SecureLine End-to-End Email Encryption: Easier than Ever!
LuxSci’s SecureLine Email Encryption service enables LuxSci users to send secure email messages to anyone with an email address. It supports a combination of different message encryption mechanisms to handle different types of recipients and sender encryption strength requirements:
- SMTP TLS – for server-to-server transport encryption with recipients whose servers support TLS
- PGP and S/MIME – for customers who require higher levels of message security through certificates
- Escrow – where recipients can pick up their waiting message from our secure portal
We find that a majority of our customers prefer the Escrow system of secure message pickup for their SecureLine messages, because most customers don’t require the extra security and hassle of PGP or S/MIME. Another consideration is that either TLS is not supported for most recipients, or many customers require some level of recipient identity verification beyond the fact that they “have access to their email”.
LuxSci has augmented the Escrow service so that it can now send to any recipient without any setup or input by the sender. Customers using SecureLine encryption can now just “start sending” and it will “just work”.
SecureLine Escrow: Question and Answer Verification
The “old standard” mechanism by which Escrow works is called “Question and Answer” verification:
- The sender specifies a security question and answer for the recipient before or during the message composition process.
- When the message is “sent”, it is encrypted and stored in a secure database at LuxSci.
- The recipient is sent a simple notification email message indicating that the message is waiting.
- The recipient clicks on a link in the notification message and is taken to the LuxSci web portal.
- The recipient is prompted to answer the question provided by the sender.
- If the answer is correct, the recipient gains access to the message.
The “Question and Answer” mechanism is beneficial because it:
- Ensures that only the intended recipient can access the message
- Protects the secure message from access by “others” with access to the recipient’s INBOX
The “down side” is the need to actually define the questions and answers and to ensure that the recipients can answer the questions. Doing this with well-chosen, secure questions takes some work and management. Using very weak questions (“what color is the sky?”) makes setup easier, but defeats the purpose of using questions and makes the question/answer process seem like nothing more than “extra work”.
SecureLine Escrow: SecureSend Login Verification
The augmentation of Escrow is the introduction of a new mode of recipient verification – “SecureSend Login”. LuxSci’s “SecureSend Portal” is a web site that anyone can use to initiate secure email messages to LuxSci’s SecureLine customers, for free.
The “SecureSend Login” verification method eliminates questions and answers, instead asking the recipient for his/her password to the SecureSend Portal. Here is how it works.
The first time a recipient tries to access an Escrow message:
- S/he is taken through the steps to register for a SecureSend Account.
- This includes sending a confirmation email to his/her email address.
- S/he clicks on a link in the confirmation email to verify that s/he has access to that email account.
- S/he is taken to view the waiting message.
Subsequently, when the recipient tries to access an Escrow message, s/he is simply prompted for his/her current SecureSend password.
This is much simpler and easier than Question and Answer because:
- The sender does not have to pre-configure questions and answers.
- The recipient doesn’t have to answer questions.
- No one has to deal with situations where questions can’t be answered.
- There is no proliferation of different answers to remember.
- The recipient uses one password to access any and all Escrow messages sent to him/her; this password can be changed as needed and can be recovered easily if forgotten.
The down side of SecureSend Login verification is that it can be less secure than using Questions and Answers. As with use of SMTP TLS, anyone with access to the recipient’s INBOX can potentially access his/her Escrow messages sent using SecureSend Login.
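The two Escrow verification modes described above, modelled as an added example (this is not LuxSci's code; the class, method names, sample data and the salted PBKDF2 storage of answers and passwords are assumptions). It shows why access to the recipient's mailbox alone is enough under SecureSend Login but not under Question and Answer.

```python
import hashlib, hmac, secrets

def digest(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

class EscrowPortal:
    """Toy model of both Escrow verification modes; all names are hypothetical."""
    def __init__(self):
        self.messages, self.accounts, self.pending, self.inbox = {}, {}, {}, {}

    def send(self, to, body, question=None, answer=None):
        msg_id, salt = secrets.token_urlsafe(8), secrets.token_bytes(16)
        qa = (question, salt, digest(answer, salt)) if question else None
        self.messages[msg_id] = {"to": to, "body": body, "qa": qa}
        self.inbox.setdefault(to, []).append(("notify", msg_id))  # pickup link
        return msg_id

    def open_with_answer(self, msg_id, answer):
        msg = self.messages[msg_id]
        if msg["qa"] is None:
            return None
        _, salt, want = msg["qa"]
        ok = hmac.compare_digest(digest(answer, salt), want)
        return msg["body"] if ok else None

    def register(self, email):
        # First access: the portal mails a confirmation link to the address.
        token = secrets.token_urlsafe(16)
        self.pending[token] = email
        self.inbox.setdefault(email, []).append(("confirm", token))

    def confirm(self, token, password):
        email, salt = self.pending.pop(token), secrets.token_bytes(16)
        self.accounts[email] = (salt, digest(password, salt))

    def open_with_login(self, msg_id, email, password):
        msg = self.messages[msg_id]
        # A sender-defined question overrides SecureSend Login for that message.
        if msg["qa"] or msg["to"] != email or email not in self.accounts:
            return None
        salt, want = self.accounts[email]
        ok = hmac.compare_digest(digest(password, salt), want)
        return msg["body"] if ok else None

def readable_with_inbox_only(portal, email, msg_id):
    """Can someone who only reads `email`'s mailbox open the message?"""
    portal.register(email)
    token = [v for kind, v in portal.inbox[email] if kind == "confirm"][-1]
    portal.confirm(token, "chosen-by-whoever-clicked")
    return portal.open_with_login(msg_id, email, "chosen-by-whoever-clicked") is not None
```

In this model the only secret that never passes through the mailbox is the sender-defined answer, which is what Question and Answer mode adds.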
Which one to choose?
SecureSend Login is the default mechanism for all new LuxSci SecureLine accounts; SecureLine TLS delivery is also enabled by default for all new accounts using SecureLine. The combination of these delivery options enables HIPAA-compliant end-to-end email security with no setup required, performed in a way that is simplest and most natural for both sender and recipient. I.e., it doesn’t get any “easier”.
If SMTP TLS by itself is not a sufficient level of email encryption for you, then we recommend disabling TLS support and changing to use of “Question and Answer” Escrow so that you have much more control over recipient identity. You may even want to use SecureLine PKI for some recipients — to have the highest level of security using certificates together with Opportunistic TLS.
We leave the choice up to you and your business requirements.
What about existing accounts?
Existing accounts that have been using SecureLine are configured for Escrow “Question and Answer” so that everything will work “as usual”.
Customers can change their TLS and Escrow settings on account-wide, domain-wide, and per-user levels:
- Account > Administration > Advanced Administration > Security > Global SecureLine
- Account > Domains > [select domain] > Outbound Email Tools > SecureLine Encryption
- Account > My Preferences > Security and Privacy > SecureLine
Note that if you have Escrow Questions and Answers specified for recipients in your Address Books, these will override the use of “SecureSend Login” verification for those people. This allows you to use higher levels of Escrow security for specific recipients.
However, if you are changing from “Question and Answer” to “SecureSend Login”, you may want to clear this Escrow information out of your address books. An easy way to do this is to:
- Back up your address book and save the backup file (just in case).
- Export your address book into a “CSV File” and do not “Export SecureLine Data”.
- Re-import your address book from this file – there will no longer be any SecureLine recipient data to trump the use of “SecureSend Login” verification.