Cloudiance Encryption Portal (CEP) User Guide 

This document is designed as a modifiable guide for CEP users.  Note that CEP is configurable, and your organization’s configuration may not be represented by this guide which uses the default settings. For instance, your keywords to encrypt mail may be specific to your organization. Please be sure to note any discrepancies before distributing the guide to your users.

Introduction 

The Cloudiance Encryption Portal (CEP), is a full featured encryption system that allows users to exchange information securely by way of email. CEP provides organizations with the tools needed to adhere to state and federal privacy regulations while protecting their organization.

When a message is sent using the CEP encryption feature, it is encrypted, and protected so that the message can be safely sent without the contents of the email being disclosed or tampered with.

As an option to CEP, you may also elect to enable Digital Loss Protection (DLP). This service takes the additional step of automatically scanning outbound email for potentially private, protected information (such as social security numbers), and requires your users to encrypt email containing it prior to sending.

The CEP is software licensed, managed and integrated by Cloudiance for our customers' use from the developer of our advanced anti-spam and virus software, TitanHQ, and may be referred in graphics as EncryptTitan. 

The CEP is both an optional, add-on service to Cloudiance's zMailCloud and Exclusive Hosting email services, and also may be purchased separately, and used with other email service providers.

Pricing ranges from $5/mailbox when applied to more than 49 mailboxes, to $10/mailbox when applied to one mailbox. The DLP option is an additional $2/mailbox, and applies to all users of CEP if enabled. Based on experience, for ease-of-use, we encourage you to apply the service to all mailboxes in your domain.

Depending on the complexity of your particular organization's mail routing, and the number of mailboxes to which you'd like to apply CEP, there may be an additional, one-time fee for consultation and installation. Please email sales@cloudiance.com, or open a ticket with the sales department for a quote.

Note that, like most of Cloudiance's services, CEP installations are guaranteed satisfaction, or your money back, as long as you cancel within 30 days of CEP activation. We are working on automating the activation of CEP in the portal like other features such as those under Reputation Protection, however, due to complexities inherent in the CEP service, to order CEP, at least for the time-being, you should open a ticket for a quote.

When to use the CEP 

In general, when sending sensitive information to email addresses outside of your own domain, then the CEP encryption feature should be used.

When unsure if the contents of an email would be considered sensitive; it is recommended that the sender use CEP encryption to secure the message.

Preparing to use CEP (required DNS SPF configuration) 

If Cloudiance is not already hosting your domain name, then prior to activating CEP, you should add this SPF text record to your DNS host's information for all domains you're using with Cloudiance:

v=spf1 include:_spf.zmailcloud.com include:spf.encrypttitan.net ~all

Finally, please add this CNAME record:

select-et1._domainkey CNAME select-et1._domainkey.encrypttitan.net.

Secure Delivery Methods in a nutshell

By default, CEP will automatically determine how to secure a message sent to the specific recipient.  

TLS Verify Delivery Method

CEP will first attempt to deliver an encrypted email using TLS Verify.  TLS Verify is often the preferred delivery method because, in general, TLS Verify meets state and federal requirements for sending private information over email and does not require the recipient to take additional steps to view the email. The message is transported securely to the recipients mail server and then handed off for processing.

Users should check with their Compliance or IT Officer to determine if TLS Verify meets the organizations encryption requirements, or open a ticket with us if we're acting in that role for your organization.

In order for a message to be delivered using TLS Verify, the recipients mail host, associated with the domains MX record(s), must support TLS version 1.2 or 1.3 (lower versions of TLS are no longer considered secure by regulators and are not supported by CEP). In addition, the mail hosts name must match the common name (CN) of the digital certificate used to facilitate TLS.  Both the TLS version and the certificate match are required for TLS Verify to be used as the deliver method. If either TLS Verify requirement are not met for a particular recipient, Encrypt Titan will automatically default to the Secure Portal delivery method for the email.

