Wednesday, July 1, 2015

Cloudstar, encrypted email: Just say no

Cloudstar Encrypted Email is a service promoted by several software vendors - to include SoftPro. The encrypted email service is one of a number of offerings cloudstar has, and this has been my only experience with the company.

They tout encrypted email without passwords or usernames - something which sounds too good to be true: it is.

In most all circumstances, an established business would want to stay away from Cloud Star. The only scenario where I think their services can be argued is if you don't already have an email provider (and money isn't terribly important to you), and/or you're hoping that Cloud star will assume a liability* that you don't want to. A note on liability, please read the asterisked (*) comment lower down for my opinions on this.

In that instance, their hosted email package costs slightly more than what you'd pay elsewhere, but you can be sure they're going to meet expectations. ($17 per mailbox per month opposed to $5-10 per mailbox per month), plus Cloudstar has a $700 setup fee which I don't believe is justified -- see below for more on that.

Here's what CloudStar encrypted email does

1. Hosted Email
2. Smart Host for Exchange, Office365 & Google Apps
3. Offer an audit log - they assume liability*.


Here's why cloudstar is useless:

1. They utilize TLS as their encryption scheme which is a default of most all mail servers. TLS is standard on most all mail servers, it's the mainstay of their encrypted email package. 


2. In the event TLS can't be established, they instead send a portal. Which would be a useful service - if they didn't send info to access that data unencrypted to the source. Said otherwise, if they can't send a secure TLS email, they'll send a non TLS email with a message that says "Click here to access your message" but the "click here" link is not secure so if someone IS spying on the email, they'll just be able to click that link.
 (They do offer options here, including pre-defined passwords on the portal, but a similar level of security could be accomplished any number of ways. If you're sharing a key and the data is important, you might as well use PGP - that will be true end-end encryption. If the user has the ability to reset their portal password to a compromised mailbox, how is that secure?).

Furthermore, the retention period on the document hosted in a portal is 30 days.

3. Emails are no more encrypted than they would be otherwise. They try to hide this by encoding it in base64 - but that's practically plain-text to anyone with a plan.

4. Their audit log could be usurped by showing that all of your emails are set to not deliver unless TLS can be established. Said simply, instead of an expansive audit log, simply showing when "Only TLS" was set could be similar evidence of compliance.

Cloudstar does address security, but no more so than doing something simple like setting mail to not deliver unless TLS encrypted communication can be established.

Here's how to turn off best delivery, requiring TLS for all recipients:
1. Google Apps
2. Office365
3. Exchange
3.5 Exchange 2010

Or ask, your mail host if they'll enable the feature.

General security practices:

- Set up SPF DNS records

- Set up DMARC services and DNS records.

- Use spam filtering
-- if you use outgoing spam filtering, or on-prem services, you can filter strings in the message body.

- Invest in training for your users.


Cloudstar charged a $700 setup fee. I'm not sure if this is a blanket fee or perhaps there is actual configuration and setup on their end, but in the instances I've worked to onboard a client with with them it's me, doing the work, changing: configs, certificates, smarthosts, DNS records and troubleshooting, if any.

I believe Cloudstar is unnecessary and fits a niche role. Referring companies use verbage to promote CloudStar as "an industry standard" or, "necessary compliance requirement" when I think in actuality, Cloudstar merely assumes liability* and follow industry standards which could be followed by anyone.




Though CloudStar offers a solution to the bounced email, the portal - it's not a secure solution because they send access in an unsecured manner. There IS an option to enable passwords on the document but at that point the only option is to exchange passwords in person or over the phone because if their email is insecure, emailing the password renders the encryption moot.

In summary: 
Cloudstar's "encrypted email" service has use, but I'm not sure it's fair to say it's an encrypted email service- it's not complete (end-end) encryption, and it's not any more advanced than what is standard for sending e-mail. They offer a portal that is no more secure than sending an insecure email, and if you flip the switch to make it more difficult, you're opening up avenues to use any number of other services due to a password exchange.

