Encryption solution: What to consider?
As of May 25, 2018, the European General Data Protection Regulation (GDPR) tightens the rules: encrypting e-mails that contain personal data will finally become mandatory.
"For anyone who then forgoes e-mail encryption, it can get really expensive, because security precautions for protecting data will not have been implemented in accordance with the current state of the art," says Christian Heutger, managing director of the PSW Group, bluntly. However, the IT security expert advises against panicking: "Nowadays, e-mail encryption is practicable and can be implemented with little effort. Ideally, companies should use a solution that is set up unnoticed in the background, i.e. on the server side. That way, employees don't have to make any changes to their workflows."
Companies should also not overlook the fact that, in the event of a data breach, they will in the future be obliged to report it within 72 hours to the responsible supervisory authority and, where there is a high risk to personal data, to the affected individuals as well. However, if the compromised data was encrypted in such a way that third parties cannot access it, companies can at least refrain from notifying the affected individuals. "This saves a lot of work and protects the company's reputation as a data protection-oriented company," notes Heutger.
Secure encryption
But what makes an encryption solution not only practical but also secure? "When encrypting e-mails, a distinction is made between transport and content encryption. In the first variant, the e-mail is effectively only sent through an encrypted tunnel on its way from server to server and is stored in plain text on the servers themselves; in content encryption, the e-mail itself is also encrypted," explains Christian Heutger. Since metadata such as the sender, the subject of the message and the recipient remain unencrypted and thus readable even with content encryption, both methods should be combined in practice: "It is advisable to rely on standard protocols. For example, S/MIME is suitable for content encryption; an alternative would be OpenPGP. TLS, on the other hand, is the standard protocol for transport encryption," advises Christian Heutger.
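As an added illustration (not from the article or from the PSW Group), the following Python script inspects a raw message and reports which of the two layers protects it: whether the body is an S/MIME envelope or a PGP/MIME part (content encryption), how many server-to-server hops in the Received headers used TLS (transport encryption), and which metadata headers remain readable regardless. The sample message, host names and base64 body are constructed placeholders.

```python
from email import message_from_string
from email.policy import default

# Constructed sample (not a real message): S/MIME enveloped body delivered
# over one TLS-protected SMTP hop. The base64 body is a placeholder.
SAMPLE_SMIME = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example.net with ESMTPS (TLSv1.3, TLS_AES_256_GCM_SHA384);
 Fri, 25 May 2018 10:00:00 +0200
From: alice@example.org
To: bob@example.net
Subject: Quarterly payroll figures
Date: Fri, 25 May 2018 09:59:58 +0200
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64

PLACEHOLDERBASE64BODY
"""

# Headers that stay in the clear even when the body is content-encrypted.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date")


def content_scheme(msg):
    """Return 'S/MIME', 'OpenPGP' or None depending on how the body is protected."""
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "enveloped-data":
        return "S/MIME"
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "OpenPGP"
    return None


def classify_mail(raw):
    """Report which layer protects a message and which metadata stays readable."""
    msg = message_from_string(raw, policy=default)
    # Each Received header is one server-to-server hop; "ESMTPS" or an explicit
    # TLS mention indicates that hop used transport encryption (STARTTLS).
    received = msg.get_all("Received", [])
    tls_hops = sum(1 for hop in received if "ESMTPS" in hop or "TLS" in hop)
    scheme = content_scheme(msg)
    return {
        "content_scheme": scheme,
        "body_encrypted": scheme is not None,
        "hops": len(received),
        "tls_hops": tls_hops,
        "readable_metadata": [h for h in METADATA_HEADERS if h in msg],
    }
```

Even for the S/MIME sample the report lists From, To, Subject and Date as readable, which is exactly why transport encryption is still needed on top of content encryption.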
S/MIME and PGP are established solutions on the market, but both require certificates and keys, and therefore a corresponding infrastructure and at least some technical knowledge. In practice, it is therefore worth considering alternatives. "That's why gateway solutions for e-mail encryption are a good choice. They enable e-mails to be encrypted and signed automatically and centrally on the server," says the expert.
Gateway solutions are not always the best choice for SMEs
However, Heutger advises small companies against gateway solutions: "Compared to isolated end-to-end solutions, the configuration effort turns out to be quite high. They should therefore seriously consider an isolated solution and seek individual advice on which solution is right for them. In addition, many e-mail gateways do not protect internal corporate mail, and if necessary internal security must be achieved with another solution."
When choosing a suitable encryption solution, interfaces to other security software, such as a virus scanner that checks incoming e-mails for malware, should not be neglected under any circumstances. The same applies to the e-mail archive: in order to index e-mails, the archive system must be able to access their content in plain text; otherwise it will be difficult to find a particular e-mail again later. The chosen system should also integrate mobile devices such as smartphones and tablets. "In order to remain flexible and be prepared for the future, a solution should be chosen that is compatible with many operating systems and platforms," says Heutger.