Proofpoint Response to Microsoft Auto-Encryption
Details Of The Automatic Policy
The policy will enable automatic email encryption when “sensitive” information is detected in email content. Microsoft has provided examples of what is considered “sensitive” as follows:
- ABA routing number
- Credit card Number
- Drug Enforcement Agency (DEA) number
- U.S. / U.K. passport number
- U.S. bank account number
- U.S. Individual Taxpayer Identification Number (ITIN)
- U.S. Social Security Number (SSN)
Microsoft also notes that the “exact sensitive types may differ by your organization’s locale and will be communicated in the Message Center notification.”
Impact To Spambrella DLP/Encryption Customers
The impact of this automatic policy will be immediately disruptive for Spambrella customers:
- DLP: Because Microsoft will have encrypted many emails before they reach the gateway, the Spambrella DLP engine will not be able to inspect those emails for sensitive content. Any compliance / regulatory visibility that customers rely on Spambrella for will therefore not be available for those messages.
- Outbound email scanning: Spam and AV scanning would not be possible on those encrypted emails.
- Plugin- or subject-based encryption: would probably result in “double” encryption, because the Proofpoint gateway will try to encrypt an email that Microsoft has already encrypted.
- Policy-based Encryption: emails encrypted by Microsoft cannot be scanned for DLP by Spambrella. Therefore, Proofpoint Encryption will not be triggered.
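To make the DLP impact concrete, here is an added example (not Spambrella's or Proofpoint's code) of a minimal gateway-side scanner for four of the sensitive types listed above: SSN, ITIN, credit card (Luhn-validated) and ABA routing number (checksum-validated). The detectors and both sample bodies are constructed approximations; the point is that the same scanner that finds every value in the clear-text message finds nothing once Microsoft has encrypted the body upstream.

```python
import re
from typing import Dict, List

# Constructed, simplified detectors for four of the sensitive types Microsoft lists.
# They are not Microsoft's or Proofpoint's classifiers, which add keyword/confidence logic.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "itin": re.compile(r"\b9\d{2}-(?:5\d|6[0-5]|7\d|8[0-8]|9[0-2]|9[4-9])-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # candidate; Luhn filters it
    "aba_routing": re.compile(r"\b\d{9}\b"),               # candidate; checksum filters it
}

def luhn_ok(number: str) -> bool:
    """Luhn check-digit validation for a card number (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def aba_ok(number: str) -> bool:
    """ABA routing number checksum: weights 3, 7, 1 repeated over the nine digits."""
    d = [int(c) for c in number]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0

def scan(body: str) -> Dict[str, List[str]]:
    """Return the sensitive values found in an email body, keyed by type."""
    findings: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(body)]
        if name == "credit_card":
            hits = [h for h in hits if luhn_ok(h)]
        elif name == "aba_routing":
            hits = [h for h in hits if aba_ok(h)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample body as the gateway sees it when Microsoft has NOT encrypted it.
PLAINTEXT_BODY = ("Please wire to routing 123456780. Card 4111 1111 1111 1111. "
                  "SSN 123-45-6789, ITIN 912-70-1234.")
# Constructed stand-in for the same message after upstream Microsoft encryption:
# the gateway only sees an opaque blob, so every detector comes back empty.
ENCRYPTED_BODY = ("[encrypted payload - constructed placeholder]\n"
                  "U2FsdGVkX19mb29iYXJiYXpxdXV4Y29ycHVzZW5jcnlwdGVkbWVzc2FnZQ==")
```

Running `scan(PLAINTEXT_BODY)` reports all four values, while `scan(ENCRYPTED_BODY)` returns an empty dict, which is exactly why a downstream policy-based encryption rule keyed on DLP hits never fires.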
Customers should also note that this automatic policy will alter the recipient experience significantly. Recipients of encrypted emails will now have to log in with their user ID and password, or use a One Time Passcode, to access automatically encrypted content.
For the reasons outlined above, Spambrella recommends that customers disable this automatic policy so that all the PPS services (DLP, Spam/AV, Encryption) that customers value continue to operate as before.