email Archives - LuxSci

Posts Tagged ‘email’

Zero Trust Email

Tuesday, July 20th, 2021

Our third article on Zero Trust Architecture covers zero trust email and the systems it requires. In May, the Biden Administration announced a new approach to cybersecurity that included a push toward Zero Trust Architecture. We have already covered Zero Trust Architecture as a whole, and also talked about how dedicated servers are important parts of the zero trust model. Now, it’s time to talk about zero trust email.


Zero Trust Email and Encryption

As we discussed in our previous articles, Zero Trust Architecture begins with the presumption that an organization’s network may not be secure. Because attackers may already be inside the network, NIST stipulates that:

“…communication should be done in the most secure manner available… This entails actions such as authenticating all connections and encrypting all traffic.”

This means that emails always need encryption. While many organizations recognize external threats and encrypt their sensitive external communications, it’s still common for workplaces to use unencrypted communication methods within the company network. This is generally done under the outdated assumption that the internal network is secure.

Zero Trust Architecture assumes that an attacker already inside the network can read any unencrypted communication. This is why zero trust email must be encrypted even while it is moving within an organization's private network. One practical step is to enforce TLS on every SMTP connection, internal hops included, rather than accepting opportunistic TLS that silently falls back to cleartext when negotiation fails.

The zero trust model also requires encryption at rest, so emails also need to be protected in storage, not just in transmission.

Authentication and Zero Trust Email

NIST’s publication on Zero Trust Architecture also stipulates that:

“Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.”

For zero trust email, this means that sensitive messages require authentication and authorization before they can be read. TLS alone is not sufficient: it encrypts each hop between mail servers and authenticates the server at the far end of that hop, but it says nothing about who actually wrote the message, and it offers no protection once the message is at rest in a mailbox or is forwarded onward. Controls that apply to the message itself, such as sender authentication and end-to-end encryption, are needed on top of it.

LuxSci supports:

  • Sender Policy Framework (SPF) – A DNS record listing the hosts allowed to send mail for a domain. Receivers check the envelope sender (MAIL FROM) against it, which catches forged envelope addresses but not a forged From: header, so SPF should be complemented by the measures below.
  • DomainKeys Identified Mail (DKIM) – The sending server signs selected headers and the body with a private key whose public half is published in DNS. A valid signature shows that the signing domain authorized the message and that it was not altered in transit, which defeats many spam and phishing messages that forge a sender.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – Ties SPF and DKIM to the visible From: domain through alignment, lets the domain owner publish a policy (none, quarantine or reject) for mail that fails, and sends reports back to the owner. This is what makes spoofing of a domain detectable and blockable, protecting organizations from phishing, business email compromise, and other attacks initiated via email.

Each of these measures helps verify sender identity. LuxSci also offers premium email filtering, and together these techniques limit the trust placed in inbound messages: legitimate mail is identified and unwanted or malicious mail is filtered out. Although NIST's guidelines do not name them, SPF, DKIM and DMARC fit naturally into a zero trust framework, because every inbound message has to prove where it came from instead of being trusted by default.
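To make the alignment rule concrete, here is an added example in Python (not LuxSci code and not part of the original post) that evaluates DMARC for one message. It takes the SPF and DKIM results a receiving server would already have, the From: domain, and the domain's DMARC TXT record as a string (no DNS lookup is performed), and returns the disposition. Two simplifications are assumptions of the example: the organisational domain is approximated by the last two labels instead of the Public Suffix List, and the pct= sampling draw is passed in as a parameter so the result is deterministic.

```python
"""Evaluate DMARC for one inbound message from SPF and DKIM results.

Added example: not LuxSci code. The DNS lookup is replaced by a record string
passed in, and the organisational domain is approximated by the last two
labels instead of the Public Suffix List (assumption).
"""


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s; ...' into a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record (needs v=DMARC1 and a p= tag)")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    return {
        "p": policy,
        "sp": tags.get("sp", policy).lower(),     # subdomain policy defaults to p
        "adkim": tags.get("adkim", "r").lower(),  # DKIM alignment: r(elaxed) or s(trict)
        "aspf": tags.get("aspf", "r").lower(),    # SPF alignment
        "pct": int(tags.get("pct", "100")),       # share of failing mail the policy applies to
    }


def org_domain(domain):
    """Approximate the organisational domain as the last two labels (use the PSL in production)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed only the organisational domain."""
    if not auth_domain:
        return False
    auth, frm = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)


def dmarc_disposition(from_domain, record, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample=100):
    """Return (result, action) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is the
    d= of a verified signature. The message passes if either mechanism passed AND
    its domain aligns with the RFC5322.From domain. `sample` is the 1..100 draw
    used to honour pct=.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    from_domain = from_domain.lower().rstrip(".")
    # p= applies to the organisational domain itself, sp= to its subdomains.
    action = record["p"] if from_domain == org_domain(from_domain) else record["sp"]
    if sample > record["pct"]:
        # Outside the sampled share, RFC 7489 steps the action down one level.
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return "fail", action


if __name__ == "__main__":
    record = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
    # Constructed spoof: From: claims example.com but SPF and DKIM only vouch for attacker.test.
    print(dmarc_disposition("example.com", record, "pass", "attacker.test", "pass", "attacker.test"))
```

The point the example makes is that a message can pass SPF and DKIM outright and still fail DMARC: an attacker's own domain passes both checks for itself, but neither result aligns with the spoofed From: domain, so the owner's reject policy applies.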

Access Control and Zero Trust Email

In addition to measures for encrypting messages and verifying inbound emails, zero trust email requires granular access controls to keep out intruders. LuxSci’s Secure Email Services include a wide range of access controls that limit unauthorized access while still making the necessary resources available. These include:

  • Two-factor authentication
  • Application-specific passwords
  • Time-based logins
  • IP-based access controls
  • APIs that can be restricted to the minimum needed functionality

These configuration options help reduce the likelihood that a malicious actor can access your systems. They also limit the sensitive email data that an attacker may have access to if they do manage to compromise an organization’s network.

LuxSci’s Zero Trust Email

As a specialist provider in secure and compliant services, LuxSci’s offerings are well-positioned as zero trust email solutions. Our Secure Email aligns with Zero Trust Architecture for every industry vertical, not just HIPAA. Contact our team to find out how LuxSci can help secure your organization with a zero trust approach.

How to Create Email Suppression Lists

Tuesday, June 29th, 2021

LuxSci customers are now able to create email suppression lists. In this article, we will walk you through how to create an email suppression list in your own account.


What is an Email Suppression List?

First, it may be helpful to clarify exactly what a suppression list is. It’s simply a list of email addresses to which all email sending should be blocked (or suppressed). There are many reasons why you might want to use a suppression list. One example is to track people who have opted-out of receiving marketing emails. When someone decides to unsubscribe from a mailing list, their email address can be placed on a suppression list that prevents them from receiving future emails.

Suppression lists are used to manage:

  • requests for removal from mailing lists,
  • requests to never be emailed, and
  • lists of people who have complained about emails sent from your account (i.e., by marking it as Spam).

LuxSci & Email Suppression

LuxSci Secure Marketing customers already have access to suppression tools for email marketing. The new suppression features apply to all email sent via:

  1. WebMail
  2. SMTP
  3. Secure Connector/smart hosting
  4. API
  5. Secure Marketing (Secure Marketing has additional suppression list functionality which is applied first).

Suppressions do not apply to email sent:

  1. via SecureForms
  2. from web hosting (that does not send through an authenticated SMTP connection or API call).

To view these features in your own account, log in to the WebMail portal and open the Settings page. Go to “Outbound Email” and select “Email Suppression.” On that page you can add up to 500 new email addresses to be suppressed at a time.

Email suppressions can be applied at the account, domain, and user level. Account-level suppressions apply to everyone in the account: no user in your account will be able to send email to the addresses on the list. Domain-level suppressions apply to every user whose login email address uses that domain name. For example, a domain-level suppression created by joe@company.com also applies to jen@company.com and julie@company.com, but not to john@business.com. User-level suppressions apply only to the user who created them, so a suppression that joe@company.com creates at the user level affects his sending alone.

Email Suppression Expirations

When a suppression is added to your account, the default is that it never expires. However, there may be times when it makes sense to add an expiration date. When uploading a list, select how long the addresses should remain on the suppression list from the drop-down menu; the maximum is one year.

Deleting Suppressions

To delete an email address from the suppression list, click the red “X” icon to the right of the entry. If the “X” is not present, the suppression is defined at a higher level in your account and cannot be removed from the current page. This means that you cannot delete an account-wide suppression from the page where you manage user-specific suppressions.
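The account/domain/user hierarchy, the expirations and the deletion rule described above can be modelled in a few dozen lines. The Python below is an added example written for this page; it is not LuxSci's implementation or API, and the class and method names are invented. Time is an injectable epoch-seconds clock so that expiry can be exercised offline, and the sample addresses are constructed.

```python
"""Hierarchical email suppression: account, domain and user scopes with optional expiry.

Added example modelling the behaviour described on this page; it is not LuxSci's
implementation or API. `clock` returns epoch seconds and is injectable for testing.
"""
import time
from typing import Optional

SCOPES = ("account", "domain", "user")
MAX_TTL_DAYS = 365   # suppressions may expire after at most one year
DAY = 86400.0


class SuppressionList:
    def __init__(self, clock=time.time):
        self.clock = clock
        # (scope, scope_id, recipient) -> expiry timestamp, or None for "never expires"
        self._entries = {}

    @staticmethod
    def normalize(address):
        """Lower-case and trim so Joe@Example.org and joe@example.org are one entry."""
        address = address.strip().lower()
        if address.count("@") != 1:
            raise ValueError(f"not an email address: {address!r}")
        return address

    def add(self, recipient, scope, scope_id="", ttl_days=None):
        """scope_id is the login domain for 'domain' scope and the login address for 'user' scope."""
        if scope not in SCOPES:
            raise ValueError(f"scope must be one of {SCOPES}")
        if ttl_days is not None and not 0 < ttl_days <= MAX_TTL_DAYS:
            raise ValueError("expiry must be between 1 day and one year")
        expires = None if ttl_days is None else self.clock() + ttl_days * DAY
        self._entries[(scope, scope_id.strip().lower(), self.normalize(recipient))] = expires

    def blocking_scope(self, sender, recipient) -> Optional[str]:
        """Return the scope that blocks sender -> recipient, or None if the message may go out."""
        sender = self.normalize(sender)
        recipient = self.normalize(recipient)
        sender_domain = sender.split("@", 1)[1]
        now = self.clock()
        # Widest scope first, so an account-wide entry wins over a user-level one.
        for key in (("account", "", recipient),
                    ("domain", sender_domain, recipient),
                    ("user", sender, recipient)):
            if key not in self._entries:
                continue
            expires = self._entries[key]
            if expires is None or expires > now:
                return key[0]
            del self._entries[key]  # expired: drop it lazily
        return None

    def remove(self, recipient, scope, scope_id=""):
        """An entry can only be deleted at the level where it was defined."""
        key = (scope, scope_id.strip().lower(), self.normalize(recipient))
        if key not in self._entries:
            raise KeyError(f"no {scope}-level suppression for {recipient}")
        del self._entries[key]


if __name__ == "__main__":
    sl = SuppressionList()
    sl.add("optout@example.org", "account")                       # constructed sample data
    sl.add("nomail@example.org", "domain", "company.com")
    sl.add("personal@example.org", "user", "joe@company.com", ttl_days=30)
    print(sl.blocking_scope("jen@company.com", "nomail@example.org"))   # domain
    print(sl.blocking_scope("john@business.com", "nomail@example.org"))  # None
```

Deleting is deliberately keyed by scope: a user who tries to remove an account-wide address from their own list gets a KeyError, which mirrors the missing “X” in the interface.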

How to Manage Email Suppression Lists via API

Finally, suppressions can also be managed by the API. The API allows managing user-level and account-level suppression lists and enables:

  • Listing/searching suppressions
  • Deleting suppressions
  • Adding suppressions individually or in bulk

If you have additional questions about the suppression features LuxSci offers, please reach out to our Support team. Current customers can find more information in our help documentation.

High Availability High Volume Email

Tuesday, June 8th, 2021

High volume email sending is essential to the business operations of many different companies. Whether these emails involve onboarding messages to new users, form a key part of an organization’s marketing strategy, or are sent for a wide range of other purposes, they are often a core component of how a company spreads necessary information.

If the right systems aren’t in place, high volume email can go down. This puts a stop to all of those important transactional and marketing emails, which can cause delays or disruptions to business operations. These outages can have significant effects on a company’s bottom line.

If you don’t want your critical email to suddenly go down, then you need a high availability high volume email system in place. This gives you the redundancy you need in case your systems go offline.


What Is High Availability?

As we discussed above, you want your organization’s email to be up and running as much as possible. This is known as high availability, an engineering term applied to many systems, especially in computing.

‘High availability’ is commonly used when talking about websites: a high availability service has redundancies in place that keep a website online even if the main server fails. In addition to the server that hosts the site itself, high availability web apps also need high availability MySQL (or whatever database they use) so that data is still accessible if the main database server goes down.

These high availability services are critical for businesses that cannot perform their core functions if their websites or databases go offline.

If a high availability service isn’t being used and there aren’t any redundancies in place, any outages to the servers will force the site or some of its functionality to go down. This means that customers will no longer be able to access the platform or some of the site’s key services.

It’s not just websites and web services that can go down. If a company’s high volume email doesn’t use a high availability infrastructure, it can go down when a server fails. This grinds all of an organization’s email to a halt, delaying or disrupting its marketing and transactional emails.

If these emails aren’t sent and received by customers, the company won’t be able to perform many of its necessary business functions until the server comes back online. This can lead to the loss of customers, increased complaints, reduced sales, and many other serious problems. With this in mind, high availability high volume email services are critical for any organization that relies on its email to perform its core functions.

Why Do Systems Go Down?

Some of the most common reasons that online systems go down include:

  • Hardware failures that bring down critical components such as the memory, CPU, or power.
  • Crashes or bugs in an operating system or other software.
  • DDoS and other attacks against the server.
  • Excessive amounts of traffic.
  • Failure of the network.
  • Overloading the network.
  • Failures at the data center, including human error or power outages.

How Can Load Balancing Help to Give You High Availability High Volume Email?

As we discussed above, there are many reasons your services could go offline. These causes of failure are inevitable, and they can occur frustratingly often. If you want your high volume email to be operational as much as possible, you need to have redundancies in place that can take over when these inevitable failures take place.

A core component of this is load balancing, which shares the workload between servers. This boosts the capacity, allowing servers to share the volume with others when they get overwhelmed by traffic. Load balancers can also detect server failures and automatically redirect traffic to healthy servers when necessary. When your high volume email service uses load balancing, it can continue to send its emails even when a server goes down.

Many providers have their servers and load balancers in the same place, which makes it easier for them to operate, but creates additional risks. If everything is located in the same data center, this means that a failure at the data center or in the network can still bring your email system down. Load balancing can’t help you if all of your infrastructure goes down at once.

At LuxSci, we offer a more robust alternative by placing three servers in separate data centers in the same geographic region. Having servers in three different physical locations makes your high volume email service far more resistant to going offline, because even if one data center fails, you still have backups at two other sites.
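As an added illustration of the failover behaviour described above (example code written for this page, not LuxSci's load balancer), the Python below keeps a pool of relays in different sites, hands each message to the next healthy relay, and benches a relay for a cooldown period after repeated delivery failures. The relay hostnames, the site names and the `deliver` callback that stands in for SMTP submission are all constructed for the example.

```python
"""Failover across mail relays in separate data centres.

Added example, not LuxSci's load balancer. Hostnames and sites are made up, and
`deliver(relay, message)` stands in for the real SMTP submission; it must raise
on failure (connection refused, timeout, 4xx/5xx reply).
"""
import time
from dataclasses import dataclass


class NoHealthyRelay(RuntimeError):
    """Raised when every relay in the pool is benched or refused the message."""


@dataclass
class Relay:
    host: str
    site: str                # data centre the relay lives in
    failures: int = 0        # consecutive delivery failures
    down_until: float = 0.0  # clock time until which the relay is skipped


class RelayPool:
    """Round-robin over healthy relays; repeated failures bench a relay for `cooldown` seconds."""

    def __init__(self, relays, max_failures=2, cooldown=60.0, clock=time.monotonic):
        self.relays = list(relays)
        self.max_failures = max_failures
        self.cooldown = cooldown
        self.clock = clock  # injectable so tests can advance time
        self._next = 0

    def healthy(self):
        """Relays whose cooldown has elapsed (or that were never benched)."""
        now = self.clock()
        return [r for r in self.relays if r.down_until <= now]

    def _candidates(self):
        """Healthy relays, rotated so consecutive messages start on different relays."""
        healthy = self.healthy()
        if not healthy:
            raise NoHealthyRelay("all relays are benched")
        start = self._next % len(healthy)
        self._next += 1
        return healthy[start:] + healthy[:start]

    def send(self, message, deliver):
        """Try relays in turn until one accepts the message; return that relay."""
        last_error = None
        for relay in self._candidates():
            try:
                deliver(relay, message)
            except Exception as exc:
                last_error = exc
                relay.failures += 1
                if relay.failures >= self.max_failures:
                    # Bench the relay so later messages skip it until the cooldown passes.
                    relay.down_until = self.clock() + self.cooldown
                continue
            relay.failures = 0  # a success clears the failure streak
            return relay
        raise NoHealthyRelay(f"no relay accepted the message: {last_error!r}")


if __name__ == "__main__":
    pool = RelayPool([Relay("mta1.example.net", "dc-a"),
                      Relay("mta2.example.net", "dc-b"),
                      Relay("mta3.example.net", "dc-c")])

    def deliver(relay, message):
        # Constructed failure: the whole of dc-a is unreachable.
        if relay.site == "dc-a":
            raise ConnectionError("dc-a unreachable")

    print(pool.send("hello", deliver).host)  # a relay in dc-b or dc-c
```

Note what this does not solve: if all three relays share one network or one data centre, every `deliver` call fails together and the pool raises, which is exactly the single-location risk the paragraph above describes.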

High Availability MySQL For High Volume Email

High volume email requires databases for tracking, logging, and other purposes. If your database goes down, then so does your ability to send transactional and marketing emails. This means that if high volume email is critical to your business, you also need high availability databases.

LuxSci’s solution is its regional high availability MySQL service. It consists of three Enterprise MySQL servers, each in a separate location within the same geographic area, and it automatically replicates your databases across all three. Its features include:

  • Automated failover and recovery
  • Zero-downtime operation
  • Automated software updates

Our high availability MySQL service is excellent for organizations that rely on their high volume email for business operations, because it makes databases extremely resistant to going offline. It’s a solution that can help your organization survive the failure of a data center, all while being HIPAA-compliant at the same time.

Together with LuxSci’s high availability load balancers, our high availability MySQL makes your bulk email incredibly resistant to downtime.

LuxSci’s High Availability High Volume Email Solution

If marketing and transactional emails are critical to your organization’s operations, then you need a high volume email service. When you consider the costs of the service going down, it’s best to choose a solution that offers high availability.

Nothing will stop systems from failing, but with redundancies such as high availability load balancers and MySQL in place, we can make sure that regular failures don’t impact your business. Contact us now to find out more on how LuxSci’s offerings can help to keep your high volume email online as much as possible.


Securing your iPhone’s Email – Best Practices

Wednesday, November 4th, 2020

Apple offers an array of configuration options for securing your iPhone email. However, there are a number of steps that you will have to take before your device and its emails are actually protected.


Securing your iPhone email: Protect the iPhone itself first

The best place to start securing your iPhone email is by making sure the phone itself is protected. If the phone isn’t secure, then not only could someone access your email, but they could get your documents, pictures, contacts, and everything else you have on it. They could even take over your accounts.

This first step is pretty basic, and it applies to everyone, regardless of whether you have an iPhone or an Android device. Set up a passcode or password, and Touch ID or Face ID if you prefer these methods for unlocking your device.

A strong password will be harder to crack than a shorter passcode, at the expense of convenience. Your choice will depend on how sensitive the data on your phone is. At the lower end, a 6-digit passcode should be fine as long as it isn’t easy to guess, because after several failed attempts iOS locks the phone for progressively longer periods before further guesses are allowed. There is also an option to erase the phone’s data after 10 failed attempts; enable it if the data on your phone is very sensitive.

Apple encrypts iPhone data at rest by default, and the encryption keys are tied to your passcode, so with a sufficiently strong passcode in place an attacker who holds the locked device cannot read your data, including your email, without first defeating the lock.

In addition to these measures, you may also want to:

  • Set your screen to lock after 30 seconds or so.
  • Change your notification settings so that no email details appear on your lock screen, visible to anyone looking at your phone.
  • Make sure USB Restricted Mode is still on. Since iOS 11.4.1, an iPhone refuses data connections to USB accessories once it has been locked for more than an hour, until it is unlocked again. This is a great feature for preventing attackers from connecting to your device while you are away from it, but some users may have switched it off without realizing its significance: the control is the “USB Accessories” toggle under Face ID (or Touch ID) & Passcode, and it should stay off. USB accessories are notorious for exploiting security issues to gain unauthorized access to phones, laptops, and other devices.

Update your iPhone and its Apps

This is another general security tip that everyone needs to take heed of. Software is never perfect, and over time, security vulnerabilities are discovered. When good developers find them, they then rush out a patch to fix the vulnerability in the next update.  Although some updates can certainly be frustrating, it’s important to install them as soon as possible to prevent your device from being wide open to these old attacks. This applies to iOS, and all of the apps that you run on the device.

It’s an important step for securing your iPhone email, because otherwise attackers can use the old vulnerabilities to install malware, which can then send them all of your sensitive data.

A good example of this is the Apple Mail bug discovered in 2020, which allowed remote code execution. ZecOps, the firm that discovered it, suspected that it had been used to target Fortune 500 companies, journalists, executives and others.

Other vulnerabilities have allowed attackers to break into phones simply by sending carefully crafted text messages — even if you never explicitly opened the message!

Remove unneeded Apps 

Old Apps can have security issues, as just discussed.  However, even updated Apps can (a) contain unpatched security issues, and (b) contain malware that was purposefully placed there by the app designers.  It is a best practice to:

  1. Delete any Apps from your iPhone that you do not need or never use. You can always re-download them later if you change your mind.
  2. Carefully consider which Apps you do install. Is the developer reputable? Is it the one you really wanted, or one that just “looks really similar”? App designers often name their Apps and design their logos to create confusion, hoping that you will download their App instead of the one you actually want. Just search for “Zoom” in the App Store. Confusing.

Securing your iPhone Email Backups

Things go wrong. iPhones break and get stolen, so it’s important to have backups of your data, including your emails. A good rule of thumb is to have three copies of everything important: one on your iPhone, one in the cloud, and another physical backup, ideally stored in a separate location from your phone (e.g., on your laptop).

If you need to save all of your sent and received email messages in Apple Mail, you can archive them automatically by creating Rules. Otherwise, you can just select the important emails to archive manually.

Part of securing your iPhone email involves securing all of the backups. Presuming you use iCloud, you will need a strong password for your Apple account, and to set up two-factor authentication.

While this may be enough to protect your email backups in many circumstances, according to Apple and the iCloud Security overview:

All traffic between your devices and iCloud Mail is encrypted with TLS 1.2. Consistent with standard industry practice, iCloud does not encrypt data stored on IMAP mail servers. All Apple email clients support optional S/MIME encryption.

This means that, by default, Apple itself can read your iCloud Mail. As Reuters reported in January 2020, Apple hands this and other iCloud data over to US government agencies in response to legal requests, and it offers end-to-end encryption that it cannot access only for certain categories of sensitive data.

Fully securing iPhone email backups that live in iCloud Mail would therefore require S/MIME encryption of the messages themselves, which is not practical for most users.

An easy way to set up physical backups is to save your Mailbox on your Mac, or set up iCloud on Windows and save your Mailbox data. Whether you choose to keep the data on the computer or an external hard drive, the device will need to be encrypted with a strong password to secure your iPhone email backups.

Securing the Apple Mail App

Apple may have a better privacy reputation than the other tech companies, but it’s not unscathed. Unencrypted emails are also inherently insecure. While individual Apple Mail messages can be encrypted with S/MIME as mentioned above, many users may prefer to send and store their email through a service that offers a greater range of configuration and compliance options.

One solution is to use a third-party secure email provider, like LuxSci, so that:

  1. Your email messages are stored outside of Apple’s ecosystem
  2. You can have a greater range of security, archival, and backup options
  3. You can still send and receive email through your iPhone Mail App (or other third party Apps).

If you do not like or trust the Apple Mail App, iOS 14 allows you to change the default email App on your iPhone. After all, even Apple’s Mail App has had its share of security vulnerabilities. A Google search will show you plenty of email application alternatives.

HIPAA Compliance and Apple

If you are using your iPhone for work and your job requires HIPAA compliance,  you should be aware that Apple’s iCloud email is not HIPAA compliant.  Your organization will need to use a third-party email solution that does provide appropriate HIPAA compliant email, security, and a HIPAA Business Associate Agreement.  And it goes without saying that you should not be texting or sending ePHI through Apple iMessage, either.

LuxSci offers a variety of options that are great for meeting your security and compliance needs.

Talk with our team to see how our solutions can help your organization keep its data safe and navigate the regulatory minefield.

What Are Your Goals for Sending HIPAA-Compliant Emails?

Wednesday, October 7th, 2020

…and how Do They Influence Which Provider You Choose?

So, you’ve heard that you need to send HIPAA-compliant emails. Maybe your company is only just starting to send ePHI in its messages. Perhaps it just wants to be extra careful, and limit the potential repercussions if ePHI is accidentally sent in an email. It could have even been skirting HIPAA regulations all along, and has suddenly realized the error of its ways.

Whatever led you up to this point, you are doing the right thing by looking for a HIPAA-compliant email provider. But the regulations and the services that have been developed to abide by them can be complex, so it’s important to do your research and carefully think through your decision.



On top of making sure that a potential service meets your compliance and security needs, you also need to consider the goals of your HIPAA-compliant email sending. Obviously, we can’t tell you what your goals are, but we can give you some suggestions that will help you refine them.

Are You Intending to Send ePHI, or Do You Just Want a HIPAA-Compliant Service to Be Careful?

Some organizations may want to directly email ePHI to their patients, so they need to focus on how they can do this effectively, while keeping both their patients and their businesses safe. For example, a doctor’s clinic may want to offer to send out test results via email.

Because the risk of exposing this information is high, such a clinic will probably want opt-out encryption (every message is encrypted unless the sender deliberately turns it off) rather than opt-in. Measures like this significantly reduce the chance of accidentally sending out unprotected ePHI.

In contrast, other companies may only want to send ePHI on rare occasions, so they may find opt-in encryption more convenient. The point is that every organization has its own set of requirements, and they need to find a suitable email service for their individual circumstances.

Some will want a service that is tightly locked down to limit their risks, while others may have a higher risk tolerance.

Do You Plan on Using It as Your Everyday Email Service, or for High Volume Messaging?

If you just want a HIPAA-compliant email service for everyday use, something like LuxSci’s Secure Email is a great option. Alternatively, if your main goal is to send out emails in bulk, you will need something like our Secure High Volume Sending.

Do You Want to Send Transactional Messages, Marketing Emails, or Both?

As obvious as it seems, marketing emails are messages that are mainly sent out for marketing purposes. These include newsletters and product updates. On the other hand, transactional emails are those that are essential for customer interactions with the company. Many different things qualify as transactional emails, from onboarding messages, to password resets, to receipts, and much more.

Savvy companies don’t just see transactional emails as a bland part of conducting business. Instead, they use them as opportunities to add in a little marketing for their products, services, or simply overall brand awareness.

Before you make your decision on an email platform, you should consider how you want to use the service, and which solutions cater best to those needs.

Do You Have an In-House Graphic Designer, or Do You Need Intuitive & Professional-Looking Templates?

If your company has its own graphic designer, or the budget to outsource it, then it may not need beautiful email templates. Not every organization has those resources on hand, and many just want something that looks good without having to put in a lot of effort. Your company’s current setup and goals will influence whether you look for a HIPAA-compliant email provider that offers these ready-made templates.

Do You Need Analytics that Help You Measure the Effectiveness of Your Campaigns?

If your goal is to have the most effective campaign possible, then you need to measure everything. Of course, this is only possible with a marketing service that has a comprehensive analytics platform. LuxSci’s Secure Marketing solution offers A/B testing, which allows you to compare two different approaches to see which is best.

It also features a range of reports that tell you who opened emails, what they clicked on, the bounce rate, whether messages were marked as spam, and much more. If you need this type of in-depth knowledge in your email campaigns, it will be an important factor in which email service you ultimately end up choosing.

LuxSci’s HIPAA-compliant email services aim to combine the functional features you need for high performance, alongside the security mechanisms required to stay within the regulations. Together, these provide adaptable services for those in the healthcare sector and for other businesses that deal with ePHI.
