Secure Email: an Oxymoron?

By: Dan Bremner

Email security is on my mind today for a couple of reasons.

With my oldest daughter off to Marquette University in the fall, the "college fund" my wife and I have been saving into for years is no longer a deposit-only thing - we need to start tapping into it to pay tuition bills. So I've had to exchange some documents (via secure email) with my financial advisor to get accounts linked so we can transfer funds and make those tuition payments.

At the same time, as some of you know, we're in the process of rolling out a new email security platform to our Managed IT customers. While "email security" in this sense refers to spam and malware filtering, the "secure email" I want to talk about is email encryption, a newly available option with this platform. It lets us exchange information via email while keeping prying eyes from intercepting and reading the contents. Like those documents from my financial advisor that have my bank account information in them.

But I've Always Heard Email Is Insecure?

Isn't email inherently insecure? Well, yes, it is. Standards for email delivery don't require encryption, which means that as your message passes from one mail server to another on the way to your intended recipient, there's a good chance it's being passed around and stored in plain text. It also may end up in many different places, not all of them secure, such as a smartphone, iPad, or home PC.

Bottom line: Email is insecure today, just as it always has been. This is why we avoid sending important login credentials, or anything else important like credit card numbers, through email.

So How Do We Make Email Secure?

Over the years, many "email encryption" solutions have been introduced, incorporating technologies like S/MIME and PGP. Ease of use has been the biggest barrier to mass adoption. Not only were they cumbersome to use, but because you couldn't assume a recipient was even able to receive an encrypted message, these solutions never really took off in widespread use.

More recent solutions have emerged to simplify the process, and to comply with data security legislation, such as HIPAA, PCI-DSS, Sarbanes-Oxley, and the EU Data Protection Directive. To do so, they have approached the problem from a different angle. Essentially, since email is insecure, they take the sensitive data out of the email message. More on that in a moment.

It's worth noting that these newer solutions have different goals than previous "end-to-end" email encryption solutions. Whereas those solutions aimed to ensure only the individual sender and receiver could read the message, these solutions are more concerned with making sure the message remains under the control of your company (or designated service provider acting on behalf of the company), with access granted only to authorized viewers, because that’s the key to being compliant. If you think about how such information is handled in the non-computer world, this makes sense. Your medical information is not just given to your doctor, but also the nurses and other medical personnel who need access to it, just as multiple people at your bank have access to your bank account number and can look up your balance.

Email as a Notification Tool

These newer encryption solutions take advantage of several realities.
1. Email is great for notifying people when they have a message.
2. Everyone already knows how to use email.
3. Interacting with secure web pages, whether for e-commerce or online banking, is both simple and familiar for most users.

With our newly available encryption platform, when you have a secure message to send, the outbound mail server detects whether the message needs to be encrypted based on rules set up by your company. You could have a trigger like [secure] in the subject line that automatically creates a secure message, or it could scan the email content for something that looks like an SSN or credit card number and auto-create a secure message.

Rather than sending the message along, the platform removes the message content and stores it in a secure web-based messaging system. An email is sent to the recipient saying, “You have a secure message,” with a link to the secure web-based system. The recipient clicks on the link and creates an account (no cost). After logging in, they can read the message and any attachments. Subsequent messages to the same recipient will use that same account.
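The outbound rule check described above can be sketched as follows. This is an added example, not the platform's own code: the rule names, the regular expressions, and the functions `encryption_reasons`, `luhn_ok` and `make` are assumptions, and the sample messages are constructed. A Luhn checksum is added to the card-number rule so that ordinary long digit runs (order or tracking numbers) do not trigger a secure message.

```python
import re
from email.message import EmailMessage

# Assumed rule set; the platform's real rules are not given on the page.
SUBJECT_TAG = re.compile(r"\[secure\]", re.IGNORECASE)
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def encryption_reasons(msg: EmailMessage) -> list:
    """Return the rules that fired; an empty list means deliver normally."""
    reasons = []
    if SUBJECT_TAG.search(str(msg.get("Subject", ""))):
        reasons.append("subject-tag")
    body = msg.get_content()  # assumes a single plain-text part
    if SSN.search(body):
        reasons.append("ssn-pattern")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD.finditer(body)):
        reasons.append("card-number")
    return reasons


def make(subject: str, body: str) -> EmailMessage:
    """Build a constructed sample message (not real data)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    for m in (
        make("[SECURE] account forms", "Documents attached."),
        make("Tuition transfer", "SSN 123-45-6789, card 4111 1111 1111 1111"),
        make("Shipping", "Tracking number 1234567890123456"),
    ):
        print(m["Subject"], "->", encryption_reasons(m) or "send normally")
```
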

For many organizations that need to communicate sensitive data while remaining compliant with data privacy laws, a secure email solution could be just what the doctor ordered. Or banker, or lawyer…

