Email is an essential business tool that helps organizations to efficiently communicate – both internally with colleagues and externally with customers, clients, and partners. Yet with this vital tool comes the specter of sensitive data exposure caused by sending unprotected email. The risk goes wherever unprotected email is transmitted or is stored – including the Internet, cloud-based services, servers, desktop PCs, laptops, and mobile smartphones. The exposure of customer data, intellectual property, or legally protected data such as financial or personal health information can trigger penalties, lawsuits, damage to an organization’s brand, and loss of business. Every organization should address these risks by protecting sensitive email, and the most effective way to do that is with email encryption.
Choosing the right solution for strategic deployment of email encryption entails understanding points of risk, business requirements, and types of solution options. In conjunction with these, understanding operational best practices associated with email encryption helps an organization to assess the degree of effort associated with deployment and management of a particular solution.
Business strategy should drive the reasons for adopting a particular email encryption solution. Strategic deployment of email encryption will enable scalability while controlling costs of deployment and ongoing operational management. Considerations include:
- Points of Risk. Data transmitted through email can be vulnerable at many points. Sensitive data in email or an email attachment can be read from an endpoint including desktop, laptop, notebook, mobile smartphone, or other mobile computing device. It can also be downloaded from an email server, or other storage or backup device. It may be purposely or accidentally sent to a malicious or inappropriate user. It also can be “sniffed” from a network transmission or cloud-based application. Points of risk existing within your organization include trusted employees and administrators of email and network systems. They may include other points in the supply chain such as business partners, suppliers, service providers, customers, and any other place where email can go. Your email encryption solution must address all points of risk to control unauthorized exposure of sensitive data.
- Open standards. An open, standards-based email encryption solution will work with virtually any email client, endpoint operating system, and server. A proprietary solution provides restricted options. Choose an email encryption solution that meets current requirements but provides flexibility should other needs arise.
- Business processes. Some solutions require users to manually execute multiple steps to initiate encryption and decryption of email. At the other end of the spectrum, a solution can fully automate all encryption and decryption without any user intervention. Some organizations require email encryption for a specific department handling sensitive information, such as legal, finance, and human resources. Other organizations prefer to encrypt all email. Determine what your organization needs to provide acceptable protection of sensitive data in email.
- Enterprise integration. Your organization might require other types of encryption, such as for individual files, all storage for a laptop or portable device, tape backup systems, or a database server. Implementing a point email encryption solution may bring complexity to key management if it does not integrate with other encryption solutions. All of these must also work with existing antivirus, antispam, content filtering, data loss prevention, and archiving applications. Lack of integration will substantially drive up costs of deployment and ongoing management of enterprise encryption solutions.
- Regulatory compliance. Determine the specific regulatory compliance requirements that affect your organization, such as email encryption laws in U.S. states such as Massachusetts and Nevada, encryption mandated for cardholder data by the PCI Data Security Standard, the European Union’s directive to protect personal information transmitted over networks, directives to protect personal privacy in Australia and Japan, and other global requirements for using encryption and digital signatures to protect personal information and financial reporting systems.
- Architecture. Specify the email encryption architecture that satisfies your organization’s business requirements. There are five architectural options, detailed by Osterman Research, Inc.:
  - Endpoint-to-endpoint. Encrypts email from the sender’s endpoint to the recipient’s endpoint; the message stays encrypted in transit, so no intermediate system can decrypt it.
  - Gateway-to-gateway. Uses an email encryption gateway. This eliminates the need for client software, which simplifies administration. It encrypts email between gateways, but not within the sender’s or recipient’s organizations.
  - Gateway-to-web. Secures email only between the gateway and a web portal. Useful for external destinations not on your organization’s email encryption system.
  - Gateway-to-endpoint. Provides email encryption inside the firewall, but still leaves originating messages in plain text before they reach the gateway.
  - Secure managed file transfer. Useful for transmitting secure content without requiring a full-blown email encryption solution, which minimizes storage and bandwidth requirements.