The business case for email encryption software

Email encryption is a valuable security tool for enterprises, but where and how should it be deployed? Expert Karen Scarfone outlines specific use cases for email encryption software.

Email encryption software is used by enterprises to automatically encrypt email messages and attachments that contain or are likely to contain sensitive information. So, for example, a business may choose to deploy email encryption when forwarding confidential personnel information to another organization, such as a payroll processor.

Because email messages and attachments do not have their confidentiality protected by default, email encryption software can protect them from eavesdropping as they transit the Internet. Optionally, organizations can also permit email encryption software to work at the client level, thus protecting emails from end to end (sender to recipient).

Virtually any organization can benefit from the use of email encryption software. Even small businesses often find that adding email encryption software to their email infrastructure is a relatively low-cost investment to help prevent data breaches, which -- by contrast -- can be extremely costly. Organizations also need to consider the alternatives, namely, email encryption based on public key infrastructure (PKI), which is generally considerably more expensive to implement (particularly to maintain). Plus, PKI-based encryption typically places a much larger burden on end users.

With PKI-based encryption, each user has to create a public and private key pair; the user is responsible for protecting the private key and for providing the public key to anyone who wants to send the user encrypted email. With email encryption software, by contrast, keys are automatically generated when needed and all key management is taken care of behind the scenes.

When it comes to deciding whether a business would truly benefit from email encryption software, the most important point to consider is where the organization is looking to protect emails -- between organizations, in emails sent to customers, in internal emails or in some combination of the three.

Protecting emails between organizations

The use case that email encryption software was originally designed to solve was protecting emails sent from one organization to another, such as between business partners. With older, PKI-based products, which are still in use today, the users involved in sending and receiving these emails have to trade public keys with each other before sending messages. This is usually inconvenient and often confusing for users.

As keys change over time, the users need to manually exchange keys again and replace the old keys with the new keys. Key rotation may also make it difficult or impossible to recover old encrypted email messages that were protected by an old key.

Current email encryption software products place all of this key management under the covers, so that users do not see it and do not need to know about it. This greatly increases the usability of email, because users no longer have to exchange keys with people from other organizations or maintain keys themselves. Instead, users simply send emails as they always have, and email encryption software set up as a gateway checks each email to see whether it should be encrypted using policy-based encryption. This refers to encryption that follows a set of policies, such as always encrypting email sent to a particular organization (payroll processors, for example) or always encrypting email containing Social Security numbers or other personally identifiable information.
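As an added illustration, not code from the article or from any product it describes, the following shows the kind of policy check a gateway applies to each outbound message: encrypt when a recipient's domain is on an always-encrypt list, or when the message or an attachment contains a Social Security number. The domain list, the SSN format rules and the assumption that attachment text has already been extracted are all constructed for this example.

```python
import re
from typing import Iterable, List, Tuple

# Constructed policy: recipient domains whose mail is always encrypted
# (a payroll processor, as in the article). Assumed value, not a real domain.
ALWAYS_ENCRYPT_DOMAINS = {"payroll-processor.example"}

# Dashed SSN form NNN-NN-NNNN, captured in its three parts for validation.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number patterns the SSA never issues, to cut false positives:
    area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def contains_pii(text: str) -> bool:
    """True if the text carries at least one plausible Social Security number."""
    return any(looks_like_ssn(*m.groups()) for m in SSN_RE.finditer(text))


def recipient_domain(address: str) -> str:
    """Domain part of an address, lower-cased so policy matching is case-insensitive."""
    return address.rsplit("@", 1)[-1].lower()


def encryption_decision(recipients: Iterable[str], subject: str, body: str,
                        attachment_texts: Iterable[str]) -> Tuple[bool, List[str]]:
    """Decide whether the gateway must encrypt this message.

    Returns (encrypt, reasons). attachment_texts is assumed to be the already
    extracted text of each attachment, as a real gateway would produce."""
    reasons: List[str] = []
    for addr in recipients:
        domain = recipient_domain(addr)
        if domain in ALWAYS_ENCRYPT_DOMAINS:
            reasons.append(f"recipient domain {domain} is on the always-encrypt list")
    content = "\n".join([subject, body, *attachment_texts])
    if contains_pii(content):
        reasons.append("message or attachment contains a Social Security number")
    return (bool(reasons), reasons)
```

A real gateway policy would add further PII patterns and checksum-validated identifiers (card numbers, account numbers), but the structure stays the same: every outbound message passes through the check and only the result, not the key handling, is visible to the sender.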

When a recipient from another organization receives an encrypted email, what the user actually receives is an email with a hyperlink to a website controlled by the sending organization (or a third party on behalf of the sending organization, typically the email encryption software vendor's cloud-based offering). The user follows the hyperlink and is presented with the contents of the encrypted email over an encrypted channel. No password, encryption key or other authentication is necessary.

With some email encryption products, the recipient can respond to the email through the same website interface, which then encrypts the response back to the sender's organization. With other email encryption products, the recipient or the recipient's organization is responsible for providing encryption for the reply. Unless the recipient's organization also has email encryption software deployed, it may not be feasible to encrypt the recipient's reply. Of course, the reply might not require protection if it doesn't involve sending back any sensitive information.

Protecting emails sent to customers

Another common use of email encryption software involves sending protected emails to an organization's customers. This allows an organization to send sensitive information to customers directly via email, rather than having to wait until customers log onto the organization's website to access confidential data. This ability to "push" sensitive information to customers can improve customer service, halt fraudulent activity more quickly, and otherwise benefit both the organization and the customer.

This use of email encryption software is similar to the situation described in the previous section involving the sending of emails between organizations, except that in this case the recipient is generally an individual person (i.e., a customer) and not necessarily a member of another organization. This end user may have no knowledge of email encryption and no technical resources to rely upon -- no help desk and no technical support agents. As a result, an email encryption software product used for emails sent to customers will need to be even easier to use than in the previous use case.

Consequently, it may also be necessary to provide an email encryption mechanism by which customers can reply to encrypted emails; in general, it should not be assumed that the customers have any sort of email encryption capability themselves.

Protecting internal emails

The use cases described above involve sending protected emails from an organization to an external entity -- another organization or an individual. This leaves an important gap: protecting emails sent to another individual or group within the organization.

Although many of the eavesdropping threats to email are Internet-based, there is also a substantial risk posed by compromised internal hosts, both server and client systems. For example, a desktop or laptop on the local network could become infected by malware, and the malware could reconfigure it to observe and capture copies of email messages passing unencrypted on the local network. A malicious insider, meanwhile, could do the same thing using commonly available diagnostic and troubleshooting tools. An example is an insider running a packet sniffer to capture and record email-related network traffic.

To provide stronger protection for these internal-only emails, an organization can deploy email encryption software capabilities to its endpoints -- the desktops, laptops and mobile devices used by its email senders and recipients. Typically, these products require end users to choose to encrypt each individual email, relying on their judgment to determine whether the material in the message is sensitive enough to merit encryption. The recipient, meanwhile, generally needs to be running the same email encryption software as the sender; that software can then automatically take care of decrypting the message for the recipient.

Some organizations have alternative products for protecting their internal email messages. For example, organizations may use SSL/TLS protocols to encrypt the traffic for email protocols such as SMTP, POP3, and IMAP. If configured correctly, this encryption can protect all email-related traffic between individual users and the centralized email server. Then email encryption software deployed at the gateway can still provide protection for externally bound emails between the centralized mail server and recipients' computers, according to policy.

Email encryption software can be deployed at the gateway level and/or the individual endpoint level to protect the confidentiality and integrity of email messages and attachments as they are transmitted from sender to receiver. This can prevent data breaches caused by sending unprotected sensitive information, such as financial records or medical records, over the Internet and unsecured local networks via email.

The technology protects email sent between business partners and other organizations, as well as messages sent from an organization to its customers. Email encryption software can also provide protection for internal emails, thereby thwarting insider threats and malware.

Deciding which form or forms of email encryption protection an organization needs for its emails is a valuable first step in evaluating potential email encryption software products. The next step, outlined in our next feature in this series, will be to examine the major criteria you can use when evaluating email encryption products for your organization.

This was last published in January 2015