Secure Electronic Email

By Paul Sawyer, OIT, Department of Professional and Financial Regulations

Secure electronic mail service is now in production for the Bureau of Financial Institutions (BFI) and the Bureau of Insurance (INS) at the Department of Professional & Financial Regulation. In response to requests from federal financial regulators and demands from financial institutions, secure email, meaning email encryption, became mandatory. Using the same product used by most current business partners made sense, so the Bureau selected Zix Corporation as the solution provider. While investigating the solution for the Bureau of Financial Institutions it became clear that this product would also be a good interim fit for other agencies concerned about secure email because of Gramm-Leach-Bliley Act of 1999 (GLB) requirements, Health Insurance Portability and Accountability Act (HIPAA) requirements, or any other confidential content. CIO Richard Thompson agreed that Zix was a good low-cost, low-impact solution that would meet immediate needs until a long-term solution is identified and implemented.

Enterprise Messaging staff Sandy Saunders and Lori Blier worked with Zix technical staff to install ZixVPM (Virtual Private Messenger). ZixVPM is a policy-driven, server-based email encryption gateway: outbound mail is content-filtered against lexicons for GLB, HIPAA, and profanity, and messages that match policy are encrypted before they leave the agency. Because the Zix service handles the encryption keys, the agency gets a secure e-messaging gateway without having to create, deploy, and manage keys or client software itself.

Business requirements for each agency were different. BFI wanted all email encrypted unless the sender specifically requested plain text, and ZixVPM was configured to meet that need. All outbound email from BFI passes through the Zix gateway. If the email is identified as originating from BFI, and the sender has not selected the "force plain text" button in Outlook, the email is automatically encrypted. A recipient who does not have Zix must register for a password at a Zix site, but only for the first encrypted message; the same password is used to decrypt all future messages. Recipients who are themselves Zix users can decrypt the message without registering.

Conversely, INS wanted to encrypt only select messages. Outbound email originating in INS is screened for personal financial information, Social Security numbers, personal health information, and profanity. A match against the pre-identified words in these lexicons triggers automatic encryption of the message as it passes through the gateway; otherwise the message is passed on as plain text. INS users also have the option of manually "forcing encryption" using an encryption button available in Outlook 2003.
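The two configurations above are the same gateway logic with different defaults: BFI encrypts everything unless the sender overrides, INS encrypts only on a lexicon match unless the sender overrides. The following Python is an added illustration of that policy engine, written for this page and not code from Zix or from the Department. The lexicons, the sender domains (bfi.example.gov, ins.example.gov), and the X-Force-Plaintext / X-Force-Encrypt headers standing in for the Outlook buttons are all assumptions made for the example; ZixVPM's real lexicons and button mechanism are not described on the page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed lexicons for the example. These are not Zix's shipped GLB/HIPAA
# lexicons, just enough terms to show how a keyword match triggers encryption.
LEXICONS = {
    "GLB": {"account number", "routing number", "credit score", "loan application"},
    "HIPAA": {"diagnosis", "prescription", "medical record", "patient"},
    "PROFANITY": {"damn"},
}

# Social Security number pattern. The negative lookaheads reject area 000/666/9xx,
# group 00 and serial 0000, which the SSA never issues; that cuts false positives
# on things like order or invoice numbers that happen to be nine digits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed per-agency policy keyed by sender domain (hypothetical domains).
AGENCY_POLICY = {
    "bfi.example.gov": "encrypt_all",       # BFI: encrypt unless sender forces plain text
    "ins.example.gov": "encrypt_on_match",  # INS: encrypt on lexicon hit or if sender forces it
}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments_text: list[str] = field(default_factory=list)  # already-extracted text
    headers: dict[str, str] = field(default_factory=dict)


def scan(msg: Message) -> set[str]:
    """Return the names of every lexicon (plus 'SSN') that the message matches.
    Subject, body and attachment text are all scanned, as the page says the
    gateway scans attachments; only text that has been extracted can be matched,
    so an opaque or already-encrypted attachment would pass this check silently."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments_text]).lower()
    hits = {name for name, words in LEXICONS.items() if any(w in text for w in words)}
    if SSN_RE.search(text):
        hits.add("SSN")
    return hits


def decide(msg: Message) -> tuple[str, set[str]]:
    """Return ('encrypt' | 'plaintext', lexicon hits) for an outbound message."""
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    policy = AGENCY_POLICY.get(domain)
    hits = scan(msg)

    if policy == "encrypt_all":
        # BFI model: the only way out in clear is the sender's explicit override.
        if msg.headers.get("X-Force-Plaintext") == "yes":
            return "plaintext", hits
        return "encrypt", hits

    if policy == "encrypt_on_match":
        # INS model: sender can force encryption; otherwise the lexicons decide.
        if msg.headers.get("X-Force-Encrypt") == "yes":
            return "encrypt", hits
        return ("encrypt" if hits else "plaintext"), hits

    # Sender not under a gateway policy: pass through unchanged.
    return "plaintext", hits


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Message("examiner@bfi.example.gov", "Quarterly summary", "Nothing sensitive here."),
        Message("examiner@bfi.example.gov", "Press release", "Public text.",
                headers={"X-Force-Plaintext": "yes"}),
        Message("analyst@ins.example.gov", "Claim review",
                "See attached claim for patient 123-45-6789."),
        Message("analyst@ins.example.gov", "Lunch Friday?", "Noon at the usual place."),
    ]
    for m in samples:
        action, hits = decide(m)
        print(f"{m.sender:28} {m.subject:18} -> {action:9} hits={sorted(hits)}")
```

The example honours the BFI "force plain text" override even when a lexicon matches, because that is how the page describes the BFI configuration; a site that wants the lexicon to win over the button would drop that branch. It also shows the practical limit of lexicon-based triggering: only extracted text is matched, so the INS mode protects exactly what the lexicons recognise and nothing else.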

Some of the key features for this product include:

  • Full content scanning of messages and attachments
  • Centralized policy management
  • Automatic retrieval and distribution of public encryption keys
  • Agency-defined policy management
  • Flexible reporting capabilities
  • Message and attachment compression
  • Secure receive and reply for all recipients
  • Creation of certified receipts and non-refutable time stamps

If you want to learn more about ZixVPM, please contact Enterprise Messaging Manager Sandy Saunders or Regulatory Agency Information Technology Director Paul Sawyer for further information.