SecureMail - Provider
Providing a means for people and government agencies to exchange information electronically.
Information for Service Providers
The case for SecureMail
Government is encouraging the deployment of SecureMail by service providers so that government can securely exchange messages with businesses and people.
For a service provider, the value proposition for providing SecureMail is anticipated to be:
Increased transactions - SecureMail is expected to increase message volumes as government, businesses and people use email, where previously they have used letters and other channels because of security concerns. Some message types that are expected to increase:
- Ad hoc messages from organisations (government or business), responding to enquiries involving personal information;
- Notifications
- from government, such as official results or reminders;
- from business, such as statements or payslips;
- Transactional messages
- from business, as part of a process, such as interaction with a supplier: purchase orders - invoices - remittance advices - receipt; and
- from government, as part of a process, such as completing a form: form - receipt - service.
Opportunity for Value-Added Services – SecureMail will offer several opportunities for a service provider to market value-added services:
- SecureMail itself might be considered a value-added service. Many businesses have a street address, but pay extra for a secure PO Box. A SecureMail mailbox might be considered similar;
- SecureMail will help enable the development of new transactional applications. These applications are likely to require value-added services such as payment gateways, transaction hubs and application software;
- Many government agencies and businesses will require assistance with integrating SecureMail into their processes; and
- There is an increasing volume of messages with faked FROM: addresses generated by spammers or automated viruses. SecureMail provides a high level of assurance that the FROM: address has not been faked, meaning filters and automated rules can be applied in highly effective ways. A service provider will be able to prioritise authenticated SecureMail messages over the rest if its customers desire.
Brand differentiation - Providing SecureMail allows a service provider to demonstrate to its customers that it is aware of security issues and is responding to meet them, whereas its competitors may not be. A SecureMail service provider will be able to assure its customers that messages are being sent and received with greater security than normal Internet email.
SecureMail System
The diagram below demonstrates how the SecureMail system will work from a service provider’s viewpoint. For simplicity, multiple instances of each organisation are not shown.
On the top right, the diagram shows a Gateway Service Provider providing a Gateway to a Mail Service Provider, who in turn provides mail store services to lots of people and small organisations. In addition, the Gateway Service Provider offers a gateway service to medium organisations with their own mail store.
On the bottom right, the diagram shows a Gateway/Mail Service Provider providing both Gateway and mail store services to many people and small organisations. For both types of service providers, their Gateways securely send/receive messages for their customers.
On the middle right, the diagram also shows how a large organisation can use its own Gateway to send/receive secure messages over the Internet, without any service provider intervention.
One configuration option for SecureMail is to only have a single government Service Provider. Effectively, this option would require the establishment of a centralised all-of-government webmail service. This option is not currently being considered, but is included for completeness.

SecureMail deployment: an overview
Before offering SecureMail services, a service provider will need to consider:
- Business and legal topics: There will be legal and business topics to be considered in providing SecureMail services.
- Business processes: A service provider’s existing business processes may need to be re-designed to work with SecureMail.
- Technical architecture: A service provider’s existing technical architecture may need to be reconfigured to work with SecureMail.
To send/receive SecureMail, a service provider will need to organise access, by either installing its own Gateway or contracting the service from a Gateway Service Provider.
Option 1: Own Gateway: A service provider requiring its own Gateway will need to:
- Acquire a Gateway: Select, install and test an accredited SecureMail Gateway. Gateways can be acquired from SecureMail accredited vendors. Once installed, the Gateway must pass site certification tests. Gateways also need to perform regular automated testing and to be upgraded in a timely fashion, as amendments to the SecureMail requirements are notified;
- Join SecureMail: Sign the SecureMail Service Provider Agreement. This Agreement sets out the terms that apply to providing SecureMail services, such as complying with the SecureMail requirements.
Option 2: Contracted Gateway: A service provider can use the service of a Gateway Service Provider. The Gateway Service Provider will impose SecureMail requirements for security and interoperability on the business.
Any service provider handling SecureMail will need to:
- Comply with SecureMail requirements: Be responsible for maintaining security and interoperability in accordance with the SecureMail Membership Agreement or those terms that the Gateway Service Provider imposes on the service provider.
- Impose SecureMail requirements: Impose applicable SecureMail requirements on their customers, employees and contractors, and ensure relevant security issues are reported and actioned.
To operate SecureMail, a service provider will need to:
- Continue to comply with SecureMail requirements: Continue to maintain security and interoperability in accordance with the SecureMail Service Provider Agreement or those terms that a Gateway Service Provider imposes on the service provider. Where a service provider has its own Gateway, deploying SecureMail will also place an obligation on a service provider to undertake regular testing of their Gateway and to upgrade their Gateway in a timely fashion, as amendments to the SecureMail requirements are notified.
