Voltage security-adventures-in-secure-mobile-email
Whitepaper

Adventures in Secure Mobile Email
By David Strom

A Voltage Whitepaper

Sending and receiving encrypted email with sensitive data should be a lot easier to do. But it ends up being something painful, and as a result we tend to avoid this protection. Haven’t we all been schooled that sending emails in plain text is like having a post card plastered to the wall of your local coffee bar? Haven’t all the various exploits with stolen credit cards and hackers breaking into various Web-based email services been warning enough? Apparently not.

Oddly, this summer marks the eleventh anniversary of identity-based message encryption with more than a billion secure messages being exchanged annually. But that still pales in comparison to the many insecure messages containing sensitive data being exchanged in the clear.

Certainly encrypted email still isn’t very common practice, despite this impressive statistic. In the many years since encrypted email was first invented in the mid-1990s, we have seen a lot of progress, at least from the technology side of the house. We have some standards, we have some multi-vendor interoperability, and we have some products that don’t require a PhD in cryptography to install and use. There are some terrific products that make encrypting and decrypting emails almost effortless, and relatively inexpensive to widely deploy across small and large enterprises.

Obstacles to Widespread Encrypted Email Use

But despite these improvements, using secure email is still not widely adopted. There are several reasons why:

First, as we all know, unencrypted emails are very easy to send and encryption can add extra steps. Some certificate-based systems are too complex: most end users don’t even know what a public key certificate is or how to use it.

Second, many IT admins are still under the mistaken impression that securing their email is either expensive, cumbersome, or requires a symmetric key solution for both recipients and senders. None of these are true today, although they were for many years. Maybe someone should send these IT managers a message! Some products even have Outlook plug-ins to make the whole process even easier for the user, and the latest identity-based encryption products are simple to use without compromising on security.

Third, many businesses have to comply with ever-present regulations around communication of sensitive data, and the processes that support it, like legal e-discovery and archiving. The latter can be a big deal. Companies even resort to sending sensitive data on media via snail mail with all the risks that come with it, unaware that technologies like identity-based messaging can solve both problems.

Finally, there is the biggest obstacle yet: more people are using mobile devices that don’t have very good email encryption experiences. Let’s take a closer look at this.

The Mobile Encryption Experience

Today’s knowledge worker isn’t just using their Windows or Mac desktops, but a variety of iOS, Android and BlackBerry mobile phones and tablets to communicate. Indeed, in many organizations the iPad has become the de facto executive dashboard, and many people have moved to using their mobile device as their exclusive communications tool. Gartner predicts that worldwide tablet sales will reach 119 million units by the end of this year [1] and that enterprise tablets will comprise more than a third of total tablet sales in 2015. As one example, many school districts are buying them for all of their students to facilitate homework completion and communication after school hours. This represents yet another reason to encrypt emails with sensitive data.

Most end users think of their mobile devices as their own, even if they were purchased with the company’s credit cards. They think nothing of using them to transmit sensitive corporate data or of just making whatever copies they need of business documents to take along. But they are a corporate asset, and need to be protected accordingly. That is a challenge. Given that a smartphone is lost or stolen every 15 seconds, that is a lot of data that is just ripe for the picking. We don’t think about what would happen if our mobile phone or tablet is lost or stolen, and whether our corporate email traffic is saved on it. To make matters worse, about half of business users don’t even protect their devices with a simple four-digit power-on PIN [2].

On top of these issues, the secure email world has lagged behind this influx of tablet purchasing. If we wanted to use encryption we have to go through multiple steps to make it happen on a mobile device. We have inconsistent delivery methods and clunky workflows to compose, send, and receive encrypted emails. We have to use a Web-based email solution, or add a special proxy server, or handle certificates that bring us back to the mid-1990s before identity-based encryption was commercially available.

The native iOS and Android email clients don’t support much in the way of encryption outside of an SSL connection, which only protects the data from the mobile to the server, not before or after. The iOS email app has basic S/MIME PKI support but it’s just too complicated to use, especially for ad-hoc secure messaging which is typical in today’s on-demand socially connected world. And most of the third-party mobile email clients don’t do much to add any security to the attachments or messages accessed by a tablet or a smartphone.

Finally, one additional challenge: many enterprises are encouraging their customers and partners to use their mobiles to communicate with their brands, making it more difficult to keep private information secure on non-corporate owned devices too.

Mobile Data Security Options

To truly protect your email and data from getting hacked, you need an approach that looks at the entire end-to-end process and protects all of the various components, including the message body, the header, the attachments and any replies. This needs to be secured wherever the email goes – including desktops, applications and mobile devices. The intended recipient should be the sole entity that can decrypt any of these components.

