In today’s world of cloud-based services and legislative forces that are upping noncompliance penalties with each passing day, the application of email encryption as a strategic tool is back on the front burner.
Email encryption is nothing new, of course. Yet outside of the usual circles — finance, healthcare, government — widespread adoption of the practice hasn’t occurred.
“Email encryption hasn’t taken off the way we expected,” Bill Mann, SVP of business unit strategy for CA Technologies, told TechNewsWorld. “The business drivers haven’t been strong enough. They weren’t sufficiently painful.”
Then there has been the issue of cost and underutilization.
“Most organizations typically spent more than they needed to on email encryption solutions,” Eric Ouellet, Gartner VP, secure business enablement, told TechNewsWorld. “In the past, they built very large, complicated systems and found that it was used for less than 5 percent of emails because most people’s roles didn’t require it — only a few key groups like legal, compliance, HR, senior executives, etc.”
The technology behind the scenes didn’t help the email encryption cause, Mann said. “It was cumbersome by nature and required [human] interaction to do it. It was also an area in itself. But with the cloud and virtualization, data is scattered everywhere. Now it has to become part of the bigger data protection and data loss prevention picture.”
Too Many Moving Parts
“Technology was good, but not user-friendly,” said Michael Ginsberg, CEO of Echoworx. “Traditional models provided certificates and keys. There were a lot of professional services involved, and a lot of moving parts when solving encryption needs.”
Traditionally, encryption was a two-way process based on establishing relationships between the sender and the recipient, explained Tony Wilkins, senior product manager for Symantec Hosted Services. “Typically, the recipient sends the key to the sender who uses it to encrypt the email. Establishing those relationships is a very labor-intensive business and a big task for administrators. You have to be really keen to use it, since it’s difficult, it isn’t spur of the moment, and it can be very challenging creating these predefined relationships.”
An underlying problem has been the fragmented approach to encryption, Ginsberg added. “A lot of different dynamics will occur within one company. Yet many products have concentrated on single solutions for laptops or encryption portals, for example. And if you bought tool A or B, you’re left with a mess five years later because they won’t talk to one another.”
Those who have implemented identity-based encryption such as PKI (public key infrastructure) solutions have been resistant to change, simply because of the disruption, he said. “The thought was you had to throw the baby out with the bath water — but now you can keep all that stuff and it still works.”
With demand growing, suppliers have learned to turn complex processes “into refrigeration,” Ginsberg explained.
“No one knows how a refrigerator keeps milk cold — it just does. That’s what encryption needed to do. The biggest push has been making this stuff usable,” he said.
“Rather than a separate infrastructure requirement, encryption should just be a checkbox item,” suggested Mann. “Encrypting email content using defined policies means the decision can be made without the need for user involvement.”
Gateways and Desktops
Gateway and desktop encryption have both come a long way in terms of ease of use and automated capabilities. A good number of companies are adding gateway encryption, which automatically scans emails for content based on predefined privacy parameters before they leave the organization and encrypts them when appropriate.
“Content-aware DLP (data loss prevention) is a class of products that … can scan the body of emails and attachments and determine if there is any sensitive content,” Ouellet explained. “DLP rules are usually based on internal policies and data classifications built into the engine. If there is sensitive content, it can actually provide some form of remediation, such as redirecting it to an encryption engine or automatic encryption.”
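The gateway decision these two paragraphs describe, as an added Python example that is not code from the article or from any vendor it quotes: the body and every text attachment are scanned against a handful of constructed DLP patterns, and sensitive mail addressed outside the organisation is routed to an encryption step. The rules, the `example.com` domain and the sample message are assumptions built for the example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
# Constructed DLP rules (added example, not a vendor engine): policy -> pattern.
# A production engine adds classification labels and validators (e.g. Luhn).
DLP_RULES = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "payment_card": re.compile(r"\b(?:\d[ -]?){15,16}\b"),
    "classification_label": re.compile(r"\b(?:CONFIDENTIAL|RESTRICTED)\b"),
}

def text_parts(msg: Message):
    """Yield decoded text from the body and from every text/* attachment."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")

def scan_message(raw: str) -> set:
    """Return the names of every DLP rule that matches anywhere in the message."""
    msg = message_from_string(raw)
    return {name for text in text_parts(msg)
            for name, pattern in DLP_RULES.items() if pattern.search(text)}

def gateway_action(raw: str, internal_domain: str = "example.com") -> str:
    """'encrypt' when sensitive content is addressed outside internal_domain
    (hand-off to the encryption engine), otherwise 'deliver' unchanged."""
    msg = message_from_string(raw)
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    leaves_org = any(not a.lower().endswith("@" + internal_domain) for a in addrs)
    return "encrypt" if scan_message(raw) and leaves_org else "deliver"

# Constructed sample: the body is harmless, the SSN sits in a text attachment.
SAMPLE_OUTBOUND = """\
From: payroll@example.com
To: pat@partner-example.net
Subject: Q3 contractor form
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi Pat, the signed form is attached.
--b1
Content-Type: text/plain; charset="utf-8"
Content-Disposition: attachment; filename="form.txt"

Contractor: J. Doe  SSN: 123-45-6789
--b1--
"""
```

The same message sent only to an `@example.com` address, or with the SSN redacted, falls through to plain delivery, which is the policy-without-user-involvement behaviour Mann describes.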
Desktop/laptop encryption is also gaining ground — especially with smaller businesses, or in conjunction with gateway services for larger ones. Here emails are scanned at the user level, and the user can activate an encryption key when a message is flagged.
“The user isn’t aware of certificates and keys. They just press the ‘make it secret’ button,” Ginsberg explained.
Encryption in the Cloud
A newer method on the scene is email encryption in the cloud, which Ginsberg likened to an “encrypted mail lockbox.” It has significant potential for large-scale applications like statement presentment.
“Senders of financial statements can really benefit because they could feed data to an ‘encryption box’ at the same time as a printer, so it can be sent as an attachment to your customers,” he explained. “They can then get their [encrypted] statements in their in-box with the rest of the mail.”
In Symantec’s policy-based encryption service, for example, all encryption is done in the cloud, and whatever keys are needed to send the email are managed on your behalf, said Symantec’s Wilkins. An Outlook plug-in adds an encrypt button to the toolbar for users to activate. The email is then sent to Symantec to be scanned.
This type of facility is feeding an increasing appetite for ad hoc encryption, Wilkins noted. “Organizations don’t need to set up the mechanisms within their own environment. Even when confidential emails are being circulated within an organization, rather than setting up a TLS (transport layer security) connection, they can use cloud-based encryption.”
A key element in cloud-based encryption is the establishment of user-defined rules that will detect sensitive information within email content for automatic encryption.
“The solution has to recognize that as well,” Wilkins said. “It adds another layer of security and negates the risk of human error — which can never be underestimated.”
“It’s just easier to let users create content and have a system to come up with the right application,” Gartner’s Ouellet said.
“These newer solutions are getting easier and easier, and have been pretty solid. We’re seeing email gateways tacked onto a whole bunch of components like antivirus or antispam engines. It’s almost barnacle-like — but it performs well,” he remarked.
“Encryption is no longer a one-size-fits-all-technology,” added Echoworx’s Ginsberg. “This is where the industry has finally caught up with the world. A few years ago you didn’t know how to put it together, let alone use it. Now [users] can just ‘flick the switch’ to get encryption.”
Why would you encrypt just *sometimes* when you can encrypt ALL of it, ALL of the time?
The idea of scanning for keywords before encrypting is like a bank looking at your bank statements and saying "Hmmm, there are private purchases on here… better send this in an envelope rather than on a postcard."
There are complicated solutions (GPG, Enigmail) which require sender and recipient to exchange keys but there are also simple solutions (TrulyMail, PGP) which do it all for you (and some are even free). If you use one of the ‘refrigerator’ (your term) systems then you can just as easily encrypt all your messages rather than only some.
Encrypting some also tells hackers which ones to focus on. Encrypting all of them, especially with rotating keys, will keep away all but the most dedicated bad guys (and extremely large keys should stop them).
Like flipping a light switch, indeed, though so many users would rather be in the dark. The problem is that the safety of encryption isn’t exactly like the coldness of a fridge — you know your milk is definitely going to spoil if it’s left out, but you’re not quite sure what will happen to your private info if it’s transmitted unencrypted. SSL in particular is practically Greek to most people, and while it’s not totally crucial that everyone understand the tech ins and outs, they should at least understand what they risk by not using it. Granted, I work for VeriSign and have a different understanding of the dangers of unencrypted email than most, but I feel like anything less than default SSL (preferably Extended Validation SSL) on email and all cloud-based services is simply not enough protection. There shouldn’t even BE a light switch; the light should be automatically on in most rooms.