Business topics to consider
Before deploying SecureMail, a service provider will need to consider how SecureMail will impact on its business processes. Some of the topics that need to be considered are outlined below.
They are grouped into those that apply to:
- a service provider providing both Gateway and Mail services;
- Gateway Service Providers; and
- Mail Service Providers.
Topics for any service provider
A service provider will need to make its own evaluation of the business issues around using SecureMail or providing Gateways.
Business model: A service provider will need to determine a suitable business model for the provision of SecureMail services.
SecureMail obligations: A service provider will be expected to maintain compliance with the SecureMail interoperability and security requirements. A service provider will have an obligation to report and react to security issues, undertake regular audits and respond to amendments to the SecureMail requirements in a timely fashion. In some situations, when contracting services to other service providers, the SecureMail obligations will have to be passed on.
Sovereignty: A service provider must ensure SecureMail messages are protected for the public interest and to preserve personal privacy. To ensure New Zealand laws protect SecureMail messages, a service provider will not be able to use facilities outside of New Zealand to handle SecureMail, i.e. a service provider is only allowed to store messages in New Zealand and send messages over the New Zealand part of the Internet.
Value added services: A service provider is free to develop value-added services as it sees fit. Such services must not compromise SecureMail. In some situations, such as developing structured message formats, a service provider will be encouraged to develop standards for the whole of New Zealand.
Branding: A service provider will be able to market its products with a by-line of “SecureMail Accredited”.
No spoofing: A service provider must ensure that a customer cannot spoof another customer. For a gateway service provider, this will also mean ensuring spoofing does not occur between customers running mail servers.
Topics related to Gateway Service Providers
Contact Information: A gateway service provider will need generic contact information, kept up-to-date with the SecureMail administrator. This information cannot contain personally identifiable information, but should instead take the form of "securemailadmin@companyname.co.nz" and a phone number.
Encryption issues: A gateway service provider will require staff with experience in the operational issues that arise if message encryption fails. For example, if a Gateway fails, then until a new Gateway is implemented, all the arriving encrypted messages cannot be delivered. A significant upstream queuing facility may be required to store incoming messages. If a service provider’s decryption key is lost, then messages are useless – there must be a robust process to ensure the key is backed up securely and available in a timely fashion when required.
Topics related to Mail Service Providers only
Mail server obligations: A mail service provider must ensure that any SecureMail message it sends has an authenticated FROM: address and can be linked to an accountable sender.
Offering SecureMail: A mail service provider will need to determine how the SecureMail service will be offered to customers. For example, a provider may offer SecureMail as a value-added service by offering customers the option of upgrading their existing mailboxes to SecureMail accredited mailboxes. Alternatively, a mail service provider may choose to offer all of its customers a SecureMail accredited mailbox. A mail service provider will also need to help customers with any set-up and ongoing support issues.
Authentication: SecureMail has minimum standards for authentication. A mail service provider must support username/password access to a mailbox. In addition, at least one form of strong authentication for access must be available. For example, strong authentication might involve the use of a username/password AND a one-time-password generator.
If a customer does not have strong authentication available, some messages being received will have to be either held or returned to the sender as undeliverable. Similarly, some types of messages must not be sent without strong authentication.
It is expected that any authentication mechanism used within SecureMail will be consistent with the Best Practice Framework for Authentication.
Establishment of Identity: Some receivers might require the mailbox holder to identify him or herself to a level sufficient for a particular type of transaction to be carried out, such as providing a form of photo ID. A Mail Service Provider might choose to provide a service to simplify this process.
Accountability: In addition, some receivers might require the sender to acknowledge they are the only person using the mailbox (i.e. it is not a mailbox to which other individuals have access). A Mail Service Provider might choose to provide a service to simplify this process.
Legal topics to consider
Before deploying SecureMail, a service provider will need to consider how SecureMail will impact on it from a legal perspective. Some of the legal issues that need to be considered are outlined below.
Privacy: As with any communication, SecureMail messages and associated information, such as operation logs, will be subject to Privacy Act obligations.
Crimes: If an interception, copying, accessing or interference offence is committed in relation to SecureMail messages or the associated SecureMail environment, then a service provider should take appropriate action.
Lawful interception: A service provider will need to ensure that it complies with the Telecommunications (Interception Capability) Act.
Employees/contractors: A service provider must ensure that obligations are imposed on employees and contractors, for instance that employees and contractors are not permitted to use the SecureMail environment for unlawful purposes.
Customers: A service provider will need to consider how to impose the relevant SecureMail Service Provider Agreement obligations on their customers.
Liability: A service provider will need to be comfortable with any liability that may arise from the use of SecureMail. Situations in which liability could arise include such things as security breaches, misuse of the system by authorised people and failure to perform an agreed action.
A service provider will need to make its own evaluation of the legal issues around using SecureMail or providing Gateways.
For more information: securemail@ssc.govt.nz

