Encrypting traffic to your website is an industry standard, but what about protecting your other business communications? Should your email be encrypted too? Here at Roka Security, we think it should be, but there’s a little more to it than telling your IT person, “Make sure our email is encrypted.” Below we discuss the different aspects of encrypting email and what you need to know to safeguard your company.
Does Encrypted Mean Encrypted Everywhere?
People hear encrypted and think, “Yeah, my IT person said email was encrypted, so we’re good.” Well, maybe not. What most IT people mean is that the connection between your email client and the email server is encrypted. They aren’t talking about when your email is sitting on the server, or when email is in transit between your email server and other email servers.
Different Stages of Encryption for Email
Confused yet? Don’t worry, this isn’t as complicated as it sounds. Lets walk through the main email encryption concepts you need to know: In-Transit, At Rest, and End-To-End.
“In Transit” encryption refers to data while it is traveling between computers.
Connecting from your mobile or desktop email client to your email server
Between your email server and the recipients’ email server.
When the recipients download the email from their mail server.
This is similar to typing https on your browser versus http. “In transit” encryption means that no one can see or tamper with the data while it is being transferred across the network or Internet.
However, many (if not most) email servers, also known as MTAs, don’t attempt to encrypt the connection when talking to another mail server. When you hit send, your mail client encrypts the data to your mail server. Then your mail server sends your email (and data, pictures, etc.) unencrypted and vulnerable to the other person’s mail server. This leaves your email open for ISPs, the Government or Hackers to collect and potentially modify your email as it moves across the Internet.
A hurdle to encrypting between servers is that both email servers must support in transit encryption to protect your data. Even if your mail server is setup to encrypt between mail servers, the other person’s mail server has to be setup to receive the encrypted connection. So yelling at your IT person about it, probably isn’t going to do much good.
Encryption At Rest
As the name implies, “Encryption at Rest” describes when your data is taking a break and not moving around. This typically refers to if the hard drives or storage mechanism of the email server or your laptop encrypts the data when it is stored on disk. For example, if someone turned off the server and captured a forensic image of the mail server’s hard drive, the email would be encrypted at the hard drive layer.
End To End
Now we are getting someplace. All of the other types of encryption are great, and needed, but “End To End” is where it’s at. Even with “in transit” and “encryption at rest”, if someone has access to the running email server, they can read your email. End to end encryption refers to directly encrypting the email (or data) to the other user. This would mean that only the other user would be able to decrypt and read the email or data.
How is this different? With end to end encryption, before sending your email to your server, your mail client encrypts the content so that only the email’s recipient(s) can decrypt and read it. Now, mail server administrators, governments, hackers, or anyone else can’t access or modify the readable content.
What magic is this and why haven’t you heard about it before? Turns out this technology has been around for a VERY long time, and one method, S/MIME, is on most major email clients, including Microsoft Outlook, Outlook Web App, Mac Mail, Android Mail and Mail on your iOS devices.
How Do I Know if We Encrypt Email?
Hopefully, we’ve brought some clarity to how and where your email is encrypted. Ask your IT Admin about how your mail is setup and if your mail is encrypted:
Between the Mail Client and the Server
Between Servers (TLS startup?)
Data at Rest: Is the Disk Level, Operating System or other storage layer encryption used?
Links to Help Encrypt your Information
GPG for Mac Mail
RokaCom : Enterprise Secure Messaging and Calling
GPG for Outlook on Windows
Microsoft Exchange TLS Best Practices