Protecting Sensitive Data in Email

State laws, company/client policy and common sense mandate the encryption of some forms of data. Whether its company secrets, PII (personally identifying information that isn’t already considered public), or ePHI (Electronic Protected Health Information) it is required that users encrypt this data when sent outside of the company, and it is on the IT Department to provide the right tools so this can occur. Bonus points for making it occur seamlessly and automatically.
This post looks at methods for protecting this data in transit via email.
1. S/MIME Encryption using Digital Certificates
S/MIME is built into most email clients. Once the certificate is installed, it is relatively easy to use if both sides have a digital certificate. When the otherside doesn’t have a digital certificate, unless you’re the 800 pound gorilla, good luck getting them to purchase a certificate and learning how to use it.
Most web mail clients do not support S/MIME. One exception is Outlook Web Access.
Cost and the difficulty getting the external user to use a digital certificate make this solution difficult.
2. PGP
PGP is another standards based email encryption solution. While there are free versions, they didn’t work well with Outlook the last time I used them.
This has the same problem as S/MIME in that the external person needs to be running PGP. Again good luck getting your external contact to change their ways.
3. A phone call
In a lot of cases we aren’t talking about moving a Excel spreadsheet of Social Security Numbers. We’re talking just one. A phone call (not leaving a voice mail) could be a lot more secure than email.
4. Encrypted Zip File
Encrypted ZIP files are easy to use, and use software already on many computers.
There are also many problems with Encrypted Zip files. The external mail server may be configured to block encrypted archives. It may not allow zip files at all.
You must pick a password that is good. Then communicate that password to the recipient over a separate channel (not email). If the user wants to use that file at a later date, they are probably going to go back to the original email. They wont have the decryption password anymore, and most likely neither will you. There isn’t a enterprise recovery option.
Encryption in zip files last time I checked was not really a standard. Winzip encryption at AES strength wouldn’t open in other zip clients. That may or may not be the case anymore.
5. Password protected Office document
You could password protect the Office document themselves. I haven’t checked if there are issues with password protected files between Microsoft Office versus Open Office. I do believe to get the best protection you need to use the current version of Office and then earlier versions of Office will have issues.
The same password lifecycle issues that occur with Encrypted Zip files also occur with Office documents.
6. Secure File Transfer Server
Products like Accellion can be used to transfer sensitive documents. These systems work most securely when you set up an account for the external person and communicate the password to them out-of-band. If the system automatically sends a link to the external user when a file is uploaded for them, anyone reading the email who gets there first can snag the file. At least it should be obvious that this has occurred. But the idea is moving files more securely.
7. Mandatory TLS to customer Site
TLS/SSL is what you are most likely using when accessing your bank site with a HTTPS://. It is possible to work with your customer/clients and set up mandatory routes that require TLS on all messages between the two domains.
The main drawback of this is it would need to be done for every customer domain that you deal with. It also encrypts all mail. TLS requires a bit more processing power. Shouldn’t be a problem for well spec’ed servers.
The mail is only encrypted in transport and is stored in the clear on the recipient and sender mailbox.
8. Opportunistic TLS
Opportunistic TLS attempts to use TLS on every mail connection. If it is not supported it sends the email in the clear.
While this means you only have to configure your mail server, you never know for sure that sensitive email is encrypted.
9. Hold for pickup
There are some mail systems that detect sensitive data in transport an then transparently act like the Server File Transfer Server. They notify the recipient that they have a message to pickup. The message is then picked up over SSL.
There are issues with each method of moving sensitive data via Email. But there are many options.

4 Comments

  1. I especially liked your comment about “it is on the IT Department to provide the right tools”. Too often the business requirements for information security aren’t a factor in IT decisions for security controls. I’ve seen a company that used a glue gun on USB ports so users couldn’t plug in their USB memory sticks. If there is a business need for sharing information then the best thing the IT department can do is, as you say, to provide the tools!

  2. Another email encryption option is Voltage SecureMail.
    Voltage SecureMail can easily send encrypted email to anyone.
    Voltage SecureMail has Outlook plug-ins or you can use a web interface for sending encrypted email. Messages are completely controlled by the sender and recipient in their sent folder and inbox. No messages are stored on servers.
    Recipients don’t need any special software to decrypt and read their messages, just a browser. And recipients don’t need to pay to read their email. In fact, they even get free support from Voltage. It’s much easier to use than PGP, S/MIME or other older solutions…and just as secure…which is probably why they can afford to offer free support to their customers and recipients…unlike those other solutions.
    It’s an ideal solution to help address state privacy regulations in Massachusetts and Nevada as well as the more general HIPAA, SOX, PCI requirements, etc.
    There is a free trial at: http://www.voltage.com/vsn

    • Do not waste your time or money on Voltage. We became resellers in April 2010 through App River, every client we provided free trail has canceled. Hurts your credibility when you suggest a solution and it fails.
      #1 will not even work on Outlook 2010.
      #2You time out a vendor suggested

  3. We signed up for product in May then as a reseller. NEVER recommend to you clients!. 5 good clients tried the FREE Trial and canceled.
    WHY?

    #1 Times out if email is larger than 2 meg.
    #Often Times out uploading using their “Zero Download ” solution
    #3 Has promised since April for a plug-in for OUtlook 2010, still no solution (Only promissies of Tomorrow Tomorrow)
    I hereby rename the Voltage SecureMail “Annie” Maybe the product will be ready tomorrow, tomorrow . .. Da da da.

Comments are closed.