The Future of Email Security
The landscape of email security is set to radically change in the next few years. The entire industry of email encryption and DLP was driven almost exclusively by privacy regulations enacted in the late 90’s and early 2000’s. It’s hard to believe we are almost 20 years removed, but are still mostly relying on the same technologies and procedures!
Current secure email technology requires recipients to either login to a encrypted portal with system-specific credentials or other SSO credentials (i.e. your Facebook, Gmail, or Microsoft login). Or, the system will send the email as an encrypted attachment that the recipient must figure out how to open, again using a dedicated password, a specific app, or through a web portal. While these techniques are generally secure, they still leave a lot to be desired in terms of usability. Most importantly, the cumbersome nature of these techniques generally leads to many senders circumventing them out of frustration or deadlines.
There is a better way to secure your communications. The techniques and methods are already out there, but have not yet had widespread adoption. Here is how we see the next few years of email security play out:
Universal Adoption of TLS Encryption and IPSEC
Currently, the majority of emails sent already use SMTP over TLS (STARTTLS) connections. This means that the message is transmitted encrypted over the internet from the sender’s server to the receiver. It is entirely possible that within the next couple years, it will be common practice for ALL email servers to REQUIRE a TLS connection and refuse delivery if one can’t be established.
Simultaneously in the next few years, another technology will also become much more prevalent: IPSEC. Because the current IPv6 protocol mandates the use of IPSEC, we will see more and more of the ‘backbone’ of the internet encrypted, by default. This will apply to not only email, but web traffic, VOIP, etc.
What this means for email encryption: Any solution that wants to be relevant in this environment must embrace TLS as a valid sending method that can provide ‘confidentiality’ to the email. For many organizations that must comply with industry regulations, this is all they may need. In these scenarios, you can rely on TLS for your encryption and only require other delivery mechanisms if TLS cannot be negotiated or trusted. The GlobalCerts SecureMail Gateway (SMG) allows the administrator to specify trusted ‘TLS domains’ with which the system will enforce a TLS connection when delivering mail. All other domains will use another secure delivery method.
S/MIME Will Finally Take Off
Traditionally, S/MIME signatures and encryption have only seen ‘pockets’ of adoption, in specific industries, mostly for internal emails. The main hurdle is certificate management and distribution: every party (sender and recipient) needs to have a certificate pair, and further, you need to have the recipient’s certificate before you can even send a secure email to them. Certificates must also be reissued/renewed yearly, so you also need to make sure you’re using the latest certificate. These requirements present an almost impossible hurdle for S/MIME between organizations.
This is about to change. The National Institute of Standards and Technology (NIST) has introduced a proposal for the future of email security. It uses the ‘DANE’ protocol to securely store all users’ S/MIME certificates in the public Domain Name System (DNS), the same universal system that allows for your computer to match a domain name (like globalcerts.net) to a specific computer IP address. Here, the system allows for you to search for a person’s email address, and it will return their S/MIME certificate so you can send a secured email to them.
GlobalCerts has been using this system of centralized S/MIME encryption ever since it’s inception in 2002. Our patented SecureTier™ technology automatically queries DNS for the recipient(s) public certificates and automatically encrypts the message. On the recipient’s side, our SMG server automatically decrypts the message and delivers it securely to the recipient’s inbox. As the DANE protocol starts to receive more widespread adoption, the SMG will be able to leverage certificates published in the public DNS and use them for automatic S/MIME encryption.
Putting it all Together
The results from these emerging technologies and protocols will be a drastic shift in what organizations will expect from their email security software:
- Message Integrity and Authenticity will be the focus: confidentiality (ensuring eavesdroppers can’t read your message) will be taken as a precondition and will be the ‘easiest’ part of the puzzle. What will be MUCH more important is message integrity (making sure no one changed the numbers in a contract you sent) and authenticity (making sure they email you received is really from your bank and not from a Nigerian scammer). Fortunately both of these features can be satisfied automatically through properly implemented S/MIME signatures and encryption. You can already see this becoming a priority in the U.S. Government, where they recently mandates all outgoing DOD emails MUST be digitally signed with the sender’s certificate. Another necessary component is the pre-existing DNS-based verifications, such as SPF records, DKIM, and DMARC policies, which will soon become basic requirements to send email.
- Message Portals will become a ‘dinosaur’: With the rise of TLS encryption and IPSEC, we’ll no longer need to rely on an HTTPS web portal to deliver an email confidentially. Instead emails will be transmitted encrypted by default, and those requiring further assurances (including integrity/authenticity) will be S/MIME signed and encrypted, and delivered direct to the recipient.
- Information Governance: The ultimate goal of both email security and information security in general is to make sure that the right information is in the right hands (and ONLY the right hands) at the right time. The goal is ultimate control over your information: (1) specifying exactly who has permissions to view something, either explicitly or through policy (2) control recipient’s ability to disseminate that information (3) the ability to update and/or withdraw information. At this point, the lines between traditional email security, secure file sharing, and other forms of communication will truly begin to blur.
Despite these coming changes, email will still remain the bedrock of business communications going forward; it is simply too ingrained into the psychology and business processes of most organization for anything else to displace it. But how we use email will be radically different. Security will no longer mean portals, apps, ‘send secure’ buttons, etc. Confidentiality will simply be baked into the protocols and infrastructure itself. The focus will shift to controlling your data and providing certainty to your business partners that their information is secure, and that your communications to them are unaltered and legitimate. It is definitely a brave new world we’re entering, and GlobalCerts is poised to fully embrace these emerging security changes.
R. Chandramouli, S. Garfinkel, S. Nightingale, and S. Rose. Trusted Email. SECOND DRAFT NIST Special Publication 800-177, March 2018. https://csrc.nist.gov/publications/detail/sp/800-177/rev-1/draft
Duckett, Chris. (2018, February 26). Australian decryption legislation will not undermine ‘legitimate encryption’: Home Affairs, March 2018. http://www.zdnet.com/article/australian-decryption-legislation-will-not-undermine-legitimate-encryption-home-affairs/
Coons, Christopher. (2009, February 20). Digital Signatures on Email Now a DoD Requirement, March 2018. http://www.navy.mil/submit/display.asp?story_id=42771