Grace Cao, Technical Product Marketing Manager
Email encryption - the ultimate guide in 2023
23 Nov, 2022 7 min read
Enterprise email encryption is a must-have security tool for anyone who wants to safeguard data that’s in transit. The truth is, there are numerous types and technologies available to help you with this, but what you need for your business ultimately depends on how seriously you want to take the protection of your own, and your clients’ or customers’ data.
Why encrypt email?
The unfortunate truth is that email encryption has never been more important. Theft of data—financial account information, personally identifiable information, health information, and other forms of sensitive data—fuels a multi-trillion-dollar worldwide cyber threat industry.
Threat actors work to steal that data however they can. Large-scale ransomware attacks now make the news almost daily, and both their sensationalism and their scope of impact continue to grow. These worst-case cyberattack scenarios happen daily and can compromise service delivery for thousands of people at a time.
Much more common, however, is email compromise. The fact that email compromise can happen intentionally, where a threat actor tries to intercept emails in transit, capture emails sitting on a mail server on a corporate network, or gather email data cached or stored at the endpoint, should be concerning.
Email compromise can also happen unintentionally. Emails can be misdirected, and sensitive data intended for one recipient can easily be sent to another.
An email compromise is no less critical than ransomware. Organizations can send millions or billions of emails a year and each one of those emails can contain potentially sensitive information that can be compromised by a threat actor and contribute to global cybercrime.
Encryption essentially helps thwart email compromise. It can prevent threat actors and unintended recipients from accessing sensitive information in transit. Email encryption is so effective in safeguarding data that numerous regulatory regimes worldwide have started to suggest or even mandate email encryption as a mechanism for safeguarding data in transit.
What is email encryption?
Email encryption is encryption of the contents of an email and its attachments, to prevent anyone but the sender and identified recipient from accessing the email. To accomplish that, effective email encryption must accomplish at least three tasks:
- Encrypt an email in a way that prevents improper viewing of the contents
- Authenticate the identity of the recipient
- Enforce encryption
Types of email encryption
Email encryption typically uses one of three encryption mechanisms. Each of the three targets different vulnerabilities and attack modalities, and each provides a different level of protection at a different cost in overhead.
Transport Layer Security (TLS)
Starting with the least amount of overhead and the least amount of protection is Transport Layer Security, or TLS. TLS encryption, typically implemented through STARTTLS for email, will encrypt the email in transit. While TLS encryption is a relatively secure encryption mechanism, STARTTLS has well-documented vulnerabilities that make it highly susceptible to compromise.
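The weakness behind the STARTTLS caveat above, as an added example that is not code from the original article: STARTTLS is negotiated from the server's EHLO reply, so a client that treats TLS as optional falls back to plaintext whenever the capability is absent, whether the server never offered it or something on the path removed it. The EHLO replies and the `mail.example.net` host are constructed placeholders.

```python
import re

# Constructed EHLO replies (not captured from any real server).
# The second is the same reply with the STARTTLS line removed, which is what
# a client sees when the capability has been stripped en route.
EHLO_WITH_STARTTLS = (
    "250-mail.example.net Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_STRIPPED = (
    "250-mail.example.net Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply: str) -> set:
    """Return the capability keywords from a multi-line 250 EHLO reply.

    The first line carries the server greeting, not a capability, so it is
    skipped; every later '250-' / '250 ' line starts with a keyword."""
    caps = set()
    for line in reply.splitlines()[1:]:
        m = re.match(r"^250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def decide_transport(reply: str, require_tls: bool) -> str:
    """Decide what a sending client does after EHLO: 'tls', 'plaintext' or 'refuse'.

    Opportunistic mode (require_tls=False) is the common default and silently
    falls back to plaintext when STARTTLS is not advertised; that fallback is
    the weakness the article refers to. Mandatory mode refuses delivery
    instead, which is what a receiving domain's MTA-STS policy (RFC 8461)
    asks senders to do for its inbound mail."""
    if "STARTTLS" in parse_ehlo(reply):
        return "tls"
    return "refuse" if require_tls else "plaintext"


if __name__ == "__main__":
    for name, reply in (("advertised", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
        for mandatory in (False, True):
            mode = "mandatory" if mandatory else "opportunistic"
            print(name, mode, decide_transport(reply, mandatory))
```

The stripped reply under opportunistic policy yields plaintext delivery; the same reply under mandatory policy yields a refusal, which is the safe failure mode.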
Pretty Good Privacy (PGP)
PGP, or Pretty Good Privacy, is a signature-based encryption technique that relies on numerous modalities to provide secure data transmission. The sender generates a public and private key pair, keeps the private key, and sends the public key to the recipient. The recipient uses the public key to decrypt the email and encrypt its response.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Finally, Secure/Multipurpose Internet Mail Extensions, or S/MIME, was developed by RSA to provide end-to-end email security: emails and their attachments are encrypted at the point of creation and are decrypted only by the authorised and authenticated recipient at the point of reading. S/MIME uses PKI technologies, establishing each user’s identity through an individual digital certificate issued by a trusted Certificate Authority.
Which to use - Gateway (server-based) or end-to-end (client-based) email encryption?
The above three encryption mechanisms are leveraged in either gateway (server-based) encryption or end-to-end (client-based) encryption.
What is gateway (server-based) email encryption?
Gateway (server-based) email encryption does not encrypt emails at the endpoint. Instead, it encrypts emails at the external email gateway. This means that emails internal to the organisation are not encrypted while stored at the endpoint, but are encrypted when they leave the organisation. The user may be completely unaware of this activity or may be given a choice of whether to send secure emails or not. When using gateway email encryption, your organisation may be at risk of a man-in-the-middle (MITM) attack, but you can reduce that risk by also using transport encryption between client and server.
What is end-to-end (client-based) email encryption?
End-to-end (client-based) email encryption, conversely, encrypts emails at the endpoint so that all emails are encrypted as soon as the user hits the “send” button. The benefit of end-to-end encryption is that it ensures all emails are encrypted regardless of location.
End-to-end encryption can also be used to automate encryption in ways that gateway encryption typically cannot. Most gateway encryption solutions require a flag to signal the secure email gateway to encrypt the message. That flag can be set by user interaction (e.g. typing “encrypt” in the email subject line) or by other content-monitoring software.
While end-to-end encryption solutions can be used in the same way, they can also be configured to encrypt all emails an organisation sends, or all emails that meet certain policy requirements. In effect, they consolidate the infrastructure needed to secure email.
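Enforcement is the third task in the list above, and the flag-versus-policy difference described in the last two paragraphs is where it is decided. As an added example (stdlib only, not SecureAge’s code), this outbound check classifies a message by its S/MIME Content-Type and blocks it when policy (an external recipient, or the “encrypt” subject keyword mentioned above) requires encryption but the message is not enveloped. The organisation domain, addresses and messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed organisation domain (placeholder, not from the article).
INTERNAL_DOMAIN = "example.com"
# smime-type values that mean the content is encrypted (RFC 8551).
ENCRYPTED_SMIME_TYPES = {"enveloped-data", "authenveloped-data"}

# Constructed outbound messages; the enveloped body is a stand-in, not real CMS data.
PLAIN_TO_PARTNER = (
    "From: alice@example.com\r\nTo: bob@partner.invalid\r\n"
    "Subject: Q3 figures\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
)
ENVELOPED_TO_PARTNER = (
    "From: alice@example.com\r\nTo: bob@partner.invalid\r\n"
    "Subject: Q3 figures\r\n"
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n(ciphertext placeholder)\r\n"
)
PLAIN_INTERNAL = (
    "From: alice@example.com\r\nTo: carol@example.com\r\n"
    "Subject: Lunch?\r\nContent-Type: text/plain\r\n\r\nNoon?\r\n"
)
FLAGGED_INTERNAL = (
    "From: alice@example.com\r\nTo: carol@example.com\r\n"
    "Subject: encrypt: payroll export\r\nContent-Type: text/plain\r\n\r\nAttached.\r\n"
)


def smime_state(msg) -> str:
    """Classify a parsed message as 'enveloped-data', 'signed-data', 'plain', etc."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # The smime-type parameter distinguishes signed-only from encrypted content.
        return str(msg.get_param("smime-type", "unknown")).lower()
    if ctype == "multipart/signed":
        return "signed-data"
    return "plain"


def policy_requires_encryption(msg) -> bool:
    """Policy: any recipient outside the organisation, or the sender's 'encrypt' subject flag."""
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = any(not a.lower().endswith("@" + INTERNAL_DOMAIN) for a in addrs)
    flagged = (msg.get("Subject") or "").lower().startswith("encrypt")
    return external or flagged


def enforce(raw: str) -> str:
    """Return 'allow' or 'block' for one raw outbound message."""
    msg = message_from_string(raw)
    if policy_requires_encryption(msg) and smime_state(msg) not in ENCRYPTED_SMIME_TYPES:
        return "block"
    return "allow"
```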
How does SecureAge SecureEmail protect email communications?
SecureAge SecureEmail uses S/MIME technology to provide end-to-end email security. It ensures authenticity and privacy without requiring any user training or changing the way you send and receive emails.
SecureAge SecureEmail works with other parts of the SecureAge Security Suite to provide best-in-breed encryption, trusted authentication, and policy-based encryption enforcement. It does so with very strong cryptography, PKI-based enforcement, and solid key management. It works independently of any centralised server and decrypts emails with the recipient’s private key at the endpoint. We also offer the option to generate a one-time password, requiring recipients to validate their identity before accessing the message.
SecureAge SecureEmail works well with the industry-leading mail clients Microsoft Outlook and IBM Notes, offering drop-down menus for labelling and classifying emails. You can define classifications linked to security levels, such as sign-and-encrypt, and DRM options that allow control of messages on the recipient side when both users have SecureEmail.
SecureAge SecureEmail allows you to exchange encrypted emails with external people outside the organisation (i.e. those who do not have the SecureAge Security Suite). The entire email body and any attachments are encrypted to ensure 100% privacy. Recipients only need to verify their email address when prompted in order to obtain the password to decrypt.
What further sets SecureAge apart is our ability to protect all your data with the same high watermark baseline. This ensures all your data is safe, thereby reducing the time, cost and resources for data classification. When it comes down to it, there’s no such thing as “more important” or “more sensitive” data anyway. All of your data needs world-class protection and SecureAge handily delivers.
The bottom line - email encryption is a must
Email encryption is a critical part of a comprehensive and modern enterprise information security ecosystem. It prevents people who should not have access to data from reading it. While there are many ways of achieving this, SecureAge enforces email encryption using strong and best-in-breed safeguards.
SecureAge renders emails unreadable to anyone except the sender and recipient through end-to-end encryption paired with key-based authentication mechanisms. Combined with other facets of the SecureAge platform, SecureAge protects all data, at all times, in all places. Visit our SecureAge SecureEmail page to find out more, and get in touch with our representative to see SecureAge SecureEmail (part of the SecureAge Security Suite) live in action.