
Terminal's IT Support, Products & Services Blog


Encrypted Email - What Is It and Do You Need It?


Encrypted email is a pretty common term these days, but also a loaded term.  People make a lot of assumptions about what it means, but as with many things in IT, things get quite a bit more complex beneath the surface.

Encryption itself is fairly self-explanatory; encryption is the act of scrambling data so only people who are supposed to read it can do so.  Even if someone else gets ahold of that data, it will look like gibberish to them, unless they have the proper key to decrypt it.

So how does this apply to email?  Well, there are several places in email technology where encryption is a very good thing.  Some of them are more straightforward and easier to implement than others, however.  We'll go over each here.

1) Email storage.  The first and most obvious place to encrypt email is in your mailbox, that is, at rest on disk.  If someone gets onto your computer, can they simply copy your entire mailbox file onto a USB drive and read it later at their leisure?  If the mailbox file is encrypted with a key tied to your login (for example, an Outlook PST file on a Windows account protected by EFS or BitLocker), a copy of the file is useless without your username and password; note that Outlook's own "PST password" is only an access prompt, not encryption.  If you use cloud email, such as with a company like Google (Gmail), Rackspace, or Intermedia, the provider typically encrypts its storage as well, but the provider holds the keys: that protects you against a stolen or discarded disk, not against the provider's own staff or against anyone who obtains your credentials.  The same applies if your email is held on a central company server such as Microsoft Exchange; encrypting the mailbox database on the server in your company's data center protects the disks, while who can read a mailbox is still governed by each user's account and permissions.

2) Sending email.  Email can also be encrypted in transit, and many compliance standards, including the Massachusetts personal information regulations (201 CMR 17.00), require it for personal information, and for good reason.  Every time you send an email, it makes its way across the internet to its intended recipient, passing through any number of routers, switches, and other mail servers along the way.  Unless a link is encrypted, anyone on that link who happens to be looking can read the message; and each mail server that relays it can read it in any case, because server-to-server encryption (STARTTLS) protects only the connection between two servers, not the message while it sits on each of them.  Yes, you read that right; by default your email is like a postcard that anyone handling it can read as it passes by.

To ensure that only the person you send the email to can read it, the message itself has to be encrypted end to end, not just the connections it travels over.  There are several technologies for this, but none is as seamless or user-friendly as might be hoped.  One kind doesn't deliver the email at all: it sends the recipient a notice pointing to a web page where they log in with a password to view your secure message.  Another kind delivers the message to the recipient's inbox but requires them to know a password (or hold a key, as with S/MIME or PGP) to open it.  Each works well, but neither is as obvious or easy to use as plain email.  Because of that added friction, few companies or individuals use any kind of message encryption, even when the law requires them to.
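One practical check on point 2 is to look at the Received: headers of a message you have actually received, since every relaying server records whether it accepted the message over an encrypted connection. The script below is an added example, not code from the original post; the message, host names and addresses in it are constructed for the demo.

```python
"""Added example, not from the original post: read the Received: headers of a
delivered message to see which SMTP hops were encrypted.

Each relaying server prepends a Received: line.  Servers that accepted the
message over STARTTLS usually say so: Postfix and Exim write "with ESMTPS"
(or ESMTPSA when the sender also authenticated), and Google and Microsoft add
a "(version=TLS1_2 cipher=...)" note.  A hop with no such marker was, as far
as the header tells you, plaintext.  The message and hosts below are made up.
"""
import email
import re
from typing import List, Tuple

SAMPLE_MESSAGE = """\
Received: from mail-out.example-cloud.test (mail-out.example-cloud.test [192.0.2.10])
        by mx.recipient.test (Postfix) with ESMTPS id 4C3F2A1
        for <bob@recipient.test>; Mon, 06 Dec 2010 10:15:02 -0500 (EST)
Received: from mail.sender.test (mail.sender.test [198.51.100.7])
        by mail-out.example-cloud.test with ESMTP id q9si12345
        for <bob@recipient.test>; Mon, 06 Dec 2010 10:14:58 -0500 (EST)
Received: from alice-pc (unknown [203.0.113.5])
        by mail.sender.test (Postfix) with ESMTPSA id 7B2C9
        (version=TLSv1 cipher=AES256-SHA bits=256)
        for <bob@recipient.test>; Mon, 06 Dec 2010 10:14:55 -0500 (EST)
From: alice@sender.test
To: bob@recipient.test
Subject: Q4 account numbers

Account 1234-5678 is attached.
"""

# Markers that a hop was accepted over TLS.  "with ESMTP " (no S) does not match.
TLS_MARKERS = re.compile(r"\bwith\s+E?SMTPSA?\b|\bversion=TLS|\bcipher=", re.IGNORECASE)
FOLDING = re.compile(r"\s+")

Hop = Tuple[str, str, bool]  # (from_host, by_host, tls_seen)


def received_hops(raw_message: str) -> List[Hop]:
    """Parse every Received: header and return the hops oldest first."""
    msg = email.message_from_string(raw_message)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        flat = FOLDING.sub(" ", value)  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        hops.append((
            m_from.group(1) if m_from else "?",
            m_by.group(1) if m_by else "?",
            bool(TLS_MARKERS.search(flat)),
        ))
    # Headers are prepended by each server, so reverse for chronological order.
    return list(reversed(hops))


def plaintext_hops(raw_message: str) -> List[Tuple[str, str]]:
    """The links on which a network eavesdropper could have read the message."""
    return [(src, dst) for src, dst, tls in received_hops(raw_message) if not tls]


if __name__ == "__main__":
    for src, dst, tls in received_hops(SAMPLE_MESSAGE):
        print(f"{src:30} -> {dst:30} {'TLS' if tls else 'PLAINTEXT'}")
```

In the constructed message the middle hop, from the sender's server to the cloud relay, carries no TLS marker, so the account number crossed the internet in the clear even though both ends encrypted their own links. Two caveats: a Received: line is written by the server that adds it and can be forged by anyone upstream, and "ESMTPS" only says the connection was encrypted, not that the certificate was verified (opportunistic STARTTLS usually accepts any certificate). Neither tells you anything about the message sitting in plaintext on each relay, which is why the text above calls for end-to-end encryption.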

3) Accessing email.  If your email is hosted in the cloud or on a server, you also need to be concerned with how you access it.  If you read your email through a web page, such as with Gmail, each message you compose or read travels between you and that remote server, and if that traffic isn't encrypted, anyone sitting between the two endpoints (on the coffee-shop Wi-Fi, say) can read your messages and often hijack your session.  This is much like point 2, but it concerns the traffic between you and your server rather than the message's path to your recipients.  Fortunately, this is a much easier area to cover; most email systems already encrypt access without the end user needing to do anything differently.  Gmail uses HTTPS addresses, which encrypt the session with TLS (the successor to SSL), and Outlook likewise uses TLS between itself and an Exchange server, as do IMAP and POP clients configured for their SSL/TLS ports.  The check worth making is that the encrypted option is actually turned on and that the client rejects, rather than merely warns about, an invalid certificate.

As you can see, "encrypted email" can mean many different things.  When looking at email solutions for yourself or your company, pay particular attention to what a solution means by encrypted email; you will often find that while it covers points 1 and 3, it provides no solution for point 2, which is the most critical of the three.  This is of particular concern if your business handles personal information about your customers, such as credit card data, bank account numbers, social security numbers, or, depending on the law that applies, even phone numbers and addresses.  In these cases, you may be *legally required* to encrypt all your email containing any personal information, or face stiff fines and lawsuits.

Don't leave yourself wondering just how secure your email system is; Contact Us today and let a Terminal engineer go through your email system with you and help ensure you are doing everything you can to stay secure and compliant with today’s standards.

Brian St. Marie - Sr. Systems Engineer


Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Sincerely, Terminal We Serve All of Greater Boston and Cambridge, MA
We hope you have found this information helpful & if so...Please Follow Us on Twitter! or Like Us on Facebook!

Standards for the Protection of Personal Information


Many people may be familiar with 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, the Massachusetts data privacy law which went into effect March 1st, 2010; all companies which work with the personal information of Massachusetts residents were required to be fully compliant by this date.  Unfortunately, for many small and medium businesses, understanding and implementing this law has been a rather difficult and confusing process.  Many businesses may not even realize the law applies to them.  The law applies to any company which stores or uses personal information of a Massachusetts resident, which is defined as follows:

"...a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account..."

Luckily, Terminal.com has done quite a bit of auditing and compliance reviewing for clients regarding this law, helping them recognize where their processes need to change and ensuring they become compliant.  This week, I helped a CPA firm implement all the changes recommended by their Terminal.com security audit.

In particular, the law requires that each employee have an individual network account with a complex password and that user rights be restricted to the information strictly necessary for them to do their jobs.  In addition, data encryption is required for any laptops, portable devices, or storage media that may move around or out of the office, and for personal information transmitted across public networks.  Likewise, access to any personal client data, physical or electronic, must be protected whenever it is not in use by an authorized employee.  These are just a few examples of the requirements of the law.

While the law can be quite a hurdle for many businesses, it isn't as strict as many other laws or guidelines, such as HIPAA or PCI.  Nonetheless, the requirements should be taken seriously; if the personal information of your clients is ever compromised, you could be held legally responsible for that breach, unless you can show a reasonable effort to comply with 201 CMR 17.00.

If you're unsure if you're compliant, be sure to review the 201 CMR 17.00 Compliance Checklist and verify you can answer yes to all the questions.  If you cannot, or are unsure, feel free to Contact Us and a Terminal.com engineer will be happy to help you review your current network and ensure your company is compliant.  

Brian St. Marie – Sr. Systems Engineer



Boston IT Security Discusses WikiLeaks Encryption and Data Security


WikiLeaks has been in the news quite a bit lately, as has its founder's "insurance" file, an encrypted document whose key the founder threatens to have released if anything happens to him.  Today, CNN posted an article discussing the security of this file.  Their expert source, Hemu Nigam, is quoted as follows:

"Most of the time, you see a 56-[bit]key encryption. That's considered secure. When you are using 256, you are sending a message: 'I'm smart enough to know that you will try to get in.'"

Unfortunately, Mr. Nigam is way off, or CNN drastically misquoted him.  The 56-bit encryption he is referring to is the Data Encryption Standard (DES), developed in the 1970s and widely used through the 1990s.  DES was first cracked publicly by brute force in 1997 (the DESCHALL project), the EFF's purpose-built "Deep Crack" machine recovered a key in about 56 hours in 1998, and today a single DES key can be brute-forced in about a day on modest special-purpose hardware.  It hasn't been considered secure for many, many years and was replaced first by Triple DES (3DES) in the late 1990s and then by the Advanced Encryption Standard (AES), which NIST published as FIPS 197 in 2001 (effective 2002).  3DES uses a 168-bit key (three 56-bit DES keys, with an effective strength of about 112 bits) but is much less commonly used these days.  AES, the most common encryption algorithm in use, is defined only for 128-, 192-, and 256-bit keys; AES-256 is what was reported to have been used to encrypt the WikiLeaks file, and it is the same cipher any user gets from Windows Encrypted File System in Windows Vista or Windows 7, or from Symantec Backup Exec System Recovery encrypted backups.  There is no such thing as "512-bit AES"; a product advertising it is either using a different algorithm or mislabeling something, and a key longer than 256 bits would buy nothing against brute force anyway.

What this means is that if you use AES encryption in your business or even at home, you are getting the same cipher as the WikiLeaks file, and brute-forcing a 256-bit key is out of reach for any government for the foreseeable future.  The practical weak points are elsewhere: the passphrase the key is derived from (a dictionary word falls in seconds no matter how long the key is), where the key is stored, and whether the password ever leaves the machine.  That's still not bad insurance for anyone, provided the passphrase is as strong as the cipher.
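The passphrase point is worth seeing in code. The following is an added example, not anything from the original post or from any product named in it: it models a hypothetical file format in which the tool stores a salt, a PBKDF2 iteration count, and a "key check value" in front of the AES-256 ciphertext, then runs a dictionary attack against that header. The format, the wordlist, and the passphrases are all constructed for the demo.

```python
"""Added example, not from the original post: a 256-bit AES key is only as
strong as the passphrase it was derived from.

Hypothetical file format (assumed for the demo): a random 16-byte salt, a
PBKDF2-HMAC-SHA256 iteration count, and a key check value, HMAC-SHA256 of a
fixed label under the derived key, so a decryptor can tell a wrong passphrase
from a right one without reading the ciphertext.  Many real tools store
something equivalent, and that is exactly what password crackers attack.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

KEY_LEN = 32          # 256 bits, the AES-256 key size
ITERATIONS = 50_000   # PBKDF2 work factor assumed for the demo
KCV_LABEL = b"key-check"


@dataclass
class Header:
    """What the hypothetical tool writes in front of the AES ciphertext."""
    salt: bytes
    iterations: int
    kcv: bytes


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """Tag that lets a decryptor verify the key without touching the ciphertext."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).digest()


def make_header(passphrase: str, iterations: int = ITERATIONS) -> Header:
    """Encrypting a file: pick a fresh salt, derive the key, record its check value."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt, iterations)
    return Header(salt=salt, iterations=iterations, kcv=key_check_value(key))


def dictionary_attack(header: Header, wordlist: List[str]) -> Optional[str]:
    """Recover the passphrase by testing candidates against the key check value.

    Each guess costs one PBKDF2 run; the 256-bit key size never enters into it,
    because the attacker is searching the passphrase space, not the key space.
    """
    for candidate in wordlist:
        key = derive_key(candidate, header.salt, header.iterations)
        if hmac.compare_digest(key_check_value(key), header.kcv):
            return candidate
    return None


# Constructed wordlist standing in for a real cracker's dictionary.
WORDLIST: List[str] = [
    "password", "123456", "letmein", "qwerty", "insurance", "Summer2010!", "wikileaks",
]

if __name__ == "__main__":
    weak = make_header("Summer2010!")
    strong = make_header("tR7#kq9!Lm2v&zP4 dune harbor")
    print("weak passphrase recovered:", dictionary_attack(weak, WORDLIST))
    print("strong passphrase recovered:", dictionary_attack(strong, WORDLIST))
```

Both files above carry a genuine 256-bit AES key, yet the first is opened after seven PBKDF2 runs because its passphrase was in the list, while the second survives only because the passphrase was not guessable. Raising the iteration count slows each guess down but does not change the outcome for a passphrase a wordlist will reach; a long random passphrase, or a key held in hardware rather than derived from anything memorable, is what makes the 256 bits real.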

If you’re concerned about your data’s security or curious about how to improve it, feel free to Contact Us for a security consultation.

Brian St. Marie - Sr. Systems Engineer - Boston IT Security

