The Case for E-Mail EncryptionCritical Communications Require Next-Gen Security Measures
The difference between first-gen and next-gen solutions, Janacek says:
"In the first-gen system, the encrypted e-mail is given to internal users - employees - and they send messages from their desktop to external users. It's a one-way exchange of secure message," he says. "In the next-gen solution, we're looking at the bi-direction aspect of e-mail, and these systems empower the internal employees, along with their business powers and customers, to initiate an encrypted message. So, by allowing the external users especially to initiate a secure message, the organization speeds up its processes, which increases their business value and decreases their costs."
There are other solid business benefits to be gained from next-gen e-mail encryption solutions, Janacek says, that can help organizations ensure greater security of communications while saving costs. And the new solutions treat mobile communications as a "first-class citizen," he adds.
In an interview about next-gen e-mail encryption, Janacek discusses:
- The business case for e-mail encryption;
- The differences between first-gen and next-gen solutions;
- How organizations have improved security and cut costs through e-mail encryption.
Janacek has over 20 years of security and software design experience, and is the architect and original developer of DataMotion's email encryption and managed file transfer system. In his role as CTO at DataMotion he is responsible for keeping DataMotion technology on the cutting edge. He works extensively with customers to ensure DataMotion products bring them a strategic advantage as well as being easy to use and manage. In 1999 he co-founded DataMotion, and in 2004 he received a fundamental ease-of-use patent for 'dynamic creation of recipient accounts upon receiving a message.
TOM FIELD: Bob, to start out with, give me a sense: What does the recent Epsilon data breach tell us about the importance of data encryption?
JANACEK: Well, Tom, email is a killer app. It's used by most businesses, and because it's so ubiquitous, it's taken for granted. Even companies that should know better, like Epsilon, don't think of protecting it, and the same goes for companies in the financial industry and in banking, in healthcare, insurance - companies that deal with sensitive information send it over email just because it's taken for granted.
In Epsilon's case, the sensitivity was the relationship between the email addresses and the companies that those people did business with. So, for instance, a bank's customers could be correlated between their email lists. Therefore, it could be used by a phishing attack or, specifically, called spear phishing, where you know the relationship of the email address and the companies that that person does business with, and you can masquerade email messages to those users mimicking what the bank looks like, for instance, and getting them to divulge sensitive information like their login details. So that type of information was very sensitive, and especially the relationship between the email and the companies, and it really should have been protected.
The Case for EncryptionFIELD: Bob, it seems to me that this case was a wakeup call for a lot of organizations about encryption. If you take that as a premise, what would you say is the business case today? Why should we encrypt our email?
JANACEK: There are really five main areas that we would like to focus on as to why an organization should implement encrypted email. The first that I'll highlight is that it protects proprietary data about the business, things like intellectual property, their financials, communication among their board of directors. There's all sorts of things that an organization communicates that are part of its "secret sauce," and that shouldn't get out in the public. And so protecting their own data is probably the first reason to use email encryption.
Secondly, if they communicate to their customers, especially if they send sensitive data like account statements, Social Security numbers, the types of assets that may be in the customer's portfolio. This type of information needs to be protected, and also, by protecting it, you're showing the customer that you value the relationship with them, and that serves to increase your brand value.
In a similar sense to protecting data about their customers, a business needs to also protect the data that they exchange with their business partners. So whether that data contains customer data or other data about the organization, the communication to business partners is definitely a channel that should be protected.
And one that we all think of, which is the fourth in this list, is compliance with privacy regulations and audit requirements. In the financial space, there are numerous privacy regulations, on the federal level and also on state level, of governing the types of information that can be sent over the public internet. A lot of firms are sending out this information. Maybe they're unaware of it, but that would put them in breach of these privacy regulations.
And then, lastly, from a pure business improvement perspective, sending things electronically is much more efficient than using legacy processes like telephone, postal mail and fax. So by running more of your business electronically, you gain a strategic advantage over those companies that are left behind using paper and fax and phone and such. So those vital exchanges of information should also be done by encrypted email.
Fundamentals of E-Mail EncryptionFIELD: Well, that's a good introduction to the "why." When you're looking at level setting, where we are with email encryption today? What would you say are the fundamentals of email encryption as we know it?
JANACEK: Well, the key fundamental of email encryption and the reason we do it is because you want the message and the attachments to go across the internet in a secure manner. I mean, that's by and large the driver for most businesses today. And just a little bit of background on that, because there is some confusion in the market as to how email really works. There are three main legs that an email message takes. One goes from the organization up to their mail server or to their cellular provider. The other leg goes across the internet to the recipient's systems. And then the final leg goes from the recipient's system down to their client. So it's like an up, over, and down type of scenario. The up and down legs between the organization and their servers and such are usually secure, but the one that crosses the public internet is the one where hackers can eavesdrop on those messages. In fact, a message just doesn't go from the sender's system to the recipient's. It actually takes many hops as it goes across the internet. They call it the worldwide web, and one of the reasons is it has a very high availability should any of the legs of the system go down. So, hops are built into the system. At every one of those points where there's a hop, the message is open for hackers and unintended people to see that message, even long after the recipient has received the message.
