Google Apps / Gmail

Mail Clients

Tablets / Phones

New Users

HIPAA & Safe Harbor

Servers / API

Reviews

Support Center

Empower Your Business

Say it Privately

Service Updates

Translate:

Q1. I see companies offering “secure” email solutions. These services often fall short. Why is that?

Mostly because they want you to CHANGE the way you do email and/or email storage. That is, they try to change how email works, or change how you use email, or change how others use email, or they want you to store your email on their systems.

However, email is very hard to change. Email is one of the oldest (1971) and most diverse Internet systems.  Email systems are managed by millions of independent administrators, in many thousands of different ways, and users are also independent in their choices of Mail clients. Email has too much “mass” to be able to easily accommodate a coordinated change in the way it works. Trying to change how email works before enabling security is like proposing “let’s first boil the ocean”.

How about changing just my organization’s email system?

Even if the change seems trivial, it would likely not interoperate with other email systems... so, if you are not in your office, your organization would likely not even be able to talk to you.

What choices do we have? After all, organizations need to comply with privacy regulations including HIPAA.

Yes, organizations may have to agree to make changes in order to try some solution X. However, people sooner or later realize that conventional solutions do not work because their users need both usability and security, while (as usual) solution X is either secure but not usable, or usable but not secure.

At the end, these systems require changes and do not deliver what people really need.

Q2. How does ZSentry fit in?

First, ZSentry is for email — but not only. ZSentry provides a secure, HIPAA-compliant solution for many user services in all platforms, with seamless operation and surpassing known limitations including password problems. ZSentry supported user services include email, webmail, web forms, SMS, IM, file storage, and single-sign-on, in desktop, tablet, and mobile use.

We designed ZSentry with a single “golden rule” in mind: NO CHANGE. The idea is that there shall be no changes to how email or other Internet protocol works, how your email system works, or even how anyone else’s email works. Nothing to install either, and setup must be optional. No stored cookies, no ActiveX controls, no Java, and Javascript is optional.

How is this even possible? We accomplished this by making ZSentry a middleware, which is a technical term. It means that ZSentry stays in-between (the “middle” in middleware) what you already have. It works with the message itself, not receiving the message, not routing the message, not at a storage place for the message, and not even in sending the message.

You receive secure email at your usual Inbox, with nothing routed thorough ZSentry, for an email address that you already have. You use your current software, ISP or webmail provider. ZSentry does not receive email and does not host email addresses for users. There is nothing to download or install, no plugins or add-ons. There is no need to change your user interface. There is no POP or IMAP server use.

ZSentry does not change anyone else’s email or system either. Everyone keeps what they have, no new investments, no training, no change.

ZSentry works in-between what you already have, and that’s why ZSentry does not change what you have and can use what you have.

Q3. How about the security part for ZSentry?

Some security experts have expressed the view that users cannot have both security and usability, that if they have more of one then they must have less of the other.

We discovered that this is not true. People can have more of both security and usability, and at the same time.

Simplicity is the key to have both security and usability. Let us summarize some cases.

For example, suppose you are concerned someone may steal your smartphone or laptop, or you may forget them somewhere. How can someone be prevented from reading all your emails and yet retain usability?

You can forward any sensitive but unsecured email to yourself using ZSentry, and require login to open. You can ask ZSentry senders to require login when sending to you. After your first login, and before your session expires you can read all zmails with just 1-click.

However, if you are sending a ZSentry Mail to a patient and your email has no protected health information (for example, it just has standard questions), then you can allow the recipient to read based on ZSentry’s mailbox challenge-response authentication, with no registration or login, and reply securely using the Secure Quick Reply button. There will be no protected information stored in the cell phone or other device used to reply.

Simplicity is the key mainly because simpler systems tend to be both more secure and more usable. This also makes ZSentry easy to explain.

How easy? ZSentry is the only IT security system based on a principle that is so basic and intuitive that can be understood by kindergartners.

Q4. So, you can explain how ZSentry works to a 5-year old!?

