In Part 2 of our blog series Four things to consider before a mail migration, we are looking at encryption options.
Are you, or in fact, can you take encrypted messages out of the existing mail file?
If you are then you may have more options than you think.
Encryption options available
First point of order is to assess what, if any, content is encrypted. In the case of Domino mail virtually any object in the mail application can be encrypted (including mail, calendar, contacts, to dos) these will need to be decrypted during migration process.
Once it is established which items are encrypted, decide whether to re-encrypt any items on the target system. Be aware that different systems have different encryption mechanisms.
- Decrypt mail from the source and re-encrypt on the target system during migration (where supported) – Depending on the system you are going from and to, there may be different encryption mechanism in play. Domino has its own integrated PKI and Exchange/Office 365 support S/MIME as part of Active Directory.
- Pro: All mail is re-encrypted and secured, maintains security model, users aren’t forced to change their working practises
- Con: Takes planning time, potential configuration for target system, assumes cert store / access and availability for source system
- Decrypt from the source and push to the target as un-encrypted – Decrypt all items from the source system at migration time and do not re-encrypt. All content is sent to the target system un-encrypted.
- Pro: Saves migration time – no target system configuration time and no re-encryption at mail migration time.
- Con: Nothing is encrypted on the target system.
- Decrypt non-mail and mark them as private on the target system – Where re-encrypting items such as calendar entries isn’t supported on the target system, MME can mark these entries as private.
- Pro: Items decrypted re marked as private, this saves time and gives an awareness of what was encrypted previously.
- Con: Items are not encrypted.
- Re-encryption where target system encryption isn’t an option - Where it isn’t possible to re-encrypt on the target system - save encrypted items as password protected PDF files.
- Pro: Separate keys for re-encryption are not a requirement, Items are still encrypted, each user has their own password.
- Con: Takes time as part of the migration, users need to remember the password.
- Decrypt from target and save as password protected PDF file – Decrypt all encrypted items from the source and save as password protected PDF files on the source system. Same as item above.
- Do not decrypt – Do not migrated any encrypted content. The question is why would you do this? Most likely answer is – you don’t think you have any encrypted content and do not want to do the assessment.
- Pro: Saves migration time.
- Con: You may lose content as an assessment has not been run.
It is possible to run any of the above scenarios system wide or to take a mix of encryption options for groups of users i.e. VIPs would have all of their items re-encrypted etc.
In part three of our series we are covering content security and timescales, with a look at how BCC’s Mail Migration Engine can help.
Thinking about migrating your email to a new platform?