Email encryption is highly sought after as a product and feature these days. This is not only because of privacy concerns and general suspicion about where our information goes on the web, but also because of increased awareness of the expanding regulatory requirements placed upon companies to transmit sensitive information in a secure manner. A primary example of these requirements is HIPAA, under which healthcare providers small and large are required to transmit PHI (Protected Health Information) securely; a good email encryption solution can fulfill this need.
Before going into what these solutions are really meant for, what they do and don’t do well, we need to explore some basic concepts to clearly define what the best solutions are and what really makes them the best.
What is Email Encryption?
Simply put, sending an email is like sending a postcard. In theory, it is completely open to anyone who’d like to peek. When email started, it was designed for open communication and networking within the very secure existing structure of the US military (this dates back to ARPANET). Now that anybody can basically get online, most people with any technical ability can set up their own email server and start sending, intercepting or compromising email in almost any manner they can find. To avoid exposure to these potential bad actors, those who desire or are required to have an added layer of security need to step back and re-create an email environment in which the information they transmit is better protected.
TLS, or Transport Layer Security, is a form of encryption that’s commonly used in services like Gmail, and is an effective means of protecting data in email transmission. It provides a “handshake” between a sending and a receiving server in which the two agree on encryption algorithms that both sides understand, thus allowing the sender to encrypt a message that the receiver can decrypt. While the protocol also allows for the validation of the authenticity of the recipient, this is not a requirement in email, and thus TLS is used only to encrypt the message in transit. This is different from TLS in HTTPS connections, where the authenticity of the server is validated. Note that when the email is received in these cases, it sits unencrypted on the recipient mail server.
The 3 “Domains” of Email Encryption
Email Encryption, to be comprehensive, must apply to three broad areas of email: what is happening in transit, what is happening at rest, and the connection to the email server.
The best encryption solutions cover the following areas:
In transit: While an email is being sent, encryption via a “handshake” protocol ensures that hackers cannot decipher, and thus cannot alter, the data being transferred. Only the intended server can decrypt the contents of the email.
At rest: This refers to your email storage. While a message is sitting in your inbox, encryption ensures that anyone without the proper decryption keys can’t decipher your data. Should your storage be compromised, the emails remain encrypted and thus undecipherable to the offending party.
The connection to email server: As mentioned earlier, when doing TLS in email, the authenticity of the server you are connected to is not necessarily validated. Self-signed certificates are allowed and abundant. Consequently, one is prone to “man-in-the-middle” attacks where an offending party inserts itself in between the sender and the valid recipient. Said party could provide its own certificate and thus decipher the sender’s messages. (Sidenote: Email requires port 25 and/or port 465. Encryption on port 25 requires an SMTP STARTTLS command. Port 465, on the other hand, is only for encrypted data.)
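The gap between encrypting the hop and authenticating the server, shown as an added Python example (not code from the original article): the first context accepts any certificate, as described above, while the second validates the chain and hostname and refuses to fall back to cleartext. The function names, the host argument and the constructed EHLO replies are assumptions for illustration.

```python
import smtplib
import ssl


def opportunistic_context() -> ssl.SSLContext:
    """Encrypts the session but accepts ANY certificate, self-signed included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation: open to interception
    return ctx


def validating_context() -> ssl.SSLContext:
    """Encrypts AND authenticates: trusted chain plus hostname match."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def advertises_starttls(ehlo_reply: str) -> bool:
    """True if a raw EHLO reply lists the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Reply lines look like "250-STARTTLS" or "250 STARTTLS".
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def send_validated(host: str, sender: str, rcpt: str, message: str) -> None:
    """Port 25 with mandatory, validated STARTTLS; never sends in cleartext."""
    with smtplib.SMTP(host, 25, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Missing STARTTLS may mean an old server or a stripped capability.
            raise RuntimeError("STARTTLS not offered; refusing cleartext delivery")
        smtp.starttls(context=validating_context())  # raises on a bad certificate
        smtp.ehlo()  # re-issue EHLO over the encrypted channel
        smtp.sendmail(sender, rcpt, message)


# Constructed sample EHLO replies (not captured from a real server).
WITH_TLS = "250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
WITHOUT_TLS = "250-mail.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME"
```

With `validating_context()`, a self-signed or mismatched certificate aborts the handshake with `ssl.SSLCertVerificationError` instead of silently encrypting to whoever answered.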
Who Needs Encryption?
To put it simply, everyone needs it, but not necessarily for every email.
For your private use, passwords, personal information, offline instructions (“Our house is empty for the next month, come rob us!”), and financial transaction information are but a few of the reasons you’ll want your email to be encrypted.
For commercial use, all of the private reasons apply, not only to the information you transmit about your company and employees but also to that of your customers. Corporate espionage, social engineering attacks and more should concern you when looking at protecting your and your customers’ data. Add to this that maintaining compliance with industry-specific regulatory requirements is a crucial consideration when evaluating email encryption solutions.
What is an Email Encryption Solution?
A robust email encryption solution effectively creates a separate environment within the World Wide Web that provides not only a secure, encrypted means of transit for data, but also encryption at rest, requiring a secure portal to log in and manage email. The data accessed through this portal is effectively stored in a secure area or location with enhanced protection from a trusted provider. This is more expensive than any ol’ email server, so the data you transmit in this manner should be of value or in need of protection for compliance purposes.
By comparison, secure messaging is done similarly, but that moniker can apply to any messaging system that functions as an “overlay network” within the framework of the internet. This could also technically define a phone network or other non-digital messaging system that simply requires a controlled or anonymous method of access. Most secure messaging that organizations look for, however, is built on email, not only because email is so easy to use, but also because it is easier to track, manage, and incorporate into your workflow, and is less casually used than SMS-lookalike secure messaging systems.
What To Expect From the Best Email Encryption Solutions
Automated Encryption Policies: Admins should be able to create automated rules that encrypt emails based on certain keywords, such as invoices, passwords, ePHI records, and more. These kinds of Data Protection Policies (DPP) are necessary to ensure that even if employees are not complying with or aware of regulation, the organization is not at risk.
Subject Based Encryption: Employees should be able to use triggers to automatically encrypt emails by certain keywords in subject lines.
Ease of Access for Recipient: How does a recipient of encrypted email access the email? How easy or difficult is it? Are there sufficient authentication mechanisms to ensure that the person accessing the email after it has been delivered is the intended recipient?
Encrypting All Outbound vs Select: Certain encryption services will allow for encryption of all outbound email. This can be burdensome because of the time consumed in using encrypted emails, but ultimately makes the risk of decryption by hackers much lower. On the other hand, automated DPP can encrypt select emails, which can in a sense highlight emails that hackers might want to look at (this can be mitigated by encrypting some inconsequential emails as well).
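A sketch of how the automated policy, subject trigger and encrypt-all options above could be evaluated at an outbound gateway, added here as an example and not taken from any product the article describes. The `[secure]` subject tag, the rule names and the SSN-like pattern are hypothetical choices; the sample messages are constructed.

```python
import re
from email.message import EmailMessage

# Hypothetical rule set: (rule name, scope to search, compiled pattern).
RULES = [
    ("subject-trigger", "subject", re.compile(r"^\s*\[secure\]", re.I)),
    ("keyword", "any", re.compile(r"\b(invoices?|passwords?|ephi|phi)\b", re.I)),
    ("ssn-like", "body", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]


def body_text(msg: EmailMessage) -> str:
    """Concatenate every text/* part so text attachments are scanned too."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def encryption_decision(msg: EmailMessage, encrypt_all: bool = False):
    """Return (encrypt?, reasons); encrypt_all models 'all outbound' mode."""
    if encrypt_all:
        return True, ["encrypt-all-outbound"]
    subject = str(msg.get("Subject", ""))
    body = body_text(msg)
    scopes = {"subject": subject, "body": body, "any": subject + "\n" + body}
    # Policy rules fire even when the sender never asked for encryption.
    reasons = [name for name, scope, pat in RULES if pat.search(scopes[scope])]
    return bool(reasons), reasons


def make(subject: str, body: str) -> EmailMessage:
    """Build a constructed sample message for the demonstration."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    return m


if __name__ == "__main__":
    for subj, text in [("[Secure] lab results", "see attached"),
                       ("Q3 numbers", "Invoice 4411 is attached"),
                       ("Lunch?", "noon works")]:
        print(subj, "->", encryption_decision(make(subj, text)))
```

Returning the matched rule names alongside the decision gives admins an audit trail for why a given message was or was not encrypted.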
Encryption has been a hot topic of late, with the eFail attacks showing a weakness in PGP and S/MIME that leaks the plaintext of encrypted emails. This highlights, more than ever, the need for a top-grade encryption solution with a secure portal, using TLS, to make email compromise as difficult a task as possible for any bad actors. You don’t want to make it easy.
The most valuable data you hold is what keeps your organization going, because it belongs to customers, partners, or other stakeholders, all of whom are drivers of your success. If you don’t protect this critical information, you’re putting both them and yourself at risk.