Yes. In Dr. Seuss’ “Moss-Covered Three-Handled Family Credenza” children movie, the Cat in the Hat (see U.S. stamp above) was asked to leave the children’s house, but did not want to. Therefore, he devised a trick. He claimed that someone in the house took his family credenza, which he wanted back. Everyone starts looking for it, otherwise he would not leave. But, even though they look very systematically throughout the house, the family credenza was not found. Of course, no such thing was there to begin with.

You cannot find (or attack) what is not there.

That is how ZSentry protects your data: By the power of mathematics and the ZSentry methods, the critical crypto keys to your data are not stored anywhere, not even encrypted or offline. Thus, your crypto keys cannot be found by anyone! Not even by you, so you have no liability either.

Furthermore, ZSentry is designed in such a way that only you know your ZSentry Usercode and Password, and those are also not stored anywhere, not even encrypted or offline. So, no one can find them either.

Therefore, just like the Cat in the Hat’s credenza, with ZSentry an attacker may even look endlessly but will not be able to find something that is not there.

For grown-ups, we call this technology “ZSentry Sans Target”. If there is no target anywhere, no one can find it.

Read more: How ZSentry Works >>

Q5. If none of our users’ passwords are stored on your system, how can you physically authenticate them?

The user is authenticated not by how their ZSentry Usercode and Password look, or whether they match an encrypted or hashed copy. There is no offline copy either, that could be compared with. Instead, the user’s ZSentry Usercode and Password are authenticated by the way they work together.

Do you have another analogy that can help us understand this?

We call it the “mailbox & lock” analogy. It is like having a key to a mailbox but neither has a number to match. How it works is that if you know where your mailbox is, you can open it by the way the key works in the lock. There is no key copy or number to look at and compare. And anyone else trying would not know where the mailbox is.

Using a non-physical “mailbox”, ZSentry can have trillions upon trillions of possible “mailboxes” and keys, so that an attacker could take ages of the Universe before, by chance, trying the right key in the right “mailbox”.

If none of the encryption keys used are stored on the server, and are not stored on any server of yours, how does the encryption/decryption take place?

When the key works in the “mailbox & lock” analogy, it “opens the mailbox” where level-1 keys are located, and so on.

How does the two-factor authentication work? Is it a time-based token sent over a device, like a key fob, cell phone SMS, smart-phone app?

As usual, the two-factors in the ZSentry authentication are what you know (your password, you created it) and what you get (the Usercode, which is unpredictable). ZSentry has no copy of either factor. In addition, ZSentry uses other factors in the auditing of authentication, such as IP number, DNS records, device identification, timing, and capability.

To provide protection against a more comprehensive attack profile (e.g., keyboard sniffing), ZSentry can also offer two-factor multi-channel user-based authentication, called ZSentry ID. For example, by adding a time-code that is sent to a cell phone, and/or a sequence of one-time access codes.

Q6. How can I explain how it works to users?

No analogy is needed. ZSentry is based on things that people already understand. When a Google Apps or Outlook user needs to send a secure email, she just needs to know “what button to press”. This is an operational HOW and that’s what most people have to know. The answer is simple:

There is nothing to learn to use ZSentry. After a simple setup, users just select the secure From address (the one that uses ZSentry) and click Send in their email program. It works the same way with any email client, for example with Outlook and Google Apps.

As an even simpler user case, when a user reads a ZSentry Mail and just wants to reply securely, all that is needed is to touch the button  Secure Quick Reply  — the reply will be sent securely even without user registration, allowing easy secure reply in a first contact. This requires no setup and works in all platforms and cell phones, even “not-so-smart” phones.

Q7. How to install ZSentry and what do I need to do in terms of IT?

There is no installation but ZSentry may require setup. To interface with user applications, ZSentry uses HTTPS at port 443 and/or SSL/SMTP at port 465 (safer, faster). ZSentry can be used in clients and/or servers.

