Why You Shouldn’t Email Your Sensitive Documents

David Stromdavid@strom.com

TechNet Mid America July 2012

Email docs to yourself

Email is inherently insecure…

Secure email alternatives

• Full encryption• DLP• Cloud-based storage• Secure document delivery services

Full encryption choices

• Voltage SecureMail• PGP Universal Server• Sophos Email Appliance• Proofpoint Protection Server• Mimecast's Unified Email Messaging

Common product features

• Crypto key management• Auto encrypt sensitive info as part of their

policies• Lots more rules processing• Outlook plug-ins

Drawbacks

• No visibility into document chain of custody• Encryption is still largely unused and

cumbersome• Key management

issues

Web-based encryption

• Voltage SecureMail Cloud• Hushmail for Business• Proofpoint on Demand• PGP's Web Messenger • Mimecast's Closed Circuit Messaging

Data loss prevention

• Global Velocity's GV-2010 security appliance • BlueCoat Networks DLP appliance• Sendmail's Sentrion email server• McAfee Host DLP• Symantec/Vontu DLP v10• Safend Protector• Trend Micro DLP

File sending services

Responses to MegaUpload shutdown

YouSendIt Privacy Policy

Certain information may become accessible, such as the text and subject of messages you have sent, the name and content of the User Files you have sent, the date and time messages were sent, and the email addresses of the recipients.

Secure document services

Security issues

Secure document issues

• Do you need secure intra- or inter-enterprise collaboration?

• Can you recall sent messages? • What happens when someone leaves your

company? • How does the service affect users’ existing

email experience? • Can you authenticate recipients and thwart

malware such as key-loggers?

The moral of the story: don’t use straight email to send your documents. Anything is else better.

Questions?

David Stromdavid@strom.com

314 277 7832@dstrom (Twitter)

http://strominator.com