Email Encryption Basics

New to Email Encryption? Learn the fundamentals from our collection of articles for beginners.

Encryption and Email Security

The cloud has outpaced our traditional approach to security. We try to keep intruders out with choke points and strong walls, while threat actors are already inside the open systems we use to send emails and other confidential data. To catch up with modern threats, we need to focus less on defending systems and more on defending the data itself. Data-centric encryption is key to email security.

Security Has Traditionally Been Treated Like a Fortress
The idea of perimeter security goes way back into prehistory. After all, the most obvious way to protect anything is by drawing a line around it and putting up defenses to keep outsiders out. For early mainframe computers, security was easy — the computer was stored inside a room, and couldn’t be accessed from outside.

Remote workstations made things a little more complicated, but there were still a finite number of access points that could be physically secured, and each user could be given their own authentication credentials to control access to internal resources.

As more computers were deployed and networked together in more flexible ways, physical perimeter security was no longer effective. Firewalls were developed to guard the network. A firewall looks at incoming traffic and decides whether to allow it based on factors like the protocol, source, destination and, with deeper inspection, the type of content. Traffic judged unsafe is dropped instead of being forwarded to its destination.

Firewalls are also used as part of email security: they blacklist domains or IP addresses known to send spam in order to keep dangerous content away from users. Virtual private networks (VPNs) are another tool for connecting devices in different locations into a single, theoretically defensible network. However, this approach is inadequate for securing email and other sensitive data, because the data itself leaves the protected network every time a message is sent.

There Are No Outer Walls Anymore
The connectivity that lets your data be reached from anywhere in the world also makes the old model untenable. While you are logged into your corporate secure email account or using applications inside your business's network, the same device may simultaneously be browsing the web, receiving push content from third parties, making a purchase and running third-party applications, all while connected to an unsecured public network. There is no firm boundary where the network ends and the outside begins.

In one sense, this open structure is great: it is what allows you to install a secure email add-on on top of your Outlook account, or choose your favorite calendar and scheduling app to organize your work tasks. But it also creates risks. Click the wrong link in a social media post, visit the wrong website or download the wrong app and you can compromise your email security, expose financial and personal information, and even give attackers access to your workplace data.

That doesn’t mean that secure perimeters are completely useless. You can and should try to control access to sensitive areas, such as confidential databases. But it does mean we need to go beyond perimeters and protect the data itself.

Data-Centric Email Security Is the Solution
Organizations need to move from network security that protects the perimeter to a security model that protects their most important asset — the data itself. Data-centric security gives each piece of information its own fortification that travels with it wherever it goes. This makes it ideal for applications like email security, where sensitive information needs to travel across the open Internet.

Data-centric encryption is the central component of this approach. Point-to-point protocols like TLS encrypt the connection between two hosts, so a message is decrypted at each server along the path and is protected only while it is in transit on that hop. Data-centric encryption secures the message or file itself, so it stays encrypted on every server it passes through and wherever it is stored. Access policies and encryption key management control who can obtain the key, ensuring the data can only be read by the appropriate party.

This means you do not have to trust your app providers with your content, since they never hold it in readable form. For example, if you use Virtru secure email, neither your email provider nor Virtru will be able to read the emails you send, which greatly reduces the risk that a hacker or malicious insider who breaches either provider can get at your data.

Data-Centric Encryption Defends Against Both Opportunistic Attacks and Planned Hacks
Successful cyber security attacks exploit weaknesses. Opportunistic attackers take advantage of whatever lapse they find, for example by intercepting unencrypted data such as credit card numbers. Increasingly, though, attackers use one lapse as a foothold for more valuable targets: a stolen password opens a corporate database, and stolen personal information is used to blackmail or impersonate a victim.

No single defense can protect against every security threat. However, data-centric encryption exposes far less than point-to-point encryption and other traditional approaches. For example, if you send an email to a group of recipients that is protected only by TLS, it has to travel to each of their email servers, possibly through intermediate relays. SMTP servers usually negotiate TLS opportunistically, so if any server on the way does not support it or is misconfigured, the message falls back to plaintext on that hop and can be read there, and an active attacker on the path can force that fallback by stripping the STARTTLS capability from the handshake. Even when every hop uses TLS, each server decrypts the message and holds it in readable form while it is queued and stored.

If you use data-centric encryption for email security, you no longer depend on every server along the path to protect you. Even if an attacker intercepts the message, or compromises one of the servers it rests on, they get only ciphertext. This does not make breaches impossible: a hacker could use malware on the recipient's device to capture the data while it is being read, and routing headers such as sender and recipient addresses generally remain visible because the mail system needs them to deliver the message. But it greatly reduces the odds of a successful attack.
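As an added illustration of the hop-by-hop problem, the Go program below parses the EHLO replies of each server on a constructed delivery path and reports which hops would be reached in cleartext under opportunistic STARTTLS. It is example code written for this page, not code from the original article or from Virtru; the server names and EHLO replies are constructed, where a real client would read them from port 25 after connecting and sending EHLO.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Hop is one SMTP server on the delivery path: its name and the multi-line
// EHLO reply it gave to the server before it. Both are constructed here.
type Hop struct {
	Name string
	EHLO string
}

// AdvertisesSTARTTLS reports whether an EHLO reply lists the STARTTLS
// extension (RFC 3207). Continuation lines look like "250-STARTTLS", the last
// line like "250 STARTTLS". A reply that is not a 250 success is treated as
// "no STARTTLS", which is what a sending MTA would conclude as well.
func AdvertisesSTARTTLS(ehlo string) bool {
	sc := bufio.NewScanner(strings.NewReader(ehlo))
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		if !strings.HasPrefix(line, "250") {
			return false
		}
		if len(line) < 4 || (line[3] != ' ' && line[3] != '-') {
			continue // bare or malformed "250" line carries no keyword
		}
		fields := strings.Fields(line[4:])
		if len(fields) > 0 && strings.EqualFold(fields[0], "STARTTLS") {
			return true
		}
	}
	return false
}

// PlaintextHops returns the hops that would be reached over an unencrypted
// connection under opportunistic TLS: those whose EHLO reply does not
// advertise STARTTLS, so the sender falls back to cleartext SMTP.
func PlaintextHops(path []Hop) []string {
	var exposed []string
	for _, h := range path {
		if !AdvertisesSTARTTLS(h.EHLO) {
			exposed = append(exposed, h.Name)
		}
	}
	return exposed
}

func main() {
	// Constructed path: sender's MX, a legacy relay, recipient's MX.
	path := []Hop{
		{Name: "mx1.sender.example", EHLO: "250-mx1.sender.example\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"},
		{Name: "relay.legacy.example", EHLO: "250-relay.legacy.example\r\n250 SIZE 52428800\r\n"},
		{Name: "mx.recipient.example", EHLO: "250-mx.recipient.example\r\n250 STARTTLS\r\n"},
	}
	fmt.Println("hops that would carry the message in cleartext:", PlaintextHops(path))
}
```

The check is only as good as the reply it is given: an attacker on the path can remove the 250-STARTTLS line before it reaches the sender, which is exactly the fallback the text describes. MTA-STS and DANE exist to let a sender refuse to fall back, but even a fully enforced TLS path still leaves the message readable on every server that handles it, which is the gap data-centric encryption closes.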

Secure Email Encryption Protects Against Insider Threats
Whether malicious or just clumsy, insiders will always pose a risk. Although a malicious insider can be particularly damaging, the most common insider threats in cyber security are accidents. Mistakes like accidentally sharing confidential data outside the organization or using insecure channels for sensitive conversations can easily compromise customer privacy or company secrets.

IT providers are also vulnerable to insider attacks. If your provider can read your data, that means people inside their organization could abuse that privilege — in response to a government surveillance request, for personal gain or other reasons.

Encryption protects against insider threats in your organization by turning convenient applications into safe ones. Workers may forget to switch from email to a secure portal to share confidential information. If they have a secure email application, however, they can turn on encryption without leaving their workflow or learning an inconvenient interface, which decreases the odds that they forget to protect their data.

Encryption key management further restricts insider threats, both from your own organization and from your tech providers. Most file and email security providers store both your keys and your data, which means they could, at least in principle, decrypt and read your information. If instead your secure email app's provider holds the keys but never the content, and your email provider holds the content but never the keys, neither one can read your information on its own, which means neither can compromise it alone.
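The split-custody model described here, and the access-policy and key-management point made under the heading Data-Centric Email Security Is the Solution above, can be shown end to end in a few dozen lines. The Go program below is an added example written for this page, not code from the original article or from Virtru, and it does not describe any particular product's design. It uses AES-256-GCM from the Go standard library, a key server that stores only per-message keys and recipient lists, and a mail provider that stores only ciphertext; the message text, addresses and message ID are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all the mail provider ever holds: ciphertext and nonce, never a key.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the 16-byte authentication tag appended
}

// Policy is all the key server ever holds: a per-message key and the addresses
// allowed to request it, never message content.
type Policy struct {
	Key        []byte
	Recipients map[string]bool
}

// KeyServer stands in for the encryption provider and MailProvider for the email provider, both keyed by message ID.
type KeyServer map[string]*Policy
type MailProvider map[string]Envelope

// RequestKey is the access-control point: copies of the ciphertext may exist
// anywhere, but the key is released only to an address named in the policy.
func (ks KeyServer) RequestKey(id, requester string) ([]byte, error) {
	p, ok := ks[id]
	if !ok || !p.Recipients[requester] {
		return nil, errors.New("access denied for " + requester + " on " + id)
	}
	return p.Key, nil
}

// Revoke removes a recipient after sending: the envelope at the mail provider
// is untouched, but that recipient can no longer obtain the key.
func (ks KeyServer) Revoke(id, recipient string) {
	if p, ok := ks[id]; ok {
		delete(p.Recipients, recipient)
	}
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts body under a fresh key and splits custody: key and policy go to the key
// server, ciphertext to the mail provider. The message ID is bound in as associated data.
func Send(ks KeyServer, mp MailProvider, id string, body []byte, recipients ...string) error {
	buf := make([]byte, 32+12) // 256-bit AES key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	key, nonce := buf[:32], buf[32:]
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	policy := &Policy{Key: key, Recipients: map[string]bool{}}
	for _, r := range recipients {
		policy.Recipients[r] = true
	}
	ks[id] = policy
	mp[id] = Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, body, []byte(id))}
	return nil
}

// Open is the recipient's client: envelope from one provider, key from the other, decryption locally.
func Open(ks KeyServer, mp MailProvider, id, requester string) ([]byte, error) {
	env, ok := mp[id]
	if !ok {
		return nil, errors.New("no such message: " + id)
	}
	key, err := ks.RequestKey(id, requester)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(id)) // tag check rejects a tampered envelope
}

func main() {
	ks, mp := KeyServer{}, MailProvider{}
	if err := Send(ks, mp, "msg-0001", []byte("Q3 figures attached, do not forward."), "bob@example.com"); err != nil {
		panic(err)
	}
	body, err := Open(ks, mp, "msg-0001", "bob@example.com")
	fmt.Printf("bob: %q err=%v\n", body, err)
	_, err = Open(ks, mp, "msg-0001", "mallory@example.com")
	fmt.Println("mallory:", err)
}
```

Run it with go run: Bob decrypts, Mallory is refused at the key server, and flipping one byte of the stored ciphertext makes Open fail the GCM tag check. Two things the example deliberately leaves out: a real key server must authenticate the requester (here the address is taken on trust), and the client that finally decrypts remains the one place where malware on the device can read the message.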

Encryption is Necessary But Not Sufficient to Secure Email
A strong lock won’t stop thieves if you leave your door wide open, and encryption won’t stop cyber criminals if you don’t follow good cyber security policies. Use these links to learn more about how to protect yourself.

Insider Threats in Cyber Security: What Can Employers Do to Protect Themselves?
Google Apps Security for the Mobile Workforce
8 Best Practices For Google Apps Security and Privacy