Page 13 - Cyber Warnings - November 2015
Organizational Approach – Combining internal with external encryption
For everyday use within a business environment, even with end-to-end encryption there needs to be a
point of access to the actual mail content. The organizational approach places this single point of
access at the Secure Email Gateway, provided the Gateway is deployed together with an End2End
encryption solution.
The task of the End2End solution is to manage an encapsulated internal PKI and enable the
Gateway to bridge between the internal and external PKIs. Imagine this as encrypting in two
different worlds with a passage from one world to the other. This passage is the access point that
gives organizations control over their email traffic.
The internal world speaks only S/MIME. S/MIME is supported by all standard email clients out of the
box, which means low administration effort. The Gateway translates S/MIME to and from other
encryption formats. An internally S/MIME-encrypted email can reach an external recipient as an
OpenPGP-encrypted mail or via a secure Webmailer, depending on the recipient's environment.
Emails are stored in an encrypted state on email servers and cannot be read by system
administrators – especially important if the company email infrastructure is a third party hosted
service. The email also remains encrypted on the end device and can only be decrypted as needed
by the user.
The workflow proceeds as follows. Encrypted emails reach the Gateway and are decrypted there, after
which they can be routed to content filters such as virus scanners or data loss prevention tools.
Those tools process the emails following their own routines and send them back to the Gateway,
where they are re-encrypted for the next part of their journey. If the journey is internal, the
email is re-encrypted using the keys of the internal S/MIME PKI.
Outbound emails are received by the Gateway in an S/MIME-encrypted state. In order to re-encrypt
such an email for travel over the Internet, the Gateway checks which secure delivery options are
available for the external recipient. This enables instant end-to-end encryption with virtually
everyone.
And the original sender does not even need to know how things work. All the sender needs to know
is that the email was securely encrypted without worrying about the actual technical details. This
scenario is ideal for organizations and is referred to as “Organizational End-to-End”.
Organizational End-to-End can work in parallel with the so-called "Personal" method, in which messages
are fully encrypted from sender to recipient. This is analogous to the classic form of End-to-End
encryption and is targeted at users with high security needs, such as a board of directors.
Encryption takes place on the client devices and no content filtering can take place. In fact, not even
the gateway administrator can access the message content.
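The routing described above, modelled as an added example that is not code from the article or from any gateway product: an internal client submits S/MIME mail, the Gateway decrypts it, runs content filters on its plaintext copy, and re-encrypts with the internal PKI, the recipient's S/MIME certificate, the recipient's OpenPGP key, or the Webmailer, while a "Personal" end-to-end message passes through unfiltered. The ciphers, directories, filter rules and sample messages are all constructed stand-ins (a hash-derived XOR keystream replaces real S/MIME and OpenPGP), so the example shows the decision logic, not the cryptographic formats.

```python
"""Model of an organizational end-to-end email gateway (added example, stdlib only)."""
import hashlib
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Scheme(Enum):
    SMIME_INTERNAL = "S/MIME (internal PKI)"
    SMIME_EXTERNAL = "S/MIME (recipient certificate)"
    OPENPGP = "OpenPGP (recipient public key)"
    WEBMAILER = "secure Webmailer"
    PERSONAL_E2E = "Personal end-to-end (client-side keys)"


@dataclass
class Message:
    sender: str
    recipient: str
    body: bytes        # ciphertext in transit; plaintext exists only inside the gateway
    scheme: Scheme
    key_id: str


# Constructed directories: which domain is internal, and what each external recipient supports.
INTERNAL_DOMAIN = "corp.example"
EXTERNAL_CAPABILITIES = {
    "alice@partner.example": Scheme.SMIME_EXTERNAL,
    "bob@vendor.example": Scheme.OPENPGP,
}


def _keystream(key_id: str, n: int) -> bytes:
    # Toy keystream derived from the key id; stands in for real S/MIME or OpenPGP keys.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{key_id}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key_id: str, data: bytes) -> bytes:
    """XOR with the toy keystream so the body is unreadable between gateway and endpoints."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key_id, len(data))))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes the encryption


def select_scheme(recipient: str) -> Tuple[Scheme, str]:
    """Gateway policy: internal mail stays on the internal S/MIME PKI; external mail uses
    what the recipient can handle, falling back to the Webmailer when nothing is known."""
    if recipient.endswith("@" + INTERNAL_DOMAIN):
        return Scheme.SMIME_INTERNAL, f"smime-int:{recipient}"
    scheme = EXTERNAL_CAPABILITIES.get(recipient, Scheme.WEBMAILER)
    return scheme, f"{scheme.name.lower()}:{recipient}"


# Content filters see only the gateway's plaintext copy. Both rules are constructed.
DLP_PATTERN = re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")  # card-number-like digit groups
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def content_filters(plaintext: bytes) -> Optional[str]:
    if MALWARE_MARKER in plaintext:
        return "virus scanner: blocked"
    if DLP_PATTERN.search(plaintext):
        return "DLP: card-number-like data blocked"
    return None


def gateway_process(msg: Message) -> Tuple[str, Optional[Message]]:
    """Decrypt, filter and re-encrypt one message. Returns (disposition, outgoing message)."""
    if msg.scheme is Scheme.PERSONAL_E2E:
        # Personal end-to-end: keys live on the clients, the gateway cannot read or filter it.
        return "relayed unfiltered (personal end-to-end)", msg
    plaintext = toy_decrypt(msg.key_id, msg.body)
    verdict = content_filters(plaintext)
    if verdict:
        return verdict, None
    scheme, key_id = select_scheme(msg.recipient)
    outgoing = Message(msg.sender, msg.recipient, toy_encrypt(key_id, plaintext), scheme, key_id)
    return f"re-encrypted as {scheme.value}", outgoing


def send_from_internal_client(sender: str, recipient: str, text: str) -> Message:
    """Internal clients always hand the gateway S/MIME-encrypted mail (toy key here)."""
    key_id = "smime-int:gateway"
    return Message(sender, recipient, toy_encrypt(key_id, text.encode()), Scheme.SMIME_INTERNAL, key_id)


if __name__ == "__main__":
    samples = [("bob@vendor.example", "quarterly figures attached"),
               ("carol@corp.example", "card 4111 1111 1111 1111 for the booking")]
    for rcpt, text in samples:
        disposition, _ = gateway_process(send_from_internal_client("dave@corp.example", rcpt, text))
        print(rcpt, "->", disposition)
```

The one place plaintext exists is inside `gateway_process`, which is exactly the single point of access the article describes; the `PERSONAL_E2E` branch shows why the board-of-directors variant cannot be content-filtered.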
Copyright © Cyber Defense Magazine, All rights reserved worldwide