Although E-mail has been an essential part of internal and external corporate communication for a long time, there is a large gap between perceived and actual E-mail security. According to a survey of German companies conducted by the market research firm Smart Research on behalf of the digital identity specialist TC TrustCenter, protection against the well-known threats is widespread: spam (83% of those surveyed), phishing (58%) and virus-infected E-mails (93%). Protection against other risks, however, is frequently neglected. Only 41% of the companies surveyed consider protection against fraudulent tampering with, or unauthorised reading of, confidential E-mails an issue; only 27% of the CIOs asked encrypt their business E-mails, and only 36% sign them.
So what prevents the majority of business users from encrypting or signing their E-mails? Are the benefits of encrypting and signing E-mails not sufficiently known or is there a lack of social or legal pressure?
Reason #1: Business Requirement – Competitiveness
Keeping pace with the market is a key success factor for businesses. Competitive advantages come from shorter time-to-market and faster reaction times in customer service. Remote and mobile workforces that need to submit proposals at short notice or obtain fast approvals depend on E-mail. Digital signatures give those business-critical transactions the integrity protection and proof of origin that a plain E-mail lacks, and, combined with proper key management, the non-repudiation a contract needs. And no business wants details of a new product published before the launch, so encrypting confidential content is mandated by good business practice, or simply by common sense.
Reason #2: Legal Requirements – Compliance
An increasing number of new guidelines and laws (see the list below) define the legal framework for secure electronic documentation and storage, for archiving and resubmission of data and for the verifiability of digital documents.
Violations of corresponding data-protection, financial and taxation regulations and even criminal law can be sanctioned with drastic fines. The individuals ultimately responsible, such as CEOs, Boards, Management Teams or those responsible for IT can even be made personally liable for damage incurred. And we should not forget the direct damage, like data loss or production downtimes, as well as damage to a company’s image if, for example, security gaps become known to the public. Many managers are therefore asking themselves with good reason whether they are protecting their organisations effectively.
There are few general legal frameworks with clear requirements for signing or encrypting E-mails, however some industries, such as Utilities or Pharmaceuticals have defined specific requirements.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Data protection laws
Corporate Governance codes and principles
Legal requirements or guidelines from the US for multinational companies
California Senate Bill 1386
USA Patriot Act
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
Gramm-Leach-Bliley Act (GLBA)
Reason #3: Customer Trust – Anti-phishing
Customer trust in a supplier has always been an essential success factor, and not only since the financial crisis. After all, new cases of fraud through phishing E-mails are reported every week.
There have been many campaigns to educate people on the topic of phishing mails. And you would think that every user is well informed on how to recognise E-mails sent from a fraudulent source. Yet there are still a large number of cases of fraud perpetrated using phishing E-mails. The resulting damage for the companies concerned due to the loss of image or the loss of trust by their customers can hardly be expressed in numbers. Therefore for many companies, the medium of E-mail used for customer communication is no longer attractive.
The best reassurance for customers is a digital signature on every E-mail, made with a certificate from a recognised certification authority. The measure is inexpensive, generates no extra effort for senders and recipients, and a signature cannot be forged without the signer's private key. It lets the customer reliably check who the sender of the E-mail is: the mail client verifies the signature and the certificate chain, and the result shows whether the message is unmodified and really originates from the bank, Internet service provider or online service provider. Two caveats apply in practice: the check only helps if the customer's client validates the chain up to a trusted root and displays the result, and a valid signature proves control of the key issued for that sender address, not that the address belongs to the company it claims to, so customers still need to know which addresses the company sends from.
Typical customer requirements
Once a company has recognised the necessity and the advantages of introducing signatures and encryption for its E-mail communication, project managers see themselves confronted with a whole range of requirements:
Even encrypted E-mails must be covered by the enterprise virus and spam protection.
Encryption needs to meet different requirements for various confidentiality classes. Usually, basic protection is required for regular communication and special protection for selected areas, e.g. the research and development department.
Measures for non-repudiation and tamper protection of E-mails must meet the requirements for audit-proof (revision-secure) retention.
The workflow may not be hindered by the implementation of a secure E-mail solution, e.g.
with regard to rules for substitute employees (during leave or sickness cover) or to allow the secretary to read E-mails
when issuing receipts of delivery
when communicating with external addressees without any secure E-Mail solution
when using mobile devices
when connecting mobile employees by using web mailers
And last but not least, long-term electronic archiving of the E-mails must be possible without their audit-proof status being lost over that time, e.g. because the signing certificates have since expired or the verification data was not archived with the message.
A high degree of user friendliness and low administrative and support costs repeatedly rank at the top of the list of the criteria most often named in surveys. The option of central implementation of a corporate-wide policy is also a decisive selection criterion for E-mail security solutions.
Some of these requirements were long considered irreconcilable. However, in the meantime the required technology has been perfected to such a degree that it can no longer only be used by expert groups with an affinity for technology. Today, the requirements frequently cited as obstacles can be solved and typical stumbling blocks can be avoided.
Two matched components are required to implement E-mail encryption and signatures: software that signs and encrypts, and a PKI (Public Key Infrastructure) that generates the cryptographic keys and issues the certificates for them.
Component: the E-mail Software
Two procedures have been established for signing and encrypting of E-mails: Either each user signs and encrypts locally on his E-mail client, or this is done centrally and transparently on his behalf via a server based so-called E-mail gateway.
If control lies directly in the E-mail client (e.g. Microsoft Outlook), each user is responsible for observing the corporate-wide policy for sending E-mails. All functions for signing and encrypting, and for verifying and decrypting, are carried out in the E-mail client, and the key material is managed in decentralised key stores (on the workstation or on a token). Certificate auto-enrolment, available with Windows Server 2003 and later, can ease key generation and distribution. Together with a suitable PKI, e.g. the TC EID QuickStart solution, the certified keys are available within a few minutes.
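The client-side procedure above, worked through with the openssl command line as an added example (not code from the original article or from TC TrustCenter): a private CA stands in for the corporate PKI, a user certificate with an E-mail subjectAltName is issued, a message is signed, verified and encrypted, and the two failure modes a verifier must catch are shown: a body modified after signing, and a signature from a certificate that does not chain to the trusted CA. All names (Example Internal CA, alice@example.com, mallory, the sample message) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): S/MIME signing, verification
# and encryption with the openssl CLI. Names and the sample message are constructed.
set -eu
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
cd "$WORKDIR"

mk_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# 1. A self-signed root standing in for the corporate PKI. basicConstraints and
#    keyUsage are set explicitly so that chain validation accepts it as a CA.
mk_key ca.key
openssl req -new -key ca.key -subj "/CN=Example Internal CA" -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -sha256 -extfile ca.ext -out ca.crt 2>/dev/null

# 2. Issue a user certificate. The mail address goes into subjectAltName and
#    extendedKeyUsage limits the key to e-mail protection, which smime -verify checks.
issue_user_cert() {   # $1 = file prefix, $2 = e-mail address, $3 = issuer key, $4 = issuer cert
  mk_key "$1.key"
  openssl req -new -key "$1.key" -subj "/CN=$1/emailAddress=$2" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=email:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$4" -CAkey "$3" -CAcreateserial -days 30 -sha256 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
issue_user_cert alice alice@example.com ca.key ca.crt

# 3. Signing produces a multipart/signed message: the body stays readable, with a
#    detached PKCS#7 signature. Verification requires the signer cert to chain to -CAfile.
sign_mail()   { openssl smime -sign -in "$1" -signer "$2" -inkey "$3" -from alice@example.com \
                  -to bob@example.com -subject "Offer 4711" -out "$4" 2>/dev/null; }
verify_mail() { openssl smime -verify -in "$1" -CAfile ca.crt -out /dev/null >/dev/null 2>&1; }

printf 'Please approve offer 4711 for 10000 EUR.\n' > msg.txt      # constructed sample body
sign_mail msg.txt alice.crt alice.key signed.eml
verify_mail signed.eml && echo "signed.eml: signature and chain OK"

# 4. Failure mode 1: the body is changed in transit, so the signed hash no longer matches.
sed 's/10000 EUR/90000 EUR/' signed.eml > tampered.eml
verify_mail tampered.eml || echo "tampered.eml: verification failed (content modified)"

# 5. Failure mode 2: a phisher self-signs a certificate for the same address. The
#    signature is cryptographically valid, but the chain ends in an untrusted root.
mk_key mallory.key
openssl req -new -key mallory.key -subj "/CN=alice/emailAddress=alice@example.com" -out mallory.csr 2>/dev/null
openssl x509 -req -in mallory.csr -signkey mallory.key -days 30 -sha256 -extfile alice.ext -out mallory.crt 2>/dev/null
sign_mail msg.txt mallory.crt mallory.key spoofed.eml
verify_mail spoofed.eml || echo "spoofed.eml: verification failed (signer not issued by the trusted CA)"

# 6. Encryption to Alice's certificate: only the matching private key can decrypt.
encrypt_mail() { openssl smime -encrypt -aes256 -in "$1" -out "$2" "$3" 2>/dev/null; }
decrypt_mail() { openssl smime -decrypt -in "$1" -recip "$2" -inkey "$3" -out "$4" >/dev/null 2>&1; }
encrypt_mail msg.txt enc.eml alice.crt
decrypt_mail enc.eml alice.crt alice.key dec.txt && grep -q '10000 EUR' dec.txt \
  && echo "enc.eml: decrypted with Alice's key"
decrypt_mail enc.eml mallory.crt mallory.key wrong.txt || echo "enc.eml: other keys cannot decrypt it"
```

The same checks are what a gateway performs centrally: verify_mail is the step that turns "has a signature" into "was signed by a key our PKI vouches for", and the spoofed.eml case is why the root in -CAfile, not the presence of a signature, decides the outcome.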
The advantages of a client-based solution are easy to see: it offers maximum confidentiality, because the message is encrypted end-to-end between the sender's and the recipient's mailbox, and generally no additional software is required. On the other hand, the disadvantages may concern those responsible at the company:
Uniform corporate security policies are difficult to push through on a decentralized basis: the end user must be trained in the technology and the corporate processes involved and must ensure compliance with them personally.
Substitution (deputy) rules are rarely implemented properly, antivirus and content scanning become more difficult because the gateway only sees ciphertext, and maintenance effort falls on the user and generally ends up at the user help desk.
There is no standardised solution for access to encrypted information, e.g. for recovery purposes after an employee has left the company, and additional measures are required.
With secured communication at the server level, an E-mail gateway handles a company's entire E-mail traffic centrally.
It automatically decrypts incoming E-mails, checks signatures for validity and forwards the decrypted E-mail internally, together with the verification result, to the employee in accordance with corporate policy. Other security checks (e.g. anti-virus) run as usual on the decrypted message. In addition, the gateway encrypts and signs all outgoing E-mails according to the central policy.
Key management is then also carried out centrally on the gateway, which stores a signing key and a decryption key, each with its certificate, for every employee. If these are missing, they are issued and assigned to the correct E-mail account on the gateway within minutes.
Even addressees without the necessary infrastructure can be integrated into secure communication via a gateway solution. For this purpose, gateways offer not only the sending of encrypted PDF files, but also the pick-up of E-mails via an SSL/TLS-secured webmail function. The recipients then require neither an S/MIME- or OpenPGP-capable E-mail program nor the installation of any other program at their end.
The advantages are obvious
Central implementation of the corporate-wide security policy is completely supported.
The central virus and content scan can usually remain unchanged.
No change in workflows and no training of the users is necessary.
Experience shows that this results in minimal work for the user help desk.
Very important: no maintenance effort is required from the end user. In addition, simple processes for message recovery and deputy rules are available.
The disadvantages are minimal
Encryption of E-mails is only performed between the E-mail gateways (or between the gateway and the external recipient), not end-to-end: inside the company the message travels and is stored in cleartext, so internal transport protection between gateway and mail server and the access controls on mailboxes remain important.
A hybrid solution using both approaches appeals to most people. It enables encryption for various confidentiality classes, i.e. both basic protection for regular communication using the server-based solution as well as special protection for selected employees of a company (management team, human resources department, etc.) using the workplace-based solution.
Component: The PKI
For generating and certifying the necessary keys, companies can either operate their own PKI software or use an on-demand service from a PKI provider. If binding communication with external business partners is a priority, externally recognised certificates, i.e. certificates whose chain ends in a root that the partners' mail clients already trust, are recommended. With a self-operated PKI this is achieved by having the internal CA root-signed (cross-certified) by a publicly trusted root; established on-demand PKI providers usually include this as an essential part of their service.
An important factor for a convenient rollout is the support of automated interfaces in the E-mail software. For example, when using PKI services from TC TrustCenter, the certificate rollout is carried out via a SOAP interface already integrated as standard in many gateways or via the TC AutoEnrollment Server customised for use with the Microsoft processes.
The PKI should meet the following requirements
Issuing of externally recognised user certificates by globally trusted root certificates.
Regular issuance of CRLs and the option of checking certificate status online via OCSP.
Publication of the encryption certificates in a publicly accessible LDAP directory, so that external communication partners can start encrypted communication spontaneously.
An interface for an automated certificate rollout to avoid additional effort and expenses during the setup and administration of the solution.
E-mail security strengthens customer trust
Many companies, like Autoflug, Arvato Systems, NetBank, LB Swiss and Stadtwerke Düsseldorf, have already introduced E-mail security based on TC TrustCenter certificates and can report strengthened customer trust:
“As one of the leading German IT service providers, it was especially important to us to ensure trustworthy communication with our customers and partners by attaching a digital signature to all E-mails,” says Thomas Tenzler, Product Manager at arvato systems. “Unfortunately, online fraudsters are always inventing new methods for phishing or spear-phishing attacks and other racketeering on the web. With the gateway solution from Totemo and the certificates from TC TrustCenter, we make sure our customers can always recognise which E-mails actually come from us and that all sensitive content is protected.”
“For us as a full-service bank that sells its products exclusively on the Internet, E-mail is the main communication medium. As a result, we especially take the maximum possible security precautions in this area,” says Nico Koller, of IT Project Management at NetBank AG. “In the age of phishing and spam, the signature-based authenticity check plays a major role. We have educated our customers on the use of digital signatures and have now been using the certificates since July 2006. Since then we have only received positive feedback from our customers and notice a high degree of trust in our electronic mail.”
“E-mail continues to grow in importance as a communication medium for us. To protect our customers from dangers like phishing or data theft, we have made signing of all E-mails directed outside the company part of our company policy and have created the possibility of sending electronic mail encrypted,” says Zdravko Ruzicic, Director of Systems and Network Engineering at LB (Swiss) Privatbank AG. “As there is no Trust Center in Switzerland yet that can meet the desired requirements, we looked around in Germany and found TC TrustCenter as the ideal supplier. Thanks to the managed services they offer, they take a lot of work off our shoulders.”
In today's business communication, strong protection against tampering is what makes an E-mail binding. Certificates can be created on demand with modern interfaces between PKI providers and key management software, and central, automatic enforcement of the corporate policy for E-mail traffic simplifies the handling of E-mail security for everyone involved. Given that, there is no reason today for companies to wait any longer before they start signing and encrypting their E-mails.