The importance of email encryption software in the enterprise
Expert Karen Scarfone explains how email encryption software protects messages and attachments from malfeasance.
Email encryption software products are a specialized security technology for protecting the confidentiality and integrity of email messages and attachments while in transit or in storage. Although the technology has been around for decades, the tools available have made the usability of email encryption better than ever before.
Email encryption software attempts to thwart risks posed by network eavesdroppers. By default, email is generally unprotected by protocols such as SSL/TLS, and it is transmitted in plain text across local networks and the Internet. As a result, the contents of email messages, as well as their attachments, can be intercepted and read by an attacker en route between sender and recipient (to say nothing of archived email stored on a server). This creates obvious problems when sensitive data is sent via email, even just between two users within the same organization. All it takes is for one host to be infected with malware to allow for the interception of email messages and the exfiltration of sensitive information.
In response to these risks, organizations deploy email encryption software to encrypt every sensitive email message and attachment (and in some cases, every single email, period) before sending them. The recipient is then responsible for decrypting the messages and attachments.
Historically, email encryption has been difficult for end users to perform, both for the initial encryption and the subsequent decryption. Cryptographic key management has also been quite a challenge. Consequently, email encryption software products arose out of the need to make these processes easier for people to perform -- with encryption ideally accomplished (mostly or wholly) behind the scenes -- and the need to minimize user training requirements.
There are several forms of services and products that involve email encryption in some way, so let's clarify which forms are out of scope for this article:
- Web-based encryption email services such as Sendinc and JumbleMe
- Secure email hosting services, including Hushmail, Countermail and Neomailbox
- Email encryption features built into email clients
This article only covers email encryption software products that work within the context of an enterprise's existing email system instead of replacing it.
The architecture of email encryption software
There is no standard architecture for email encryption products. Most commonly, though, the heart of the product is gateway software that enforces policy-based encryption. Policy-based encryption means an organization implements a series of policies related to which emails should be encrypted under what circumstances -- for example, automatically encrypting any outgoing email that contains sensitive personally identifiable information (PII) or any outgoing message sent by a user in a particular group.
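As an added illustration of the policy-based decision a gateway makes (not code from any product the article describes), the following assumes two constructed rules: encrypt when the subject, body or an attachment carries PII (a US SSN pattern or a Luhn-valid card number), or when the sender belongs to a designated group. Group names, members and patterns are assumptions for the example.

```python
import re

# Constructed policy data (assumptions, not from any real deployment).
SENSITIVE_GROUPS = {"finance", "hr"}
GROUP_MEMBERS = {"finance": {"alice@example.com"}, "hr": {"bob@example.com"}}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum: filters out random 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pii(text):
    """Return the kinds of PII found in one piece of text."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("card")
            break
    return hits


def sender_groups(sender):
    return {g for g, members in GROUP_MEMBERS.items() if sender in members}


def encryption_decision(sender, subject, body, attachments_text):
    """Gateway decision: (encrypt?, reasons). Attachments are scanned as well,
    since they travel in the clear alongside the body."""
    reasons = []
    for text in [subject, body, *attachments_text]:
        for kind in contains_pii(text):
            if "pii:" + kind not in reasons:
                reasons.append("pii:" + kind)
    for g in sorted(sender_groups(sender) & SENSITIVE_GROUPS):
        reasons.append("group:" + g)
    return (bool(reasons), reasons)
```

The reasons list is what a gateway would log alongside the encrypt/pass decision, which is the audit trail you want when tuning such policies.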
Some products provide an email encryption client to be installed on sending users' desktops, laptops and mobile devices. This client may use policy-based encryption, it may allow users to choose which emails are encrypted, or it may do both (forcing some emails to be encrypted and optionally encrypting others per user request). The client can also provide protection for email starting with the endpoint, instead of starting with the email gateway, therefore thwarting threats on the client's own local networks.
Generally, however, there is no need for a client to be installed on the recipients' systems; rather, there is a Web-based interface available for decrypting and reading encrypted email messages. Sometimes this Web-based interface is hosted by the sending organization; other times it is a cloud-based service offered by the email encryption software vendor.
Environments suitable for email encryption
Email encryption software is generally intended for environments that host their own email services. So organizations that outsource their email -- such as many small businesses -- probably cannot utilize the type of email encryption software profiled in this article. Such organizations should contact their email service provider to see what encryption options it supports, if any.
Any organization that hosts its own email services will likely benefit from email encryption software. Virtually every enterprise transmits sensitive data via email at times, even if only accidentally. These accidental disclosures can result in data breaches, costing a company much more than an email encryption software solution would have cost in the first place.
Organizations that are subject to compliance initiatives, such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA), will very likely need an email encryption software solution because of the strong requirements by these standards to protect sensitive data.
The costs of email encryption software
One of the reasons why email encryption software has become popular is that it is often less expensive to adopt and deploy than alternative products. For example, email encryption software generally doesn't require a public key infrastructure (PKI) to be set up for the organization. Setting up and maintaining a PKI can be extremely costly.
Also, because email encryption software primarily functions behind the scenes, user training is often not necessary. If client-side encryption is to be performed, however, minimal training of about 15 to 30 minutes may be required.
The primary hard cost for email encryption software is the software licensing itself, typically charged per user (email account), plus software maintenance costs. If client-side encryption is desired, then there are soft costs involved in installing the client software on all the necessary desktops and laptops.
Then there are all the standard soft costs, such as maintaining the email encryption software itself and providing technical support for users. Keep in mind, these costs are expected to be much lower than they would be with a PKI-based solution, however.
The intent of email encryption software is to protect email messages and attachments sent over untrusted networks, such as the Internet, so that eavesdroppers can't gain access to messages or alter their contents. Email encryption software strives to be invisible to senders and highly usable to recipients. Most products work by encrypting outbound emails automatically at the email gateway, and sending the recipient an email with a URL to follow to retrieve, decrypt and read the actual encrypted email.
Unlike older generations of email encryption products, which required senders and recipients to manually exchange encryption keys, current email encryption software handles all the key management functions behind the scenes, removing a huge obstacle for widespread adoption of the technology. Finally, there is a way for an organization to asynchronously send sensitive data to its customers, business partners and others in a protected manner.
Email encryption should be on the radar of most enterprises today.