Security: A Year in Review 2013
LuxSci is constantly adding and improving its service offering. As part of that evolutionary process, we continually make many additions and changes related to security and privacy. This post provides a summary of many improvements we have made in this area in the past 12 months. To see last year's security wrap-up, see: Security: A Year in Review 2012.
- Account admins, domain admins, and users can now restrict access to their user accounts based on IP address and/or IP range. Lock down access to WebMail, IMAP, POP, SMTP, FTP, and/or SFTP to only IP addresses of your choice, or block specific IP addresses from access. See: Ultimate Control: Manage Access to Your Services with Custom Firewalls
- Support sending secure email messages using SecureLine Escrow to recipients whose email services do not support TLS, PGP, or S/MIME, but where the data needs to go securely. See: Send your Web and PDF Form Posts Securely to Anyone: SecureForm to SecureLine Escrow has Arrived
- Track if messages received used TLS encryption on delivery to LuxSci by adding a special email header.
- Track if messages sent used TLS for delivery to the recipient email servers. Visible in email message tracking reports. See: Enforcing and Detecting TLS Email Encryption on Inbound Messages
- SecureLine messages track what kind of SecureLine encryption was used both in email message tracking reports and by custom email headers added to the outbound email (e.g. TLS, Escrow, PGP, S/MIME, or Opt Out)
- Security Audit: The domain and account security auditing reports now include a report of what users, if any, are accessing services insecurely (e.g. without TLS or SSL) for POP, IMAP, SMTP, and FTP. See: Enhanced Email Security Reports
SecureLine Escrow and SecureSend
- SecureSend Authentication: Enable optional use of SecureSend authentication instead of a question/answer pair for identity verification, so that recipients do not have to answer sender-provided security questions. See: SecureLine End-to-End Email Encryption: Easier than Ever!
- NameSpaces: Customers can define SecureSend namespaces to segregate the recipient users belonging to their account from those belonging to other customers.
- Customers can configure domain-wide and account-wide policies for the minimum expiration time for SecureLine Escrow messages (e.g. to ensure that they do not expire “too soon”).
- SecureLine Escrow web sessions expire and automatically log out after a period of inactivity.
- The PGP passwords used to encrypt Escrow messages are now 20 random characters long, instead of 8.
- Message Center: Customers can now enable a Message Center where recipients can view a "unified inbox" of all received Escrow messages and access them all at any time (until they expire) without needing to have the Escrow notification message at hand. See: SecureLine Message Center – Free Centralized Secure Email Access
- SecureLine Escrow reports now allow you to see if Read Receipts were specified and sent, and what kind of authentication is to be used for the recipient (Question and Answer or SecureSend Authentication).
General HIPAA Accounts
- Encryption Opt Out
  - Optionally enable some or all users to be allowed to designate specific messages as not containing ePHI, and thus allow them to be sent "normally" without encryption.
  - Opt out via a checkbox in WebMail or Outlook.
  - Opt out by adding special text to your subject lines in any other email program.
  - Optionally specify an auditor email address to get copies of these insecure messages. See: Email Encryption Opt Out Now Available for Outlook and Other Email Programs and HIPAA Compliant Email – You Decide Which Messages Need Encryption
- HIPAA accounts are restricted from forwarding email (even over TLS) to other LuxSci accounts that are not HIPAA compliant.
- HIPAA accounts are restricted from using SecureForm to send form data to addresses hosted by LuxSci that are in non-compliant accounts.
- WebAide optional encryption and auditing is enabled and enforced in all HIPAA accounts.
- Simple rules for allowing users to block inbound non-secure email messages (e.g. ones that are not sent via TLS, SecureLine Escrow, PGP, or S/MIME).
- Global policies are in place which allow customers to have WebAide encryption and auditing automatically enabled on all supporting WebAides.
- Security Audit reports show these encryption/auditing policies.
- Customers can enforce minimum password strength requirements on their SecureSend users. See: Private Labeling
Affiliate Portal – See: Affiliate Program Improvements
- Block password guessing by locking out IPs for a time after 5 failed logins.
- Track and report on successful and failed logins.
- Log out users after 1 hour of idle time.
- Improve storage of affiliate passwords.
- Access your stored password library from your mobile device. See: Mobile Device Access to your Password Library