Eight Best Practices for Private Email Communications

Earlier this month, Voltage Security hosted a webinar entitled “Rethinking Email Security: Eight Tips For Private Email Communications”.  The webinar was positively received by the all those who attended. Below we share the link to the full webinar recording, and excerpts from the content.

With the ongoing concerns about enterprise privacy, and the pervasiveness of email communications, these eight tips are more timely than ever!

 Full webinar recording can be found here.

 1. End to End is a Must: Ensure data is protected while at rest and in transit. By shifting focus to protecting the data itself, it will be secured persistently, wherever it goes. Email Encryption solutions that rely on two or more different encryption technologies inevitably end up splitting messages at some point in the mail flow, creating security gaps and allowing room for data to be compromised. A single, streamlined solution – based on a single technology for all use cases – ensures that data is protected persistently. In recent months, many organizations have been migrating to an email service in the cloud, where it is critical that sensitive information must be encrypted before it enters the cloud, protecting it from access by IT operations and breaches.

2. Don’t Hinder ComplianceEncryption does not have to break, or require extensive additional infrastructure for, compliance scanning, archiving, and e-discovery. The ability to roll out encryption while still maintaining critical features such as archiving, eDiscovery, DLP, and email hygiene scanning is a must. Your solution should be able to encrypt and decrypt messages based on compliance and mail routing policies, and should offer lightweight tools and plugins to support existing archiving and e-discovery business processes.

3. Stateless Critical for Simplified Operations: Deploy a solution that is stateless, with no certificates or keys to manage, ensuring lower infrastructure and operational costs. Keys can be generated dynamically, on demand when they are needed, eliminating the need to keep and maintain a key store. With a stateless solution, the need for keys or certificates to be backed up and replicated across servers is eliminated, providing infinite scalability. Additionally, disaster recovery should be as simple as taking a one-time backup of the master secret, which can then be used to easily recreate a new key server that can generate keys for past and future messages – with no loss of data.

4. One Encryption Technology  IBE: Deploy a single encryption technology that can work across all use cases and all end points, whether that is a desktop, mobile device, smart phone, tablet, or web browser. Voltage Identity-Based Encryption™ (IBE) can address all of these use cases for both internal and external email communications. Whenever an email is encrypted, always use the same delivery mechanism – email should follow a push delivery model to the recipient’s existing inbox, rather than having to create a separate inbox for the sole purpose of maintaining secure email communication. Needlessly managing multiple encryption technologies and delivery methods only increases complexity and cost across the IT and Help Desk organizations, and frustrates users.

5. Ease of Use for Senders and Recipients: Implement a solution that is easy to use, with the freedom to send ad-hoc secure communication to anyone, without having to worry about doing a key exchange, or whether the recipient has a certificate or shared password. The solution should work across a variety of commonly used endpoints, including mobile devices, email clients, and Web browsers – with little to no impact on how senders and recipients use email.

6. One Infrastructure – Multi-Tenancy Capable: Find a solution that supports multi-tenancy, where each tenant can have its own policies and branding to address the unique requirements and use cases of different lines of business, departments, and geographic regions – all under a single email encryption infrastructure.

7. Flexible Architecture that Enables Business: Find a solution that is flexible in terms of its architecture – one that will not lock your enterprise into a specific deployment model, and that can support on-premises, cloud, and hybrid deployment models. The solution should also be able to address complex mail flows, and integrate with a variety of email infrastructure, business applications, and websites. An ideal solution is one that is able to work today, but also one that will be able to adapt to changing business needs in the future.

8. Proven in Real-World Deployments: Look for a solution that that is standards-based and proven in real world deployments. Traditional encryption technologies such as S/MIME, PGP, Symmetric Key, Webmail, and others have failed because they have poor user experiences and are costly to operate. Find a solution that has proven time and again that it can be deployed enterprise-wide, not just within small pockets of an organization. If your company does business globally, then finding a solution that has successfully scaled across multiple countries – with a single infrastructure – is a critical.

9. BONUS: A Look at Heartbleed & IBE: Data centric encryption helps to protect sensitive information when there is a vulnerability like Heartbleed. Another approach to mitigate the risk of vulnerabilities and breaches is to use a solution that can rotate private keys every N days based on policy, which will significantly limit the attack footprint if a private key is compromised. Only the information that was encrypted during that limited time period will be at risk. With traditional PKI, private key rotation is not an option. Finally, be sure to test for the worst case scenario. If your master secret is every compromised, doing a root key rollover should be a routine procedure.

 

Voltage SecureMail meets and exceeds these eight best practices. For more information on Voltage SecureMail, go here  and for a free trial go here.

Leave a Reply

Your email address will not be published. Required fields are marked *