
* Minimal intrusion on our branding -- no requirement to go through another company's web portal
* Ease of use -- no multiple steps to zip/encrypt/package messages and files
* Reasonable security posture -- we're seeking high-quality security and reliability without putting on tinfoil hats
I'm very aware that one stuff hits a person's laptop, all bets may be off, and we can't control what our clients do with their own hardware. But I'd like to understand what the state of the art is for the Internet leg of the communications route. I'm familiar with Google Apps but feel like we need to make an effort to get beyond SSL connections and into real data privacy. We're happy to pay for quality service and support; we're also happy to face up to reality if there is no cloud solution for this and we need to make an IT investment.
So, AskMeFites, what's out there? What works for real day-to-day business use? What broadcasts to clients that you care about data and communications security? What strikes the right balance between cost and benefit?
Thank you!
My brand-new consulting company is all about confidentiality and protecting information. We'd like to actually embody these ideals by setting up secure email and data sharing systems. We're small (four founders), we can't afford to set up our own IT systems, and even if we had the money, we are a ways away from hiring someone to build and run it for us.
So what are our options for very secure cloud-based email and data storage solutions? Here's our wishlist:
* Secure email and secure email attachments
* Secure faxes, if that's even possible
* The ability to extend that secure email communication to our clients while we are working with them
* Secure online storage and file sharing with compartmentation and access control
* Platform independence, so we can use our Macs, PCs, iPhones, Blackberries, whatever
* Minimal invasiveness -- no proprietary email clients or browsers
* Minimal intrusion on our branding -- no requirement to go through another company's web portal
* Ease of use -- no multiple steps to zip/encrypt/package messages and files
* Reasonable security posture -- we're seeking high-quality security and reliability without putting on tinfoil hats
I'm very aware that one stuff hits a person's laptop, all bets may be off, and we can't control what our clients do with their own hardware. But I'd like to understand what the state of the art is for the Internet leg of the communications route. I'm familiar with Google Apps but feel like we need to make an effort to get beyond SSL connections and into real data privacy. We're happy to pay for quality service and support; we're also happy to face up to reality if there is no cloud solution for this and we need to make an IT investment.
So, AskMeFites, what's out there? What works for real day-to-day business use? What broadcasts to clients that you care about data and communications security? What strikes the right balance between cost and benefit?
Thank you!
You should pardon me for saying so, but if you don't already know the answer, then how can you be in that business?
posted by Chocolate Pickle at 7:34 PM on December 28, 2010 [11 favorites]
posted by Chocolate Pickle at 7:34 PM on December 28, 2010 [11 favorites]
Encrypt all your email with PGP. Open source, and works with any email client that can handle text (all of them). Thunderbird (and I assume Outlook) will encrypt / decrpt with the push of a button with a plug in installed.
Good luck getting your clients to embrace encrypting all their email though. There is a reason encrypting email hasn't caught on in 15 years. For one thing, most emails are that important and don't really need to be encrypted.
posted by COD at 7:36 PM on December 28, 2010
Good luck getting your clients to embrace encrypting all their email though. There is a reason encrypting email hasn't caught on in 15 years. For one thing, most emails are that important and don't really need to be encrypted.
posted by COD at 7:36 PM on December 28, 2010
Best answer: X.509 email. Not bullshit self-signed certificates, either; do it right with real ones from a widely-accepted CA.
Yeah, there are some problems with X.509 and the underlying PKI scheme, but right now it's the best thing going. It'll let you have secure email that will interoperate with the US Government and many major corporations. (The only real competitor is PGP, but in my experience that's really only used by the open source and some elements of the hacker community, and it's not as widely supported by commercial software.)
Expanding it to outside vendors and clients will require purchasing certificates for them, though, or encouraging them to get their own. It's not a huge expense -- around $20 per user (although Comodo offers free ones that I haven't played with) -- that anyone even remotely interested in security ought to be able to bear, if they haven't purchased them already.
