What's happening with email?

Protecting business email is different from securing consumer-based messaging


During the hot summer months, many of us are being asked to pay attention to our water usage. A faulty sprinkler head in your lawn's sprinkler system can result in water all over your lawn. Perhaps you have a leaky faucet, and water just drips away.

Email is like a leaky faucet. Lots of towns have instituted water bans in an effort to conserve water, which is one way of fixing the problem. Simply not using it, though, isn't the most effective way to mitigate risks and vulnerabilities in the digital world, especially when it comes to email.

There is an entire ecosystem of email protection, which includes email security. Email security is not only about inbound hygiene, but a more holistic email protection solution. As part of any layered security system for the enterprise, both email protection and email security have to exist.


"About four to five years ago, Google and Facebook started looking at web traffic, and Snowden really raised awareness," said Dave Wagner, CEO, ZixCorp. "The market is waking up to the importance of encryption. SSL technology works really well, and then IT began a much more aggressive encryption campaign."

Public perception drives a lot of change, as evidenced by the water ban announcements displayed through many towns. When consumers understand risks and impact, they get on board with viable solutions. Consumers, said Wagner, have largely helped to change the perception of encryption.

"The Snowden breach caused a global awareness of protecting personal information. Apple and Facebook responded with really strong end-to-end encryption for consumers. That created the FBI San Bernardino complication and furthered this awareness of encryption," Wagner said.

There is a distinction between end-to-end consumer messaging, which is much more strongly protected, and the security of enterprise email.

"Business email is different from consumer-based messaging because enterprises have an obligation to look at data for business-continuity reasons. They have to have the ability to decrypt, store, and use the information," said Wagner.

Information sent across the wire without encryption is one of the easiest targets for malicious actors looking to grab unprotected data. "They can pull information off the internet if email is not encrypted," said Wagner.

"Point-to-point web connection is safe. SSL or TLS was built to be secure. Google cloud to Microsoft cloud, that’s going to be strongly encrypted. In email we take advantage of those point-to-point encryption opportunities. Where email gets tricky is it's a multi-domain, multi-user experience," said Wagner.

That means that Gmail to Gmail is all going to be protected, but that's most often with personal use. "The other use of email is in the business context, working on a lawsuit, multiple domains, content may or may not be protected by a properly configured connection," said Wagner. "The TLS standards that exist today leave enterprises unaware of whether they have proper configurations."

So, if law firm 1 doesn’t have TLS configured properly, the email is going to go in the clear, which could create security risks for law firm 2.

"There is a way to implement mandatory TLS so that the recipient would fail, not send, process to clean out email queue, resend, and find another way to deliver it," said Wagner.

Many enterprises use opportunistic TLS: if TLS is available on the connection, it is used, but if it's not, the information is sent in the clear.
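The difference between opportunistic and mandatory TLS described above, shown from the sending side. This is an added example, not code from the article or from ZixCorp; the names `deliver`, `tls_context`, `DeferDelivery`, `mandatory` and `smtp_cls` are hypothetical. It assumes direct delivery to the recipient's mail server on port 25 and that an opportunistic sender accepts any certificate.

```python
import smtplib
import ssl


class DeferDelivery(Exception):
    """Mandatory TLS could not be satisfied; the message stays queued."""


def tls_context(mandatory):
    ctx = ssl.create_default_context()  # verifies certificate chain and host name
    if not mandatory:
        # Assumption: opportunistic senders accept any certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def deliver(mx_host, sender, rcpt, message, mandatory, smtp_cls=smtplib.SMTP):
    """Send one message. Returns 'encrypted' or 'cleartext', or raises DeferDelivery."""
    with smtp_cls(mx_host, 25, timeout=30) as conn:
        conn.ehlo()
        if conn.has_extn("starttls"):
            try:
                conn.starttls(context=tls_context(mandatory))
            except (ssl.SSLError, smtplib.SMTPException) as exc:
                # A session with a failed handshake is never reused for sending.
                raise DeferDelivery(f"TLS handshake with {mx_host} failed: {exc}")
            channel = "encrypted"
        elif mandatory:
            # Peer did not offer STARTTLS (for example, a misconfigured server):
            # keep the message in the queue instead of sending it in the clear.
            raise DeferDelivery(f"{mx_host} did not offer STARTTLS")
        else:
            # Opportunistic fallback: the message is sent unencrypted.
            channel = "cleartext"
        conn.sendmail(sender, [rcpt], message)
        return channel
```

Calling `deliver(..., mandatory=True)` and requeueing on `DeferDelivery` gives the fail-and-retry behaviour; with `mandatory=False` the same call silently falls back to cleartext when the peer lacks TLS.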

Wagner said one way to augment basic TLS is to keep a public key for each customer's domain in a directory, where it is available to be checked and the message encrypted with that key.

"We will continue to see a focus on encrypting and protecting information at increasing rates of adoption with base TLS more properly deployed. Email is going to continue to be a tool used by businesses for a long time. It's not going away. What’s happening is a really pronounced shift to the cloud," said Wagner.

As an understanding of the need to have email security solutions takes hold across sectors, we can expect to see more cloud-to-cloud emailing in the enterprise. 
