The Basics of Email Encryption with SSL/TLS
The Internet's original encryption standard also protects email
May 16, 2005
Ordinary email is sent "in the clear," meaning that anyone with the ability to "sniff" packets of information can read it in plain text. Protecting the contents of these messages while in transit from sender to recipient is one of the enduring challenges in email security. While email encryption technology has existed for many years, confusion surrounding the selection of an appropriate technology has delayed its widespread use.
Certainly this delay is not due to a lack of need. Email is used to transmit all types of corporate information, and enterprises that fail to adequately protect information contained in these emails risk revealing their most vital secrets. Each unencrypted email potentially exposes sensitive data - from confidential financial and product information to legal contracts.
In addition, U.S. and international regulations pertaining to information security and privacy require that businesses in every industry take appropriate action to protect the privacy of personal information of their customers, patients, etc, and ensure that this vital data, including social security numbers, birthdates, credit card numbers and bank account numbers, is safe. Encryption of email containing this data plays a large part in ensuring that your organization stays on the right side of the law.
The most effective method of ensuring encryption of sensitive email communications is to integrate a capable policy engine at the sending gateway. This allows automated enforcement of corporate or regulatory policy with regard to what messages need to be encrypted, stopped or reviewed before they leave the organization, ensuring that organizations can enforce regulatory compliance and protect vital corporate data without relying on the end user to take any sort of action.
While organizations in all industries are now recognizing the need for encryption, they are faced with multiple options when selecting a solution to suit their needs. This week, we'll take a look at SSL/TLS as an encryption option.
Encryption Using SSL/TLS
The SSL (Secure Sockets Layer) protocol was developed by Netscape in 1994. The development of SSL and its acceptance and deployment as a standard for encryption was one of the most important steps to the growth of the Internet. SSL allowed the safe transmission of credit card data, therefore enabling the massive growth of Internet commerce. The beauty of SSL is that it is completely transparent to end users while providing enough encryption to protect the data at hand.
SSL provides encryption for web traffic but was not generally used to secure email. In SSL version 3.1, a variation was created that provided a good solution for email encryption. Officially known as TLS (Transport Layer Security) it provides the same simple use and deployment of SSL for the SMTP protocol used for email. The combination of the two technologies into one results in the vowel-challenged SSL/TLS acronym.
The TLS technology creates a "secure tunnel" for the transmission of plain text messages from one secure server to another, protecting messages while in transit across the Internet. TLS provides three basic advantages:
- First, sender and recipient are authenticated to one another directly, avoiding "man-in-the-middle" or DNS spoofing exploits;
- Second, TLS negotiation and exchange protocols operating during transfer protects content from interception; and
- Third, the contents of an email cannot be modified while in route between two TLS clients.
SSL/TLS Deployment
TLS, or "gateway-to-gateway" encryption can be used to secure communication between email servers and other email servers. The message is secure when it is traveling over the open Internet, which is the time it is most vulnerable. Regardless of how it is deployed, TLS is transparent to the end user, which is integral to its success as a standard.
In this "gateway-to-gateway" mode, the sender creates an email which is sent to the server in plain text. In this case, the secure tunnel is created between the corporate gateway and the recipient's email server (or a secure email gateway such as IronMail). The secure tunnel ensures that the message is protected while traveling across the open Internet.
The "gateway-to-gateway" mode can be particularly useful to corporations because it protects the message without preventing either organization from scanning the message at the corporate gateway. The sending organization can scan the message for material it does not want sent, such as confidential information or offensive content, and the receiving server can examine the message for threats such as spam and viruses.
ID Please
A comprehensive email security approach including encryption is the most effective defense against all external and internal threats. For more information on how to encrypt information entering and leaving your enterprise email network, download CipherTrust's FREE whitepaper, Protecting Email: Overview of IronMail Privacy Architecture.
For an in-depth look at encryption's role in your overall email security plans, download CipherTrust's free whitepaper, Securing the Email Boundary: An Overview of IronMail.
|
