Email Encryption 101
With so much data stored in and shared via the corporate inbox, email is a prime target for attackers and other malicious actors. Developing a comprehensive security strategy is a must.
Organizations of all sizes need a security solution that protects their most sensitive business data in email and file sharing workflows. This requires understanding available encryption options.
Those organizations that use Gmail are one step ahead in that the platform offers best-in-class security and privacy controls. That said, there are still some considerations to be made for compliance in highly regulated industries, as well as true business privacy.
To better understand this, we’ll start with the basics of encryption, followed by an overview of Gmail’s native security features, and finally an introduction to object-level, end-to-end encryption.
How Does Encryption Work?
When implemented effectively, encryption helps keep data safe, while still allowing authorized users to access it as needed. However, different types of encryption accomplish different levels of privacy and ease of use, protecting either the data itself or the platform through which the data is shared.
There are two main types: symmetric and asymmetric.
- Symmetric key encryption uses the same key for encryption and decryption. A password-protected PDF is a useful analogy: the creator of the PDF secures the document with a passcode, and authorized recipients use that same passcode to view the PDF in plain-text form.
  Symmetric encryption can be a viable data protection option because it is relatively efficient and simple, but it is not always practical, especially in large-scale deployments, where the complexities of key management and key exchange can create security risks and deployment challenges.
- Asymmetric encryption addresses some of these concerns. It uses two mathematically linked keys: one to encrypt data and one to decrypt it. It is often referred to as public-key encryption because the people who use it publish the encryption key while keeping the decryption key private.
  A locked mail dropbox is a good analogy: the address where the dropbox is located is known to anyone who wants to deliver secure mail (the “public key”), yet only the box’s owner has the key that actually unlocks it (the “private key”) to access the mail.
  Public-key infrastructure (PKI) is required to manage these key pairs. It adds digital certificates that verify the identity of the applications, systems, and users exchanging keys, which makes key management and exchange possible at scale without sacrificing security or usability.
Both of these forms of technology have their challenges, so your organization needs to perform proper due diligence to determine which approach to use for what scenario, and how to implement it. With complex technology and multiple options, it can feel overwhelming to navigate through the encryption solutions market.
Gmail provides robust security of its own, but you may determine additional measures are needed as your organization develops and refines strategies to keep your most sensitive data private and compliant.
Gmail’s Native Security Features
Transport Layer Security (TLS)
Nowadays, most email providers (Gmail included) and other data-sharing platforms are protected by Transport Layer Security (TLS). TLS uses asymmetric cryptography to verify that the endpoints of the connection are legitimate and haven’t been hijacked by an imposter.
At the beginning of a session, your web browser initiates a handshake with a Google server by asking for a digital certificate that verifies the server’s identity, then uses the public key from that certificate to set up the encrypted connection.
This type of encryption secures the communication pathway you use to draft, send, and access Gmail messages from your browser. Once the data is at rest, however, TLS no longer protects it.
So while TLS is effective, it provides only partial cover: it encrypts the channel the content travels through, not the content itself, so a breached perimeter would leave sensitive data stored within Gmail exposed.
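The distinction above (the channel is encrypted, the message at rest is not) is easy to see in code. The following is an added example in Go, not code from Gmail, Google or Virtru: a client and a server complete a real TLS handshake over an in-memory pipe, the client sends a constructed message, and the function returns both what crossed the wire and what the server kept after terminating TLS. The host name mail.example.test, the self-signed certificate that stands in for a CA-issued one, and the names SendOverTLS, recordingConn and Result are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// recordingConn wraps one end of a connection and keeps a copy of every byte
// written through it, so the bytes that actually crossed the "wire" can be inspected.
type recordingConn struct {
	net.Conn
	wire *bytes.Buffer
}

func (r *recordingConn) Write(p []byte) (int, error) {
	r.wire.Write(p)
	return r.Conn.Write(p)
}

// selfSignedServerCert builds a throwaway certificate for a hypothetical mail host
// plus a trust pool containing it; it stands in for the CA-issued certificate a
// browser verifies during the handshake.
func selfSignedServerCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Result contrasts the two places the message exists after the session:
// encrypted on the wire, plaintext at the provider.
type Result struct {
	Wire   []byte // everything the client transmitted: handshake plus encrypted records
	Stored []byte // what the server decrypted and kept, i.e. the message at rest
}

// SendOverTLS runs a TLS client and server over an in-memory pipe, sends msg,
// and returns what the wire carried and what the server stored.
func SendOverTLS(msg []byte) (*Result, error) {
	const host = "mail.example.test" // hypothetical host name for the example
	cert, pool, err := selfSignedServerCert(host)
	if err != nil {
		return nil, err
	}
	clientEnd, serverEnd := net.Pipe()
	wire := &bytes.Buffer{}

	// Server side: terminate TLS and store whatever arrives, as a mail provider does.
	// Session tickets are disabled so the synchronous pipe never holds an unread post-handshake record.
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true}
	type serverOut struct {
		data []byte
		err  error
	}
	done := make(chan serverOut, 1)
	go func() {
		s := tls.Server(serverEnd, serverCfg)
		defer s.Close()
		data, err := io.ReadAll(s) // Read drives the handshake, then yields decrypted bytes
		done <- serverOut{data, err}
	}()

	// Client side: verify the server certificate against the trusted pool, then send.
	clientCfg := &tls.Config{RootCAs: pool, ServerName: host}
	c := tls.Client(&recordingConn{Conn: clientEnd, wire: wire}, clientCfg)
	if err := c.Handshake(); err != nil {
		return nil, fmt.Errorf("handshake: %w", err)
	}
	if _, err := c.Write(msg); err != nil {
		return nil, err
	}
	if err := c.Close(); err != nil { // close_notify lets the server's ReadAll finish cleanly
		return nil, err
	}
	out := <-done
	if out.err != nil {
		return nil, out.err
	}
	return &Result{Wire: wire.Bytes(), Stored: out.data}, nil
}

func main() {
	msg := []byte("Board minutes attached, constructed sample message")
	res, err := SendOverTLS(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wire: %d bytes, plaintext visible on wire: %v\n", len(res.Wire), bytes.Contains(res.Wire, msg))
	fmt.Printf("stored at provider: %q\n", res.Stored)
}
```

The two fields of Result are the point: the wire carries only the handshake and encrypted records, while the provider holds the message in plaintext the moment TLS is terminated, which is why protecting the channel says nothing about protecting the mailbox.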
Google offers enhanced message security via Secure/Multipurpose Internet Mail Extensions (S/MIME) as part of the G Suite Enterprise tier. Administrators can require the use of S/MIME for outgoing messages, for example, to ensure the content is protected.
S/MIME encryption goes further than TLS and encrypts the message payload, but critical obstacles prevent successful S/MIME deployments in practice.
In general, both the sender and the recipient need to have S/MIME configured the same way for it to function properly. If the recipient doesn’t have S/MIME, or it is misconfigured, they won’t be able to read the encrypted messages (unless they know how to securely exchange encryption keys by hand, which is a nonstarter for the majority of users).
While S/MIME’s advanced encryption would ensure messages stay private and compliant throughout their lifecycle, complexities with its user experience prevent widespread adoption.
End-to-End Encryption for Ultimate Email Security
Even with Google’s network encryption, your data is still vulnerable unless you adopt a solution that provides end-to-end encryption. In other words, Gmail’s built-in TLS encryption is a great first step to protecting your organization’s sensitive data, but the actual content of the emails you send, the messages and attachments, isn’t encrypted and is vulnerable to exposure.
End-to-end encryption closes that loophole. This object-level encryption method scrambles the contents of your emails into ciphertext so that they’re unreadable without the right encryption key: even if your email is intercepted while it’s in transit, your information is still protected from unauthorized access.
Unfortunately, most end-to-end encryption methods, such as S/MIME, require complicated setup and configuration, as well as manual exchange of keys or certificates between parties. This can be particularly frustrating for G Suite users because of the collaborative nature of the platform.
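The object-level encryption described here, and the symmetric and asymmetric building blocks introduced earlier, combine in one hybrid scheme: a fresh symmetric key encrypts the message body, and the recipient's public key encrypts only that small key, so the one thing the parties must exchange is a public key (in S/MIME, carried in a certificate). The following is an added example in Go, not code from the page, Google, Virtru or the S/MIME standard (which wraps the same idea in the CMS format, omitted here). The names Envelope, Seal and Open and the sample message are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels (and is stored) in place of the plaintext message.
// Every field is safe for the mail provider to see: without the recipient's
// private key the wrapped key cannot be recovered, so the body stays ciphertext.
type Envelope struct {
	WrappedKey []byte // per-message AES key, encrypted with the recipient's RSA public key (RSA-OAEP)
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Body       []byte // AES-GCM ciphertext followed by its authentication tag
}

// Seal encrypts msg for whoever holds the private half of recipientPub.
// The body is protected symmetrically (fast, any size) and only the small
// symmetric key is protected asymmetrically, so the sender needs nothing from
// the recipient except their public key.
func Seal(recipientPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 key, never reused across messages
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, msg, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// Open reverses Seal. It returns an error rather than garbage when the private
// key is wrong or any byte of the envelope was altered in transit (GCM's tag check).
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap message key: wrong private key or corrupted envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.Body, nil)
	if err != nil {
		return nil, errors.New("body failed authentication: envelope was modified")
	}
	return msg, nil
}

// newGCM builds the AES-GCM AEAD used for the message body.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: in a real deployment the recipient's public key comes
	// from their certificate, which is the piece that has to be exchanged.
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := Seal(&recipient.PublicKey, []byte("Q3 forecast attached, keep internal (constructed sample)"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider sees %d ciphertext bytes and a %d-byte wrapped key\n", len(env.Body), len(env.WrappedKey))
	msg, err := Open(recipient, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient reads: %s\n", msg)
}
```

Two properties matter for the argument on this page: anyone who intercepts or stores the Envelope (including the mail provider) sees only ciphertext, and Open fails closed when the wrong private key is used or the envelope has been tampered with, rather than producing a corrupted message.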
If there’s one thing to know about keeping your data secure and private, it’s that end-to-end, object-level protection is necessary for ultimate security and privacy. But, when sharing sensitive data is necessary and complicated security workflows get in the way, many organizations quickly realize that user-friendly encryption is non-negotiable.
User-Friendly Email Encryption, Recommended by Google
Usability issues with legacy encryption solutions are a critical obstacle. At Virtru, we believe organizations shouldn’t have to choose between protecting data and sharing it, which is why we’ve made it easy for you to do both. After all, ease of use is foundational to adoption. If adoption slips, the strength of your data security program is weakened, and you don’t get the desired ROI on your security solutions.
For enterprises operating in highly regulated industries—such as healthcare, education, or manufacturing—the growth in the sheer amount of data created, stored, and shared shows no signs of slowing down. As the volume of data increases, so does the associated risk. Therefore, the challenge for modern organizations with access to sensitive data is how to manage the risk.
Usable and intuitive email encryption that does not interfere with business workflows helps secure your most sensitive data, increase productivity and collaboration, and provide scalability across the organization to reduce your risk and improve your security posture.
As Google’s only recommended email and file encryption provider, Virtru offers organizations the highest assurances that data within Gmail will remain private and compliant throughout the entire email lifecycle. To learn more about how Virtru can support your organization’s email encryption needs, please download our Guide to Gmail Protection.