I've used X.509 on a daily basis for years, and it integrates well with nearly all major email clients. You can do end-to-end encryption on a Blackberry, but it might require a BES that you run yourself rather than a hosted service, I'm not entirely clear. Perhaps someone else can elucidate. I don't think that the iPhone does S/MIME email out of the box (which, IMO, is a ridiculous feature hole), but there are 3rd party apps for people who need to use an iPhone. Most security-oriented places I've worked with don't use iPhones.
Secure fax is a taller order; if you literally mean "fax" in the traditional telephone sense, than you'll need a STU-III (or a similar device), but they were never popular outside the Federal government (and then really only DoD). You can do encrypted SIP (VOIP), and then do T.38 over the encrypted SIP, but that'll only be end-to-end encryption if the other party has a similar setup, which most won't, and I have had a devil of a time getting it working. I think most people interested in security, who aren't satisfied with the security of POTS, just forbid regular fax and use attachments sent over encrypted email instead.
posted by Kadin2048 at 7:44 PM on December 28, 2010
Yeah, there are some problems with X.509 and the underlying PKI scheme, but right now it's the best thing going. It'll let you have secure email that will interoperate with the US Government and many major corporations. (The only real competitor is PGP, but in my experience that's really only used by the open source and some elements of the hacker community, and it's not as widely supported by commercial software.)
Expanding it to outside vendors and clients will require purchasing certificates for them, though, or encouraging them to get their own. It's not a huge expense -- around $20 per user (although Comodo offers free ones that I haven't played with) -- that anyone even remotely interested in security ought to be able to bear, if they haven't purchased them already.
I've used X.509 on a daily basis for years, and it integrates well with nearly all major email clients. You can do end-to-end encryption on a Blackberry, but it might require a BES that you run yourself rather than a hosted service, I'm not entirely clear. Perhaps someone else can elucidate. I don't think that the iPhone does S/MIME email out of the box (which, IMO, is a ridiculous feature hole), but there are 3rd party apps for people who need to use an iPhone. Most security-oriented places I've worked with don't use iPhones.
Secure fax is a taller order; if you literally mean "fax" in the traditional telephone sense, than you'll need a STU-III (or a similar device), but they were never popular outside the Federal government (and then really only DoD). You can do encrypted SIP (VOIP), and then do T.38 over the encrypted SIP, but that'll only be end-to-end encryption if the other party has a similar setup, which most won't, and I have had a devil of a time getting it working. I think most people interested in security, who aren't satisfied with the security of POTS, just forbid regular fax and use attachments sent over encrypted email instead.
posted by Kadin2048 at 7:44 PM on December 28, 2010
Best answer: * Email - Use encryption. If you have the expertise, setting up your own email server would be the best route, although plenty of email providers support encryption. Although I am usually a open source advocate, Exchange actually has some nice features for email security, such as enforcing that any phones which download email must be secured with a PIN number.
* PGP can be used by the client, but they are going to have to set it up. I don't see any way to force them to send you encrypted mail, and I wouldn't even bother if I was you. It will just be an annoyance. If you need to communicate in a secure fashion, meet face-to-face or through a secure (?) phone line. Email is not a particularly secure protocol, unless you control the entire network there is no way to ensure compliance.
* Faxes - There are standards out there for secure encrypted fax transmissions, the boxes are more expensive but not prohibitively so. Again, this might be more of a hassle than it is worth, although it isn't unusual as HIPAA (medical regulations) and some financial services require compliance with these standards.
* Cloud solutions - Amazon's S3 is the most widely used. Cheap to start out and highly scalable. You could also check out Nasuni or some of the EMC gear depending on your budget. To store files, these services often support SMTP (email) gateways, as well as HTTPS, FTP, NFS, CIFS, etc. Figure out how you want to get the files there, then look for a secure provider that will support it. A good cloud storage solution will use block level encryption so that even if the hardware is compromised the data is still secure.
posted by sophist at 7:46 PM on December 28, 2010
* PGP can be used by the client, but they are going to have to set it up. I don't see any way to force them to send you encrypted mail, and I wouldn't even bother if I was you. It will just be an annoyance. If you need to communicate in a secure fashion, meet face-to-face or through a secure (?) phone line. Email is not a particularly secure protocol, unless you control the entire network there is no way to ensure compliance.
