Processor ®
May 2, 2008 • Vol.30 Issue 18
Page(s) 11 in print issue

Email Encryption Showdown
A Look Inside The Multiple Methods For Encrypting Messages

To the average employee, email is a simple, efficient means of communication. But to IT security personnel, email represents a battleground, where messages containing sensitive company information travel through cyberspace as snipers lie in wait. The first line of defense against these snipers is encryption, but choosing the right method for a particular IT environment can be challenging.

“[IT managers] really need to build a security profile and then base their decision on that,” says Andres Kohn, vice president of product management at Proofpoint (www.proofpoint.com), a firm that specializes in email security and data loss prevention. “They should talk to security personnel, compliance personnel, and business users to really understand how email relates to their business and then choose an email security solution that will support the business needs.”

Understanding email’s role in the business is only part of the security equation because there are multiple methods of encryption that can help to keep messages out of the hands of thieves, competitors, and others not intended to see their contents. Each of these methods can prove effective in certain environments, but knowing their particular aspects can help managers make an informed, safe decision.

Server To Server

The most common method of email encryption, server-to-server encryption, creates an encrypted connection between two email servers through the use of Transport Layer Security, or TLS. Although the email remains encrypted during its journey between servers, it begins and ends that journey in plain-text form.

"Server-to-server encryption methods are beneficial from the point of view of ease of use—from the user's point of view, nothing needs to be installed, configured, or done on the user interface side in order to transmit messages securely from system to system," says Cameron Niles, principal at consulting and integration firm Syzygy 3 (www.syzygy3.com). “On the downside, the message transmittal between the endpoints to the server are not encrypted, and the go-forward storage of the email of the server systems may or may not be encrypted.”

Taher Elgamal, CTO of Tumbleweed Communications (www.tumbleweed.com) and the recognized inventor of SSL, adds that this method, also known as gateway to gateway, has no impact on the email client and allows automatic encryption based on policy, but the lack of encryption within the organization and the inability to use signatures are downsides.

Server To Recipient

Unlike the server-to-server method, server to recipient encrypts email between the sending server and the recipient’s system, even if the email wasn’t originally encrypted on the sender’s system. This type of system can be particularly useful when companies send email out of the enterprise, such as to customers or partners.

“Server-to-recipient encryption can be an improvement over server-to-server methods, as it generally stores the sent email in an encrypted manner on the recipient’s system and also transmits the message from the sender’s server all the way to the recipient’s endpoint in an encrypted manner. On the downside, this method can require significant additional configuration and interaction at the recipient’s endpoint,” Niles explains.

Kohn adds that because this method is easy to manage and transparent to the sender, it can be valuable to regulated companies that must prevent information leakage. Rules can be established on email policies that automatically encrypt sensitive email to the recipient’s inbox, though the rules must be configured ahead of time.

Sender To Recipient

For the ultimate in security, at least in theory, the sender-to-recipient method ensures that messages are encrypted from the moment they leave the sender’s client and remain encrypted when they reach the sender’s system. Despite its inherent ability to provide end-to-end security, this method brings significant drawbacks.

Plenty of configuration, maintenance, and interaction on the user endpoint is required to make this method work, and those aren’t traits bound to be well-received by employees. Kohn notes that because the encryption requires this level of work on both ends, the potential for human error is increased because people might forget to encrypt messages, not know messages need to be encrypted, or not know how to encrypt at all.

“Additionally, some systems limit the availability of access to email to the physical user endpoint that has the encryption solution installed, making it impossible for a roaming user to access historical email from other endpoints,” Niles says.
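
The difference between hop-by-hop TLS (server to server) and encryption of the message itself (sender to recipient) can be read off a delivered message. The following Python code is an added example, not from the article or from any vendor quoted in it; the host names, addresses and sample message are constructed, and it assumes each relay records the RFC 3848 "with" keyword in its Received header.

```python
import email
import re

# Constructed sample (not from the article). Servers prepend Received
# headers, so the newest hop is listed first.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [203.0.113.5])
 by mailstore.partner.example with ESMTP id c3; Fri, 2 May 2008 10:00:03 -0500
Received: from gw.corp.example (gw.corp.example [198.51.100.7])
 by mx.partner.example with ESMTPS id b2; Fri, 2 May 2008 10:00:02 -0500
Received: from desktop17.corp.example (desktop17 [10.0.0.17])
 by gw.corp.example with ESMTP id a1; Fri, 2 May 2008 10:00:01 -0500
From: alice@corp.example
To: bob@partner.example
Subject: Q2 forecast
Content-Type: text/plain

Figures attached.
"""

# "with" keywords that RFC 3848 assigns to transfers protected by STARTTLS.
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)")

def hops(raw):
    """Return (from, by, protocol, used_tls) per hop, oldest hop first."""
    msg = email.message_from_string(raw)
    found = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold the header
        if m:  # headers without a "with" clause are skipped, not guessed
            found.append(m.groups() + (m.group(3).upper() in TLS_WITH,))
    return found

def body_encrypted(raw):
    """True if the MIME structure says the body is encrypted end to end."""
    msg = email.message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":  # OpenPGP/MIME, RFC 3156
        return True
    smime = ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
    return smime and msg.get_param("smime-type") == "enveloped-data"

if __name__ == "__main__":
    for frm, by, proto, tls in hops(SAMPLE):
        print(f"{frm} -> {by}: {proto} ({'TLS' if tls else 'plain text'})")
    print("body encrypted end to end:", body_encrypted(SAMPLE))
```

Received headers are written by each relay and can be forged by earlier hops, so the result is an indication of transport protection rather than proof of it.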

URL Delivery

Over the years, many iterations of the URL delivery method have made their rounds. In this method, recipients receive an email instructing them to click a URL to securely receive a sender’s message. The message can also be sent as an HTML attachment directly to the recipient’s inbox.

Although this form of server-to-recipient encryption boosts security by forcing users to engage in the encryption process to access their messages, it carries its share of drawbacks. Niles notes that these two-step systems are often impractical for time-sensitive communication methods such as email, and they can also severely limit access to incoming email by recipients using handheld devices.

Which Is Best?

The sender-to-recipient encryption method appears to deliver the highest degree of security, ensuring that messages are encrypted during transmission and facilitating the easy encryption of stored messages. But this method’s success rests on the shoulders of its users, creating potential problems. Experts generally agree that the “best” method is that which best fits a specific environment.

Niles recommends that managers find the answers to multiple questions to determine the best encryption fit: Are we primarily concerned with encrypting transmission across the Internet? Are we primarily concerned with the encryption of stored email after it’s sent? Do our existing messaging systems integrate tightly with encryption solutions? Do we have direct access and control over user endpoints in the organization?

“Encryption is an effective method of security but particularly so when the organization clearly understands what needs to be achieved via encryption,” Elgamal says. “Each method of encryption best suits a particular set of enterprise situations—the challenge is determining the required method that fits an enterprise’s need.”

by Christian Perry


Benefits Of Blending

Not all security technologies play well together, but email encryption methods do. In fact, experts often recommend using more than one encryption method if the particular IT environment calls for it.

“It is sometimes even necessary to use multiple methods of encryption,” says Taher Elgamal, CTO of Tumbleweed Communications (www.tumbleweed.com). “In cases of communications between closed communities, there are more options, whereas communicating to users outside the organization may require the use of private URLs. . . . Gateway-to-gateway encryption should be used in conjunction with other forms of encryption since it allows all emails to be encrypted over the Internet, while only a small percentage would be encrypted to the desktop.”

Cameron Niles, principal at consulting and integration firm Syzygy 3 (www.syzygy3.com), adds that the most common blend he sees is server-to-server and sender-to-recipient, which combine to ensure all messages are transmitted and stored in an encrypted manner from endpoint to endpoint.



Copyright © by Sandhills Publishing Company 2010. All rights reserved.