One of the largest challenges many organizations face is how to secure email. Many industries, including healthcare and finance, have government-regulated policy to adhere to, such as HIPAA and Sarbanes-Oxley. So how do we ensure that our users are not sending out information they shouldn’t from their desks or mobile devices? And with the emergence of Bring Your Own Device (BYOD), securing company data is becoming even more important than it has been in the past.
Over the years there have been many options to consider. First, let’s look at Information Rights Management (IRM). This Microsoft feature, built on Active Directory Rights Management Services, lets the administrator or the user control what can be done with their email. For example, if I send you some information that is somewhat confidential in nature, I can put a restriction in place that prohibits you from forwarding the message, or even printing it. Better yet, the message is transferred in an encrypted state. As Microsoft continues to work on IRM the feature set is improving; from a BYOD perspective, the newer versions of Exchange even support it in Outlook Web App and Exchange ActiveSync. The largest downfall is that, on its own, it only protects messages internal to an organization: you need a two-way federated trust between your Active Directory forest and the other organization’s Active Directory forest before you can send protected messages to that external entity.
Next, let’s look at Transport Layer Security (TLS) encryption. TLS secures the data between two SMTP hosts while it is in transit, but the data is not secured on either end-point: once delivered, the message can be forwarded, printed or manipulated by the recipient. It is also hop-by-hop, so every relay between your server and the recipient’s server handles the message in the clear. If you want a message to an external recipient to be protected at least in transit, the external recipient’s mail server must have TLS enabled, and your side must be configured to require it for that domain; with the usual opportunistic (STARTTLS) setting, the sending server simply falls back to plain text when the other side does not offer TLS, and nobody is told. So check with your IT department or the other organization before assuming that your sensitive data will not be exposed in transit. Fortunately, most organizations now have TLS in place. Because TLS protects the message between servers regardless of the device it was sent from, it works nicely with BYOD initiatives.
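As an added example that is not part of the original article, the following Python shows how the opportunistic-versus-mandatory distinction plays out when a relay reads the peer’s EHLO response. The policy table, the domain names and the EHLO replies are all constructed for illustration and are not any product’s configuration; the `relay` function at the end does real network I/O with the standard library’s `smtplib` and is there to show where the decision and the certificate check sit.

```python
"""Opportunistic vs. mandatory STARTTLS for outbound SMTP (illustrative example)."""
import smtplib
import ssl

# Constructed per-domain policy (an assumption for this example): partner domains
# we refuse to talk to without TLS, and the opportunistic default for everyone else.
TLS_POLICY = {
    "partner-bank.example": "mandatory",
    "*": "opportunistic",
}


def parse_ehlo(reply):
    """Return the set of ESMTP extension keywords from a raw EHLO reply."""
    caps = set()
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:            # the first line is the server's greeting
        if not line.startswith("250"):
            continue
        body = line[4:].strip()       # drop "250-" or "250 "
        if body:
            caps.add(body.split()[0].upper())
    return caps


def decide_transport(recipient_domain, capabilities, policy=TLS_POLICY):
    """'tls' when the peer offers STARTTLS; otherwise 'plaintext' under the
    opportunistic default, or 'refuse' when policy demands TLS for that domain."""
    mode = policy.get(recipient_domain.lower(), policy["*"])
    if "STARTTLS" in capabilities:
        return "tls"
    return "refuse" if mode == "mandatory" else "plaintext"


def relay(host, sender, recipient, message, port=25, policy=TLS_POLICY):
    """Send one message, applying the policy to the live EHLO response.

    Network I/O; not exercised by the offline checks. ssl.create_default_context()
    validates the certificate chain and the host name, so a TLS session with a
    self-signed or mismatched certificate is rejected instead of being silently
    accepted the way a purely opportunistic relay typically does."""
    domain = recipient.rsplit("@", 1)[1]
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        caps = {k.upper() for k in smtp.esmtp_features}
        decision = decide_transport(domain, caps, policy)
        if decision == "refuse":
            raise RuntimeError(
                f"{host} offers no STARTTLS; policy requires TLS for {domain}")
        if decision == "tls":
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()               # capabilities can change after STARTTLS
        smtp.sendmail(sender, [recipient], message)
        return decision


# Constructed EHLO replies (not captured from real servers).
EHLO_WITH_TLS = (b"250-mail.partner-bank.example Hello\r\n"
                 b"250-SIZE 37748736\r\n"
                 b"250-STARTTLS\r\n"
                 b"250 8BITMIME\r\n")
EHLO_WITHOUT_TLS = (b"250-mx.other.example Hello\r\n"
                    b"250-SIZE 10485760\r\n"
                    b"250 8BITMIME\r\n")

if __name__ == "__main__":
    for domain, reply in [("partner-bank.example", EHLO_WITH_TLS),
                          ("partner-bank.example", EHLO_WITHOUT_TLS),
                          ("other.example", EHLO_WITHOUT_TLS)]:
        print(domain, decide_transport(domain, parse_ehlo(reply)))
```

The point to take from the second case is the one the paragraph makes: the partner domain is in the mandatory list, so a missing STARTTLS line turns into a refusal that someone will notice, whereas the opportunistic default for `other.example` quietly degrades to plain text.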
So what else is there?
Some companies simply put a disclaimer at the bottom of an email indicating that the message may contain “Privileged and Confidential Information that should not be shared”, etc. Obviously there is nothing secure about this: it does nothing to stop the data from being shared, and at best it gives you grounds for a lawsuit against the recipient who shares it.
PKI encryption of the message itself (S/MIME) is also an option. The message is encrypted to the recipient’s certificate and cannot be opened on the recipient side without the corresponding private key. This concept has been around for years, but it has always been a struggle for use outside the corporate boundary. Most organizations have tried an internal PKI infrastructure for this, and it runs into two problems with external recipients: certificates issued by an internal CA are not trusted by anyone outside the organization, and you need the external recipient’s public certificate before you can encrypt anything to them at all. I guess the only good thing, if you can call it a good thing, is that a message sent this way to an external recipient cannot be opened by anyone, the intended recipient included. That being said, there are third-party PKI options, with certificates from a publicly trusted CA, that make this look like a more realistic option for users.
Antivirus and mail gateway products should also be looked at. Many vendors in this area let your organization configure policies that stop mail from being sent, based on the rules you put in place (data loss prevention, or DLP). For example, you can set up social security number detection: if a social security number is detected in an outbound message, the gateway will not send it. Because the check runs on the server, it works whether you are using your own device or a corporate one, as long as the message goes through corporate email. Pattern-based rules do produce false positives (any nine-digit number can look like an SSN), so rules usually pair the pattern with plausibility checks or nearby keywords, and it is worth running a new rule in monitor-only mode before it blocks anything.
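As an added example, not taken from the article or from any gateway product, here is the kind of rule logic such a product runs for the SSN case, in Python so it can be exercised offline. The internal domain, the keyword list, the window size and the sample messages are all constructed assumptions; the structural SSN rules (area never 000, 666 or 900 and above, group never 00, serial never 0000) are the ones the Social Security Administration publishes.

```python
"""Outbound SSN detection as a mail gateway rule (illustrative example)."""
import re

# Constructed policy inputs for this example: the organisation's own domain, and
# the context words that make a bare nine-digit number worth treating as an SSN.
INTERNAL_DOMAIN = "corp.example"
CONTEXT_TERMS = ("ssn", "social security", "soc sec")
CONTEXT_WINDOW = 40   # characters of text inspected before a bare digit run

# 123-45-6789 style, or the same nine digits run together. The digit lookarounds
# stop a ten-digit phone number from yielding a nine-digit "SSN" in the middle.
FORMATTED_SSN = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
BARE_SSN = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Structural rules: area never 000, 666 or 900-999; group never 00;
    serial never 0000. Cuts the obvious false positives such as 000-12-3456."""
    area, group, serial = int(area), int(group), int(serial)
    if area in (0, 666) or area >= 900:
        return False
    return group != 0 and serial != 0


def find_ssns(text):
    """Return SSN-looking strings: formatted ones whenever they are plausible,
    bare nine-digit runs only when an SSN keyword appears shortly before them."""
    hits = []
    lowered = text.lower()
    for m in FORMATTED_SSN.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append(m.group(0))
    for m in BARE_SSN.finditer(text):
        window = lowered[max(0, m.start() - CONTEXT_WINDOW):m.start()]
        if any(term in window for term in CONTEXT_TERMS) and is_plausible_ssn(*m.groups()):
            hits.append(m.group(0))
    return hits


def evaluate_message(msg, internal_domain=INTERNAL_DOMAIN):
    """Gateway verdict for one outbound message.

    msg is a dict with 'to' (list of addresses), 'subject' and 'body'.
    Returns ('allow', []) or ('block', [reasons]). Only mail that leaves the
    organisation is inspected, which is the scope the rule in the text implies."""
    external = [r for r in msg["to"]
                if not r.lower().endswith("@" + internal_domain)]
    if not external:
        return "allow", []
    ssns = find_ssns(msg["subject"] + "\n" + msg["body"])
    if ssns:
        return "block", [f"SSN {s} addressed to external recipient {r}"
                         for s in ssns for r in external]
    return "allow", []


# Constructed sample traffic (not real messages or real identifiers).
SAMPLE_MESSAGES = [
    {"id": "m1", "to": ["hr@partner.example"], "subject": "New hire",
     "body": "Applicant SSN 123-45-6789, please process."},
    {"id": "m2", "to": ["payroll@corp.example"], "subject": "New hire",
     "body": "Applicant SSN 123-45-6789, internal only."},
    {"id": "m3", "to": ["buyer@customer.example"], "subject": "Shipment",
     "body": "Your order number is 987654321. Call 555-123-4567 with questions."},
    {"id": "m4", "to": ["agent@broker.example"], "subject": "Claim",
     "body": "Her social security number is 123456789 for the claim file."},
    {"id": "m5", "to": ["ops@vendor.example"], "subject": "Ticket",
     "body": "Reference 000-12-3456 attached."},
]


def run_samples():
    """Verdict per sample message id, e.g. [('m1', 'block'), ('m2', 'allow'), ...]."""
    return [(m["id"], evaluate_message(m)[0]) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for mid, verdict in run_samples():
        print(mid, verdict)
```

Messages m3 and m5 are the ones that justify the extra checks: an order number and a phone number are not SSNs, and an area of 000 cannot be one, so a rule that matched on `\d{3}-\d{2}-\d{4}` alone would block legitimate mail. Message m2 shows the scoping; the same content going to an internal mailbox is allowed through.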
Last, but not least: with the emergence of BYOD we are being presented with options that secure the corporate data through an enrollment process on your own device. These are Mobile Device Management (MDM) solutions, with several third-party options available. The concept is that if the organization can securely wrap the corporate data, it cannot be left behind on a personal device when a person leaves the organization or the device is stolen. The largest advantage I see with these third-party options related to email (Citrix, AirWatch, MobileIron and more) is that the administrator can restrict where email and attachments are saved. Many users today either do not save their attachments from their mobile device at all, or they use Dropbox or an equivalent to move data from their email to another location. These third-party options let us secure corporate data while giving users alternatives that let them do their jobs without compromising it.
So, does one size fit all? No, but hopefully this article has given you some ideas about where to begin, or what questions to ask, when trying to determine how to secure your corporate data while enabling your users to do their jobs more efficiently.
Great write up Theresa!