Educause Security Discussion
mailing list archives
Re: Secure File and Email Transfer
From: "Clark, Sean" <Sean.Clark () UCDENVER EDU>
Date: Wed, 12 Nov 2008 10:10:34 -0700
I've been an email guy for a lot longer than I've been a security guy, so I will focus my suggestions on email-centric
Our university is using Ironport for email encryption and spam/virus checking on the mail gateways. I can't say enough
good things about the Ironport product: it is at least 10x more efficient at mail handling than our previous systems
(currently handling ~15 million inbound messages a day on two Ironport appliances) -- and much better at detecting spam
(blocking over 98% of the inbound traffic with false positives approaching zero). Those two Ironport appliances
replaced 14 physical and virtual mail gateways that were running Sendmail and Sophos' Puremessage -- AND two Tumbleweed
servers that were handling email encryption duties. I'm a big fan of simplification. Replacing 16 servers with 2
servers that actually do a better job of fulfilling their required duties is priceless! The Ironport email encryption
is easy to set up and easy for end users to use: internal email users who are sending to addresses outside of our
affiliate network can trigger the encryption by simply putting a predefined trigger word in the subject line -- and
Ironport does the rest.
TLS (Transport Layer Security) may also be a good option for gateway-to-gateway email encryption, depending on the
receiving institution's ability to implement TLS on their end. We originally set up TLS to ensure a secure connection
between researchers at our university and a drug company. After we set up TLS and configured our mail gateways to
preferentially use TLS for mail transfer (i.e., when the other mail server was TLS-enabled), we found that quite a bit of
our email traffic to other institutions was being encrypted. TLS is supported by Sendmail, Postfix, Exchange -- and
Basic info on TLS: http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1111138,00.html
Manager, IT Security/Email/UNIX Systems
UCDenver IT Services
Sean.Clark () UCDenver edu
**Please note my new email address!**
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel
Sent: Wednesday, November 12, 2008 6:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Secure File and Email Transfer
I am conducting some research to determine the route that other universities are taking in securing files/emails when
needed. I have found three solutions and I am wondering which of them other universities are implementing or if they
are using other methods.
The three are:
1. Public Key Infrastructure, issuing public/private keys to all employees. This is time consuming and requires
key exchanges. I find this to require lots of time which translates into money to maintain and support.
2. Third party mediator. This is where an institution sends a file/email to a third party over a secure channel.
Then the receiver is told by the third party that a file/email is waiting and they log into a site to download/view
through a secure https connection.
3. Use secure ftp. Set up a secure ftp server and give vendors a username and password and they are notified when
something is waiting for them.
Any insight would be appreciated.
Daniel R. Bennett
Pennsylvania College of Technology
IT Security Analyst
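
Added example (not part of either message in this thread): a sketch of the gateway decision behind the "preferentially use TLS" setup described in the reply above, with a per-domain override for a partner that must never receive plaintext. The domain names, the REQUIRE_TLS table and the sample EHLO replies are constructed for illustration.

```python
# Opportunistic vs. mandatory TLS for outbound SMTP, decided from the
# remote server's EHLO reply. All names and sample data are constructed.

# Hypothetical partner domains where plaintext delivery is not acceptable.
REQUIRE_TLS = {"pharma-partner.example"}

# Constructed EHLO replies: one server advertises STARTTLS, one does not.
TLS_SERVER = ("250-mx.university.example Hello\r\n250-SIZE 52428800\r\n"
              "250-STARTTLS\r\n250 8BITMIME\r\n")
PLAIN_SERVER = ("250-mx.legacy.example Hello\r\n250-SIZE 10240000\r\n"
                "250 8BITMIME\r\n")

def parse_ehlo(reply):
    """Return the extension keywords from a (multi-line) 250 EHLO reply."""
    keywords = set()
    lines = [l for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        # Each line is "250-text" (more follow) or "250 text" (last line).
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("unexpected EHLO reply line: %r" % line)
        if i == 0:
            continue  # first line is the greeting, not an extension
        text = line[4:].strip()
        if text:
            keywords.add(text.split()[0].upper())
    return keywords

def delivery_action(recipient_domain, ehlo_reply):
    """Return 'starttls', 'plaintext' or 'defer' for one delivery attempt."""
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "starttls"
    # The STARTTLS keyword travels in cleartext and can be removed in
    # transit, so opportunistic mode alone silently falls back to
    # plaintext. Domains in REQUIRE_TLS are queued instead of downgraded.
    if recipient_domain.lower() in REQUIRE_TLS:
        return "defer"
    return "plaintext"

if __name__ == "__main__":
    for domain, reply in [("other-university.example", TLS_SERVER),
                          ("other-university.example", PLAIN_SERVER),
                          ("pharma-partner.example", PLAIN_SERVER)]:
        print(domain, "->", delivery_action(domain, reply))
```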