File Encryption System

I recently started a discussion on flash drives and someone mentioned file encryption systems, e.g. TrueCrypt.  I thought it was a good subject to be discussed.  So I started this new discussion thread.

And I would like to use this opportunity to do a survey:

Do you encrypt your

- USB flash drive

- Laptop / netbook

- Desktop

- Server

- other portable devices e.g. smartphone, tablets....

 

 

Comments

Encryption

StephenElms | | Permalink

 Our HDD data is encrypted and hidden at night. Same for USB drives if we move data around outside of the office.

Encrypt laptops and USB devices

jonstanton | | Permalink

We took the decision a while ago to encrypt all of our laptops.  We have staff on the road all the time and felt that this was needed.  As we had over 80 devices we wanted to manage them centrally - so used Checkpoint Full Disk Encryption.

We have also recently enforced encryption of all our USB memory sticks.  We have used DriveLock to manage these devices and enforce our policy - so that staff cannot now write files to unencrypted or personal USB devices.

Our servers are in separate secure locked rooms - so these aren't encrypted.  We do however encrypt our backup tapes as these are taken off-site.

We also have the ability to encrypt emails and offer this to clients where the data being sent is particularly sensitive.

I would recommend that anyone who doesn't encrypt portable devices reads the guidance on Encryption from the Information Commissioner - http://www.ico.gov.uk/news/current_topics/our_approach_to_encryption.aspx


How about encrypting emails?

challisc | | Permalink

Important questions. Can I add "emails" to the list?


How can we miss Email?

chanpangchi | | Permalink

Don't know how often we email sensitive information in plain text.  Have to say we are just lucky!

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://algconsultings.wordpress.com/

Email encryption

jonstanton | | Permalink

Totally agree - emails containing sensitive data should be encrypted.

We are using Egress Switch to encrypt sensitive emails to our clients.  It integrates with Outlook for us to send messages and our clients use a free reader application to read the content - so there is no cost to them.


Great Information

chanpangchi | | Permalink

Please correct me ...

nogammonsinanun... | | Permalink

... but it seems to me that the elephant in the room, when it comes to email encryption, is that both the sender and receiver have to have installed the same system for encrypting/decrypting.  Our firm has close to 2000 clients, admittedly not all using email as a preferred communication tool.  Some of them may have already installed some encryption technology.  But presumably every one of us would have to be using the same technology if we as accountants were routinely to email our client base in a secure manner.

The accounting community have been badgering HMRC for years to allow us to communicate with them by email in relation to our clients' affairs, and as yet this is a problem that HMRC have not yet been able to solve.

With kind regards

Clint Westwood


Exchange Hosted Encryption solution overview

chanpangchi | | Permalink

Transparent encryption and e-mail delivery

When a user sends an e-mail message, it travels to the Microsoft global network through a Transport Layer Security (TLS)-encrypted tunnel, and is automatically encrypted at the gateway according to rules created and managed within the Microsoft Forefront Online Protection for Exchange module.

When a message is encrypted, a private key for the recipient is created and stored in a security-enhanced environment on the Microsoft network. The private key is made available to the message recipient when the recipient decrypts the message. The recipient does not have to pre-enroll to receive and decrypt the message. In fact, the recipient may have never received a prior e-mail from the sender.

The Microsoft encryption process is entirely transparent to the sender, who does not need to do anything other than write and send the message as usual.

http://www.microsoft.com/online/exchange-email-encryption.aspx

And there are many more email encryption services that you can find on the cloud.

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://algconsultings.wordpress.com/


Online Storage

chanpangchi | | Permalink

Another approach is online storage.  I don't email attachments but only a link to the document that I store online.

I used SkyDrive from Microsoft.

http://explore.live.com/windows-live-skydrive
 

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://algconsultings.wordpress.com/

Elephant in the room

jonstanton | | Permalink

Clint,

You are correct in that the sender and recipient need to both have the same encryption package in place for it to work.

That is why we chose a solution which we could deploy to all our staff, and which our clients could use to communicate with us at no cost to them.  The clients need to register and get the software, but once this has been done they are set to go. 

We have found most clients react very positively when we tell them what we are doing and why - particularly those who send the most sensitive data such as payroll clients.  When they are asked would they like some additional protection for their data at no cost to them - it really is difficult for them to object.


