Secure Email (Is there such a thing?)0
Cryptography or the practice of hiding information is not a modern concept. Throughout history people have built complex systems to conceal messages so only the intended party was able to reveal what was hidden and understand the message. This practice takes on even more importance in time of conflict. In fact, history shows us that when information is compromised, entire wars can be won or lost (depending on which side of the compromise you sit). Just ask the Germans after the enigma cipher was broken giving allied forces the ability to decrypt critical battle communications gaining a tactical advantage.
But what does this have to do with information security? Well, everything.
In today’s competitive business environment, the ability to safeguard information is critical to a business’ ability to succeed. As more of our communication goes online, securing information transfers are not only important, they are mission critical. In a previous post on information breaches, I quoted Avivah Litan of Gartner talking about a layered approach to security. The main point was to identify that usernames and passwords are simply not strong enough to protect the data that is being stored on corporate networks today. But to take this thought one step further, what security is in place to protect data that is being transmitted – primarily through email?
If you are like me, you probably get hundreds of emails throughout the course of a business week. Many of these emails are either spam or not critical to the future of the business (i.e. disclosing “where you are going for lunch?” will not typically hurt your company’s future). But there are emails sent that carry sensitive information and need to be secure. While we know this is true, very little additional security is done to protect this sensitive information as it is being transmitted over the internet leaving it vulnerable to being intercepted for information theft or corporate espionage. One approach is to disconnect yourself from the wired world putting all sensitive information onto unsecure USB sticks (topic for another blog). But this disconnected version of security has no place in the information-intensive business environment.
What is needed is a secure way to transmit sensitive information from one party to another, being assured that only authorized recipients are able to view the contents of the email. Microsoft has made significant strides in embedding security functionality into its Server 2008 and Forefront Identity Manager products which include the use of .NET smart cards enabling the ability to encrypt email with the click of a box in an Outlook message. Upon pressing send, the user is prompted for their PIN which, paired with the certificate on the smart card, enable encryption (similar to an ATM except the security is actually built into the identity card.
For the recipient, they would also need a .NET smart card (typically used both for corporate identity and logical access). Once the encrypted email is received, the recipient would be prompted to insert their identity card and enter a PIN – Voilà – the email is decrypted and ready to be read by the intended recipient. This process secures the information as it is being transmitted, with each party holding their own set of keys to unlock the message. If you don’t have the right keys, you will not be able to open the encrypted email. Translation: your message is only seen by those you trust with the information.
No technology is perfect, but implementing more secure communication for your most critical information assets is not an optional security step anymore. But what was once a daunting task has become more integrated into the products you already have deployed within your infrastructure. Adding strong authentication to your corporate infrastructure will make sure only the right people have access to the right resources internally AND give you the ability to enable email encryption.
This is the kind of real world protection you need for executive communications and for anyone who needs to email sensitive company information.