No one questions that email is universally adopted. It is in the mainstream. And despite the huge advantages of personal and corporate productivity, the open nature of the internet has made email vulnerable to interception and even alteration by malicious parties. As the risks to the privacy and security of email messaging have grown, so have efforts to protect it.
Initial efforts to encrypt email were driven by the need for the government to better protect highly sensitive government communications. Encryption involves highly complex mathematical algorithms that scramble messages before they are sent over the internet, and then unscramble them once they are delivered to the recipient.In addition to securing communications of all kinds, there are additional requirements that are driving the need for encryption:
- To satisfy regulations and laws concerning privacy and identity theft
- To meet the demands of clients, business partners, and consumers to reduce the risk of lost or stolen information
Ensuring Regulation and Compliance
In regulated industries such as healthcare and financial services, companies are required by law to protect messages that contain sensitive information, such as patient records or personal financial data.
In the U.S., the Health Insurance Portability and Accountability Act (HIPAA), mandates that personally identifiable patient data must travel through secure channels. The Graham-Leach-Bliley Act requires that confidential information must be sent securely. Likewise, Canada and Europe have similar and, in some cases, more stringent regulations for transmitting data. The U.K. for example, has the "Data Protection Act" and the "Companies Act" designed to protect personal information, as well as "EC Directive 95/46" indicating personal data should be handled with appropriate care. There is no shortage of regulations, and they continue to grow and become more complex.
Ensuring Security and Trust
Beyond regulatory mandates, businesses have become more aware of consumer fears and concerns about the privacy and confidentiality of their data transmitted over the internet. And, as business relationships and partnerships are increasingly linked over the internet, securing those partner communications has become a basic requirement for many corporations.
What about TLS? Doesn't That Solve the Encryption Challenge?
Transport Layer Security (TLS), an Internet Engineering Task Force (IETF) sponsored-protocol, was first introduced in 1999 as a practical and affordable method to encrypt and thus secure email transmission over the public internet. TLS is the open-standard successor to Secure Socket Layer (SSL), the proven protocol that secures e-commerce transactions across the web. TLS's application independence allows application or higher-level protocol developers to choose the best way to initiate TLS "handshaking" and interpret authentication. As a result, TLS has been widely adopted; virtually all of today's email servers, or message transfer agents (MTAs) have TLS support built in. That means using TLS typically requires simply turning on the feature in an existing mail server at no additional cost. TLS encryption is "gateway to gateway" and doesn't require end-user involvement. Another important advantage of TLS is that it is compatible with message filtering. Encrypted messages that can't be examined by a company's spam and virus filters obviously pose a serious risk. Just because an email has been encrypted does not necessarily mean it is safe, or should be excluded from screening. TLS avoids this security gap by encrypting and decrypting at the edge of the enterprise network.
Beyond TLS: The Next Generation in Email Encryption
As useful as it is, TLS does has some limitations.
Follow-through: If the sending MTA cannot establish a secure connection with the receiving MTA, TLS downgrades the connection to plaintext (unsecured). This "best effort" approach is not suitable for environments where message security is a top priority or is required by law or industry regulation.
This limitation can be resolved by enhancing TLS to not downgrade to plaintext if the secure connection cannot be established. This enhancement protects mail from being transmitted over the internet unencrypted.
Flexibility: Many organizations wish to extend the value and security of encryption with all types of email recipients, not just with those who mutually support and accept the TLS protocol, such as outside individuals who do not have access to secure mail servers. The issue can be overcome by augmenting TLS with a message-based encryption solution which enables encrypted emails to be delivered to any and all recipients.
As a result, most organizations today are seeking more flexible, email encryption solutions that allow them to:
- Establish secure connections with trusted recipients on an ongoing basis with established TLS encryption servers, and/or
- Encrypt email for specific recipients on an as-needed basis, working with many types of authentication and proprietary systems, and
- Regardless of approach, centrally manage encryption based on company policies and regulatory mandates that govern the privacy of communications over the internet.
Using the above capabilities, companies can extend their compliance, security and productivity policies to all aspects of their business that involve messaging. When securing messaging, companies need to look to solutions that minimize their risk and allow them to communicate with any and all recipients. Solutions need to provide enforcement of company information security policies and flexibility to not slow down business.
- Scott Petry is founder, CTO and executive vice president of product development for Postini.