The default ZSentry Premium choice for sending secure email is HIPAA-compliant with challenge-response mailbox authentication, login monitoring, and expiration control. It enables secure first-contact and reply with verified recipient online identity, without requiring the recipient to register. Alternatively, you can require recipient registration, and also login, and you can personalize ZSentry to activate the Secure Vault, request a Return Receipt, and much more. These choices are explained in Dashboard section. A full advisory about the ZSentry HIPAA configuration choices is provided upon ZSentry Premium signup (you can request a copy before you signup).

There are three cases concerning HOW it physically works, explained below.

ZSentry uses what is configured in your system, with a least-requirements strategy. At the very least, your system (desktop, tablet, mobile) should have a web browser. This requirement is easily met by all current systems and allows you to read, reply, send, and store securely without any setup, using the ZSentry App.

If you also have a Mail client, you can use it securely, exactly as you would with regular email — with NO CHANGES. You can read, reply, send, and store securely. With a Mail client, ZSentry can further protect you by using your web browser as an additional firewall and for message preview. This is done automatically, with the work of a single mouse-click. You can also do a Secure Quick Reply without using a Mail client. All you need to do is setup your Mail client (no download, no plugin) to use the ZSentry Client

Organizations and power-users may also want to use ZSentry API, where ZSentry can directly interface with office applications such as Word, and server applications using .NET, PHP, and other languages.

In each level, ZSentry does not require any new understanding or procedure. There is nothing that cannot be explained using what people already know.

Q8. Can this also be used for cloud storage, for my emails for example?

Yes. Because if an attacker cannot find your crypto key then they obviously cannot open the box of secret information (your encrypted email or data).

And ZSentry goes a step further in protecting information at rest (cloud or other storage). Even if an attacker has your ZSentry Usercode and Password, and full access to the server, the ZSentry message still cannot be decrypted. At this defense level, what is also not there is a message key that was sent with the message but not stored, not even encrypted or offline.

This additional ZSentry step for storage is important also to allay concerns of internal attacks.

However, how about an attacker who can use a super computer to make and try all possible keys, including crypto keys and message keys? With the ZSentry technology, it could take ages of the Universe to find the right combination.

Q9. What if an attacker, external or internal, gains access to the server and reads the data stored there? Not even large companies and nation states seem to be able to prevent that.

This is usually called a “server breach”. However, a server breach is not a problem for ZSentry-protected information because the data is encrypted in the server and neither the data nor the server contain the keys to decrypt. In regulatory terms, this condition is called “Safe Harbor”. It prevents data loss in the ZSentry servers and also protects the ZSentry customer, who is thereby exempted of breach notification duties as defined in state, federal, and international regulations.

Q10. How do I know that ZSentry is not just a fad that will be replaced by the next thing?

First of all, ZSentry is a process that works with what you already have. It also works regardless of any changes that you may make in your messaging, storage, or infrastructure systems. That is, ZSentry fits in today and tomorrow.

Second, ZSentry is “invisible” middleware with no mandatory user interface of its own. This places considerable burden on a replacement that would not be a middleware and would depend upon acceptance of its own user interface to work.

Third, a major cause for replacement is often the user interface, and a competitor can always offer a better one, at least in the eyes of enough users to make it significant as a replacement. We all want something different, and with ZSentry we can all have whatever we want.

Fourth, even if something else came along, you would lose nothing by having used ZSentry first. There is no investment in using ZSentry, the cost per message more than pays for itself in savings, there is no training and no new messaging or storage system to learn, and people can use their own devices without changes.

Finally, ZSentry will not cease to be usable. Due both to ZSentry’s middleware architecture and its compliance with Internet standards, whatever “next thing” comes, it will likely need to be compatible with Internet standards and, therefore, with ZSentry.

Q11. Is there documentation by the government that ZSentry is HIPAA compliant?

Yes. ZSentry is officially certified by the US Government to provide a HIPAA-compliant EMR (Electronic Medical Records) solution (CHPL Product Number: IG-2482-11-0040), including encryption when exchanging electronic health information (§170.302.v) and providing an electronic copy of health information (§170.304.f).

Q12. More questions?

Please try our Frequent Questions >>