Should regular business e-mail be encrypted?
Regular business email that gets routed outside of a company's firewall onto the general Internet should be encrypted. The reasons for this are very straightforward. Outside of their firewall, a company has no control over the information. It can be copied and backed up purposefully or automatically on any number of servers. Unencrypted, these messages can be read by anyone with sufficient access to these machines (or, indeed, by anyone sniffing the network traffic). If backups are made, this information may be read months or years later by unknown parties long after the original messages were deemed deleted.
Beyond these confidentiality issues, unencrypted email traversing the general Internet can be untraceably modified or deleted by people in the "right" place or with the "right" access. Emails can also be captured and resent later, possibly with modifications. This could have a devastating effect on a business!
The only way to prevent this is to use a combination of encryption and digital signatures in your business email to prevent eavesdropping, provide modification detection, and provide non-repudiation for messages traveling through the general Internet and through the corporate Intranets.
Even messages confined to a corporate Intranet are subject to all of the same kinds of attacks that messages traveling over the general Internet are vulnerable to, should a hacker break into the Intranet or should an employee or other insider wish to compromise the system. Especially if a company has a large Intranet, it should consider using secure email even for internal email messages as this threat is much greater than is usually perceived.
Are there problems with secure messaging interoperability?
First, let me point out that there are no interoperability problems involved in using IMAP, POP, and SMTP over SSL or TLS. All modern email clients support these types of secure connections and are generally very easy to configure.
The interoperability problems come in when try sending or receiving encrypted or digitally signed messages. The first problem is that there is not a single standard for encrypting and signing messages; the two most prominent methods are PGP and S/MIME. These are completely incompatible; if you are using PGP and your friend is using S/MIME, you will not be able to send each other secure messages.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.