Today we all use texting or email far more than letter writing to communicate with our friends and relatives. In business the use of email is ubiquitous, and seems to grow exponentially each year. Sooner or later someone in your company will ask how much confidential or business-sensitive information the organization is collectively sending, and possibly receiving, by email. Is this information secure, and should we be sending it so casually via this medium? Before email we sent our correspondence either by post in an envelope or by way of fax. Both were relatively secure. In the case of postal services, the interception of letters was and is quite rare and easy to spot, whilst in the case of fax it is almost impossible to achieve.
Email, on the other hand, is much more easily subverted, and it is not so easy to detect if and when it has been. This is when the idea of encrypting your company email will be discussed and considered. You can think of encrypting email as akin to putting your letter in a registered envelope: it can’t be read as it travels to the recipient, and only the bona fide recipient will actually receive it. Sounds like a great idea, a virtual no-brainer! But how do we implement such a system?
Simplicity with Security is the Answer
The first major obstacle to using encryption is how the intended recipient will be able to decrypt the encrypted email. This is by no means a trivial concern, and it can lead to the whole system falling into disuse because it is not easy to administer and, for the user, not easy to use. Any system that is put in place to increase security, if it relies on the user changing their normal business practices, is doomed to fail. What is needed is a simple but secure solution that everyone can use.
The Solution
Finally, smart technology is allowing the emergence of encryption products that are easy to use and deploy: software that allows you to encrypt not only emails and their attachments but also much larger files for exchange via cloud servers, thumb drives, CD-ROMs, even DVDs. The clear front-runners in email encryption make use of identity-based encryption.
Why Identity-based Encryption?
There are three very good reasons why identity-based encryption is highly desirable:
- With identity-based encryption you immediately link the private data to be shared with the intended recipient.
- You can negate the need to create another password that has to be remembered.
- You don’t have to burden the user with the need to understand “key pairs” along with the exchange of their public key.
Think about it: the one thing that will be unique when emailing someone is his or her email address! A system where a user’s email address is bound in this way can generate key pairs associated with the address. These keys will be used to encrypt and decrypt any emails the user needs to protect.
No Limits
But why limit it to just emails? Some software products of this type allow the same simple system to be used for files, disks, thumb drives, CD-ROMs, pretty much anything you require to be encrypted.
How Does It Work
Let me try to explain in simple terms how this all works. Every email or data file you want to encrypt and subsequently share with someone else has to be encrypted using that person’s “public key”. Their “public key” will have a twin known as a “private key”. Together they are known as a “key pair”. The “private key” of an individual is used to decrypt something that has been encrypted with its twin, the “public key”.
OK, so now we need a method of exchanging “public keys”. By generating and then associating the “key pair” with someone’s email address you have automatically produced a unique “key pair”. The system will know that if you are sending an encrypted message to Fred, it must generate a “key pair” for Fred. Using Fred’s “public key” it will then encrypt the message. When Fred receives his encrypted email he will be asked to retrieve his private key by logging onto the system using his email address, which will be used to authenticate him and then automatically decrypt his message.
These matching key pairs can be one-time pairs that only apply to a single email or data exchange, further improving the security. Since each key pair is only good for one exchange, if it were to be compromised it does not result in any future or past exchange being put at risk. Clever!
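The flow described above, modelled as an added example (not code from this article or from any vendor's product): a hypothetical in-memory `KeyService` issues a one-time RSA key pair per message, bound to the recipient's address, and releases the private key only to that address. The class and function names, addresses and message texts are constructed for illustration, and `authenticatedEmail` stands in for whatever login step a real system performs.

```javascript
const crypto = require('crypto');
// Hypothetical in-memory key service: one key pair per message, bound to the recipient's address.
class KeyService {
  constructor() { this.store = new Map(); }
  // Sender side: obtain a fresh public key for this recipient and this message only.
  issuePublicKey(recipientEmail) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    const keyId = crypto.randomBytes(16).toString('hex');
    this.store.set(keyId, { owner: recipientEmail.toLowerCase(), privateKey });
    return { keyId, publicKey };
  }
  // Recipient side: authenticatedEmail is the address the (assumed) login step has proven.
  releasePrivateKey(keyId, authenticatedEmail) {
    const entry = this.store.get(keyId);
    const ok = entry && entry.owner === authenticatedEmail.toLowerCase();
    if (!ok) throw new Error('not authorised for this key');
    return entry.privateKey;
  }
}

// Hybrid encryption: AES-256-GCM protects the body, RSA-OAEP wraps the AES key.
function encryptFor(publicKey, plaintext) {
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, aesKey);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

function decryptWith(privateKey, msg) {
  const aesKey = crypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Constructed demo: two messages to the same made-up recipient use unrelated key pairs.
function demo() {
  const svc = new KeyService();
  const k1 = svc.issuePublicKey('fred@example.com');
  const k2 = svc.issuePublicKey('fred@example.com');
  const m1 = encryptFor(k1.publicKey, 'Q3 figures attached');
  const m2 = encryptFor(k2.publicKey, 'Board minutes');
  const fredKey1 = svc.releasePrivateKey(k1.keyId, 'fred@example.com');
  let crossDecrypt = 'succeeded';
  try { decryptWith(fredKey1, m2); } catch (e) { crossDecrypt = 'failed'; }
  return { m1: decryptWith(fredKey1, m1), crossDecrypt };
}
```

Because the service generates and stores every private key, whoever controls it or its login step can read the mail, so its authentication and key storage deserve the same scrutiny as the algorithm.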
What to Look For
Considerations to bear in mind when selecting this type of product are:
- How good is the algorithm being used?
- Has the algorithm been implemented correctly?
- Has sufficient entropy been collected to utilise the full force of the algorithm?
Say what? I know! This is where it gets quite technical. However, there are some products out there that have been independently certified by experts in the field, so that you can take assurance that the product offers robust protection. One such system I have had experience of is Egress’s email encryption software. It offers all of the above and more.
Conclusion
Don’t keep sending your emails via the digital equivalent of a “postcard”; send them via “registered post”, an encrypted email. The tools are out there now that make this solution entirely possible for individuals, SMEs and major corporations. Do this and you won’t be worrying about “who is reading your emails”.