Email: An Overlooked Element in Securing Enterprise Communications

Many organizations are focused today on securing voice communications. State security regulations and other compliance initiatives tend to focus on encrypting data on notebook computers and portable devices. Email communications, however, still tend to be overlooked.

Environments that are serious about keeping sensitive information from getting into the wrong hands will look at one or more of the following solutions for securing their email communications:

PGP (News - Alert)/MIME end-to-end security: Pretty Good Privacy (PGP) is a mature solution that uses public key cryptography to secure content and digitally sign messages.

S/MIME end-to-end security: Digital certificates can be used with most email applications and provide seamless message protection using the certificate support built into the email application itself. All of today's most popular email applications have digital certificate support built in.

Site-to-site email encryption products: Products exist that act as a security gateway, encrypting messages on the fly as they pass between sites.

Web-based client-to-site SSL mail transport solutions: These solutions reroute sensitive messages to a secure server on a company's DMZ network. This server stores the actual message and sends a notice to the recipient that they have a new 'secure' message waiting, and provides them with a secure URL.

Site-to-site TLS encryption between mail hosts: A feature supported by many of today's Simple Mail Transfer Protocol (SMTP) systems is Transport Layer Security (TLS). If enabled, this lets two SMTP hosts use TLS to transfer mail within an encrypted tunnel.

Simple Password Protection / Encryption: If more robust technology isn't available, or your organization does not exchange sensitive information very often, simply password protecting or encrypting the content before sending it is a security improvement.

The current state of email insecurity needs to be addressed if we want our electronic mail systems to continue to be the backbone of corporate communications. Eventually, users should expect messages to be digitally signed or encrypted.

Kenneth M. Smith, CISSP, CISA, GCIH, is a security solution architect at Forsythe. Smith has 11 years of experience in information security, including payment card industry standards (QSA), data privacy issues, and incident response and investigation.

» Internet Telephony Magazine Table of Contents