Page 12 - Cyber Warnings - November 2015
Communicating without PKI Keys – Secure email delivery
Password-based encryption has become an established alternative to key-based encryption. The
message can be delivered directly to the recipient as an encrypted PDF file, or a secure web mailer
account can be created on the fly for each recipient.
Only instructional messages to the recipient are communicated using non-encrypted emails whilst
the sensitive content is always protected. Secure PDF or web mail delivery enables businesses to
communicate instantly and securely with any recipient.
Limits of Gateway Security
A Secure Email Gateway acts as an interface to the Internet at which emails are encrypted and
decrypted. Within the company network, however, the emails are transmitted in plain text without
any encryption.
This remains a secure method to protect against foreign intelligence services and industrial spying
and has been used by companies, institutions and public authorities for years. At the same time
however, there are situations in which end-to-end encryption is required.
When using mobile devices such as laptops, phones and tablets, emails are transmitted outside the
company network via WiFi or mobile network in plain text. It takes little investment and only basic
skills to gain access to the message content.
Therefore the aim is to secure the content itself between the gateway and end users as well as
between users. Securing the transport layer with TLS or VPN can add some level of protection and
investment in Mobile Device Management Systems (MDM) should not be ignored.
But foolproof security can only be achieved when the content is secured in transit and of course
when it is stored in an encrypted state on intermediate servers and end devices.
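
The hop-by-hop exposure described in this section can be checked from a delivered message's own Received headers. The following is an added example, not part of the original article: it classifies each hop by the RFC 3848 "with" protocol keyword, and the sample message and hostnames are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that indicate the hop was carried over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message; all hostnames and addresses are hypothetical.
SAMPLE = """\
Received: from gateway.corp.example (gateway.corp.example [10.0.0.5])
\tby mailstore.corp.example with ESMTP id A3; Mon, 2 Nov 2015 09:00:03 +0000
Received: from mx.partner.example (mx.partner.example [192.0.2.10])
\tby gateway.corp.example with ESMTPS id A2; Mon, 2 Nov 2015 09:00:02 +0000
Received: from laptop.partner.example (laptop.partner.example [198.51.100.7])
\tby mx.partner.example with ESMTPSA id A1; Mon, 2 Nov 2015 09:00:01 +0000
From: alice@partner.example
To: bob@corp.example
Subject: Quarterly figures

body
"""

HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.DOTALL | re.IGNORECASE,
)

def audit_hops(raw_message):
    """Return hops in delivery order as dicts with src, dst, proto, tls."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so reverse for sender-to-recipient order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            # Unparseable hop: report it as not encrypted rather than assume TLS.
            hops.append({"src": None, "dst": None, "proto": None, "tls": False})
            continue
        proto = m.group("proto").upper()
        hops.append({"src": m.group("src"), "dst": m.group("dst"),
                     "proto": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def plaintext_hops(raw_message):
    """List (src, dst) pairs for hops that did not report TLS."""
    return [(h["src"], h["dst"]) for h in audit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```

Received headers are written by the relays themselves, so the result is an indication rather than proof. Even a path that reports TLS on every hop leaves the message in plain text on each server it passes through.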
End-to-End Approach for Enterprises
End-to-end encryption usually means complete content encryption between end devices and also
the encrypted storage of the message on the end device. Only the recipient who is in possession of
the required key can decrypt and access the message and its content.
However, this highly secure communication method raises a number of problems for businesses.
Employees work for the business and the information and communication they generate belongs to
the company. In order to support audit compliance, archiving and business continuity, it is
imperative that the company has control over its entire email traffic.
Companies also need to be in control in order to protect themselves from spam, viruses, loss of data
and even phishing attempts despite email encryption. The roll-out of distributed content filtering and
scanning would simply not be scalable or practicable in a standard end-to-end encryption scenario.
Copyright © Cyber Defense Magazine, All rights reserved worldwide