This is what we called added value

chanpangchi | | Permalink

Jon,

You provided your clients extra value at no cost; how can they say NO!

-- Regards,

chan_a@algconsultings.com

http://ca.linkedin.com/in/alginc

http://algconsultings.wordpress.com/


I sometimes wonder ...

nogammonsinanun... | | Permalink

... whether the security threat of unencrypted emails is overhyped.

That there is a security hole, I am perfectly willing to accept.  What I am less sure about is that it is a hole that gets exploited in any measurable degree.  You very rarely hear stories about data leakage through third parties snooping on emails in transit. (Well I have never heard of an instance, but you may know otherwise).  And when you consider the volume of emails of which only a tiny fraction are encrypted, that I think speaks volumes of the scale of the problem.  Leakage of data by some unauthorised or malicious user at one or other end of the transmission is commonplace, but merely encrypting emails during transmission will not get over that.

I suppose that if your organisation is of a type that is likely to get targeted, such as HMRC or MOD, then that may be a different kettle of fish.

With kind regards

Clint Westwood


email leakage

challisc | | Permalink

Clint, you may well be right that there are few if any reported cases of emails being read in transit by a third party. But "reported" is the key. You probably won't know if someone's seen an email. Wherever there's a duty of confidentiality, is it appropriate to put unencrypted messages and documents into the public internet system?

Yes it is possible to put documents into encrypted vaults. I was talking to someone yesterday about a system specifically designed for communication between a professional firm and their clients.

A bigger issue with emails perhaps is their public nature. It's always interesting to be copied into an email where there has been some prior discussion, with comments made by one party that clearly weren't intended to go any further. Best to regard anything in an email as in the public domain!

 

 


Email privacy v. millions of letters lost by Royal Mail each wee

KH | | Permalink

I have recently moved over to encryption, not purely out of fear, but mainly because the iMac I use neatly encrypts the Home folder on the fly, and the computer is password protected ... so it was very easy to go down the "secure" route. Likewise with back-up hard drives, like the iStorage DiskGenie, which is platform independent, but uses a log-in key to access the data. But with regards emails, I would have thought they were much much safer than normal post; the amount of mail which gets lost, and even worse, the sheer volume which is delivered to the wrong addresses each day, gives me far greater cause for concern than email security. On balance, I think I am safer sending information via unencrypted email than by unencrypted Royal Mail.

If I had any 'very large' clients, of the ilk who have specialised accounting departments, then I'd definitely look into secure email arrangements with those clients, but, for the Jo Next Door, who is still only just getting to grips with computers, let alone the perceived intricacies of email, who makes up the bulk of my clientele, then I definitely feel happier with email than with Royal Mail.

I tend to think that email security is just another of those myriads of new worries which government is keen to keep us enthralled by ... it's much easier to rule a cowed society rather than one where people actually think for themselves. However, when things get easier, or more scary, or my clients get more clued up, then I too will adopt a more secure approach to emails.

-- KH

email encryption

Gentoo | | Permalink

A couple of posts have suggested using a third party service for encryption. However, if it is all about managed paranoia then even third party services are open to systematic abuse.

There is a self-managed solution that also eliminates (reduces probability to very close to zero) man in the middle spoofing of emails as it incorporates authentication (real authentication)

You need software that can create public/private keys

For the really paranoid (and that's why we are here, isn't it?) use GPG.

http://www.gnupg.org/

Because it's Free Software you can obtain the source code, read it, have it QA'ed, then (have it) compile(d)

For each new client you give them a copy of this programme, with instructions on how to use it, or show them, but you must make sure that they don't give you their private key, then hold a key signing party

http://en.wikipedia.org/wiki/Key_signing_party

You then have developed a tight secure confidential means of communication unique to you and each client however each of you only needs one key pair.

I'd have thought this could become part of your new client assurance induction

You will need an email client that can use public/private key encryption.

I like to use software that doesn't want to phone home, (it's also available free of charge) so I use the Kontact suite on KDE

http://en.wikipedia.org/wiki/Kontact

http://en.wikipedia.org/wiki/KDE_4


Sky Drive

StephenElms | | Permalink

 So, where does sky drive ACTUALLY store your documents - the real location? If you don't know / can't find out then you are in breach of the data protection act....
