Aamir Lakhani wrote a good post on email security. The original can be found HERE
Headline Emails Lead To Data Breach
Today we use email far more than we use writing letters to communicate with our friends and relatives. In business, the use of email is ubiquitous and seems to grow exponentially each year. But who’s reading these emails besides those who they were intended for? Is sending information this way secure? Before email, we either sent our correspondence by post in an envelope or byway of fax. Both relatively secure. In the case of postal services, the interception of letters is quite rare and almost impossible for faxes.
Email on the other hand is much more easily subverted and not so easy to detect. You can think of encrypting email as akin to putting your letter in a registered envelope. It can’t be read as it travels to the recipient and only the bona fide recipient will actually receive it. Opening clear text emails on the other hand are an invitation to the headline, “Emails lead to data breach”. So encrypting your emails sounds like a great idea, a no brainer! But how do we implement such a system?
Simplicity with Security is the Answer
The first major obstacle to using encryption is how will the intended recipient be able to decrypt the encrypted email? An issue that is by no means a trivial concern and one that can lead to the whole system falling into disuse because it is not easy to administer and for the user not easy to use. Any system that is put in place to increase security, if it relies on the user changing their normal business practices, is doomed to fail. What is needed is a simple but secure solution that everyone can use.
Finally technology is allowing the emergence of easy to use and deploy encryption products. Software that allows you not only to encrypt emails and their attachments but also much larger files for exchange via cloud servers, thumb drives, CD ROMs even DVDs. The clear front-runners in email encryption make use of identity-based encryption.
Why Identity-based Encryption?
There are three very good reasons why identity-based encryption is highly desirable:
- With identity-based encryption, you immediately ensure you link the private data to be shared with the intended recipient.
- You can negate the need to create another password that has to be remembered.
- You don’t have to burden the user with the need to understand “key pairs” along with the exchange of their public key.
Think about it, the one thing that will be unique when emailing someone is his or her email address! A system where a user’s email address is bonded in this way can generate key pairs associated with the address. These keys will be used to encrypt and decrypt any emails the user requires protecting.
But why limit it to just emails? Some software products allow the same simple system to be used for files, disks, thumb-drives, CD-ROMs pretty much anything you require to be encrypted.
How Does It Work
Every email or data file you want to encrypt and subsequently share with someone else has to be encrypted using that persons “public key”. Their “public key” will have a twin known as a “private key”. Together they are known as a “key pair”. The “private key” of an individual is used to decrypt something that has been encrypted with its twin or “public key”.
OK, so now we need a method of exchanging “public keys”. By generating and then associating the “key pair” with someone’s email address, you have automatically produced a unique “key pair”. The system will know if you are sending an encrypted message to Fred, it must generate a “key pair” for Fred. Using Fred’s “public key”, it will then encrypt the message. When Fred receives his encrypted email, he will be asked to retrieve his private key by logging onto the system using his email address, which will be used to authenticate him and then automatically decrypt his message.
These matching key pairs can be one-time pairs that will only apply to each email or data exchange further improving the security. Since each key pairing is only good for one exchange, if they were to be compromised, it does not result in and future or past exchange being put at risk … clever!
What to Look For
Considerations to bear in mind when selecting this type of product are;
- How good is the algorithm being used?
- Has the algorithm been implemented correctly?
- Has sufficient entropy been collected to utilise the full force of the algorithm?
Say what? I know! This is where it gets quite technical. However there are some products out there that have been independently certified by experts in the field so that you can take assurance that the product offers robust protection. Egress Software Technologies have encryption software that offers everything mentioned above.
Don’t keep sending your emails via the digital equivalent of a “postcard” … send them via “registered post” an encrypted email. The tools are out there now that make this solution entirely possible for individuals, SMEs and major corporations. Do this and you won’t be the next headline along with the loss of reputation this will bring.
If you would like more information on file encryption software and large file transfers visithttp://www.egress.com/solutions-large-file-transfer/