Email encryption in the cloud


Five challenges with e-mail encryption in the cloud: If e-mails are unencrypted on the server, all information can be copied and read by attackers.

Software as a Service (SaaS) makes life easier for companies in many ways: the providers not only ensure that sufficient computing power is available, they also install updates and patches for applications such as Office or e-mail services and thus close security gaps quickly. Especially after the critical vulnerabilities in Microsoft Exchange Server at the beginning of March, this aspect increases the attractiveness of Microsoft 365 (M365) as a SaaS solution.

However, companies cannot rely on this to protect them completely. It can take a few days before a patch is available, during which attackers could access e-mails stored on the server. If they are not encrypted, all information can be copied and read. But that is not all. Companies must consider the following five challenges of cloud-based e-mail infrastructures.

1. Data protection must be ensured

The EU's General Data Protection Regulation (GDPR) requires the protection of personal data, including in e-mails. Companies should always send these encrypted. In this way, they ensure compliance and protect personal data or business secrets.

It would be too one-sided to regard on-premise as secure per se and the cloud as fundamentally insecure. Encryption is therefore essential both for e-mails that are in the cloud and for on-premise infrastructures. If the cloud is the sole storage for all e-mails, additional data protection measures are all the more important. The existing security controls for the company's physically delimited access area then no longer apply.

2. Companies need sovereignty over their data

M365 has integrated its own encryption technology. In this way, companies initially protect e-mails and documents, but in the medium to long term they give up sovereignty over their data. It's like entrusting someone with a locked cash box and taping the key to its underside.

Microsoft will probably not use this key for itself. But the “Cloud Act” of 2018 allows US authorities to access data that is stored on servers of US companies, even abroad and retroactively. It is therefore safer if control over the keys remains in your own company.

3. The encryption must be user-friendly

Encryption is not an easy subject. Taking it into your own hands with S/MIME certificates, for example, requires technically well-versed employees and is often not a good approach.

So that encryption does not fail due to resistance from employees, it must be user-friendly. Ideally, the encryption runs automatically and in the background. The users then do not have to worry about the management of keys and certificates or the registration of users, and can concentrate on their actual tasks.

Marcel Mock, CTO and co-founder of totemo (Image: totemo)

4. The e-mails must be readable for the recipient

When companies encrypt e-mails, communication partners must be involved. There are various encryption standards such as S/MIME and (Open)PGP that are not compatible with each other. In addition, many SMEs and most private users do not have the technology or know-how to decrypt messages.

Companies have to cope with the variety of encryption standards and be able to adapt flexibly to the standard of their partners. This also means offering an alternative if the partners do not use encryption, so that encrypted mails do not remain unread.

5. What happens to old, unencrypted emails?

When companies migrate their e-mail infrastructure to M365, encryption only applies to new messages. What happens to the unencrypted e-mails that move from the on-premise server to the cloud? They should not be kept in clear text, because they can be read by attackers.

How companies meet the challenges

On the one hand, companies should ensure more security and data protection by encrypting their e-mails. On the other hand, they want to retain sovereignty over their data, protect legacy data and offer a user-friendly solution for both communication partners and employees.

Independent e-mail encryption solutions are necessary for this. These automate the key and certificate management and encrypt existing mailboxes before the migration. When making a selection, service-oriented companies can ensure that the solution supports as many encryption standards as possible and offers an alternative method for e-mail recipients without suitable equipment. This is what makes Microsoft 365 a secure e-mail store in the cloud.

More at totemo.com

 


About totemo

The Swiss software manufacturer totemo ag offers solutions for the secure exchange of business information. totemo protects e-mail communication and data transfer through encryption and attaches particular importance to optimal user-friendliness - of course also on mobile devices.
The patented and FIPS 140-2 validated totemo security platform enables quick and easy integration into any existing IT infrastructure.


 
