
Encrypted Email Helps Secure Messages

By Renee Oricchio

Last year, an enterprise software survey of large North American and European companies found that one in three planned to invest in email encryption software in the coming year, according to Forrester Research. Another way to look at the survey results, however, is that one-third of these enterprises started the year out without any organized solution to secure the contents of their email.

"Most CIOs see the risk of eavesdropping on their email as pretty low," says Paul Stamp, a principal analyst from Forrester.

But corporate espionage is on the rise, and organizations are more vulnerable to data leaks as sensitive information is kept in digital form and databases that can easily be emailed to outsiders. A growing number of regulations now require organizations to keep customer data and company information confidential -- such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

"The biggest mistake a CIO can make?" says Stamp. "Ignoring it."

More organizations are deciding to encrypt their email to address this growing threat. The real challenge, however, comes with addressing the myriad questions that must be answered before shopping for a solution. For starters, which emails need to be encrypted? Which parts need to be protected: attachments, the message itself, or both? Does it need to be encrypted the second it leaves the originating computer or as it leaves the corporate network and hits the Internet? And most importantly, who will manage these decisions?

"CIOs struggle with projects that involve a lot of management. They don't want to touch that stuff," says Mike Gentile, research analyst at Computer Economics, an IT research firm. 

However, once those initial questions are answered, the decision tree splits in two directions: a client-based solution or an enterprise solution.

Client-based solution
Often this is how email encryption is first introduced into an organization. Pockets of employees recognize a need to secure their email and just take matters into their own hands, acquiring a third-party application and then installing it themselves.

  • Pros: If the client-based solution is working, why make a change? Replacing something already in place that serves its intended purpose can disrupt workflow and stir up resentment among users, who typically hate making such changes.
  • Cons: The IT department doesn't control it, but still bears responsibility. "Users might choose a solution that doesn't meet the level of compliance your company requires," cautions Gentile. Also consider the impact of having the user controlling passwords -- would IT managers know if critical information is being emailed outside the company?

Enterprise solution
This is the next logical step when that patchwork of various client-based solutions starts fraying at the edges. Many large organizations are turning to gateway solutions configured to flag and encrypt any messages that include types of data deemed sensitive. For example, a gateway solution may be set up to sniff out any outbound messages that include social security numbers, home addresses, or medical information. Those emails would be encrypted while everything else passes through.

  • Pros: An enterprise solution is often the more efficient way to serve the whole organization with one centralized set of security tools and one corporate email policy. It gives the IT department control over passwords, managing policy, and ensuring compliance.
  • Cons: It's very expensive, ranging in price from hundreds of thousands of dollars to the millions, depending on the size and requirements of the organization. Managing and setting policy can be labor intensive, and not understanding how the tools fit within the user's workflow can be disastrous. "I've been in places where a company has spent a ton of money on an enterprise solution. But, they didn't focus on functional requirements or workflow influences. Then employees just don't use it or adoption is very slow and very painful," says Gentile.
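The content-inspection step of such a gateway, as an added illustration that is not from the article or any product it mentions: a hypothetical rule set flags outbound messages whose body or text attachments carry a Social Security number or a medical keyword, routes those to the encryption path, and lets the rest pass. The sample messages and the address domains are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Hypothetical gateway rule: a text part (body or text attachment) that carries
# a U.S. Social Security number or a medical keyword sends the whole message
# down the encryption path; anything else passes through in the clear.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MEDICAL_TERMS = ("diagnosis", "prescription", "patient id")

def looks_like_ssn(match):
    """Drop numbers the SSA never issues (area 000, 666, 9xx) to cut false positives."""
    area, group, serial = match.groups()
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_sensitive(text):
    hits = [f"ssn:{m.group(0)}" for m in SSN_RE.finditer(text) if looks_like_ssn(m)]
    lower = text.lower()
    return hits + [f"medical:{t}" for t in MEDICAL_TERMS if t in lower]

def classify_outbound(raw_message):
    """Return ('encrypt', hits) or ('pass', []) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # binary attachments would need their own extractors
        where = part.get_filename() or "body"
        hits += [f"{where}:{h}" for h in find_sensitive(part.get_content())]
    return ("encrypt", hits) if hits else ("pass", [])

# Constructed samples, not taken from the article.
ENROLLMENT = ("From: hr@example.com\nTo: claims@insurer.example\nSubject: Enrollment\n\n"
              "Employee SSN 123-45-6789; diagnosis code attached.\n")
PICNIC = ("From: news@example.com\nTo: all@example.com\nSubject: Picnic\n\n"
          "Friday at noon. Raffle ticket 999-12-3456 is not an SSN.\n")

def roster_with_attachment():
    """Body is harmless; the sensitive data sits in a text/csv attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "hr@example.com", "claims@insurer.example", "Roster"
    m.set_content("Roster attached.")
    m.add_attachment("Jane Doe,321-54-9876\n", subtype="csv", filename="roster.csv")
    return m.as_string()
```

The raffle-ticket message passes because its number has an area code the SSA never issues; tuning such rules against real traffic is the labor-intensive policy work the cons above describe.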

Controlling encryption keys
To compound matters, CIOs also have to manage how encrypted information is received and accessed at its final destination.

In a gateway solution, messages are typically encrypted between one organization's gateway and another organization's gateway. This works well, for example, with a trusted outside business partner that is bound by the same level of security and compliance. An example would be the human resources department sending employee information to an outside health insurance partner.

With a client-based solution, encryption is controlled by the user at the desktop. It is therefore the responsibility of the user to make sure the person on the other end has the right tools to decrypt the message. Some solutions require that the email recipient have their software installed on their end in order to open the message. Clearly, this could be problematic when dealing with outside contacts, especially first-time contacts.

Other solutions involve sending a link. The recipient clicks the link and must then log in with a username and password to read the decrypted message on a Web page. This method, however, is vulnerable due to the rise in phishing. All those technical layers of security are useless if the user can be duped into giving up a password.

"There's no perfect solution," says Stamp.

Many organizations are finding that the answer is to have multiple solutions. Gateway encryption may work best when sending sensitive data out to business partners. However, for the CFO who just wants to send financial information down the hall to the CEO, a client-based application is the only way to make sure another pair of eyes within the company doesn't get a peek, as well.

Renee Oricchio is a freelance writer in Norwalk, Conn. For the past 20 years, she has been writing and producing news segments about technology and business for CNN, MSNBC, Ziff-Davis, CNET, and a variety of Silicon Valley-based local news outlets.

"Email is one of the biggest vectors for sensitive information to leave an organization."

--Mike Gentile, Research Analyst, Computer Economics