Anytime you see a * in this post, in reference to the liability cloudstar assumes, I am assuming that  based on how they send an unencrypted document to the recipient via secure link and that they keep audit log that this means that they've done their legal research and found that that's where their liability ends. This then assumes that they do have some responsibilities -- that part is especially conjecture so please research that if offloading liability is your goal.

I think that it's a bit scammy that they use the buzzwords they do and that they are referred by software companies as a requirement. That their setup fee seems arbitrary at best and indicative of an attitude.

Their tech support and sales team were very helpful when I contacted them.

I would feel much better if my clients did not use this service.


Going forward, I'm going to research a better password related encrypted solution - I have a number of leads some which may be paradigm shifts for our clients. That's a blog post for another day.


Edit! See my followup blog post here, which includes a set of questions you should ask any vendor offering encryption.

Edit #2, on 2/26/2017:
I've successfully navigated my clients away from using services like this. I'm now reading horror stories about people who are receiving "encrypted" portals from hackers and are entering their portal, domain or email credentials and losing them to the hacker. This service, and ones like it, have created a false sense of security which creates a perfect storm for interlopers.

My ultimate advice:
Train your employees. Seriously, this is the key. Find a group which will both train AND test them by sending 'real' phising emails to see if they fall for it, after training.


Have notes in your e-mail which seek to prevent interlopers, messages like "We will never change wiring instructions" or "call before wiring money, each time" are cumbersome, but remove a lot of potential for failure.

Turn off insecure cryptography packages:
Run IIS Crypto on your mail servers, if they're local, to disable bad cryptography packages.


On any mail client (exchange, o365, google suites) turn off the 'best attempt' delivery feature, and instead have emails which can't be securely sent, bounce back to the sender.

Other potential related security vulnerabilities:
- Office should open in protected mode when opening files from outlook - a lot of people turn this feature off because they don't like having to click 'disable protected mode' . Leave this feature on.
- Make sure users don't have admin access, passwords are secure and more.
- E-mail on your local network should be secure, incase someone installs something on your network to monitor for unencrypted messages.
- Ensure copiers, DVR and other internet devices have passwords on them. I've come across the following hacked devices: A PBX phone system, a large MFC copier and a front-end business router. In all instances, exploits were taken advantage of and the machine was snooping, spamming or redirecting to viruses.


EDIT:

I had a client sign up for a similar service - they were told that "google and hotmail accounts are not HIPAA compliant" but-- though the user did use google as their host - their email was coming from @companyname.com NOT @gmail.com -- if you're being directed toward a similar service- it's OK to have google or office365 ("hotmail" or outlook.com) as a host - so long as the email is coming from your domain -- said otherwise - anyone can be your host - but it needs to be tied to the domain name your company has purchased so no companyname@gmail.com!

3 comments:

  1. Thanks for sharing your thoughts. I had been thinking the same way about cloudstar. Have you had any luck with your research of a better password related encrypted solution? What leads have you found?

    ReplyDelete
    Replies
    1. The client we prevented from going to cloudstar is reviewing our proposal. For the most part, I think turning off unencrypted delivery will make them compliant, but I am considering nitrocloud - because not only can people sign documents electronically, but you can see who's accessed the document, how they read it and it comes right back to you after they've signed it.

      Just need to figure out a way to share the password.. maybe make it a drivers license or other unique to the client number? I'll have a more substantial answer in a month or if one of our clients indicate they're interested in those alternatives.

      Delete
  2. Cloud Ace Technologies is offering Implementation Services on Cloud Computing, Cloud Services, IT Security, Storage solutions,An organization often maintains private data that needs to be secured and protected from online theft. McAfee Encryption Solution Providers secures your data from loss or theft with a fast endpoint encryption solution, supports environments with software- and hardware-based encryption, including solid-state and self-encrypting drives
    Email Encryption solutions

    ReplyDelete