So, with that understanding of the way the email flows across the internet, I just wanted to say some of the goals of email encryption. Like I say, the main goal is that it sends messages securely across the internet. That's done typically with a toolbar button that's added to the sender's email client, and it allows them to click, for instance, a Send Secure button instead of Send button, if they want the message to go securely. Then another main way that messages are sent securely is by examining their content. So when a message, before it leaves the organization's perimeter, it goes through a content scanner and it looks for sensitive data like credit card numbers or Social Security numbers or account numbers. It can send the message securely on their behalf. So the one way is the user initiated, by hitting a Send Secure. The other is by having the message inspected.
Next Gen EncryptionFIELD: So Bob, if that's email encryption as we know it today, how do you define next generation encryption?
JANACEK: Before I set up the next gen scenario, I think it's important to understand the premise of the first gen systems. In the first gen system, the encrypted email is given to internal users, like employees, and they send messages from their desktop to external users. It's a one-way exchange of secure messages. In a next gen solution, we're looking at the bidirectional aspect of email, and these systems empower both the internal employees, the one with their customers and business partners, to initiate an encrypted message.
Two other aspects of next gen which I think are important are bringing the content inspection up another level. It's one thing to look for patterns that may be an account number or a pattern that's a Social Security number, but a lot of those patterns that are matched turn out to be false alarms. So, increasing the accuracy of the system by actually using live lists of data and scanning against the live list of account numbers; not just any, for instance, nine-digit number, but the actual 100,000 account numbers that a financial firm may have, or 1,000,000 or 10,000,000. But using a live set of data and not guessing increases the accuracy of the system, and therefore users are more comfortable implementing it.
And then, lastly, I just wanted to point out that in a next gen system, mobile becomes a first-class citizen. Your employees today have iPads and iPhones and Androids, and they expect their email system to work with those, which they do very well today. However, the encrypted email system in the first gen treated those as second-class citizens, if at all being compatible. In the next gen system, as easy as it is to use email on those devices, that's also as easy as it is to send and receive encrypted email.
How to Reduce CostsFIELD: Now, Bob, I know you've got a number of customer success stories. If you look at your customer base, tell us how organizations actually have reduced costs by moving to next generation encryption.
JANACEK: I have a few examples. One of our customers is a credit union, and they're using some of these next gen features to greatly reduce some costs. And specifically, they allow their customers and partners to initiate encrypted messages into their organization, whereas previously they had to handle faxes, postal mail and telephone calls. Now the customer-initiated encrypted email is so efficient that they were able to reduce their call center head count by three employees. That's one example.
Another that we have is a bank. They use secure email to send PIN reset requests for the customers that have ATM cards. They send out the encrypted mail instead of postal mail, and that dramatically cut the cost of physical delivery, and it also increased their customer satisfaction since they get PIN resets within the hour as opposed to having to wait a couple days.
And then one last one I'd like to highlight, probably the biggest cost saver that I've ever been associated with, is a state agency that eliminated 1,500,000 overnight courier deliveries per year by switching to encrypted email. And it actually turned that agency from a cost center into a profit center.
FIELD: Wow, very compelling examples. Now, a couple minutes ago, Bob, you used the term about mobile devices, saying the next generation solutions really make mobile the star. Give us a sense of how your encryption solution, in particular, does help integrate with mobile devices.
JANACEK: Most people are familiar with apps on mobile devices, and apps are used to extend the capability. But from an email perspective, you want to really be in your email client on a mobile device. You don't want to have to go click an icon, log into some app just to see if you have a secure message. Or if you happen to be creating a message in the device's email client and then you say, "Hmm, yeah, that really should go securely," you don't want to cut and paste out of that email client, launch an app, and initiate a secure message. So what we've done is with that behavior of users, that they want to be in their mobile device's email client, we've completely integrated our secure mail product into the mobile device's client. So a user can launch their email client, send a standard message, or send a secure message in exactly the same way. Also, when they retrieve a secure message, other than it coming to the device securely, it looks exactly the same as a standard message. They can read it immediately. They can access the attachments immediately. It works exactly the same as standard email.
Where to StartFIELD: Bob, final question for you. The big question everybody is going to have is, where do you get started? So for organizations that really want to pursue this next generation of email encryption, what advice do you offer them?
JANACEK: When an organization is creating their requirements, they really should not just think about the compliance and privacy aspects of sending outbound email. Email encryption brings much more value than this. What they should do is consider what processes could be more efficient by allowing the customers and partners to initiate secure messages back to them. For instance, can they eliminate positions in their call center or maybe reassign those positions to other areas?
Secondly, they need to look at a multilayered approach to email security. Adding a button to the email client is called user-initiated secure mail. That should also be backed up by a gateway level approach where the outbound messages are scanned for sensitive content. That way their employees' backs are covered in case they click the wrong button, they click send, when there was something sensitive in the message. So that multiple layer of defense is considered a best practice in email security.
Then, finally, you want to make sure that email encryption treats your mobile users as a first-class citizen. You want to make sure that they use it in a way that's most natural to them where it's built into the email client. If they have to go out to an app or they have to launch a browser with a mobile skin, it's out of the normal workflow, and then it won't get used nearly as much. So those are the three recommendations that I have.