
Email encryption: Five steps to success


Mike Rothman, Contributor
11.16.2006




Encryption is one of those technologies that has been around for thousands of years (since the days of Caesar, in fact), but is still very misunderstood.

Actually, you use encryption every day, since it's the underlying technology that drives the Secure Sockets Layer and HTTPS protocols. But email encryption remains an enigma at most small and medium-sized businesses (SMBs) because it has been portrayed as the solution to every information security problem. So, let's take a step back and understand what email encryption can do for you.

First and foremost, one of the biggest issues SMBs face is ensuring that they adequately protect intellectual property. When emails that contain corporate secrets are encrypted, there is very little risk of competitors and the like intercepting messages and stealing data. Likewise, in an age where customers are understandably concerned with protecting their private data, encrypting communications ensures that the customer's private data cannot be stolen.

Both IP protection and privacy considerations fall into a large, yet amorphous bucket called compliance. Any business dealing with regulatory oversight, or even one that now accepts credit cards (and is therefore subject to the Payment Card Industry standards), needs to be concerned with compliance. Email encryption is not a panacea for compliance, but having the ability to protect critical data is a critical step in the process.

Why isn't email encryption more prevalent? In a nutshell, it's due to complexity. Historically, email encryption was very complex to implement and required a significant amount of communication, configuration and experimentation between trading partners to ensure a message encrypted by you could be decrypted by them.

Additionally, there was no way to force users to encrypt sensitive messages. IT administrators had to hope users understood how to encrypt the message and that they'd remember to do so when appropriate. Since hope is not a good strategy, most organizations didn't deploy.

But as with most technologies, email encryption has evolved and matured over the past few years. It's by no means easy, but it's also no longer cost-prohibitive for SMBs to start experimenting with the technology. The advent of service providers that will host key servers and email gateways that can automate the enforcement of policies has dramatically decreased the effort required to get an encrypted email system operating.

Here are five essential steps to encrypting email:

  1. What and why? The first step is to define what types of content need to be encrypted. You are best off working with your general counsel (or outside law firms) to ensure that all sensitive data is identified and a policy is created to document the need to protect that data. Content types typically encrypted include customer records, intellectual property, strategy documents, etc.

  2. Who and where? Next, it's important to determine which trading partners will participate. The short answer should be all of them. But in reality, many organizations phase in their approach because it's not as easy as flipping a switch and then encryption just happens. Determine if you are going to let users decide what gets encrypted (via desktop software) or whether you'll take a gateway approach that will scan each message automagically and determine if it is required to be protected by the policy.

  3. How? There are many different ways to skin this particular cat. You could encrypt messages at the desktop or store messages encrypted on a staging server for pickup via a Web-based email interface. You could also implement the encryption either on the email security gateway or on a separate purpose-built device. The architecture will depend on your scale and number of trading partners. You could have a service provider manage the key server or you can manage it yourself. Value-added resellers and the vendors themselves can certainly help make those decisions, once you've determined that encryption is something you should do.

  4. When? Rolling out encrypted email to all of your trading partners at the same time is not advisable. You need to figure out which partners should go first and start working out the details of the implementation with them. As you add more partners to the infrastructure, you'll nail down the process, but it's in your best interest to start slow and figure it out incrementally.

  5. Refine. Given the policy and compliance drivers for email encryption, any project should have a period where the focus is to refine the policies used to determine which emails are encrypted. This can involve tuning the dictionaries and heuristics and manually auditing a subset of the messages encrypted (and those that aren't) to ensure the policies are being enforced.
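
The gateway scan from step 2 and the audit from step 5, sketched as an added example (not code from this article or from any vendor product). The policy terms, sample messages and reviewer labels are constructed assumptions; the card-number heuristic uses the standard Luhn checksum.

```python
import re
from email import message_from_string

# Assumed policy dictionary (hypothetical; the real list comes out of step 1).
POLICY_TERMS = {"customer record", "confidential", "strategy document"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card-number runs

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def policy_hits(raw):
    """Return the reasons a message must be encrypted; empty list = send in clear."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}".lower()
    hits = [f"term:{t}" for t in sorted(POLICY_TERMS) if t in text]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append("card-number")
            break
    return hits

# Constructed audit sample: (name, raw message, reviewer says "should be encrypted").
SAMPLES = [
    ("order", "Subject: Order 1182\n\nCustomer card 4111 1111 1111 1111 exp 01/09.", True),
    ("lunch", "Subject: Lunch\n\nLunch at noon? Call 404-555-0100.", False),
    ("roadmap", "Subject: Roadmap\n\nDraft 2007 product roadmap for the board.", True),
    ("newsletter", "Subject: News\n\nNew menu.\n--\nThis message may contain "
                   "confidential information.", False),
]

def audit(samples):
    """Step 5: compare gateway decisions with the reviewer's labels."""
    missed = [n for n, raw, should in samples if should and not policy_hits(raw)]
    over = [n for n, raw, should in samples if not should and policy_hits(raw)]
    return missed, over

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Here the audit shows both tuning problems: the roadmap message goes out in the clear because no dictionary term covers it, and the newsletter is encrypted only because of its legal footer.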

Ten years ago, it required an armada of consultants and big infrastructure to implement encrypted email. That is no longer the case, but it's still not a walk in the park. But with a diligent process and dedicated project team, email encryption can play a key role in your compliance efforts and can protect both your intellectual property and private customer data.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Reach him via email at mike.rothman@securityincite.com.

All Rights Reserved, Copyright 2007 - 2009, TechTarget | Read our Privacy Policy