In the 2016 email hack heard ‘round the world, almost 20,000 emails were stolen from the Democratic National Committee (DNC) in the middle of the United States election cycle. The hacker was able to get into the DNC’s unencrypted inbox, find emails that revealed the DNC’s supposed bias towards one candidate in particular and then release them. Had these emails been secured with end-to-end encryption, they would have been inaccessible—and many argue that the election would have had a different outcome.
While not every email breach has implications of the 2016 incident’s magnitude, it goes without saying that organizations in today’s world have a critical need for a secure email strategy. So how do you develop the right secure email strategy? First, consider the following:
When you think about historical approaches to email security, it starts with S/MIME, which has been an open Internet Engineering Task Force (IETF) standard since the 90s. Then came PGP and, in the early 2000s, we saw the SSL/TLS Pickup method gain momentum. While all three methods utilize public key cryptography and open standards, that is not enough to ensure your organization’s emails remain truly secure.
In today’s world, end-to-end encryption is leading the charge against email hacks and breaches—among both Gmail and Microsoft users—with organizations across industry lines choosing Virtru as their end-to-end encryption solution. With Virtru, organizations can use existing identities, host keys anywhere, share with anyone and search encrypted content, all without the need to install any software. To better understand the important role that end-to-end encryption has in today’s email security landscape, let’s take a closer look at where we’ve been.
S/MIME, PGP, and SSL/TLS all require the use of public key cryptography, which means you have to set up a key management capability, creating a need for additional internal resources. Further, encrypted messages under these protocols are not easily searchable within your inbox, which presents a challenge when you need to do a quick search for a recent email. You may find that your encrypted messages are not viewable by default, since many email clients don’t automatically decipher the encrypted emails for you. In that case, it becomes a multi-step process to pick up the message, especially if you’re using SSL/TLS pickup.
What’s more, in some cases, you may have non-native requirements, either in the form of a third-party service provider or internal man-in-the-middle server infrastructure. Both of these can be disrupted by a native mail client provider’s application update. For instance, if Google decided that they no longer want to support S/MIME as a native protocol because of a shift in business direction, that’s going to be a problem for S/MIME Gmail users. So, while each protocol can be considered an improvement upon the former, the significant implementation and usability challenges are what lead many organizations to find a new solution: end-to-end encryption.
When you think about secure email, one of the first questions to ask yourself is “what problem are we trying to solve?” A secure email strategy should:
Only one email security protocol successfully checks off all four of these requirements—end-to-end encryption—and it’s easy to use. Virtru’s end-to-end encryption ensures that all data is encrypted at all times—not just in transit and at rest—and that only the sender and recipient can view the contents of an email, providing the highest level of confidentiality and protection to your organization’s emails.
If historic email security approaches are any indication, without a high degree of usability, broad user adoption is not possible. End-to-end encryption uses existing accounts and, simply put, on-demand encryption for senders and frictionless access for recipients ensure smooth deployments and boost the strength of your email security program.
Finally, taking a data-centric approach to email security extends beyond just protecting the data with end-to-end encryption. This holistic approach also includes control and audit. Think about it: if you’re going to apply protection with encryption, the value and risk of that data is going to change depending on where it is, where it has gone and where it has ended up. It’s important to have the ability to apply certain controls based on the lifecycle of that data and on an audit of interactions with that data that helps inform your decisions.
With those three pillars—protect, control, audit—of a data-centric approach in mind, you’ll set yourself up for success in developing the right strategy for secure email.
Boost the strength of your email security program and talk to a Virtru expert today about how end-to-end encryption can work for your organization.