Recent events have put data security at the top of the enterprise agenda, and big vendors are reacting. This week alone both Google and Microsoft revealed plans to make their email services more secure. That is not to say that they weren’t secure already. However, what they, and other vendors building data-focused applications have to do now, is introduce new security layers so as to reassure users that using those applications won’t result in their personal data being compromised.
Microsoft’s big security announcement this week was that over the coming weeks, it will add another level of encryption to Outlook.com to allow mail recipients to receive a one-time passcode that prevents the wrong people from viewing sensitive documents that are forwarded from your account..
Google for its part, and according to reports in TechCrunch is testing a new feature for its new version of Gmail that will enable users sending emails to other Gmail users set an expiry date for those emails. It will also block recipients from using options to forward, download, or copy the email's contents and attachments will be disabled.
Related Article: 4 Information Security Trends for 2018
Encryption Needs To Be SeamlessLee Munson is a security researcher for UK-based Comparitech.com, which provides advisory services on the adoption of tech services. He says that at least for the moment, email encryption, while a good idea is not ready for general adoption. “From the standpoints of both security and privacy, the ability for everyone to send and receive encrypted email has to be a good thing, even if certain governments and law enforcement agencies around the world would disagree,” he said.
He added that for that to become a reality the process has to be seamless and, in that area, new features in both Outlook and Gmail are just off the mark. While Microsoft claims end-to-end encryption for its new service, it is unclear whether the same holds true for Google's alternative. “In both cases, the process is hardly quick or intuitive with recipients of confidential emails required to click on links, which in itself makes me shudder due to how prevalent an issue phishing is, in order to read the message, “ he said.
Related Article: Forget Slack vs. Email: Think Slack Plus Email
Why Email Encryption Is Difficult
However, while securing emails can only be a good thing, Dave Martin, vice president at VeriFyle, a San Jose, Calif.-based developer of messaging and file sharing software, points out that there is no easy solution to the problem of securing emails, even when encryption is available. Encrypted email services almost always require some kind of software (like an email client) installed on both the sender's and the recipient’s devices in order to manage the exchange of public and private keys. If the recipient doesn’t have nodes that can find the keys, you can't decrypt the message and the encryption becomes worthless.
This installation can be mitigated by using a browser app (where the browser hosts the installed software). In this case, users can encrypt messages on the client side and in transit as long as the sender and recipient are using the same service. In other words, if both people are using Gmail, the messages can be encrypted without much extra effort on the user's part. However, if someone using Gmail wants to send to someone using Hotmail, encryption becomes extremely difficult for the average user to manage. “What we've witnessed is that while many people say they want improved security for the digital communications, they loathe any extra complexity — even one step more than they are used to). As a result, they default to the most convenient method even when sending sensitive information,” he said.
A separate problem is how the keys are created, stored and managed. If many services in an enterprise choose to use master keys for encrypting information in bulk this can improve performance, but can also lead to massive breaches where one hacked key gives a hacker access to many user accounts. Separately, the provider in almost every case keeps a backup of all user keys (in case, for example, they forget their password). In order to be truly secure, a user needs to have the option to forbid the service from keeping a backup key.
Encryption Will Be Industry Specific
How encryption works will depend on the industry, according to Dylan DiMartino, the founder and CEO of New Orleans-based Dunwich Technologies, which builds technology for the health industry. He said that for healthcare and other industries that handle sensitive personal data, adding encryption is crucial for compliance and risk mitigation. New and small healthcare providers may not have the financial or IT capability to implement a standalone encrypted email solution and leave themselves open to fines if any protected health information is transmitted by email.
He points out that with major players like Microsoft and Google adding encryption to their email services competitors and even small business will have no choice but to follow that path too. “In light of recent data scandals, consumers are more concerned about Cyber Security than ever before. This is a win for consumer privacy, as Email providers will continue to implement Security focused features as a means of competitive advantage,” he said.
Built-In Encryption Offers Transparency
Email has to be one of the most relied upon methods of communication that, for the most part, offers no assurances about the sender or that the content of the message is still what was actually sent, according to Mike Bradshaw, a partner with San Francisco-based Connect Markerting. That email also has little or no guarantee of delivery makes it all the more surprising that its popularity grew to the level is has today until you consider how simple it is to use. And it’s likely to get better.
He said that having encryption built into the email solutions like Office 365 and Gmail offers the opportunity for a more streamlined and almost transparent experience that could make the transition to encrypted-only actually viable. For users this will mean assurance that the content of their message is safe from tampering and even unauthorized reading without needing to manage the complexity of the encryption and exchange of secrets.
“It won't stop email marketers from sending you messages but you'll be able to identify the sender and get yourself off their mailing lists more easily, “he said.