What to Consider When Considering Email Security
Last week, Google did everyone a favor by calling out competitors sporting weak email encryption. But the initiative also raised questions about the balance between security and complexity—questions the enterprise has long grappled with.
Love it or hate it, email is one of the most important modes of communication in any business, which is why it’s important to ensure it’s safe and secure.
Last week, Google got people talking about the security of the messages we send on a daily basis with two things—a planned new extension for Chrome that encrypts the messages sent through the browser, and a new section of its transparency report revealing how good various email clients are at encrypting emails sent to and from Gmail.
In a couple of cases, the report drew some unwelcome attention to big-name email providers who essentially were caught with their pants down. Comcast, in particular, hastily had to answer to the report, with a company spokesperson telling The Wall Street Journal that it would improve its email security after Google revealed that less than 1 percent of Gmail messages sent to Comcast.net addresses were encrypted. (Microsoft and Verizon faced similar shamings.)
Encryption Made Easier
But in the long run, the new Chrome plug-in (called End-to-End) might be a bigger deal. It’s been released as an open-source proof of concept, complete with anti-NSA jabs, and promises a more secure form of encryption than you can get with the standard out-of-the-box Gmail setup.
Most email systems that rely on encryption use a system called Transport Layer Security, or TLS. It’s secure enough for normal use and essentially invisible to the user, but it doesn’t work unless both sides of the interaction are using email clients that support TLS. That’s why Google’s decision to call out some of its competitors—who weren’t using TLS—stung so much. (For what it’s worth, both Facebook and Twitter have previously done the same.)
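The condition described above, that TLS only protects mail in transit when the receiving side actually supports it, is what Google's report was measuring. The following is an added example, not code from the article or from Google: it parses a mail server's EHLO reply to see whether the server advertises the STARTTLS extension (the SMTP mechanism behind TLS email delivery), and includes an optional live probe built on Python's standard smtplib. The sample EHLO replies, the hostnames (mail.example.test, probe.example.test) and the SIZE value are constructed for the example.

```python
"""Check whether an SMTP server advertises STARTTLS (added example)."""
import smtplib
import socket

# Constructed sample EHLO replies (not captured from any real provider).
# A server that can negotiate TLS lists STARTTLS among its extensions.
EHLO_WITH_TLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 SMTPUTF8\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameter string}.

    '250-KEYWORD params' lines continue the reply; '250 KEYWORD params' is
    the final line. The first line is the server greeting, not an extension.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")
    extensions = {}
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
        body = line[4:].strip()
        if body:
            keyword, _, params = body.partition(" ")
            extensions[keyword.upper()] = params
        if line[3] == " ":
            break  # final line of the reply
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def probe_server(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check: connect, send EHLO and report whether STARTTLS is offered.

    Uses only smtplib and sends no mail. Needs network access, so the
    offline part of this example does not call it.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo("probe.example.test")  # hypothetical client name
            return smtp.has_extn("starttls")
    except (smtplib.SMTPException, socket.error):
        return False


if __name__ == "__main__":
    for label, reply in (("with TLS", EHLO_WITH_TLS), ("without TLS", EHLO_WITHOUT_TLS)):
        print(f"{label}: STARTTLS advertised = {advertises_starttls(reply)}")
```

Two caveats worth keeping in mind when reading a result like this. Advertising STARTTLS only means encryption is possible on that hop; the sending server still has to choose to use it, and plain STARTTLS does not by itself guarantee that the certificate is validated. And a check against one receiving server says nothing about the other direction, which is exactly why the transparency report split its numbers into mail sent to and mail received from each provider.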
But sometimes, you need more security than even TLS can give you. There have been plenty of options for these cases, most notably Pretty Good Privacy (PGP), but these programs have been difficult to leverage for the average user because of their complex interfaces, which require users to share a public key to receive private emails. (To give you an idea of what you’re in for, check out this Ars Technica article.)
With End-to-End, Google’s Stephan Somogyi says, the goal was to bridge that gap through the use of OpenPGP.
“While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use,” Somogyi wrote on Google’s blog.
High-end encryption like this will likely remain a niche product, but Google’s efforts to make encryption more human-friendly could be enough to win over audiences that never bothered with it before.
A Glaring Need
And, boy, there are plenty of parts of the enterprise that fall under that description.
A white paper published last year by Osterman Research [PDF] revealed that many organizations are struggling to deal with this specific issue. The study found that just 38 percent of respondents felt their organization’s policies for encrypting confidential emails and attachments met their needs. Part of the problem was that encryption technology like PGP was a major turn-off for the average user.
“Some early-generation encryption solutions were too difficult for users to employ as a normal part of their daily work and so were not used to the extent they should have been or at all in many cases,” the paper states. “Some of these solutions were not scalable and required a great deal of IT effort to maintain, as well. As a result, many think of encryption as cumbersome and so perceive that newer solutions are saddled with the same problems as their predecessors.”
On top of this, these same needs are evolving, with mobile becoming more a part of the email diet. While other technologies like secure cloud offerings could help alleviate some of these challenges, they don’t do away with them entirely.
What to Consider
Now, End-to-End isn’t the only option out there. For example, Symantec, which sponsored the Osterman Research white paper, sells the commercial version of PGP, which it now calls Symantec Encryption. But the open-source nature of End-to-End and the backing of a consumer-focused name like Google could potentially make it more mainstream.
Ultimately, the concern is balancing security with simplicity and cost. PGP is a well-known name in the enterprise, with two decades of history, but it remains a niche product because it’s a pain to use for the average user.
And if you want to get super-serious about your data encryption, just remember you’re opening up a fairly costly can of worms.
“It can be done, but it takes a lot of forethought, a lot of effort, and the use of true end-to-end encryption will increase your costs,” Tripwire CEO Dwayne Melancon told PCWorld last year. “It may also require you to rewrite applications or switch providers in order to handle all aspects of end-to-end encryption.”
But even if you’re not ready to double up on your email security, Google did everyone a pretty good service last week by underlining that TLS should be a minimum standard for email delivery.
Because nobody likes to get caught with their pants down.