Kfir

What is the threat, who is the attacker and what is the asset you are
protecting?

There is little reason to encrypt internal email in my experience. Let's say
that Mike in sales has an insider tip on company stock options and he wants
to tell Yael in HR. Encryption doesn't mitigate that threat. Let's say that
Yossi has a secret algorithm he wants to sell to the dark side. Encrypting
internal email won't mitigate that threat either. If there are confidential
files being sent by email to external destinations - encrypt the files and
give the key to the recipient.

BUT - If you're concerned about information leakage then your cheapest and
most effective countermeasure is monitoring email transmission for
particular data types and destinations.

Danny

On 8/14/07, Kfir Lavi <[EMAIL PROTECTED]> wrote:
>
> Hi Danny,
> I want to encrypt inside company emails.
> I thought about building a mail server with webmail and a plugin for
> encryption.
> Most of the use of the webmail interface will be from known computers.
> The number of emails will be in the hundreds.
> But I need to keep the private key in each user's hands.
> I'm thinking to pass the encryption, I don't want it to be a burden.
>
> On 8/13/07, Danny Lieberman <[EMAIL PROTECTED]> wrote:
> >
> > Kfir
> >
> > What exactly are you trying to achieve by encrypting email - are you
> > trying to encrypt business communications between employees and
> > vendors/customers to protect from eavesdroppers or do you want to encrypt
> > the message repository and protect it from attackers?
> >
> > Before you start applying encryption as a panacea do a little threat
> > analysis first.  Ask yourself - what assets are you trying to protect, what
> > are the threats and what are your vulnerabilities.
> >
> > My experience with extrusion prevention with a fair number of customers
> > has shown the following:
> >
> > a. It's better to use outgoing email in clear text because 1) you can
> > monitor what people are doing and 2) having a business partner
> > decrypt/encrypt is generally a pain in the ass that is greater than the
> > value of the business transaction.
> >
> >
> > b. If you have high-value business communications between your company
> > and vendors - you are better off just encrypting the file (for example a
> > sensitive contract or product design doc) and sending the encrypted
> > attachment. This will enable you to monitor who is sending and who is
> > receiving and with the right monitoring system - you will be able to detect
> > that an encrypted file was sent which is interesting information in its own
> > right.
> >
> > Read my blog entry on this topic 
> > http://www.software.co.il/blog/2007/06/secure_communications_without_1.html
> >
> >
> > Best regards
> > Danny
> >
> >
> > On 8/10/07, Kfir Lavi <[EMAIL PROTECTED]> wrote:
> > >
> > > Danny,
> > > Google apps is exactly what I'm trying to avoid :-)
> > > What did you mean by "You don't want to get involved in encrypted mail
> > > on your lonesome."?
> > >
> > > On 8/10/07, Danny Lieberman <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Kfir
> > > >
> > > > The best bet for you is Google Applications - surf to
> > > > www.google.com/a
> > > >
> > > > You don't want to get involved in encrypted mail on your lonesome.
> > > >
> > > > danny
> > > >
> > > > On 8/9/07, Kfir Lavi <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > Hi,
> > > > > I would like to keep company emails secure and encrypted.
> > > > > I'm looking for a webmail program that is similar to Gmail. It
> > > > > doesn't have to own all the stuff, just to be productive.
> > > > > I would also want encryption. I want all the emails to be encrypted
> > > > > automatically.
> > > > > What is the procedure for a user? Should he take with him a USB
> > > > > private key?
> > > > > I'm looking for your comments on the idea.
> > > > >
> > > > > Tnx,
> > > > > Kfir
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Danny Lieberman
> > > > Reduce risk with practical threat analysis- visit us at
> > > > www.ptatechnologies.com
> > > > "All things being equal, the simplest solution tends to be the best
> > > > one."             Occam's razor
> > > >
> > > > --------------------------------------------------------------------------------------------
> > > > www.software.co.il/blog   - Israeli software, music and mountain
> > > > biking
> > > > www.software.co.il/pta     - Download a free copy of the
> > > > PTA-Practical threat analysis tool
> > > >
> > > > --------------------------------------------------------------------------------------------
> > > > Tel Aviv   + 972  3 610-9750
> > > > US         + 1-301-841-7122
> > > > Cell         + 972 54 447-1114
> > >
> > >
> > >
> >
> >
> >
>
>


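
The monitoring approach described in this thread (who is sending, who is receiving, and whether an encrypted file was sent), sketched as an added example that is not part of the thread or any poster's code. The domain names, the sample message and the rule of alerting on an encrypted attachment going to an external recipient are assumptions made for illustration.

```python
import email
from email import policy

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the company's own mail domain

# Constructed outbound message: one internal and one external recipient,
# carrying an ASCII-armored PGP attachment (placeholder body).
SAMPLE = b"""\
From: mike@corp.example
To: yael@corp.example, buyer@vendor.example
Subject: contract draft
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Draft attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="contract.doc.asc"

-----BEGIN PGP MESSAGE-----
constructed-placeholder
-----END PGP MESSAGE-----
--b1--
"""

def looks_encrypted(data: bytes) -> bool:
    """Heuristic only: PGP ASCII armor, or a ZIP whose first entry is encrypted."""
    if b"-----BEGIN PGP MESSAGE-----" in data[:4096]:
        return True
    # ZIP local header: "PK\x03\x04", 2-byte version, then 2-byte flags (LE);
    # bit 0 of the flags marks the entry as encrypted.
    return len(data) > 6 and data[:4] == b"PK\x03\x04" and bool(data[6] & 0x01)

def review_outbound(raw: bytes) -> dict:
    """Report sender, external recipients and encrypted attachments of one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    rcpts = [a.addr_spec for h in ("To", "Cc", "Bcc")
             for hdr in msg.get_all(h, []) for a in hdr.addresses]
    external = sorted(r for r in rcpts
                      if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)
    encrypted = [p.get_filename() for p in msg.iter_attachments()
                 if looks_encrypted(p.get_payload(decode=True) or b"")]
    return {"sender": msg["From"].addresses[0].addr_spec, "external": external,
            "encrypted_attachments": encrypted,
            "alert": bool(external and encrypted)}

if __name__ == "__main__":
    print(review_outbound(SAMPLE))
```

The check reads only headers and the first bytes of each attachment, so it works whether or not the monitor holds any decryption key.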