At its core, encrypted email describes a process where email messages are encoded so they can’t be read by people who aren’t part of the conversation. Given that email can easily be read if there is no encryption in place, it’s really important to have encryption for your individual and enterprise communications so you can protect your email account.
There are many ways of protecting your email messages over the internet. Not all these methods are equally secure. Some methods actually leave emails vulnerable to attack. This vulnerability is a result of either weak encryption standards or leaving the message unencrypted at points along its journey.
This blog will look at the methods for email encryption as well as how to build strong email encryption protocols for the enterprise.
When email was first created, there were limited encryption standards in place to secure email messages and limited ways to send encrypted email. Messages were transmitted in plain text. However, over the years, as criminals showed how easily this standard enabled the theft of information, technologists implemented security protocols to ensure messages were protected as they went from the sender to the receiver.
Today, the main protocols for email encryption are:
These standards are widely used and work in very different ways, as explained below.
Today, TLS (Transport Layer Security) is the default standard used by providers such as Google and Microsoft for sending email. In fact, STARTTLS is the most common way to secure email messages in transit. STARTTLS adds a TLS layer that upgrades an otherwise plain text message exchange to an encrypted one. If the email servers on both sides of the communication use the TLS standard, then the email is afforded some level of protection.
TLS has vastly improved security for email because it protects messages in transit against opportunistic “man-in-the-middle” (MITM) attacks. MITM attacks try to read a message while the text is in transit from the sender to the recipient. MITM attacks were very common before strong TLS protocols came out in the mid-2000s.
While TLS does provide encryption for the data in transit, it does not secure the data itself. Only the transmission channel is encrypted. So, if an attacker could get through the encryption on the channel then the data would appear in plain text.
The other major challenge of TLS is that it only provides security for your email messages as they travel from your computer to the server. You have no assurance that the message will travel encrypted from the server to your recipient. For data that needs to be secure or contains sensitive information, TLS does not provide a strong assurance of security.
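The hop-by-hop nature of TLS can be checked on a delivered message. The following Python sketch is an added example, not code from the original post: it reads the Received headers and reports which hops were not carried over TLS, using the RFC 3848 "with" keywords. The message, host names and addresses are constructed for illustration.

```python
import re
from email import message_from_string

# "with" protocol keywords from RFC 3848; the variants containing "S" ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>\w+)", re.S | re.I)

def audit_hops(raw_message):
    """Return (source, destination, protocol, used_tls) per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received line, so reverse to follow the path.
    # Only lines added by servers you operate can be fully trusted.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            hops.append(("?", "?", "unparsed", False))
            continue
        proto = m["proto"].upper()
        hops.append((m["src"], m["dst"], proto, proto in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw_message):
    """Hops where the message crossed the network without TLS."""
    return [(src, dst) for src, dst, _, tls in audit_hops(raw_message) if not tls]

# Constructed sample: two TLS hops, then a final hop in plain text.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
 by store.recipient.example with ESMTP id c3; Tue, 5 Dec 2023 10:00:03 -0500
Received: from out.sender.example (out.sender.example [198.51.100.7])
 by mx.recipient.example with ESMTPS id b2; Tue, 5 Dec 2023 10:00:02 -0500
Received: from laptop.sender.example (laptop.sender.example [192.0.2.10])
 by out.sender.example with ESMTPSA id a1; Tue, 5 Dec 2023 10:00:01 -0500
From: alice@sender.example
To: bob@recipient.example
Subject: Q4 forecast

Numbers attached.
"""

if __name__ == "__main__":
    for src, dst, proto, tls in audit_hops(SAMPLE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'NO TLS'})")
```

In the sample, the sender's submission and the server-to-server hop used TLS, but the last internal hop did not, and the sender had no way to require otherwise.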
Also known as public key encryption, end-to-end encryption ensures that the messages are encrypted on the sender’s device and only ever decrypted on the recipient’s device. Servers in between can never read the message. End-to-end email encryption provides the gold standard for securing communications.
In end-to-end encrypted email, encryption is enabled by using public and private keys. The sender encrypts a message by using the recipient’s public key. The recipient decrypts the message by using a private key that is stored on their device.
End-to-end encryption is important because it prevents any third party from reading messages at any point along the message’s path to the intended recipient. Malicious third parties, over-reaching governments or criminals can never access the data on the server, as it is only decrypted on a user’s endpoint. If an attacker went after the server, all they would get is gibberish.
In the past, Google has used its ability to read user messages to determine which ads to serve up to an account holder. In 2018, the Wall Street Journal reported that Google provided user data to third party app companies and that ‘app developers generally are free to share the data’.
Microsoft O365’s platform does not read user emails in order to sell ads. However, the company’s ability to read user emails means that they can and have given personal information to government entities. In fact, in April 2016, Microsoft filed a suit against the U.S. government because they were required to hand over customers’ email and not inform the customers it had done so.
In contrast to TLS, end-to-end encryption is very secure. With end-to-end encryption, the only people who can ever read an email message are the sender and the recipient, and no one else. Messages are secured by use of public and private keys. The sender encrypts his message to the recipient with the recipient’s public key and the recipient decrypts the message with her private key. Users are the only ones who have access to their private keys.
While end-to-end encryption is recognized as the best way to secure data, there are a number of different ways in which to implement the algorithm.
PGP (Pretty Good Privacy) is an end-to-end encryption standard used to send messages. The platform was originally used by activists and journalists who were trying to keep their communications secured. In PGP, public key infrastructure is used for securing and decrypting messages.
Here’s how PGP works:
While PGP is extremely secure and PGP based systems are often free, it comes with significant challenges.
Problems with PGP encrypted email
One of the big challenges of PGP is that it makes management of public keys extremely challenging for the end users. End users are responsible for distributing their own public keys to the people they want to talk to.
Additionally, if the user loses their device then they have to go through the process of exchanging their public key with all their correspondents all over again. Moreover, any email that was secured with their original keys cannot be decrypted. The loss of the user’s device means their private key is also lost.
Secure/Multipurpose Internet Mail Extensions (referred to as S/MIME) is another platform that relies on end-to-end encryption. Unlike PGP, S/MIME uses digital email certificates provided by a certificate authority (CA) for encryption. S/MIME also uses digital signing to create a digital signature for emails in order to ensure the messages are from who they say they are from.
Problems with S/MIME encrypted email
One of the main challenges of S/MIME is that it is not available for web-based email clients like Gmail and cannot be accessed through a web portal. Another significant challenge is that in order to ensure that private keys can be recreated if devices are lost or stolen, S/MIME allows copies of private keys to be saved on the server. This means that if a server is attacked, criminals can get copies of users’ private keys, which can be used to access their encrypted email.
An additional challenge is that S/MIME has proved very challenging for users in an enterprise setting. Admins inevitably spend a lot of time trying to manage multiple certificates for employees. As a result, S/MIME is not frequently used in an enterprise setting.
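Whether a stored message is actually end-to-end protected with PGP or S/MIME, or only signed, is visible from its MIME structure. The following Python sketch is an added example, not code from the original post or from any product named here: it labels messages the way a mail gateway or audit script could, and lists the ones a server-side reader could still open. The sample mailbox is constructed and its bodies are placeholders.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

def classify_protection(raw_message):
    """Label a stored message by how its body is protected at rest."""
    msg = message_from_string(raw_message)
    ctype = msg.get_content_type()
    protocol = collapse_rfc2231_value(msg.get_param("protocol", "")).lower()
    smime_type = collapse_rfc2231_value(msg.get_param("smime-type", "")).lower()
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-encrypted"                      # PGP/MIME (RFC 3156)
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        if smime_type in ("enveloped-data", "authenveloped-data"):
            return "smime-encrypted"                # S/MIME encrypted envelope
        return "signed-only" if smime_type == "signed-data" else "smime-other"
    if ctype == "multipart/signed":
        return "signed-only"                        # signature only, body stays readable
    for part in msg.walk():                         # inline ASCII-armored PGP in a text part
        if part.get_content_maintype() == "text":
            if b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b""):
                return "pgp-encrypted"
    return "plaintext"

def readable_on_server(mailbox):
    """Indexes of messages whose body anyone with server access could read."""
    return [i for i, raw in enumerate(mailbox)
            if classify_protection(raw) in ("plaintext", "signed-only")]

def make_sample(content_type, body="(constructed placeholder body)"):
    # Constructed test messages; bodies are placeholders, not real ciphertext.
    return ("From: alice@sender.example\nTo: bob@recipient.example\n"
            f"MIME-Version: 1.0\nContent-Type: {content_type}\n\n{body}\n")

ARMORED = "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----"
MAILBOX = [
    make_sample("text/plain"),
    make_sample('multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"'),
    make_sample('application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"'),
    make_sample('multipart/signed; protocol="application/pkcs7-signature"; boundary="b"'),
    make_sample("text/plain", ARMORED),
]

if __name__ == "__main__":
    for i, raw in enumerate(MAILBOX):
        print(i, classify_protection(raw))
    print("readable on server:", readable_on_server(MAILBOX))
```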
PreVeil is an example of a modern-day end-to-end encrypted system that is friendly for the enterprise while also providing the best level of security. PreVeil provides:
PreVeil has also received PC Magazine’s Editors’ Choice because it is “very easy to use and doesn’t require switching to a new email address. Underneath its simple exterior, it uses high-end encryption and security techniques including an unusual key recovery method that involves sharing bits and pieces of your key with friends.”
While email encryption might seem like a daunting task, an easy to use end-to-end encrypted email solution does exist. Encrypted email does not have to be something your organization tries to solve on its own. Instead, choose a provider like PreVeil that offers the gold standard for email encryption while eliminating friction for the user and enterprise.