Demystifying email encryption


Mike Rothman
12.06.2006

Security consultants and value-added resellers (VARs) can use these five simple steps, courtesy of SearchSMB.com, to master the intricacies of email encryption and help customers increase email security.

Encryption is one of those technologies that has been around for thousands of years (since the days of Caesar, in fact), but is still very misunderstood.

Actually, you use encryption every day, since it's the underlying technology behind the Secure Sockets Layer and HTTPS protocols. But email encryption remains an enigma at most small and medium-sized businesses (SMBs) because it has been portrayed as a solution to every information security problem. So, let's take a step back and understand what email encryption can do for you.

First and foremost, one of the biggest issues SMBs face is ensuring they are adequately protecting intellectual property. By encrypting emails that contain corporate secrets, there is very little risk of competitors and the like intercepting messages and stealing data. Likewise, in an age where customers are understandably concerned about the protection of their private data, encrypting communications ensures that a customer's private data cannot be stolen from intercepted messages.

Both IP protection and privacy considerations fall into a large, yet amorphous bucket called compliance. Any business dealing with regulatory oversight, or even one that accepts credit cards (which are now subject to the Payment Card Industry standards), needs to be concerned with compliance. Email encryption is not a panacea for compliance, but having the ability to protect critical data is an important step in the process.

Why isn't email encryption more prevalent? In a nutshell, it's due to complexity. Historically, email encryption was very complex to implement and required a significant amount of communication, configuration and experimentation between trading partners to ensure a message encrypted by you could be decrypted by them.

Additionally, there was no way to force users to encrypt sensitive messages. IT administrators had to hope users understood how to encrypt the message and that they'd remember to do so when appropriate. Since hope is not a good strategy, most organizations didn't deploy.

But as with most technologies, email encryption has evolved and matured over the past few years. It's by no means easy, but it's also no longer cost-prohibitive for SMBs to start experimenting with the technology. The advent of service providers that will host key servers and email gateways that can automate the enforcement of policies has dramatically decreased the effort required to get an encrypted email system operating.

Here are five essential steps to encrypting email:

  1. What and why? The first step is to define what types of content need to be encrypted. You are best off working with your general counsel (or outside law firms) to ensure that all sensitive data is identified and a policy is created to document the need to protect that data. Content types typically encrypted include customer records, intellectual property, strategy documents, etc.

  2. Who and where? Next, it's important to determine which trading partners will participate. The short answer should be all of them. But in reality, many organizations phase in their approach because it's not as easy as flipping a switch and then encryption just happens. Determine if you are going to let users decide what gets encrypted (via desktop software) or whether you'll take a gateway approach that will scan each message automagically and determine if it is required to be protected by the policy.

  3. How? There are many different ways to skin this particular cat. You could encrypt messages at the desktop or store messages encrypted on a staging server for pickup via a Web-based email interface. You could also implement the encryption either on the email security gateway or on a separate purpose-built device. The architecture will depend on your scale and number of trading partners. You could have a service provider manage the key server or you can manage it yourself. Value-added resellers and the vendors themselves can certainly help make those decisions, once you've determined that encryption is something you should do.

  4. When? Rolling out encrypted email to all of your trading partners at the same time is not advisable. You need to figure out which partners should go first and start working out the details of the implementation with them. As you add more partners to the infrastructure, you'll nail down the process, but it's in your best interest to start slow and figure it out incrementally.

  5. Refine. Given the policy and compliance drivers for email encryption, any project should have a period where the focus is to refine the policies used to determine which emails are encrypted. This can involve tuning the dictionaries and heuristics and manually auditing a subset of the messages encrypted (and those that aren't) to ensure the policies are being enforced.
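The gateway approach described in steps 2, 3 and 5, a policy that scans each outbound message, decides whether it must be encrypted and records why so the decisions can be audited, as an added example that is not part of the original tip. The keyword dictionary, the card-number heuristic and the sample messages are all constructed here for illustration.

```python
import re
from email import message_from_string

# Constructed policy dictionary (this is what step 5 tunes): any of these
# terms in a message body means the gateway must encrypt it.
KEYWORD_DICTIONARY = ("confidential", "strategy document", "customer record")
# Heuristic for card numbers: 13-16 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits):
    """Luhn checksum: drops order numbers and other digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text):
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_PATTERN.finditer(text))
    return [d for d in candidates if luhn_ok(d)]

def body_text(msg):
    """Concatenate the text/plain parts; attachments and HTML parts are not scanned here."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def classify(raw_message):
    """Gateway decision: encrypt when any policy rule fires; the reasons feed the step-5 audit."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    reasons = [f"dictionary:{t}" for t in KEYWORD_DICTIONARY if t in body.lower()]
    pans = find_card_numbers(body)
    if pans:
        reasons.append(f"card-numbers:{len(pans)}")
    return {"subject": msg["Subject"], "encrypt": bool(reasons), "reasons": reasons}

# Constructed sample messages (not real customer data); the last one is a
# 16-digit order number that fails the Luhn check and so is left unencrypted.
SAMPLES = [
    "Subject: Q3 plan\n\nAttached is the strategy document. Treat as confidential.",
    "Subject: Card on file\n\nPlease charge 4111 1111 1111 1111 for the renewal.",
    "Subject: Lunch\n\nNoon at the usual place?",
    "Subject: Order status\n\nOrder 1234 5678 9012 3456 shipped today.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

Reviewing the messages that were not encrypted (the third and fourth samples) alongside the ones that were is the manual audit step 5 calls for.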

Ten years ago, it required an armada of consultants and big infrastructure to implement encrypted email. That is no longer the case, but it's still not a walk in the park. But with a diligent process and dedicated project team, email encryption can play a key role in your compliance efforts and can protect both your intellectual property and private customer data.

About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Reach him via email at mike.rothman@securityincite.com.

This tip originally appeared on SearchSMB.com.
