E-mail Encryption via TLS

Frequently Asked Questions for Agents
Q1
What is TLS?
TLS (Transport Layer Security) is an encryption process that functions similarly to SSL (i.e.
https://), which is used by Internet sites to encrypt and protect transmissions between the
web server and the user’s PC browser (e.g. Explorer or Firefox). Both TLS and SSL create
an encryption tunnel between two entities. SSL is in use when you see a padlock icon on
your browser. The URL address will show as https when SSL is active.
TLS creates an encryption tunnel between two e-mail servers that both have TLS active.
When TLS is in place, users from both parties can send e-mail to each other without doing
anything extra to encrypt the email or its attachments. Passwords are not required to open
a given e-mail message or attachments. This greatly simplifies the process for protecting
confidential information, because no extra steps are required by the sender or receiver.
The official definition is in Network Working Group - Request for Comments (RFC) 5246 found at
http://tools.ietf.org/html/rfc5246.
Q2
Why should I care about e-mail encryption and TLS?
For all the business reasons for protecting customer data: the effect of a data breach on the
agency’s reputation, the cost of remedying the breach for the client, possible regulatory action, potential
E&O exposure, etc. See
http://www.iiaba.net/eprise/main/CB_Website/Affiliated/NationalAssociation/IIAA/16_AgentsCouncilForTechnology/02_RepresentativesToAct/NA20061027093133?ContentPreference=NA&ActiveState=0&ContentLevel1=ACT&ContentLevel2=REPACT&ContentLevel3=&ActiveTab=NA&StartRow=0
Q3
How secure is TLS?
TLS is considered a standard for secured e-mail when properly implemented. It should be implemented by an
IT professional.
Q4
What are the benefits of TLS?
• Provides two-way e-mail encryption of your data
• Inexpensive to implement, and works
• Requires no changes to the end-user PC
• Is an industry standard and can work for most vendors, carriers and commercial insureds.
Q5
What are the hardware/software requirements?
TLS is built in to almost all modern e-mail systems.
Most agencies that use a recent version of Microsoft Exchange or Lotus Notes already have the TLS
encryption available to them to turn on. For those agencies that outsource their e-mail to a third party,
many vendors already support TLS.
Q6
How much does it cost?
This depends on your agency e-mail configuration but the typical e-mail certificate runs between $70 and
$400 for one year.
Q7
What resources are available for additional technical information?
See these links:
http://msexchangeteam.com/archive/2006/10/04/429090.aspx
http://technet.microsoft.com/en-us/library/bb430753(EXCHG.80).aspx
Prepared by ACT TLS Email Encryption Work Group
April 24, 2009 Version
Q8
Which insurance carriers have TLS capabilities?
Many insurance carriers already support TLS. See the “Agency Security/Consumer Privacy” section of
the ACT Web site (www.independentagent.com/act) for the latest list of carriers which have reported to
ACT that they are enabled for TLS for their agents if they also have this capability. If one of your carriers
is not on this list, please check with them to see if they support TLS.
Q9
What is the impact on the end user?
None. The e-mail is sent / received in a secure way that is transparent to the sender / receiver.
Q10
Is any training needed to support TLS for e-mail?
Not for the end user.
Q11
How can you tell if your e-mail system already supports TLS?
Nothing in your e-mail client will tell you. You should ask your e-mail system administrator or third party
provider.
Q12
How can you tell if your e-mail was sent via TLS?
See your email administrator.
Q13
Are file attachments encrypted?
Yes. The entire e-mail is protected, including all of the attachments.
Q14
What effect does enabling TLS have on your e-mail server’s performance?
This would depend on the e-mail server, but the effect is probably less than that of the 10MB of family
pictures that get forwarded all the time.
Q15
If I access my company e-mail at home, does any e-mail I send/receive still get TLS
encrypted?
No, not from your home to your agency, unless you are using a secure remote desktop connection such as
VPN or SSL. Yes, from your agency e-mail server to the company e-mail server.
Q16
We use a third party for securing email (anti-virus or spam filtering). Does this have any
effect on TLS?
You need to have your IT administrator verify with your 3rd party providers that they also support TLS.
Q17
Once TLS is enabled do I have to configure our e-mail server for each
carrier/vendor/customer that wants to support TLS?
No, unless you want to force TLS with a particular entity, in which case yes (this may vary by e-mail system).
Q18
Are there any adverse effects to my existing e-mail integration with my agency
management system?
No.
Q19
How are other agencies leveraging TLS with customers, carriers and vendors?
A few agencies are starting to promote to their customers (during the sales process) that they have
secure email and take data security very seriously.
Q20
If I already use proprietary e-mail encryption software in my agency, do I still need to
support TLS?
The proprietary solution may provide protection when TLS is not available for a particular business
partner.
Some proprietary e-mail encryption packages may be stronger than TLS in that they protect from desktop
to desktop.
Contractual obligations may require specific encryption packages.
Q21
What happens if our agency implements TLS and the receiver/system of the e-mail does
not support TLS?
This depends on how the e-mail server is set up. A possible set up is to have the server negotiate a TLS
session when TLS is available, but send the e-mail unencrypted if TLS is not available.
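The two behaviours described in Q17 and Q21 (opportunistic TLS with an unencrypted fallback, versus TLS forced for a named partner) are sketched below as an added example; it is not code from ACT or from any e-mail product. The domain names, the EHLO replies and the FORCE_TLS_DOMAINS policy set are constructed for illustration.

```python
import smtplib
import ssl

# Hypothetical policy: partner domains for which TLS is forced (Q17).
FORCE_TLS_DOMAINS = {"carrier.example"}

# Constructed EHLO replies from two receiving servers.
EHLO_WITH_TLS = "250-mx.carrier.example\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-mail.vendor.example\r\n250-SIZE 10240000\r\n250 8BITMIME"


def offers_starttls(ehlo_reply: str) -> bool:
    """Return True if a raw EHLO reply lists the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Extension lines look like "250-STARTTLS" or "250 STARTTLS".
        if line.startswith("250") and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def plan_delivery(rcpt_domain: str, ehlo_reply: str) -> str:
    """Return 'encrypted', 'cleartext' or 'hold' for one recipient domain."""
    if offers_starttls(ehlo_reply):
        return "encrypted"
    if rcpt_domain.lower() in FORCE_TLS_DOMAINS:
        return "hold"        # forced TLS: keep the message queued instead
    return "cleartext"       # opportunistic TLS: unencrypted fallback (Q21)


def deliver(mx_host: str, sender: str, rcpt: str, message: str) -> str:
    """Apply the same policy on a live SMTP connection to mx_host."""
    forced = rcpt.rsplit("@", 1)[-1].lower() in FORCE_TLS_DOMAINS
    with smtplib.SMTP(mx_host, 25, timeout=30) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()      # re-issue EHLO inside the encrypted session
            mode = "encrypted"
        elif forced:
            return "hold"    # nothing is sent over the unencrypted session
        else:
            mode = "cleartext"
        smtp.sendmail(sender, [rcpt], message)
    return mode
```

A message for which the result is "cleartext" left the agency unencrypted even though TLS is enabled on the sending server; only a forced-TLS entry prevents that for a given partner.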
Q22
What is the down side to supporting TLS?
If configured correctly, none. It can only help your agency to protect your customer data better.
Q23
If I outsource my e-mail hosting to a third party, can I still leverage TLS?
This would have to be discussed with the third party.
Q24
How can enabling TLS increase sales?
Companies today are becoming increasingly aware of the risks associated with Internet use and will
prefer to do business with partners which are like-minded regarding protecting sensitive customer and
company information.
States are beginning to require businesses to protect the sensitive information owned by their residents
that is transmitted over the Internet. Businesses that cannot comply with this requirement may find it too
risky to do business in those states or may be barred from doing business by the state regulators.
Make security of data a talking point for producers during the sales process. Explain how your agency is
protecting their data both at rest and in transit.
Q25
Can I take advantage of TLS if I am using a free e-mail service?
If you are using a free e-mail service such as Yahoo, Hotmail or Google, these service providers do NOT
typically provide TLS capability.