Encrypted Email - What Is It and Do You Need It?

Brian St. Marie - Sr. Systems Engineer

Encrypted email is a pretty common term these days, but also a loaded term.  People make a lot of assumptions about what it means, but as with many things in IT, things get quite a bit more complex beneath the surface.

Encryption itself is fairly self-explanatory; encryption is the act of scrambling data so only people who are supposed to read it can do so.  Even if someone else gets ahold of that data, it will look like gibberish to them, unless they have the proper key to decrypt it.

So how does this apply to email?  Well, there are several places in email technology where encryption is a very good thing.  Some of them are more straightforward and easier to implement than others, however.  We'll go over each here.

1) Email storage.  The first and most obvious place to encrypt email is in your mailbox.  That is to say, if someone gets on your computer, can they simply copy your entire mailbox file onto a USB drive and read it later at their leisure?  If your mailbox is encrypted, it means that no one can read your email unless they can sign into it with your username and password.  This type of encryption has been used with email for many years and is an option with most email programs, such as Outlook.  If you use cloud email, such as with a company like Google (Gmail), Rackspace, or Intermedia, the email would also be encrypted on their storage servers to ensure that you and only you can look at the messages in your mailbox.  The same applies if your email is held on a central company server like with Microsoft Exchange; your mailbox would be encrypted on the mail server in your company's data center.

2) Sending email.  Email also can be encrypted in transit.  This is required by many modern technology compliance standards, such as the Massachusetts Personal Information protection laws, and for good reason.  Every time you send an email, it makes its way across the internet to its intended recipient.  Along the way, it passes through any number of internet devices, such as routers and switches, and even other mail servers.  At any point along this chain, your email can be read by anyone who happens to be looking.  Yes, you read that right; your email is just like an open letter in the mail that anyone can read as it passes them by.

In order to ensure that only the person you send the email to can read it, you would need to encrypt the message.  There are many technologies to make this work, but none of them are as seamless or user-friendly as might be hoped.  For instance, one type of technology doesn't send the email at all, but simply sends a message to the recipient redirecting them to a webpage where they can view your secure message by using a password.  Other programs work by requiring the person on the other end to know a password to open the message in their inbox.  Each version works well, but neither is as obvious or easy to use as basic email.  Because of the added difficulty of using these kinds of technology, few companies or individuals use any kind of transit encryption, even though they may be required to do so by law.
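To see the chain of mail servers described in point 2 for a message you have received, you can read its `Received` headers, which each server adds as it accepts the message. The following is an added example, not part of the original article: it reports, hop by hop, whether the receiving server recorded a TLS-protected connection, using the standard protocol keywords from RFC 3848. The sample message and its hostnames are constructed.

```python
import re
from email import message_from_string

# "with" keywords a receiving server records (RFC 3848): a trailing S means TLS.
TLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
CLEAR = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

def strip_comments(value):
    """Drop (possibly nested) parenthesised comments, e.g. '(using TLSv1.3 with cipher ...)'."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def classify_hops(raw_message):
    """Return (sender, receiver, status) per hop, oldest hop first."""
    hops = []
    # Each server prepends its own Received header, so reverse for travel order.
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        bare = strip_comments(" ".join(header.split())).rsplit(";", 1)[0]
        sender = re.search(r"^\s*from\s+(\S+)", bare, re.I)
        receiver = re.search(r"\bby\s+(\S+)", bare, re.I)
        proto = re.search(r"\bwith\s+(\w+)", bare, re.I)
        keyword = proto.group(1).upper() if proto else ""
        status = "tls" if keyword in TLS else "plaintext" if keyword in CLEAR else "unknown"
        hops.append((sender.group(1) if sender else "?",
                     receiver.group(1) if receiver else "?", status))
    return hops

# Constructed sample message (documentation-only hostnames and addresses).
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [203.0.113.7])
    by inbound.recipient.example (Postfix) with ESMTP id 4F1A2
    for <bob@recipient.example>; Tue, 02 Jan 2024 10:00:03 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.9])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by mx.partner.example (Postfix) with ESMTPS id 9C3D4;
    Tue, 02 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example ([192.0.2.44])
    by relay.sender.example with ESMTPSA id 77AB;
    Tue, 02 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for sender, receiver, status in classify_hops(SAMPLE):
        print(f"{sender} -> {receiver}: {status}")
```

A hop marked `tls` was protected only on the wire between those two servers; each server in the chain still handled the message in readable form, which is why the message itself has to be encrypted to limit it to the recipient. Headers written before the message reached your own server are only as trustworthy as the servers that wrote them.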

3) Accessing email.  If your email is hosted in the cloud or on a server, you also need to be concerned with how you access that email.  For instance, if you access your email through a webpage, such as with a service like Gmail, each message you compose or read is being sent between you and that remote server.  If the messages aren't encrypted between you and your server, then anyone sitting between each endpoint can read your messages.  This is much like the example above about sending email, but it deals with the traffic between you and your server rather than the messages between you and your recipients.  Fortunately, this is a much easier area to encrypt than sending emails; most email systems already encrypt email access without the end user needing to do anything differently.  For example, Gmail uses HTTPS web addresses which encrypt your session with SSL technology and Outlook similarly uses SSL technology to encrypt data between itself and an Exchange server.

As you can see, "encrypted email" can mean many different things.  When looking at email solutions for yourself or your company, pay particular attention to what any solution means by encrypted email; you will often find that while it may cover points 1 and 3, it provides no solution for point 2, which is the most critical of the three.  This is of particular concern if your business works with personal information for your customers, such as credit card data, bank account info, social security numbers, or even phone numbers and addresses.  In these cases, you may be *legally required* to encrypt all your email containing any personal information, or face stiff fines and lawsuits.

Don't leave yourself wondering just how secure your email system is; contact us today and let a Terminal engineer go through your email system with you and help ensure you are doing everything you can to stay secure and compliant with today's standards.