Secure Portal Delivery Method

The Secure Portal delivery method does not require any particular recipient mail server capabilities, however it does require the recipient to take the extra step of logging into the CEP Secure Portal. Overall, the Secure Portaldelivery method is more secure than TLS Verify, and offers encrypted message storage, two factor authentication and allows the encrypted message recipient the ability to reply back securely to the sender of an encrypted message directly from the Secure Portal.

The Secure Portal also provides additional controls for the sender of an encrypted email, such as message auditing, read receipts and the ability to recall an encrypted message that has been sent in error.

The table below summarizes the features of each secure delivery method.

How to send an encrypted email  

1. Log in to your email account (using the web client, or any other email client, such as one on your phone, or laptop)
2. Create a new email message.
3. Ensure the recipient’s email address is correct.
4. In the Subject field of the email, enter the text /secure/ anywhere in the subject of the message.
5. Type the message
6. Click on Send to send the message. The service will then encrypt the message and deliver it to the intended recipient.
7. By default, CEP will first attempt to deliver the secure message using TLS Verify. If the recipients email server supports TLS 1.2 or 1.3 and the common name of the digital certificate matches the host name of the mail server, the message will be transported using TLS encryption and the message will be decrypted by the recipients’ email server.

        Note: /secure/ is not case sensitive; /SECURE/ or /Secure/ for example, could also be used.
        Note: The keyword may be different for your organization.  Users should check with their Compliance or IT Officer when in doubt.

A TLS Verify banner will be injected into the body of the message letting the recipient know that the message was transported securely.

If the TLS Verify delivery method is not successful, CEP will automatically use the Secure Portal as the delivery method and the recipient will receive a notification message with a message link and instructions on how to retrieve the secure message.

The sender will receive a notification email when a message is encrypted.

If the Secure Portal was used as the delivery methodology, then the notification message will contain a tracking link that enables the sender to both audit and/or recall the message.  If TLS Verify was used as the delivery methodology, the tracking code link will not be included in the notification message.

How To force an Encrypted Email to the Secure Portal

Because TLS Verify does not provide the enhanced security that the Secure Portal offers, the sender may decide they want to ignore TLS Verify encryption as a delivery method and force the message to be delivered to the Secure Portal.

 To force a message to the Secure Portal the sender only needs to type in a different keyword in the subject line.

1. Log in to your email account.
2. Create a new email message.
3. Ensure the recipient’s email address is correct.
4. In the Subject field of the email, enter the text /secureportal/ either before or after the subject of the message.
5. Type the message.    
6. Click on Send to send the message. CEP will then encrypt the message and deliver it to the intended recipient.
7. CEP will “force” the delivery of the email to the Secure Portal and the recipient will receive a notification message with a link and instructions on how to retrieve the secure message.
   
   Note: /secureportal/ is not case sensitive;  /SECUREPORTAL/ or /Secureportal/ for example, could also be used.  

Display Audit Log of an encrypted email sent to the secure portal

When a email is encrypted and sent to the secure portal, the sender will receive a notification receipt, confirming that the email was encrypted. Within that receipt, is a unique tracking code that can be used to check the status of the encrypted email.

When the sender of the message clicks on the tracking code, an audit log is displayed showing the actions taken by the recipient. Actions such as “opened”, “saved as PDF”, “printed”, “replied” and “deleted” are some of the actions that will be audited.

Recalling an encrypted email sent to the secure portal

When a email is encrypted and sent to the secure portal, the sender will receive a notification receipt, confirming that the email was encrypted. Within that receipt, is a unique tracking code that can be used to recall (pull back) the encrypted email.

For example, if the email was sent to the incorrect recipient or the wrong attachment was sent, the sender can recall the email which deletes it from the Secure Portal making it impossible for the recipient to open the encrypted email.

Once an email is recalled, the audit log will show that the email was recalled by the sender.

Frequently asked questions 

How long is a secure message stored on the CEP Secure Portal?

The default retention time for a message is 60 days. Once the retention time is reached, the message will be deleted.

What is the maximum size of an email that can be encryption? 

Currently it is 100 MB.