Introduction      

 

As part of your job, you will have to share information that could be considered sensitive. With remote work and information technology, email and document sharing on platforms like Teams, SharePoint, and OneDrive are commonplace. For this reason, it is important to protect information while it is being transmitted. A second article, How to protect sensitive documents, covers the methods for protecting a document itself.

 

With this procedure, you can share sensitive data in several different ways. Here we give you the procedure to follow to send encrypted emails. This method also applies to sending encrypted emails to third parties who are not part of the organization, such as customers or partners. It is the duty of all Alithya employees to protect the data that is shared, and the duty of Alithya to provide you with the tools to do so. Good security practices avoid harm that could put us in a difficult situation.

 

To apply this procedure, it is important to understand how to classify sensitive data. For this, please refer to Alithya's Information Security Policy on the intranet.


 

Procedure


Sending an encrypted internal email

 

When an email contains sensitive data that could harm the company, it must be encrypted at all times. To put it simply, there are two types of recipients:

  1. Internal
  2. External

 

This section shows how to send an encrypted email within Alithya, that is, to recipients whose email address uses the @alithya.com domain.

 

  

 Internal recipient

 

  • Create a new message as you normally would.


 

  • Go to Options at the top of the window, then Encrypt, to see the encryption options:

 

  Two options are available to you for internal recipients:

  1. Edgewater Technology – confidential display only encrypts the content and displays it only once it is decrypted. This prevents the recipient from sharing the content, copying it, taking screenshots or forwarding the email.
  2. Edgewater Techno – confidential only allows you to encrypt the message internally.

  If you send an email encrypted with one of these options to an external recipient, it will not work.

 


External recipient

 

  1. External recipients do not need to have an email address with the @alithya.com domain. They can access the email through their business or personal accounts. It works well with Gmail or Outlook. Note that it cannot be guaranteed to work with every email provider; there are far too many to confirm that they all work. That said, we expect the most widely used providers to work without problems.
  2. Once the email arrives in the external recipient's inbox, the recipient must authenticate to confirm their identity in order to decrypt the email:

 

Encryption type: No transfer. Note that the email may take several seconds, or even 1 minute, to display:

 

 

 

  • Once the recipient is authenticated, the content is displayed. If the no-transfer option was selected beforehand, the external recipient will not be able to forward the email, or copy or print the content. However, they will be able to take screenshots. In any case, an automatic message appears to warn of the terms and conditions regarding the confidential content. Note that when you send multiple encrypted emails, a recipient who has already authenticated won't have to do so every time, as your public key is automatically saved in their email account.

 

Large file sharing

For example, if you want to share a large file, you can't do it by email. It must be shared through SharePoint. However, there may be little control over access to this file; it all depends on who manages it. This is why a file of a confidential or sensitive nature must be encrypted or protected with a password, and the password shared securely, orally.

When we talk about file sharing, several issues arise. The first lies in the simple act of sharing a file: the nature of the content has to be evaluated, along with how to share it with someone. Once a file is on the internet, it is difficult to confirm 100% that it will not end up in the hands of the wrong person. To fix this issue, we must first have a secure place to deposit the file, one that allows us to control access to files. Fortunately, at Alithya, we have SharePoint from Microsoft, which acts as a secure data repository in the cloud and lets us control access to files. SharePoint already has a variety of technologies to protect the content we deposit on it. However, the files themselves are only encrypted, and they are readable by anyone who has access to them.

After this long introduction, we understand why it is important to encrypt or protect the content of the files we want to share. That way, if the files are intercepted in transmission, on receipt, or where the data is deposited, a malicious actor will not be able to access them, or at least only with difficulty.

How to proceed?

First of all, you need to create a Team Site (SharePoint) with external access. To do so, you must first open a ticket with the HelpDesk containing a detailed request: the people who need access (the team and the external people) and the business need. It is important to specify the retention period of the SharePoint site, such as the duration of use and its deletion once it becomes obsolete. It is VERY important that the SharePoint site serves only the purpose described and nothing else. If you have another business need for another mandate, or for the same mandate without the same criteria, you must submit another request. This is the principle of "Need to Know" and "Segregation of Duties".

 

It is important to note that once the external user has downloaded the sensitive data, this data must be deleted from SharePoint. It should not remain in SharePoint unnecessarily.