A clear overview at last: totemo explains the various standards for e-mail encryption and offers solutions. Companies have to respond to the variety of encryption standards.
E-mails have become an integral part of everyday work: companies reach almost all of their customers, both consumers and businesses, as well as their business partners this way. Strong e-mail encryption is therefore one of the most important principles for protecting business-critical or personal data from access by unauthorized persons during transmission and storage. That is why IT security officers should understand the TLS, PGP/OpenPGP, MIP and S/MIME standards. It quickly becomes clear: e-mail encryption requires a “specialist translator”, and IT managers need a clear overview.
TLS: The transport protection
TLS (Transport Layer Security) is a cryptographic protocol that encrypts the transport channel between sender and recipient. The advantage of such “transport encryption” is that even metadata such as sender and recipient, subject and time of transmission cannot be viewed from outside while the message is in transit.
For this to hold end to end, the mail systems of the sender and recipient would have to communicate directly with each other. That is usually not the case, so the encryption only works as far as the next node: each hop negotiates its own TLS session, and every relay in between handles the message in the clear. That is why experts advise combining TLS with content encryption such as S/MIME or PGP, which offsets this weakness of TLS.
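One way to make the hop-by-hop nature of TLS visible is to read a delivered message's `Received:` trail, since each relay records whether its own inbound hop used TLS. The following added example (not code from the original article or from totemo) parses a constructed header sample with invented hostnames and IDs and lists the hops that carried the message unencrypted:

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample (invented hosts/IDs): the Received: trail of one mail, newest hop first.
SAMPLE_HEADERS = """\
Received: from relay.partner.example (relay.partner.example [198.51.100.7])
 by mx.recipient.example with ESMTPS id C3
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 verify=NO); Tue, 2 Jan 2024 10:02:00 +0000
Received: from smtp.sender.example (smtp.sender.example [203.0.113.5])
 by relay.partner.example with ESMTP id B2; Tue, 2 Jan 2024 10:01:00 +0000
Received: from client.sender.example ([192.0.2.10])
 by smtp.sender.example with ESMTPSA id A1
 (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 verify=YES); Tue, 2 Jan 2024 10:00:00 +0000
"""
@dataclass
class Hop:
    sender: str      # MTA that handed the message over on this hop
    receiver: str    # MTA that accepted it and wrote this Received: field
    tls: bool        # "with ESMTPS..." means this single hop used STARTTLS
    version: Optional[str]
    verified: bool   # verify=YES: the receiver validated the sender's certificate

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)\s+with\s+(\S+)(.*)", re.S)

def received_fields(headers: str) -> list[str]:
    """Unfold RFC 5322 continuation lines and keep only the Received: field bodies."""
    fields: list[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return [f[len("Received:"):].strip() for f in fields if f.startswith("Received:")]

def parse_hops(headers: str) -> list[Hop]:
    """Return hops in delivery order (oldest first); TLS is decided per hop, not end to end."""
    hops = []
    for field in reversed(received_fields(headers)):
        m = HOP_RE.search(field)
        if not m:
            continue
        src, dst, proto, rest = m.groups()
        ver = re.search(r"version=([^\s;)]+)", rest)
        hops.append(Hop(src, dst, proto.upper().startswith("ESMTPS"),
                        ver.group(1) if ver else None, "verify=YES" in rest))
    return hops

def plaintext_hops(headers: str) -> list[str]:
    """Hops that carried the message without TLS: any relay on that path saw it in the clear."""
    return [f"{h.sender} -> {h.receiver}" for h in parse_hops(headers) if not h.tls]
```

In the sample, the first and last hops are TLS-protected but the middle relay accepted the message over plain SMTP, which is exactly the gap that content encryption such as S/MIME or PGP closes.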
PGP: Pretty good, but complex
PGP stands for “Pretty Good Privacy”. In contrast to TLS, it encrypts the content of an e-mail, which can then be read only by the authorized recipient, regardless of the transmission channel. The standard relies on a “Web of Trust” to validate a key: public keys are certified locally by many people. This provides security on the assumption that a potential attacker can hardly fool everyone who has previously signed the key. On the other hand, it is not transparent who actually contributed to a key's certification.
Although PGP is one of the most important standards, mainly tech-savvy companies and private users from the IT community rely on it, because of its lack of user-friendliness. One reason is that the standard is not integrated into all popular e-mail clients, so there is no consistent user experience.
Microsoft 365 offers an alternative with MIP
Microsoft Information Protection (MIP) in Microsoft 365 (M365) offers, in principle, a very user-friendly way of encrypting e-mails with a widely used product. However, this mainly applies to business customers and rarely to private users.
Users should also be aware that the cloud provider holds the encryption keys. US authorities can invoke the CLOUD Act of 2018 to compel US companies to hand over personal data even when it is stored on servers abroad. In that case Microsoft hands over, so to speak, a locked cash box with the key taped to the bottom.
S/MIME: an all-rounder?
S/MIME content encryption enjoys a reputation similar to PGP's and has the advantage of being integrated into common mail clients. Since no additional plug-ins or downloads are required, S/MIME is extremely user-friendly, including in M365. As a result, many companies use this standard instead of PGP.
In contrast to PGP, the standard provides for a small number of trusted certification authorities to validate public keys. Even though this process is not infallible, it offers users more security than PGP's Web of Trust, in which practically anyone can take over the functions of a certification authority with virtually no supervision.
Unfortunately, this standard is not a true all-round solution either, because, like almost all procedures, it requires both sender and recipient to use it. In addition, users have to manage their own keys and those of their communication partners, which is no trivial task.
Wanted: flexible specialist translator
So there are many good encryption standards, but they are like languages: sender and recipient must speak the same language in order to “understand” encrypted messages. An alternative is push and pull procedures, in which the recipient does not need encryption of their own. These are very secure and let a user without encryption software open the encrypted e-mail either as an attachment to an e-mail in their own mailbox or on an external web portal, depending on the method chosen.
On a technical level, an e-mail gateway that “speaks” the most common standards can help. It takes over encryption in the background: before an e-mail is sent, it checks which standard the recipient supports and automatically encrypts the sender's message accordingly. This makes e-mail encryption more user-friendly and ensures it is applied as widely as possible.
More at totemo.com
About totemo
The Swiss software manufacturer totemo ag offers solutions for the secure exchange of business information. totemo protects e-mail communication and data transfer through encryption and attaches particular importance to optimal user-friendliness, including on mobile devices.
The patented and FIPS 140-2 validated totemo security platform enables quick and easy integration into any existing IT infrastructure.