* Faxes - There are standards out there for secure encrypted fax transmissions, the boxes are more expensive but not prohibitively so. Again, this might be more of a hassle than it is worth, although it isn't unusual as HIPAA (medical regulations) and some financial services require compliance with these standards.
* Cloud solutions - Amazon's S3 is the most widely used. Cheap to start out and highly scalable. You could also check out Nasuni or some of the EMC gear depending on your budget. To store files, these services often support SMTP (email) gateways, as well as HTTPS, FTP, NFS, CIFS, etc. Figure out how you want to get the files there, then look for a secure provider that will support it. A good cloud storage solution will use block level encryption so that even if the hardware is compromised the data is still secure.
posted by sophist at 7:46 PM on December 28, 2010
Oh, Iron Mountain is also a good company to look at for secure file storage.
posted by sophist at 7:48 PM on December 28, 2010
posted by sophist at 7:48 PM on December 28, 2010
your requirements use the word "secure" a lot, but we have no idea what your threat model is (or if you even have one). without that, there's no way of knowing what technologies will meet your needs. as chocolate pickle said, it doesn't really sound like you know the right questions to ask for someone in this industry.
posted by russm at 9:45 PM on December 28, 2010 [3 favorites]
posted by russm at 9:45 PM on December 28, 2010 [3 favorites]
we're seeking high-quality security and reliability without putting on tinfoil hats
High quality, reliable security pretty much is a tinfoil hat, unless (as russm hinted) your threat model allows for something less. How valuable is the data you're trying to protect?
posted by sanko at 10:12 PM on December 28, 2010
High quality, reliable security pretty much is a tinfoil hat, unless (as russm hinted) your threat model allows for something less. How valuable is the data you're trying to protect?
posted by sanko at 10:12 PM on December 28, 2010
To meaningfully answer the question we need some idea of what information you're protecting, who you're protecting it both for & from. Suits of armor work great against swords; against bullets, not so much. Water's great at putting out fires but it'll also ruin your books & documents. We need to understand the threat before we can recommend solutions.
posted by scalefree at 10:52 PM on December 28, 2010
posted by scalefree at 10:52 PM on December 28, 2010
Best answer: it'd be worth thinking about what exactly you want to protect your data from.
* accidental disclosure by an authorised insider
* malicious disclosure by an authorised insider
* access by an unauthorised insider (someone with legitimate access to your systems, but not the data in question)
* routine/non-malicious access by a system admin (someone working at your email provider)
* malicious access by a system admin
* drive-by hacker (not targeting you or your clients specifically, an opportunistic attack)
* targeted hacker (someone with a specific interest in your or your clients data)
* LEO with a "polite request"
* LEO with a subpoena
* NSA
do you want an audit log of accesses to your data so you know who viewed or downloaded what when? do you want to be able to trace (document watermarking etc) the authorised account who downloaded some specific instance of a document that you have?
these are the kinds of things you need to have considered in order to make a meaningful technology/provider choice for "security", and doubly so in order to offer advice about these things to your clients.
posted by russm at 11:30 PM on December 28, 2010 [3 favorites]
* accidental disclosure by an authorised insider
* malicious disclosure by an authorised insider
* access by an unauthorised insider (someone with legitimate access to your systems, but not the data in question)
* routine/non-malicious access by a system admin (someone working at your email provider)
* malicious access by a system admin
* drive-by hacker (not targeting you or your clients specifically, an opportunistic attack)
* targeted hacker (someone with a specific interest in your or your clients data)
* LEO with a "polite request"
* LEO with a subpoena
* NSA
do you want an audit log of accesses to your data so you know who viewed or downloaded what when? do you want to be able to trace (document watermarking etc) the authorised account who downloaded some specific instance of a document that you have?
these are the kinds of things you need to have considered in order to make a meaningful technology/provider choice for "security", and doubly so in order to offer advice about these things to your clients.
posted by russm at 11:30 PM on December 28, 2010 [3 favorites]
Response by poster: Thanks for the feedback so far. For those of you who question how a "security expert" could not know the answers to these questions, may I humbly suggest that there are genres of security that do not focus exclusively on computers and networking. We are not providing IT security consulting. I certainly acknowledge that I am not an IT security expert, and I am grateful for the advice of those who are.
