Email Encryption: Securing Client Confidentiality in Email
Posted by Matt Sidman at March 20th, 2017
For a printer-friendly version, click here for the PDF: Email Encryption: Securing Client Confidentiality in Email
Email is King
With many methods of electronic communication available, email is still king. In 2017, email remains as the preferred communication tool for small and medium sized businesses (SMB) for marketing, customer interaction, and intra-office communication over faxing, voicemail, texting, and other social media messaging.
The Radicati report, “Email Statistics Report, 2017-2021,” estimates that people send 269 billion emails daily, and projects this number to mushroom to 320 billion by 2021. Further, the average office worker sends or receives 121 emails per day.
Confidential Information in Email
SMBs depend primarily on email to send and receive information and documentation that is critical to business operation and customer service. Most emails are considered to contain some level of critical or confidential information, which places every SMB and its customers at risk.
A data breach is considered any event in which an individual’s name plus other personally identifiable information (PII) – such as SSN, medical record, financial record or ID – is put at risk, either in paper or electronic format.
In 2014, Google estimated that between 40 and 50 percent of all emails sent and received between Gmail and other email providers is unencrypted. Subject lines, sender and recipient addresses, message bodies, and attachments are sent “in the clear” in normal email transmission. More clearly stated, any packet reader, server admin, or technology professional can access and read the information if they know what they are looking for. Personally Identifiable information (PII) – such as SSN, medical record, financial record or ID – sent in the clear is considered a breach event.
The Life of an Email Message
When you send an email message, it travels through several stages, being handed off from computers, programs, and servers on its way to the recipient.
Your email originates at the client, which is simply a fancy name for the program or device you use to create the message. The mail app on an iPhone, Microsoft Outlook, and the Gmail website in your web browser are all considered email clients.
The client connects to the sender service – such as Gmail, Exchange, Yahoo, AOL – to show incoming messages in your Inbox, and send your outgoing email. The connection between the client and the service is usually secured through encryption. For example, the connection between Outlook and an Exchange (or Office 365) server is encrypted, and most web-based email services are encrypted using a secure socket layer (SSL) certificate. You can verify web encryption at the address bar of your web browser, looking for the “Secure” indication. This provides you with confidence that when you hit the “Send” button, all information in your email is protected between your client and the email server at the service provider.
Once your email has transferred from the client to the server, the email service will attempt to contact the recipient by locating the recipient’s email server. Through internet location records (DNS, or Domain Name Services) the server can identify the IP address of the recipient’s email server, and whether the recipient’s server requires or supports certain security levels to accept an incoming message.
The message is handed off to the recipient server, and then delivered to the recipient Inbox to be read and replied on the recipient’s email client.
There are three primary solutions to encrypt email while it traverses the Internet.
1. Encrypting Email with TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are cryptographic protocols that secure communications over a computer network, both internal and the internet.
A sending server that is configured for TLS will ask the recipient server if it supports an encrypted channel to transfer messages. Servers that support TLS are outfitted with a security certificate (a digital “key” used to scramble and encode data, and then decode or unencrypt on the recipient side) and uses the certificate to negotiate a secure transmission with the recipient server. If the recipient server also supports TLS, the sending server encrypts the message and content and safely hands off to the recipient server, which then passes the message on to the recipient client.
However, if one or the other server does not support TLS, other measures are required to safely encrypt outgoing messages.
Also, the sender may need proof that the message was delivered with encryption, positively confirming protection of the contents all the way to the recipient. Other options exist that enforce encryption all the way through delivery, including Web of Trust, and Gateway Email Encryption.
2. Web of Trust Encryption
In the “Web of Trust” encryption model, unique certificates are generated and “signed” by parties to endorse the authenticity of the certificate key. All signers become known or trusted by each other, and the certificate is then privately shared for communication between the signers. The most common implementations of Web of Trust encryption include Public Key Infrastructure (PKI) and Pretty Good Privacy (PGP).
The challenges associated with Web of Trust encryption include the very DIY nature of certificate creation and signature, as well as the requirement to establish trust with all participants of the certificate. It becomes very difficult to share the key with recipients who have never communicated with the sender, and can slow the secure sharing process down.
Setting up a Web of Trust can be expensive, and requires specific skills and credentials to set up the certificate and signers.
3. Gateway Email Encryption
Gateway Email Encryption is a subscription-based solution that provides a secure web portal for delivering and controlling secure delivery of email. This is common when doing business with a bank or title company.
When an encrypted message is sent using a Gateway, the sender will have a special button in the email client to flag the message as sensitive and requiring encryption. If sent with encryption, the server first attempts to send the message with TLS encryption. If the recipient server does not support TLS, the message is held in a vault and the recipient receives a notification that a secure message awaits, and is provided a link to access the message via secure web portal. The recipient will register their email address, and log into the vault to read and reply to messages. The message never leaves this secure ecosystem, ensuring the end-to-end communication remains under encrypted control.
Gateway Email Encryption can automatically detect whether PII is being sent in case the sender forgets to encrypt the message. It will scan the outgoing message for common PII, such as common formats of social security numbers or credit card numbers. If the Gateway finds PII, it will reroute the message and apply encryption automatically. This is a wonderful feature that protects the firm in the event the sender forgets to encrypt the message.
Common services for Gateway Email Encryption include Zix, AppRiver, MimeCast, and Virtru, among others. These services are often available on a subscription service model, have little to no startup costs, and provide other features such as outbound spam filtering and delivery confirmation.
Protecting your clients’ and customers’ confidentiality and risk of identity theft and fraud begins with locking down and protecting your organization’s electronic communication. As email communication continues to grow, the risk of sending sensitive information increases, and your organization is responsible for protecting the contents of electronic messages.
Teqworks, a Managed IT Service Provider to businesses and non-profit organizations throughout the Chicago suburbs, can help your firm determine how encryption can secure communication and protect clients’ information.
Contact Teqworks today to set up a consultation and assessment.