Any reason to use Barracuda encryption with TLS connections?

Encryption TLS HIPAA DLP Content Filter

12 replies to this topic

#1 Johnny Lee Conroy

Johnny Lee Conroy
  • Members
  • 28 posts

Posted 04 August 2017 - 08:44 AM

Hi there:
We are a hospital and we recently turned on the HIPAA pre-defined DLP content filter for Subject and Body (Block/Accept -> Content Filtering -> Predefined Filters).  A lot of outbound messages unnecessarily trigger this filter.  (Meaning there is no confidential patient data in the messages.)  We've figured out that if senders remove the street address and/or phone numbers from their email signatures, the number of messages caught by this filter are greatly reduced.

In the process of analyzing the encryption traffic we've realized that most outbound messages are going to email servers that agree to using TLS with our email server, which always requests it, and we've started exempting those domains from encryption (Basic -> Administration -> Email Encryption Service -> Recipient Email Address/Domain Exemptions), but we are questioning whether this is a sensible strategy.  If you exempt a domain, you can't even manually encrypt the message via the ESG.  (By "manually" I mean we have a custom content filter in place that will encrypt any messages that have the word "ENCRYPT" at the beginning of their subject lines and staff here know to use that if they are sending sensitive information.)

My question for others on this forum is:  Are there reasons to use the ESG encryption even when the messages are being sent over a TLS-encrypted connection?  If not, it would be great if the gateway could detect that a message is going to use TLS and avoid encrypting the message in that case.

Thanks for your input.

Johnny Lee
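The false-positive problem described in this post (address and phone number in a signature tripping a PHI filter) can be reproduced with a few lines of Python. The code below is an added illustration written for this thread, not Barracuda's predefined HIPAA filter: the regular expressions are assumed, simplified stand-ins for the kinds of patterns such a filter looks for, and the two messages are constructed samples. It shows that scanning the signature block is what catches the benign message, and that excluding the RFC 3676 signature block (or, as the post says, removing address and phone from signatures) leaves the real PHI hit in place.

```python
import re
from typing import Dict, List, Tuple

# Assumed, simplified patterns in the spirit of a predefined HIPAA/PII filter.
# Illustrative only: these are NOT Barracuda's predefined filter definitions.
PATTERNS: Dict[str, re.Pattern] = {
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:Street|St\.|Avenue|Ave\.|Road|Rd\.|Drive|Dr\.)\b"
    ),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}

# RFC 3676 signature separator: a line consisting of "-- " (dash, dash, space).
SIG_DELIMITER = "\n-- \n"


def split_signature(body: str) -> Tuple[str, str]:
    """Return (message text, signature text); signature is '' if no delimiter."""
    head, sep, sig = body.partition(SIG_DELIMITER)
    return (head, sig) if sep else (body, "")


def scan(text: str) -> Dict[str, List[str]]:
    """Run every pattern over the text; return only the patterns that matched."""
    hits: Dict[str, List[str]] = {}
    for name, rx in PATTERNS.items():
        found = rx.findall(text)
        if found:
            hits[name] = found
    return hits


def dlp_verdict(subject: str, body: str, scan_signature: bool) -> Dict[str, List[str]]:
    """Emulate a Subject+Body content filter.

    With scan_signature=False the signature block is excluded from the scan,
    which is the effect the original poster got by stripping addresses and
    phone numbers out of staff signatures.
    """
    text, sig = split_signature(body)
    if scan_signature:
        text = text + "\n" + sig
    return scan(subject + "\n" + text)


# Constructed sample messages (fictional people, addresses and numbers).
BENIGN = (
    "Hi Dr. Smith,\n\nThe quality committee meeting moved to 3pm Thursday.\n"
    "\n-- \nJane Doe, RN\nSpringfield General Hospital\n"
    "123 Main Street, Springfield\n(555) 123-4567\n"
)
PHI = (
    "Patient MRN 00123456 was admitted last night with chest pain.\n"
    "\n-- \nJane Doe, RN\n(555) 123-4567\n"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("phi", PHI)):
        for with_sig in (True, False):
            hits = dlp_verdict("Status update", body, scan_signature=with_sig)
            print(f"{label:6} scan_signature={with_sig!s:5} -> {sorted(hits)}")
```

Running the block shows the benign message triggering `phone` and `street_address` only when the signature is scanned, while the PHI message triggers `mrn` either way; the signature-stripping approach reduces noise without hiding the genuine hit.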


#2 opjose

opjose
  • Members
  • 253 posts
  • Location: Washington D.C. Area

Posted 04 August 2017 - 10:59 AM

TLS only encrypts the message exchange to the initial receiving server. Bad things can still happen to the information beyond that point.

ESG actually keeps the message on your own server without any transfer of data. The intended recipient must directly retrieve that message via a web browser. ESG is theoretically more secure.

#3 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 368 posts

Posted 04 August 2017 - 12:35 PM

As far as the need for encryption, that is something that needs to be determined by you. Your mail after delivery could be on a server that could be attacked, so it might not be a good idea to not use encryption.

As to your request about seeing if the destination domain supports TLS before we encrypt the mail:

That would be a feature request which might be difficult to design without impacting the performance of the Barracuda Device.

Currently when mail is encrypted we don't contact the destination domain's mail server. We send the mail directly to our message center. To accomplish what you are requesting would require a connection to the domain's mail server first to verify they have TLS enabled and then deliver the mail, or close the connection and then deliver the mail to our message center. Getting a mail session to start a connection and then stop it and start a new connection would be problematic and would put more load on your unit.

I have however created a feature request for this. It will be reviewed by the Product Managers and may show up in the firmware in the future.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#4 opjose

opjose
  • Members
  • 253 posts
  • Location: Washington D.C. Area

Posted 04 August 2017 - 12:50 PM

To be clear his first sentence refers to sending messages with TLS.  You may not trust the security on the destination domain or through intermediaries...



#5 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 368 posts

Posted 04 August 2017 - 12:57 PM

Opjose,

I understand that which is why I noted that the delivered mail would be on a mail server that could be attacked.

TLS encrypts the data from point to point. Once it reaches its destination the mail is again at rest, usually un-encrypted.

The Barracuda Encryption service also uses TLS to send the mail to our message center but once it gets there it is stored encrypted.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#6 opjose

opjose
  • Members
  • 253 posts
  • Location: Washington D.C. Area

Posted 04 August 2017 - 02:25 PM

Hi Michael.

That wasn't aimed at you.  I was trying to underscore exactly what you just said: that TLS only encrypts the data point to point.



#7 Johnny Lee Conroy

Johnny Lee Conroy
  • Members
  • 28 posts

Posted 16 August 2017 - 01:21 PM

Thanks for the replies.  I hadn't realized that you need to deliberately follow a thread, even if you were the one to start it, so I missed these until after I just created another post in the Feature Request section.

I agree that messages within the Message Center are more secure overall than the point-to-point encryption used by TLS connections.  We've decided that we will exempt domains that use TLS.  My feature request asks for the option to have the gateway bypass encryption when TLS is used, notwithstanding Michael's observation that this might require extra connections by the gateway to determine that before deciding to encrypt or not.



#8 Noah Carlisle

Noah Carlisle
  • Members
  • 3 posts

Posted 16 January 2019 - 12:01 PM

We are also utilizing Barracuda Encryption. I have been setting up rules on the Barracuda for quite some time for domain specific accounts with TLS enabled. I set up the bypass encryption for the domain and I also set up the require TLS option for the domain to make sure any mail will not get delivered unless a TLS connection is made. We get mail from other vendors that have this capability and have been looking into it. I really would like to stay with Barracuda.

Having the ability to set up a rule that will allow bypass of encryption services with any domain that has a verified TLS connection and will include a customizable banner informing the recipient that the email was delivered securely would be a great addition to the firewall.



#9 Steve Braaten

Steve Braaten
  • Members
  • 5 posts
  • Location: Albany, OR

Posted 06 June 2019 - 06:31 PM

Barracuda,

Is there a way we can escalate this request?

As a HIPAA entity we are looking to enable encryption ONLY on an email connection where TLS cannot be a requirement as they do not support TLS and the DLP detects a HIPAA trigger.  In its current form this DLP HIPAA flag is identifying so much that it is unusable for our recipients.  Most have denied communicating with us through the Barracuda encryption portal as their only approved portal for use is their own portal.  Since these organizations are at the State level, we cannot legally dictate they enter our portal.

The HIPAA DLP process needs this option to instead use required TLS.  Proof Point is a service, similar to Barracuda Email Security, which the state is using to only use DLP triggered encryption when TLS is not being required.

Adding this feature request would be very easy.  A simple checkbox on each domain listed in Outbound Connections -> DLP/Required would allow an easy and simple method to enable this for each domain.  This would also allow a means for an organization using Barracuda to also have the ability to use the DLP Encryption and TLS concurrently if they desired.  Our organization however would like DLP disabled if TLS for a domain is a requirement within the DLP/Required section for outbound connections.  Adding this one feature will enable us to be 100% HIPAA Compliant in all scenarios and compete directly with what Proof Point is doing for other organizations.

Please escalate this as soon as possible.  When working with HIPAA Entities this is essential.

-Steve Braaten



#10 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 368 posts

Posted 07 June 2019 - 09:51 AM

Steve,

Yes, adding a checkbox would be simple but creating the delivery process would be extremely difficult to accomplish and would probably result in failed delivery or lost mail.

You are asking that we try to deliver mail that "should" be encrypted normally first and if that connection is NOT TLS to stop the delivery, requeue the mail and then deliver it to the message center.

I can easily see this resulting in a loop where the mail is never delivered.

As a previous person commented, the solution would do this for the domains you want to send mail to directly via TLS:

1. Add them to the force TLS option for your domain
2. Add them to the Encryption Exemption list

If the destination domain accepts TLS the mail will be delivered. If it doesn't the mail won't be delivered.

On the BESG you have full control over who has their mail sent to the message center and who gets it directly.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300
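The two points made in this thread by the moderator can be shown together in one small model: in post #3, that the encryption path never contacts the destination mail server (so the gateway cannot know up front whether TLS would be negotiated), and in post #10, that the workable configuration is the pair of lists, force TLS plus the Encryption Exemption list. The Python below is an added example written for this thread, not Barracuda code: `OutboundPolicy`, `Action`, `FakeProbe` and the two EHLO banners are all assumed or constructed, and the policy ordering is my reading of the moderator's description rather than the appliance's actual logic. The STARTTLS check parses a real-format EHLO reply (RFC 5321 multi-line `250-`/`250 ` lines).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List


class Action(Enum):
    DELIVER_TLS = "deliver directly over TLS"
    DELIVER_PLAIN = "deliver directly in plaintext (STARTTLS not offered)"
    MESSAGE_CENTER = "route to the encryption message center"
    HOLD = "not delivered: force TLS set but STARTTLS not offered"


def starttls_advertised(ehlo_response: str) -> bool:
    """Parse a multi-line EHLO reply (RFC 5321 section 4.1.1.1) and report
    whether the server lists the STARTTLS extension.  Intermediate lines are
    '250-KEYWORD ...'; the final line is '250 KEYWORD ...'."""
    for line in ehlo_response.splitlines():
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


class FakeProbe:
    """Constructed stand-in for opening an SMTP session to the destination MX.
    It returns a canned EHLO banner and records which domains were contacted,
    so the example can show when the gateway does NOT connect."""

    def __init__(self, banners: Dict[str, str]) -> None:
        self.banners = banners
        self.contacted: List[str] = []

    def __call__(self, domain: str) -> str:
        self.contacted.append(domain)
        return self.banners.get(domain, "")


@dataclass(frozen=True)
class OutboundPolicy:
    force_tls_domains: FrozenSet[str]   # assumed model of the "force TLS" list
    encryption_exempt: FrozenSet[str]   # assumed model of the Encryption Exemption list

    def decide(self, recipient_domain: str, dlp_triggered: bool,
               probe: Callable[[str], str]) -> Action:
        domain = recipient_domain.lower()
        # Encryption decision comes first and needs no connection to the
        # destination (post #3): the mail goes to the message center instead.
        if dlp_triggered and domain not in self.encryption_exempt:
            return Action.MESSAGE_CENTER
        # Only the direct-delivery path talks to the destination server.
        tls_ok = starttls_advertised(probe(domain))
        if domain in self.force_tls_domains and not tls_ok:
            return Action.HOLD          # post #10: "the mail won't be delivered"
        return Action.DELIVER_TLS if tls_ok else Action.DELIVER_PLAIN


# Constructed EHLO banners for two fictional destination servers.
EHLO_WITH_TLS = (
    "250-mx.partner.example\r\n250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_NO_TLS = "250-mx.legacy.example\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    policy = OutboundPolicy(force_tls_domains=frozenset({"partner.example"}),
                            encryption_exempt=frozenset({"partner.example"}))
    probe = FakeProbe({"partner.example": EHLO_WITH_TLS,
                       "legacy.example": EHLO_NO_TLS})
    for domain, dlp in (("partner.example", True), ("legacy.example", True),
                        ("legacy.example", False)):
        print(f"{domain:16} dlp={dlp!s:5} -> {policy.decide(domain, dlp, probe).value}")
    print("destinations contacted:", probe.contacted)
```

The ordering is what makes the moderator's warning concrete: a domain that is on the exemption list but not on the force TLS list, and whose server does not offer STARTTLS, ends up as `DELIVER_PLAIN` even when DLP fired, which is why post #10 pairs the two lists rather than using the exemption alone.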


#11 Steve Braaten

Steve Braaten
  • Members
  • 5 posts
  • Location: Albany, OR

Posted 07 June 2019 - 11:08 AM

Hi Michelle,

I'm asking for what the other administrators are essentially asking for.  If TLS is required, we only want the email going out using TLS.  If TLS is not available with the destination email server and DLP detects HIPAA, only then do we want it to go through the DLP encryption process and be sent out to the recipient.  This will cover us 100% of the time for HIPAA as TLS v1.2 meets our requirement.

If we use this solution:

1. Add them to the force TLS option for your domain
2. Add them to the Encryption Exemption list

We will need to enter the domain onto a list twice.  Once under forced TLS domains and then again under Encryption Exceptions.  Personally I would rather do this only once and maintain one list, that being on the Forced TLS list with a checkbox to enable DLP for each domain or not.

I am not sure how ProofPoint does this, but they are doing this and they found a way.  For HIPAA organizations the current method for Barracuda is just not working for us, we need something better.

As mentioned in your solution, adding an exception for domain under the Encryption Exemption would work.  Unfortunately we can only exclude Addresses and Phone Numbers currently, so this is not even an option.  Personally I like my single domain solution under Forced TLS domains but your solution would also work, just requiring a bit more effort.

I am really scratching my head on why this is not a priority and is a feature that is not escalated.  It is a huge issue and one Proof Point and other solutions have successfully resolved.

Who can we talk to to escalate this?

-Steve



#12 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 368 posts

Posted 07 June 2019 - 01:32 PM

Steve,

There is a feature request for this. It has been requested by 6 customers since it was created in 2013.

I have added your comments to the feature request but at this time it is not on the roadmap.

Sincerely,


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#13 Steve Braaten

Steve Braaten
  • Members
  • 5 posts
  • LocationAlbany, OR

Posted 14 June 2019 - 12:04 PM

Thank you Michelle, I will be working with my Account Representative to push this through.

It's an issue for all HIPAA Entities and needs to be prioritized accordingly.  We can be fined up to $50,000 per client breach with a maximum fine of $1.5 million.  If an email contains hundreds of clients, you can see how these costs rapidly increase and potentially can put an organization out of business.  To a HIPAA organization, a failure at this level is not acceptable and could have great financial impact.  This is such a significant feature most HIPAA organizations likely move to a system such as Proof Point as it has been solved within that system.

If this is not corrected within Barracuda, we may need to do the same, moving away from Barracuda and onto Proof Point.

Thank you,

Steve