Email encryption and email archiving: How can the two be combined? - TechGenix

Posted: 25 Sep 2019 05:32 AM PDT

Do you already know how email encryption works and which different encryption methods are available? And how to combine email encryption with an email archiving solution? In fact, is it actually possible to archive encrypted emails? If you have no answer to these questions yet, this blog post will help you understand the basics of email encryption and email archiving and show you how to archive encrypted emails. But let's start at the beginning.

Why do we use email encryption in the first place?

Emails travel from one server to the next on their way from sender to recipient. If they are not encrypted prior to sending, they are vulnerable to attack by third parties both en route and on the servers themselves. Crooks could intercept or even tamper with these emails, which is why it is advisable to encrypt sensitive data.

The financial or reputational loss resulting from an attack on personal or corporate data can be considerable; nor should the repercussions of violations of the GDPR be underestimated.

According to a Virtru study, significantly less than 50 percent of emails are client-side encrypted; many people regard encryption as simply too complex. We'll look at what is meant by "too complex" later on in this post.

Which parts of an email are actually encrypted?

Only the actual body of the email is encrypted: It is not possible to encrypt information such as the sender, recipient, destination, date of delivery, IP address, and subject line. Yet because even this data will often harbor internal and sensitive information, it is up to the respective company to decide whether email encryption actually makes sense and adds value.

Apropos: Transport Encryption

In order to keep an email's subject line and its content as secret as possible, and to provide a certain measure of protection against the unauthorized reading of unencrypted emails during transmission, SSL/TLS encryption at transport level should ideally always be used. In fact, this approach is already much more widely used than email encryption itself. Another reason for the more widespread use of transport encryption is the EU's GDPR that entered into force at the end of May 2018. Professional software solutions, such as MailStore Server for email archiving, attach great importance to transport encryption.

After this brief introduction to the subject of email encryption, we want to explain why an email archiving solution really should form part of your overall data governance strategy.

Why do we use email archiving in the first place?

Every day, a wealth of information, including invoices, contracts, and other business-critical content, is sent around the globe in the form of emails. With an email archiving solution in place, emails can be stored on a long-term basis and their contents remain unchanged. Email archiving primarily serves the purpose of making data retrievable and available for a longer period of time. In addition, it serves to prevent data loss and to provide documentation.

This is why a professional email archiving solution should be a significant component of your data governance strategy.

But how do you archive something that's encrypted?

As a general principle, emails are archived in the form in which they enter the archive, so encrypted emails remain encrypted even during archiving and cannot be read by users, e.g. when conducting an archive search. In order to combine email encryption with an email archiving solution in a purposeful way, it is important to compare the different encryption methods and consider the disadvantages in each case, which we will examine again at a later stage.

Client-based or server-based encryption?

Encryption and decryption can take place either on the clients – known as conventional client-based (or end-to-end) encryption – or on the email server or an email gateway (generally a firewall), in which case it is server-based:

  • With client-based encryption, only the sender and recipient are able to read the emails. The data is encrypted on the sender's system, so that only the intended recipient can decrypt and read the messages, which cannot be read or tampered with by third parties.
  • With server-based encryption, the emails are encrypted on the email server or an email gateway when leaving or arriving at the company. The user is no longer involved in the actual encryption process per se, and is unaware of it when sending and receiving emails.

Apropos: Asymmetric Encryption

The most common email encryption processes, S/MIME and PGP, always use asymmetric encryption. This type of encryption was developed in the early 1980s and comprises pairs of keys. The public key used to encrypt messages may be disseminated widely, while the private key used exclusively to decrypt the information is known only to the recipient and is generally also password protected.

Incidentally, the same keys are used for digital signatures. In this case, the private key is used to sign the email and the public key to verify the signature.

Disadvantages of the two encryption methods

In order to settle the issue of which type of encryption is better suited to email archiving, we need to look at the disadvantages of the two processes in more detail, as both client-based and server-based encryption are feasible:

Disadvantages of client-based encryption:

  • Introducing this type of encryption system can be extremely complex and entail high administrative costs (e.g. for training all users).
  • A great deal of time and effort may be spent on resolving recurrent user IT administration issues, for instance in relation to signature error messages, key handling, or expired certificates.
  • There is no comprehensive SPAM or virus protection, as encrypted emails cannot be vetted and can, therefore, constitute a security risk when they enter the corporate environment unchecked.
  • Either the user keys must be stored at a central location or every email has to be additionally (doubly) encrypted with a main key.
  • There is no enterprise-wide, robust security system, as each individual user can decide how strictly he or she complies with corporate policies on encrypting confidential information. Users may simply forget the encryption process altogether, leading to emails being sent in unencrypted form.
  • Another risk factor for the company is that a lost encryption key cannot be restored. This may give rise to legal risks with respect to emails, as the loss of a key could prevent some archived emails from being examined.
  • The forwarding of emails could also prove problematic if this compromises the integrity of the encrypted part of the message.
  • The fact that the emails are backed up and archived in encrypted form might contravene statutory regulations due, among other things, to their restricted readability. Nor would it be possible to search for the content of an encrypted email in the archive.
  • If a user is absent due to vacation or illness, has left the company in the meantime, or if a new private key has been generated for any reason, the content of an archived email can no longer be accessed.
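As an added example (not code from the article or from MailStore), the archiving problem from the list above in Go: a message whose content key is wrapped only for the recipient stays unreadable to the archive, whereas wrapping that key additionally for an archive main key keeps the message indexable even after the user's own key is lost or regenerated. The layout mirrors, in simplified form, how S/MIME's CMS envelope wraps one content key per recipient; the reader names alice and archive and the sample body are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a simplified form of the S/MIME (CMS EnvelopedData) layout: the body
// is encrypted once with a random content key, which is then wrapped per reader.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // reader name -> content key wrapped with RSA-OAEP
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body with a fresh AES-256-GCM key and wraps that key for every
// public key in readers. Listing the archive's main key here is the article's
// "additionally (doubly) encrypted with a main key" option.
func Seal(body []byte, readers map[string]*rsa.PublicKey) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil), WrappedKeys: map[string][]byte{}}
	for name, pub := range readers {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = wrapped
	}
	return env, nil
}

// Open recovers the body with one named reader's private key. A reader without a
// wrapped key (the archive of a client-only encrypted mail) or whose key no longer
// matches (a user's regenerated key pair) gets an error instead of plaintext.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no wrapped content key for " + name)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Constructed sample keys and body; real S/MIME keys come from certificates.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	archive, _ := rsa.GenerateKey(rand.Reader, 2048)
	body := []byte("Invoice 4711: contract attached.")
	// Wrapped for Alice alone: the archive holds ciphertext it cannot index.
	clientOnly, _ := Seal(body, map[string]*rsa.PublicKey{"alice": &alice.PublicKey})
	_, err := Open(clientOnly, "archive", archive)
	fmt.Println("archive, client-only mail:", err)
	// Also wrapped for the archive's main key: indexable even if Alice loses her key.
	both, _ := Seal(body, map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "archive": &archive.PublicKey})
	plain, _ := Open(both, "archive", archive)
	fmt.Printf("archive, doubly wrapped mail: %s\n", plain)
}
```

Because the content key is authenticated-encrypted (GCM), any alteration of the archived ciphertext is also detected at Open time, which is the unchanged-contents guarantee the archive needs.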

Disadvantages of server-based encryption:

  • There may be the risk of a man-in-the-middle (MITM) attack. However, it is easy to minimize the risk of a successful attack of this nature via the additional use of transport encryption between client and server.
  • This requires an appropriate infrastructure or the use of a service provider.

Our conclusion

Despite several disadvantages, email encryption is useful and necessary for certain types of company. However, client-based encryption can entail a number of complications, for example when it comes to email archiving. We, therefore, recommend the use of server-based email encryption.

To sum up, server-based encryption offers the following key advantages:

  • A spam and virus check can be performed before the email enters the corporate environment.
  • This solution allows archiving and indexing in the email archive, for example with the email archiving solution MailStore Server.
  • All users can access emails in unencrypted form.
  • The user is not directly involved in either the encryption or the decryption process, thereby ensuring that the data remains secure.

Sponsored by MailStore Software

Images: Shutterstock

How to Send Encrypted Email on 3 Major Email Platforms - Hashed Out by The SSL Store™

Posted: 03 Jun 2019 12:00 AM PDT

Your step-by-step guide to sending encrypted email via Gmail, Outlook, and Mac Mail

News of cyber attacks and data breaches is continually making headlines. Sometimes, these breaches are the result of phishing attacks and poor employee email practices — other times, they occur because sensitive information is left unprotected, is sent via insecure channels, or businesses fail to meet regulatory cyber security requirements. This is why upping your email security protections is vital to the safety and success of your company and customers.

Choosing the best way to accomplish this goal can be challenging. Of course, you can (and should) provide cyber security awareness training to your employees to teach them how to follow email security best practices (using strong passwords, not sending sensitive business or customer data over insecure channels, etc.). But that's only one piece of the puzzle — employee training shouldn't be your only solution.

Beyond this approach, the next best way to help protect your sensitive data is to use email encryption and identity verification methods such as digital signing certificates. After all, every unencrypted email you send with sensitive information (personal information, financial data, product specs, etc.) is vulnerable and, therefore, leaves your business and customers at risk.

Not sure how to secure email with digital signing certificates so your messages can't be read by unintended third parties? No worries. We'll break down the process for how email signing and encryption certificates work and how you and your organization can send encrypted email communications using them on different email platforms.

Let's hash it out.

How to Secure Email Using S/MIME Email Encryption Certificates

Depending on your country and industry — such as finance, retail, eCommerce, or healthcare — you may have stringent requirements to meet concerning data protection. In many cases, you'll need to use encrypted emails to meet these requirements. (In the case of HIPAA, though, they're "administrative safeguards.") Staying compliant not only helps you protect your business, but it also helps you avoid costly fines and lawsuits stemming from noncompliance.

Companies use different methods for encrypting their emails — transport layer security (TLS), Pretty Good Privacy (PGP), third-party email clients such as ProtonMail, third-party and native web browser and email client plugins and extensions, etc. Each of these methods has pros and cons associated with it:

  • TLS encrypts the channel but not the message. Once the message arrives in the recipient's inbox, it's unencrypted and unprotected!
  • PGP is clunky and cumbersome and, historically, has had implementation issues that led to security vulnerabilities.
  • Encrypted email services such as ProtonMail offer end-to-end encryption but require both the user and the recipient to use the email addresses provided by the service (e.g., @protonmail.com), which can make it impractical for a lot of businesses.

Another popular email encryption method is the use of S/MIME certificates (S/MIME stands for secure/multipurpose internet mail extensions). These certificates:

  • Use cryptography to protect your emails from access by unintended third parties.
  • Digitally sign the emails to validate the identity of the sender.

S/MIME certificates are used to encrypt emails before they are sent to a mail server or across the internet where hackers and malicious users can read them.

Is S/MIME perfect? No. The downside of S/MIME is that to use it, an S/MIME certificate first needs to be installed to your individual computer or device's email client. In the past, this was done manually. However, using a zero-touch S/MIME solution to automate the issuance and deployment of S/MIME certificates makes the process of managing multiple (or hundreds) of these digital certificates for your business simple. This solution also helps you to ensure that your certificates are renewed before their expiry date.  

How S/MIME Works

We've previously discussed what S/MIME is and how it works at length, so we won't go into depth about that here. But here's a quick recap to refresh your memory: SSL or TLS provides server-to-server encryption, which protects your email while it's in transit. S/MIME, on the other hand, uses asymmetric encryption to protect your email data both in transit and when it's at rest. Basically, you use a public key to encrypt the email data and your recipient uses a matching private key to decrypt it.

Note: For S/MIME encryption to work, both you (the sender) and your intended recipient need to have encryption enabled, and you need to have the recipient's public key to encrypt your messages so only they can decrypt them. A simple way to ensure that you and your recipient have the matching public/private keys is to send each other a signed certificate email prior to sending them an encrypted email. This way you'll each have the other's public key for encrypting emails.

Essentially, the difference between using SSL email encryption and sending an encrypted email is the difference between securing your channel (data in transit) and protecting the message itself (data at rest). Let's consider the following example:

  • Protecting data in transit is like speaking normally (sending a plaintext communication) over a secure/encrypted phone line. This is great to keep man-in-the-middle (MitM) attackers out of the communication channel. But what if someone has infiltrated your office and is hiding in the cubicle next to yours?
  • Protecting data at rest, on the other hand, is like speaking in code over an unencrypted/non-secure phone line. This secures and encrypts your message so that even if an attacker breaks into your office, they can't decrypt your message because they lack your intended recipient's private key.

Using email encryption ensures that the message and attachments of your email are protected before they are ever sent to a mail server and will remain secure/encrypted until your recipient with the private key accesses it. So, rather than only protecting the communication channel, you're protecting the message itself.

Step by Step: How to Send Encrypted Email on Three Mail Clients

Regardless of which email client or platform you use, the first step to using S/MIME entails getting an email encryption certificate, which you can do by purchasing one directly from a certificate authority (CA) or a reputable reseller. The next step is installing the certificate on your email client/platform.

Seeing as how S/MIME certificates are kind of what we do — along with providing other digital security solutions such as SSL certificates, PKI management platforms, etc. — we've already written articles on how to install these certificates on Outlook for Mac and Windows systems. For explicit directions on how to install these certificates, check out these Apple- and Windows-focused articles.

Assuming that you already have these certificates installed, we'll move on to our step-by-step directions for how to send encrypted email in the following three mail clients: Google Suite, Outlook 2016, and Mac Mail.

How to Send an Encrypted Email in Gmail

Although Google promised end-to-end email encryption for users on their Gmail platform nearly five years ago, the internet giant has yet to follow through on their word. For a period, G Suite was selling and supporting Zix's G Suite Mail Encryption (GAME) as its own form of email encryption. However, since April 30, 2018, Google no longer sells or supports the service. The good news? Businesses using G Suite can use S/MIME. The catch? It's hosted S/MIME, which means that Google hosts clients' S/MIME certificates on its servers.

Google's Gmail email services offer Basic, Business, and Enterprise. The company's site shows that all three use TLS server-to-server encryption. However, only the Enterprise level users (G Suite Enterprise and G Suite Enterprise for Education users) can take advantage of hosted S/MIME encryption. 

You'll need to enable S/MIME in Google Admin console for G Suite and upload your certificate to Google's server. Once this is done, you can encrypt and digitally sign your outgoing emails in Google Suite (Enterprise or Education) by doing the following:

  1. Create a new email and write out your message, add attachments, add a recipient, etc.
  2. In the top-right corner of your screen (next to CC and BCC), click the padlock icon.
  3. Click View Details to see whether your recipient has encryption enabled or to change your S/MIME settings.
  4. Select Settings.
  5. Click Enhanced Encryption (with digital signature) and select Ok.
  6. Hit Send.

How to Send an Encrypted Email in Outlook 2016

Encrypting an email — or all outgoing messages — is a pretty straightforward process in Outlook. Once you've installed your certificate, there's really nothing to it.

To encrypt an outgoing email in Outlook 2016:

  1. Create a new email and write out your message, add attachments, etc.
  2. Select the Options tab.
  3. Select the dropdown for Encrypt from the menu.
  4. Click Encrypt with S/MIME.
  5. Add your recipient's name and a subject line to those corresponding fields.
  6. Hit Send.

… And that's it. It's really that simple.

Mac Mail Encryption: How to Send Encrypted Email in Mac Mail

Don't worry, Apple users — we haven't forgotten about you. The great news for Apple users who wish to increase their email security is that Apple Mail supports S/MIME right out of the box. This means that when you purchase and install an S/MIME certificate, you don't have to jump through a bunch of hoops to use it. They really make it easy.

Once you upload the certificate to your computer's key store, Mac Mail sets up the cert automatically for digital signing and the option for encryption. There is no required configuration outside of the keychain access utility. You can simply click to activate/deactivate signing and encryption. Again, the user would need to have the recipient's public key to encrypt to a (or many) recipients.

What this means is that to send an encrypted and digitally signed email using Apple Mail:

  1. Open Apple Mail and create a new email.
  2. To the right of the subject field, select the padlock icon.
  3. To digitally sign your email, select the checkmark next to it to encrypt the message.   
  4. Create the content of your email and upload any attachments.
  5. Hit Send.

It doesn't get much easier than that.

Final Thoughts

Email signing and encryption are a must for businesses in a digital world. Every day, major companies are making headlines by falling prey to phishing scams — and small businesses aren't safe from these attacks, either. We can honestly say that we don't want to see your business as one of the next related headlines.

Are you not seeing these options for your email client? That may be because you need to purchase and install an S/MIME certificate. Without it, you won't be able to gain access to the email signing and encryption capabilities we discussed in this article. Whether you're a small or midsize business (SMB) or a large corporation, our team can help you find the right certificate to meet your needs. Hit us up with any questions or to learn more.

Have insights or questions about this topic? Feel free to share them below.

Barr says the US needs encryption backdoors to prevent "going dark." Um, what? - Stock News Brief

Posted: 23 Sep 2019 04:00 PM PDT

US Attorney General William Barr speaks at the International Conference on Cyber Security at Fordham University School of Law on July 23, 2019 in New York City. In his remarks, Barr stated that increased encryption of data on phones and encrypted messaging apps puts American security at risk. Barr encouraged technology companies to provide law enforcement with access to encrypted data during certain criminal investigations. (Photo: Drew Angerer/Getty Images)

On July 23, in a keynote address at the , US Attorney General William Barr took up a banner that the Justice Department and Federal Bureau of Investigation have : the call for what former FBI director James Comey had referred to as a "golden key."

Citing the threat posed by violent criminals using encryption to hide their activities from law enforcement, Barr said that information security "should not come at the expense of making us more vulnerable in the real world." He claimed that this is what is happening today.

"Service providers, device manufacturers, and application developers are developing and deploying encryption that can only be decrypted by the end user or customer, and they are refusing to provide technology that allows for lawful access by law enforcement agencies in appropriate circumstances," Barr proclaimed.

And this, he said, was making it increasingly difficult for law enforcement to surveil criminal activity. This blind spot was also allowing criminals to make their information and communications "warrant proof… extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes," and allowing "criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy."

In other words, the lawful surveillance capabilities of the government are "going dark," according to AG Barr.

"The net effect is to reduce the overall security of society," he continued. "I am here today to tell you that, as we use encryption to improve cybersecurity, we must ensure that we retain society's ability to gain lawful access to data and communications when needed to respond to criminal activity." AG Barr closed by saying that US citizens should accept encryption backdoors because backdoors are essential to our security.

In response, Gen. Michael Hayden, former director of the National Security Agency, said, "Not really."

Regardless of the accuracy of Barr's claims, encryption is certainly far more prevalent than it was even five years ago—back when Edward Snowden gave the world a look at the workings of US intelligence agencies' digital surveillance capabilities. For better or worse, Snowden's data dump continues to shake up not just the world's view of communication privacy—it upended the world's view of information security in general.

. But his revelations had wide-ranging effects on the tech industry and on the development of Internet and security standards. While Snowden opened up a dialogue about intelligence policy, "some of the most significant reforms were technical, not legal."

That's according to Ben Wizner of the American Civil Liberties Union, who has acted as Snowden's attorney. "The proliferation of encryption was rapidly accelerated," he says. "And the Internet is more secure today than it was in 2013. Technology companies realized that they had been operating under the wrong threat model."

After Snowden, Internet and technology firms could no longer ignore the threat posed by state-funded actors to their customers, said Mark Rumold, senior staff attorney at the Electronic Frontier Foundation (EFF). He went on:

Companies recognized guarding against state surveillance is a bottom line issue for them… It is a question of financial interest to these companies to be able to convince their users that their data is secure with them, so we saw a lot of companies take steps to roll out encryption in various ways and I think that there's no question that this enhances security and privacy.

Just how much those steps have hindered legal surveillance and investigation—attempts by law enforcement and intelligence agencies operating under the authority of a court-approved warrant—is in dispute. As information security professional Robert Graham pointed out in , there is no evidence of a surge in crime corresponding to the use of encryption. Such claims, he says, are "based on emotional anecdotes rather than statistics."

Even allegedly hard data presented by the government . In December 2017, FBI Director Christopher Wray claimed in Congressional testimony that, in the 2017 fiscal year, the bureau "was unable to access the content of approximately 7,800 mobile devices" using available tools. Wray made this proclamation a year after the government's in the wake of the tragedy in San Bernardino, California. But that figure was vastly larger than the 880 devices the FBI had cited a year before, and a Washington Post investigation found that the number of inaccessible devices in 2017 was actually about 1,200 according to an FBI internal estimate.

So, is surveillance really "going dark"? Or is this, as Graham suggested, "a Golden Age of Surveillance" where even more privacy is required? Joseph Lorenzo Hall, Chief Technologist at the Center for Democracy and Technology (CDT), leans toward the latter.

"The FBI says they're 'going dark'," Hall told Ars. "Well yeah, because they've been staring at the sun."

Fixing overexposure

Like this prison in Cuba, the NSA has turned the Internet into a place where the watchmen can see all and exploit the shoddy privacy of Internet services prior to Snowden.

Much of the Internet has become more secure over the past five years. The Snowden revelations may not have directly caused the rise of secure Web protocols, but they sure helped motivate protocol development. While the threat of a "global observer" on the Internet had been theorized before Snowden, his evidence of that sort of capability immediately triggered a response from the technical community.

"The engineering community took the succession of Snowden revelations really seriously," Hall told Ars. Just 11 months after the first of the leaks, the Internet Engineering Task Force put out , "stating that pervasive monitoring is an attack," Hall noted.

To be fair, the Internet in 2014 had practically nowhere to go but up in terms of protecting privacy. Almost all of the fundamental building blocks of the Internet were, at the time, "almost completely insecure" since their creation, Hall explained. That's "because we were experimenting with them. And now we're retroactively having to go back and put security back on."

That shift in perception of the threat of mass surveillance was followed by significant improvements in securing Web traffic. That included much more security-focused operations at major Internet service providers. Two particular changes were accelerated by the Snowden revelations: adoption of secure HTTP (HTTPS) and TLS encryption by major Internet services, and the development of Transport Layer Security (TLS) 1.3.

HTTPS has had the biggest effect so far, and the changes in TLS will further close the door on surveillance. In 2013, less than 30% of Web traffic was encrypted, and less than 10% of websites supported secure connections. By 2017, more than half of the Web supported HTTPS, and today over 70% of Web traffic is encrypted, based on data from and . As of April 2019, 91% of webpages visited by US users were secured. Internationally, about 85% of webpages visited were encrypted.

Adoption of encryption for email traffic—both between client and server and from provider to provider—also grew dramatically as a direct result of the Snowden revelations. In early 2014, only about a quarter of the email traffic between Google and other providers was encrypted. Now, it's over 75%.

The adoption of encryption has had major implications for both the intelligence community and law enforcement, at least in terms of "traditional" Internet traffic. Much of the metadata we examined in that was usable for surveillance by the NSA's XKeyscore system has become much less accessible. We re-staged the tests recently, using ourselves as the victim. Many of the identifiers and other content we were able to pick out of passive traffic collection in 2014 have been dramatically reduced. That isn't to say that they're gone—they're just concealed within encrypted HTTPS and TLS traffic now, at least for standard Web and email traffic.

This practical consideration may be directly responsible for (searching the contents of traffic for communications that mentions specific keywords or identifiers for persons of interest). But there are still other ways to gather surveillance data from Internet traffic that won't be going dark anytime soon.

Listing image by Markus Gann / EyeEm via Getty Images
