For health care providers, governmental agencies, and other entities who need to protect private, sensitive, and valuable information communicated via email, the Barracuda Email Security Service provides Data Leak Prevention (DLP) features using email encryption. DLP enables your organization to satisfy email compliance filtering for corporate policies and government regulations such as HIPAA and Sarbanes-Oxley (SOX). Advanced content scanning is applied for keywords inside commonly used text attachments, as well as email encryption. You can configure email encryption policies per domain.
Outbound Mail Encryption
Encryption is performed by the Barracuda Email Encryption Service, which also provides a web interface, the Barracuda Message Center, for recipients to retrieve encrypted messages.
Figure 1: Mail Flow for Encrypted messages sent through the Barracuda Email Security Service.
Secure Sensitive Message Transmission
TLS provides secure transmission of email content, both inbound and outbound, over an encrypted channel using the Secure Sockets Layer (SSL) - also known as TLS. For DLP, you should require mail to be sent outbound from the Barracuda Email Security Service over a TLS connection. To do so, enable Force TLS for each domain on the Outbound Settings > DLP/Encryption page. Mail sent to these domains must be transmitted across a TLS connection. If a TLS connection can not be established, then the mail will not be delivered. See also Secured Message Transmission.
Define when to Encrypt Messages
Use the Outbound Settings > Content Policies page to create policies for encryption of outbound message in one or both sections:
- Message Content Filters – You can select the Encrypt action for outbound email based on characteristics of the message's subject, header or body. You can specify simple words or phrases, or use Regular Expressions. Content filtering is case sensitive.
- Predefined Filters – You can select the Encrypt action for outbound email messages that contain matches to pre-made patterns in the subject line, message body or attachment. Use the following pre-defined data leakage patterns (specific to U.S.) to meet HIPAA and other email security regulations:
- Credit Cards – Messages sent through the Barracuda Email Security Service containing recognizable Master Card, Visa, American Express, Diners Club or Discover card numbers will be subject to the action you choose.
- Social Security – Messages sent with valid social security numbers will be subject to the action you choose. U.S. Social Security Numbers (SSN) must be entered in the format nnn-nn-nnnn or nnn nn nnnn .
- Privacy – Messages will be subject to the action you choose if they contain two or more of the following data types, using common U.S. data patterns only: credit cards (including Japanese Credit Bureau), expiration date, date of birth, Social Security number, driver's license number, street address, or phone number. Phone numbers must be entered in one of the following formats:
- HIPAA – Messages will be subject to the action you choose if they contain TWO of the types of items as described in Privacy above and ONE medical term, or ONE Privacy item, ONE Address and ONE medical term. A street address can take the place of Privacy patterns. So, for example, a U.S. Social Security Number (SSN), an address, and one medical term is enough to trigger the HIPAA filter.
Click Help on the Outbound Settings > Content Policies page in the Barracuda Email Security Service web interface for more details.
Send and Receive Encrypted Messages
The Barracuda Message Center is a web-based email client for receiving and managing encrypted email sent by the Barracuda Email Security Service. The email client looks and behaves much like any web-based email program (see Figure 2). For a user's guide, see the Barracuda Message Center User's Guide. The workflow for sending and receiving encrypted messages is as follows:
- Outbound messages that meet the filtering criteria and policies configured as described above are encrypted and appear in the Message Log, but the message body does not appear in the log for security purposes.
- The Barracuda Message Center sends an email notification to the recipient including a link the recipient can click to view and retrieve the message from the Barracuda Message Center.
- The first time the recipient clicks this link, the Barracuda Message Center prompts them to create a password.
- The recipient logs into the Barracuda Message Center and is presented with a list of email messages. All encrypted messages received appear in this list for a finite retention period or until deleted by the recipient.
Figure 2: Barracuda Message Center web interface
Senders have the option to allow replies from recipients to be sent from the Barracuda Message Center. When the recipient replies to the encrypted email message, the response is also encrypted and the sender receives a notification that includes a link to view and retrieve the message from the Barracuda Message Center.
Senders can also enable read receipt to be sent from the Barracuda Message Center so senders know when a message has been read.
An example read receipt email sent to the sender that the recipient has read the message.