Let’s look at three different intended solutions: mobile device managers, cloud-based file sharing services, and Web email clients. Each falls short of this goal when it comes to protecting the entire email data chain.

There are over a dozen different mobile device managers available today. These are tools that provide a secure container to protect files and data on the mobile device. That is great, but what happens if emails or sensitive data are saved to your phone outside that container? What if you send an email from the container to an external recipient that doesn’t have the same setup? And while many MDMs are great at deactivating a lost or stolen phone, they do add a layer of complexity and detract from the overall ease of use of the native email experience. They are also ineffective when it comes to protecting the email end-to-end in your smartphones and tablets.

Another solution is to use one of the more than a dozen different cloud-based file sharing services that are designed for consumers. These tools are extremely easy to use and were originally developed to get around file attachment size limitations of older email products, but have since mushroomed. A recent report shows these services represent about 15 percent of total network bandwidth consumed and their use is growing faster than any other application category. At least one browser-based file sharing application was detected on 89 percent of the participating organizations’ networks, and an average of 13 different file sharing apps were found on each customer’s network [3].

Cloud file sharing services aren’t easy to manage from an enterprise perspective. Many of these services have other hidden limitations. Even when IT is aware of their use, the services generally lack transaction logging, which makes document control problematic. And some of these services aren’t as secure as their vendors advertise, or have questionable privacy policies. That’s a red flag to a compliance officer.

A third solution is to use the Web-client options of many email encryption products. While these will work with mobile browsers, they still aren’t as easy to use as the native email apps that come with iOS or Android operating systems. Some of these products can only read and not compose encrypted messages, and some still make use of the older and cumbersome symmetric key solutions.

Voltage’s Mobile Email Security Solution

What is needed is a special app for mobile devices that can secure emails, but do so with the involvement of centralized authentication and message management policies that can be easy to maintain by IT staffers, where granular security policies can be created and enforced. That’s where Voltage’s SecureMail Mobile Edition comes into play.

The app has several advantages over other mobile encryption products. First, it is dirt simple to use: a few taps or clicks and you can be sending emails securely. Secure messages are received in the native email applications and opened with the Voltage app. The software mirrors the same user interface that is native to the particular mobile device, so an iPad or Android user is comfortable using the Voltage email application with the same familiar controls and integration with the mobile’s existing contact list. There is no certificate management or downloading cumbersome attachments to be read in the mobile’s Web browser, and it makes use of identity-based encryption to simplify the process to communicate among correspondents who have never used encryption software before on desktops or mobile devices. It also integrates into the existing iOS or Android address books.

The app can be found on the Apple iTunes Store or Google Play, so it is easy for end users to download, provision themselves and register the app to securely correspond with enterprises enabled with Voltage SecureMail.

The mobile edition is another extension of the Voltage SecureMail family of products that have been around for several years and deployed by millions of end users and thousands of enterprises. The Mobile Edition works with the existing security and centralized policy enforcement and compliance settings too. The management console is a clean Web-based interface that has added a new series of menus for handling the mobile client: you can disable all mobile access with the click of one button, force end users to re-authenticate periodically, and set up new mobile-oriented encryption policies. For example, IT managers can create policies to block forwarding emails to non-trusted domains, or require certain compliance actions such as forwarding a copy of all mobile emails to the original sender.

The Voltage SecureMail Mobile Edition satisfies the most stringent security requirements. All traffic is encrypted in transit and on the mobile device itself, so no worries if an email falls into the wrong hands. You can require users to re-authenticate themselves periodically as part of an overall IT policy enforcement. Files from email attachments that are stored in the mobile device inbox are also encrypted. Documents can be shared with external users outside your corporate domain with another global policy setting, and specific users’ email IDs can be whitelisted or blacklisted, depending on circumstances.

We have come a long way in the many years since encrypted emails have been possible, and Voltage with its mobile software represents the next step in this evolution towards making it easier and part of the normal messaging workflow.

About the Author

David is a world-known expert on networking and communications technologies. Whether you got your first PC at age 60 or grew up with an Apple in your crib, Strom can help you understand how to use your computers, keep them secure, and understand how to create and deploy a variety of Internet applications and services. He has worked extensively in the Information Technology end-user computing industry and has managed editorial operations for trade publications in the network computing, electronics components, computer enthusiast, reseller channel and security markets.

[1] http://www.gartner.com/it/page.jsp?id=1980115
[2] http://www.cioinsight.com/c/a/Latest-News/Identity-Fraud-Victims-are-Smartphone-Social-Media-Users-Report-187247/
[3] http://www.paloaltonetworks.com/aur

Voltage Security, Inc.
www.voltage.com