Here in the State of Florida we have a "Sunshine Law" requirement, and all email is archived for public records requests and for legal proceedings if required. When we receive such a request the email is reviewed by the County Attorney, and PHI and other protected info is redacted.
Now that we have deployed Ironport/Cisco Encryption (managed), outgoing email is still captured in its unencrypted form, but email received that is encrypted (if the encrypted email originated with us and the recipient hit the embedded "reply" button to keep the entire conversation encrypted) can't be captured in its decrypted form.
Can the received email be decrypted for review by the attorney or for a legal reason?
Let me see if I understand the situation correctly. Let me break it into two parts.
Part 1: When your domain/IronPort C-series sends mail out to the Internet and you want to encrypt it, it arrives on the C-series in a non-encrypted format. You archive the message in a non-encrypted format per the "Sunshine Law" requirement of your state. You then call on the encrypt action and leverage the CRES server (Cisco Registered Envelope Service) to encrypt the data, and then the encrypted mail is sent out to the Internet.
Part 2: If the recipient on the Internet replies back, it will be encrypted by the CRES server on the Internet and come back to your domain/MX records in an encrypted format. At this point, the message doesn't become decrypted until the user supplies their password and decrypts the message. The C-series only has this message in an encrypted format, thus not abiding by the Sunshine Law if called upon.
Let me know if this is a correct assessment of both parts.
---------------------------
Now here is the solution. Part 1 is fine. Everything is working great. You're able to archive non-encrypted messages per the Sunshine Law.
For Part 2, the solution would be that if the connection between the CRES service and your domain/MX records could be conducted over a TLS secure connection, the CRES server can be adjusted so that it can send non-encrypted CRES replies to your domain. This has been done for numerous C-series owners who use the encrypt function. They don't all have the Sunshine Law. Most do it for ease of use for the company's end users.
Let me know if the solution for Part 2 would meet your needs. If you think it does, then you can proceed with following this KB below and then move towards establishing a secure connection between CRES and your domain/C-series. Once that is verified, CRES will start to send over non-encrypted replies over TLS. At that point, you can start archiving those replies to meet the requirements of the Sunshine Law.