We would like to protect our proprietary company data and the proprietary information of our customers. We would like to ensure that data is protected during email transmission. We would like to ensure that data is protected at rest in company-branded server space. We would like to compartment our data from our customer data, and customer data from other customers. We would like to know that any data we choose to store this way is safe from loss, from unauthorized access inside the company and outside.
I do not expect to evade inquiry by government agencies. I do not expect perfect protection from insider threat, though that would certainly be nice.
I was hoping that some company somewhere offered an integrated secure communications suite. Does that exist in a cloud model, or is enterprise security still based on one's own IT infrastructure?
I hope this information is helpful. I apologize for not providing the right information; I am not in charge of this project, but came to MeFi in the hope of getting some advice so I could be helpful, because this stuff interests me.
posted by woot at 4:24 AM on December 29, 2010
We would like to protect our proprietary company data and the proprietary information of our customers. We would like to ensure that data is protected during email transmission. We would like to ensure that data is protected at rest in company-branded server space. We would like to compartment our data from our customer data, and customer data from other customers. We would like to know that any data we choose to store this way is safe from loss, from unauthorized access inside the company and outside.
I do not expect to evade inquiry by government agencies. I do not expect perfect protection from insider threat, though that would certainly be nice.
I was hoping that some company somewhere offered an integrated secure communications suite. Does that exist in a cloud model, or is enterprise security still based on one's own IT infrastructure?
I hope this information is helpful. I apologize for not providing the right information; I am not in charge of this project, but came to MeFi in the hope of getting some advice so I could be helpful, because this stuff interests me.
posted by woot at 4:24 AM on December 29, 2010
If your data is not under your own control, it is not secure. Once you send an email, you are trusting the recipient to maintain its security. You can encrypt and all of that, but the recipient can then forward to all.
Two kinds of security: nobody can get your stuff, but you can. If either is broken, you are not secure.
posted by gjc at 5:28 AM on December 29, 2010
Two kinds of security: nobody can get your stuff, but you can. If either is broken, you are not secure.
posted by gjc at 5:28 AM on December 29, 2010
In terms of sending and receiving secure attachments via email, I would recommend looking at leapfile.com. I use it in my company and it works out very well. They are a small enough and nimble company that they might even entertain the option of you being a reseller of their service. If so, this would make a useful introduction to clients for the technique.
The problem is that all security efforts have usability trade offs. One of the big challenges you will have in your business is the misconception that security is something you can buy -- rather, it is something you do. I'm not familiar with your business model, but if you consult and help companies implement sound security solutions I would look at every tool you use as a demonstration opportunity.
posted by dgran at 5:47 AM on December 29, 2010
The problem is that all security efforts have usability trade offs. One of the big challenges you will have in your business is the misconception that security is something you can buy -- rather, it is something you do. I'm not familiar with your business model, but if you consult and help companies implement sound security solutions I would look at every tool you use as a demonstration opportunity.
posted by dgran at 5:47 AM on December 29, 2010
You could set up a TOR node which offers opaque communication.
posted by JJ86 at 6:20 AM on December 29, 2010
posted by JJ86 at 6:20 AM on December 29, 2010
One thing you might want to think about is the security of the employee computers, if they are compromised or stolen. I think Lenovo still makes some laptops that require a fingerprint ID to startup, which seems like a good start. There is also drive encryption so that someone can't just pull out the drive and hook it up to another computer to browse through the data. It might be a good idea to at least come up with a written company policy about not keeping sensitive files on insecure USB drives, requiring login passwords, and keeping up to date with the latest patches of your operating system.
posted by sophist at 1:42 AM on December 30, 2010
posted by sophist at 1:42 AM on December 30, 2010
« Older How do you trust someone you are just getting to... | How do I operate this vintage calculator? Newer »
This thread is closed to new comments.
posted by XMLicious at 7:29 PM on December 28, 2010