Kerio Connect and GDPR

Alfik
One short question: Is Kerio Connect GDPR compatible?

I agree with other colleagues - the last recommended version was released 2017-04-27.
What are we paying for?
I'm seriously thinking about a replacement. Kerio will lose 335 client licences.
Kerio/GFI Brian
In regards to GDPR, the applicable requirements relate to security of data that may contain personal information. Specifically this refers to data encryption, whether at rest or when transferred over the network.
For network encryption, all protocols in Kerio Connect support SSL and you can enforce this with the security option to require encrypted connections.
Regarding data at rest, if you are on macOS the file system is encrypted. For Linux and Windows there are a number of third-party applications that can encrypt directories or the entire file system.

Brian Carmichael
Instructional Content Architect
bm
I cannot agree with Brian...

GDPR regulations are more complicated than just this, and they will require huge changes in the email server. At this moment I don't see any chance of being GDPR compliant by May 2018 using Kerio Connect, due to the dead development over the past year...
Kerio/GFI Brian
BM, please elaborate on your comments. Aside from my previous reply regarding data encryption, what areas of Kerio Connect are preventing you from being compliant?

Brian Carmichael
Instructional Content Architect
bm
Brian, we could spend many hours talking about these, but none of us has time for this. If GFI were taking the GDPR more seriously, we would have started this conversation one year ago. To begin, try spending some time with Microsoft's solution aimed at GDPR and then compare it with GFI Connect. I'll give you a small hint:

- Data processing
- Logs processing
- Backup & archiving
- Retention rules
- Incoming/Outgoing mail rules/filters (attachments with PI)
- Security (2-step verification, etc.)
...

Due to the lack of development of GFI Connect over the past year (we can discuss the maintenance fee) I don't believe fake promises, and GFI is not a trustworthy partner for my company anymore. Especially for security-based solutions.

[Updated on: Fri, 16 February 2018 08:23]

ian.bugeja
GFI has assessed GDPR compliance in Kerio Connect email server.

Kerio Connect is a robust email server which already has a lot of compliance with the GDPR regulation. It does fall short, like most software today, in terms of encryption at rest. This is mainly due to the fact that encryption at rest comes with the cost of increased processing power.

In early Q2, we will be releasing a version of Kerio Connect which helps with encryption at rest on Linux-based systems. However, for Windows-based systems we suggest enabling BitLocker, and for Mac FileVault 2. Similarly, backups need to be stored on an encrypted storage medium, using the same encryption technology.

There are other aspects that need to be addressed, for example self-signed certificates: although not mandatory, we suggest having properly validated and certified certificates. It also depends on any customisation like proxy servers etc.

Proper password policies are also a must, ensuring that the system, both at OS level and at mailbox level, is safe and secure.

In terms of 2 factor authentication GDPR compliance does not impose such a requirement.

Hope this clarifies all issues on GDPR. A more formal whitepaper on the topic will be issued by GFI in the coming weeks covering all GFI, Kerio and Exinda products, and the required actions.

Ian Bugeja
GFI Software
stepak@ribbon.cz
Hello, I'll join the thread. Since GFI bought KERIO it's going down. Kerio has not updated anything for the past year, and it still wants annual fees from customers. And on such an important thing as the GDPR, all the questions are being downplayed. This should be done, and our customers told what to do and whether Kerio Control complies with GDPR.
ian.bugeja
What OS are you using for Kerio Connect?

Ian Bugeja
GFI Software
stepak@ribbon.cz
Windows Server 2016 Standard
ian.bugeja
Hi

Kerio Connect is GDPR compliant on Windows Server 2016 once the following steps are performed on such an OS.
1) You need to have encryption on your disks. This is either achieved through hardware encryption (some drives support it) or by enabling BitLocker, which is part of Windows.
2) Ensure that the protocols enabled (both web and email) are secure.
3) Ensure complex passwords are being used, especially to access administrative accounts or server resources.

Optional: Use proper certificates not self-signed ones for HTTPS communication.

Hope this helps. Any questions let us know.


Ian Bugeja
GFI Software
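An added audit script for the three steps in Ian's post above; it is not from the forum or from GFI. It assumes it runs elevated on the Kerio Connect host itself, that the BitLocker feature is installed, and that the host name and the default Kerio ports are correct for your deployment (placeholders to adjust).

```powershell
# Constructed audit script for the three steps above; run it elevated on the Kerio Connect host.
# $MailHost and the port numbers are assumptions to adjust for your deployment.
$MailHost = 'mail.example.com'   # placeholder: the name on the server certificate

# Step 1: every fixed volume should be fully encrypted with BitLocker protection on.
# Get-BitLockerVolume ships with the BitLocker feature (Install-WindowsFeature BitLocker).
foreach ($v in Get-BitLockerVolume) {
    $ok = ($v.ProtectionStatus -eq 'On') -and ($v.VolumeStatus -eq 'FullyEncrypted')
    '{0} BitLocker: {1} ({2}% encrypted)' -f $v.MountPoint, $(if ($ok) { 'OK' } else { 'NOT PROTECTED' }), $v.EncryptionPercentage
}

# Step 2: plaintext listeners should be closed (or "require encrypted connections" enabled in Kerio),
# and the TLS listeners should refuse TLS 1.0 and present a CA-issued, not self-signed, certificate.
function Test-TlsListener([string]$Server, [int]$Port, [System.Security.Authentication.SslProtocols]$Proto) {
    $tcp = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
        # accept any certificate during the handshake; we inspect it ourselves below
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($Server, $null, $Proto, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return @{ Handshake = $true; SelfSigned = ($cert.Subject -eq $cert.Issuer); Expires = $cert.NotAfter }
    } catch { return @{ Handshake = $false } } finally { if ($tcp) { $tcp.Close() } }
}
foreach ($p in @{ HTTP = 80; POP3 = 110; IMAP = 143 }.GetEnumerator()) {
    if ((Test-NetConnection -ComputerName $MailHost -Port $p.Value -WarningAction SilentlyContinue).TcpTestSucceeded) {
        'Plaintext {0} listener on port {1} is open' -f $p.Key, $p.Value
    }
}
# Note: the TLS 1.0 probe uses SCHANNEL on the client side; if TLS 1.0 is disabled for clients on
# the auditing host, the handshake fails and the listener is reported as refusing it.
foreach ($port in 443, 993, 995) {
    if ((Test-TlsListener $MailHost $port ([System.Security.Authentication.SslProtocols]::Tls)).Handshake) {
        "Port $port still accepts TLS 1.0"
    }
    $r = Test-TlsListener $MailHost $port ([System.Security.Authentication.SslProtocols]::Tls12)
    if ($r.Handshake -and $r.SelfSigned) { "Port $port presents a self-signed certificate" }
    if ($r.Handshake -and $r.Expires -lt (Get-Date)) { "Port $port certificate expired on $($r.Expires)" }
}

# Step 3: OS password policy ('net accounts' output is localised; the label below is the English one).
# Mailbox password rules are configured separately in the Kerio Connect administration.
$acct = net accounts
$minLen = [int](($acct | Select-String 'Minimum password length').Line -replace '\D', '')
if ($minLen -lt 12) { "Minimum password length is $minLen; require 12 or more" }
```

The script only reports findings; each line printed is a step that still needs attention.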
bm
Dear Ian, let me ask you. With all due respect, do you know what the GDPR is all about?

I ask because I think you have no clue, or you just don't tell the truth to your customers. One topic for all: logs in Kerio Connect. At this moment there is no auditing, no pseudo-anonymisation, no control at all. Do you know that the IP address, as well as the email address, are considered personal data and as such are subject to processing rules?

How about encrypted backups? How about many other things?

GDPR is not a new thing. You had two years to prepare. You did nothing...
Kerio/GFI Brian
@bm,
All data which could potentially include personal information should be encrypted. If the data (e.g. logs) are encrypted, this is a form of Pseudonymisation. To the best of my knowledge, auditing with respect to GDPR is something that should be performed by a person and is not explicitly a responsibility of the information system. Please reference sources that state otherwise.
Regarding backups or archiving, it's the responsibility of the administrator to ensure that this data is saved to an encrypted volume.
As Ian indicated, we are preparing a version that supports data encryption (Linux) that will not require the use of separate encryption software.

Brian Carmichael
Instructional Content Architect
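Keyed hashing of the identifiers in a log line, added here (not from the forum or from GFI) to illustrate the pseudonymisation of e-mail and IP addresses that bm and Brian discuss above. The log line format, the key and the sample entry are constructed, not Kerio Connect's real format.

```powershell
# Constructed example of pseudonymising a mail log line: e-mail addresses and IPv4 addresses are
# replaced by keyed-HMAC tokens, so entries for the same user or client can still be correlated
# while the raw identifiers are no longer present. Format, key and sample line are made up.
$key  = [System.Text.Encoding]::UTF8.GetBytes('placeholder-key-store-me-outside-the-log-store')
$hmac = [System.Security.Cryptography.HMACSHA256]::new($key)

function Get-Pseudonym([string]$Value, [int]$Length = 12) {
    # case-insensitive so Alice@Example.com and alice@example.com map to the same token
    $hash = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Value.ToLowerInvariant()))
    return (($hash | ForEach-Object { $_.ToString('x2') }) -join '').Substring(0, $Length)
}

function ConvertTo-PseudonymisedLine([string]$Line) {
    # first alternative matches an e-mail address, second a dotted IPv4 address
    $pattern = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}|\b(?:\d{1,3}\.){3}\d{1,3}\b'
    return [regex]::Replace($Line, $pattern, [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        if ($m.Value.Contains('@')) { 'user-' + (Get-Pseudonym $m.Value) } else { 'ip-' + (Get-Pseudonym $m.Value) }
    })
}

# Constructed sample line (not Kerio Connect's real log format)
$sample = '[16/Feb/2018 08:23:11] IMAP login from 203.0.113.45 for alice@example.com succeeded'
ConvertTo-PseudonymisedLine $sample
```

Whoever holds the key can still re-identify a token, so the key must be kept apart from the log store and rotated according to your retention rules.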
bm
@Brian
Any processing activity (reading, storing, exporting ...) must be recorded and audited with respect to the GDPR. Even the authorized person (admin) has no right to perform this activity without recording.

Sorry, but encrypted storage does not fix everything. It's just a small part of something much bigger. For fun, try comparing archiving between your products GFI Connect and GFI Archiver.
bm
Fun fact

https://www.gfi.com/gdpr-compliance

Kerio Connect isn't listed here... :)

ian.bugeja
That page lists solutions that can help you achieve GDPR compliance in your organization. It is totally different from having a product that is GDPR compliant.

Yes Kerio Connect is GDPR compliant and a whitepaper listing the necessary steps required by IT administrators will be released soon.

Ian Bugeja
GFI Software