Encryption is one of those technologies that has been around for thousands of years (since the days of Caesar, in fact), but is still very misunderstood.
Actually, you use encryption every day, since it's the underlying technology that drives the Secure Sockets Layer and HTTPS protocols. But it seems email encryption remains an enigma at most small and medium-sized businesses (SMBs) because it's been portrayed as the solution to every information security problem. So, let's take a step back and understand what email encryption can do for you.
First and foremost, one of the biggest issues SMBs have is to ensure they are adequately protecting intellectual property. By encrypting emails that contain corporate secrets, there is very little risk of competitors and the like intercepting messages and stealing data. Likewise, in an age where customers are understandably concerned with protecting their private data, encrypting communications ensures that the customer's private data cannot be stolen.
Both IP protection and privacy considerations fall into a large, yet amorphous bucket called compliance. Any business dealing with regulatory oversight, or even those now accepting credit cards, which are now subject to the Payment Card Industry standards, needs to be concerned with compliance. Email encryption is not a panacea for compliance, but having the ability to protect critical data is a critical step in the process.
Why isn't email encryption more prevalent? In a nutshell, it's due to complexity. Historically, email encryption was very complex to implement and required a significant amount of communication, configuration and experimentation between trading partners to ensure a message encrypted by you could be decrypted by them.
Additionally, there was no way to force users to encrypt sensitive messages. IT administrators had to hope users understood how to encrypt the message and that they'd remember to do so when appropriate. Since hope is not a good strategy, most organizations didn't deploy.
But as with most technologies, email encryption has evolved and matured over the past few years. It's by no means easy, but it's also no longer cost-prohibitive for SMBs to start experimenting with the technology. The advent of service providers that will host key servers and email gateways that can automate the enforcement of policies has dramatically decreased the effort required to get an encrypted email system operating.
Here are five essential steps to encrypting email:
- What and why? The first step is to define what types of content need to be encrypted. You are best off working with your general counsel (or outside law firms) to ensure that all sensitive data is identified and a policy is created to document the need to protect that data. Content types typically encrypted include customer records, intellectual property, strategy documents, etc.
- Who and where? Next, it's important to determine which trading partners will participate. The short answer should be all of them. But in reality, many organizations phase in their approach because it's not as easy as flipping a switch and then encryption just happens. Determine if you are going to let users decide what gets encrypted (via desktop software) or whether you'll take a gateway approach that will scan each message automagically and determine if it is required to be protected by the policy.
- How? There are many different ways to skin this particular cat. You could encrypt messages at the desktop or store messages encrypted on a staging server for pickup via a Web-based email interface. You could also implement the encryption either on the email security gateway or on a separate purpose-built device. The architecture will depend on your scale and number of trading partners. You could have a service provider manage the key server or you can manage it yourself. Value-added resellers and the vendors themselves can certainly help make those decisions, once you've determined that encryption is something you should do.
- When? Rolling out encrypted email to all of your trading partners at the same time is not advisable. You need to figure out which partners should go first and start working out the details of the implementation with them. As you add more partners to the infrastructure, you'll nail down the process, but it's in your best interest to start slow and figure it out incrementally.
- Refine. Given the policy and compliance drivers for email encryption, any project should have a period where the focus is to refine the policies used to determine which emails are encrypted. This can involve tuning the dictionaries and heuristics and manually auditing a subset of the messages encrypted (and those that aren't) to ensure the policies are being enforced.
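As an added illustration (not from the original article or from any vendor's product), the sketch below shows the gateway approach from "Who and where?" together with the tuning and audit loop from "Refine": each message is checked against a policy dictionary and a card-number heuristic, and a sample from both outcomes is pulled for manual review. The policy terms, sample messages and function names are hypothetical.

```python
import random
import re
from email import message_from_string

# Hypothetical policy dictionary; in practice it comes from the written
# policy agreed with counsel in the "What and why?" step.
POLICY_TERMS = {"confidential", "customer record", "strategy document"}
# Candidate card numbers: 13-19 digits, optionally split by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed sample messages (4111 1111 1111 1111 is a standard test number).
SAMPLES = [
    "From: a@example.com\nSubject: Q3 invoice\n\nCard on file: 4111 1111 1111 1111\n",
    "From: a@example.com\nSubject: Lunch\n\nOrder ref 1234 5678 9012 3456, see you at noon.\n",
    "From: a@example.com\nSubject: Draft\n\nAttached is the strategy document for review.\n",
]

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def policy_reasons(raw_message):
    """Return the rules a message triggers; an empty list means no rule matched."""
    msg = message_from_string(raw_message)
    # Only single-part text bodies are scanned here; a real gateway would
    # also extract text from multipart bodies and attachments.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    reasons = [f"term:{t}" for t in sorted(POLICY_TERMS) if t in text]
    for match in PAN_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            reasons.append("heuristic:card-number")
            break
    return reasons

def gateway_decision(raw_message):
    return "ENCRYPT" if policy_reasons(raw_message) else "PASS"

def audit_sample(messages, per_bucket=1, seed=0):
    """Pick messages from both outcomes for manual review (the Refine step)."""
    buckets = {"ENCRYPT": [], "PASS": []}
    for raw in messages:
        buckets[gateway_decision(raw)].append(raw)
    rng = random.Random(seed)
    return {k: rng.sample(v, min(per_bucket, len(v))) for k, v in buckets.items()}
```

The second sample carries a 16-digit order reference that fails the Luhn check, so it passes unencrypted; reviewing such "PASS" messages is how missed content and over-broad dictionary terms surface during tuning.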
Ten years ago, it required an armada of consultants and big infrastructure to implement encrypted email. That is no longer the case, but it's still not a walk in the park. But with a diligent process and dedicated project team, email encryption can play a key role in your compliance efforts and can protect both your intellectual property and private customer data.
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Reach him via email at firstname.lastname@example.org.