
How can we secure enterprise email at home and abroad?

Emails often contain sensitive information, yet the proper measures are not always taken to secure them. Learn how to keep corporate email safe both at home and in foreign countries.

A number of my employees must access corporate email abroad. I recently read that corporate email communications were intercepted by authorities in a foreign country. What are the best ways to secure enterprise email abroad and ensure corporate data remains protected? Are there encrypted email applications or tools that could prevent such activity?

Many countries have different legislation from the U.S. when it comes to surveillance, and revelations about the NSA's surveillance program show that government agencies may well interpret such legislation differently when it comes to monitoring people's communications. Since regular email is transmitted "in clear text," it should be considered no more secure than a postcard: the contents are vulnerable to interception and eavesdropping on the Internet and by online email providers. I would therefore recommend that every enterprise encrypt any email that contains sensitive corporate information, whether the sender or recipient is abroad or not. This ensures the content of the email is not readable by any service that processes it or by anyone who manages to intercept it as it travels from sender to recipient.

The best way to secure enterprise email is to issue digital certificates to all employees so they can digitally sign and encrypt their email messages. A digital certificate used for signing and encrypting emails is bound to a validated email address, so message recipients can verify the sender and check that the message has remained private and unaltered during transmission. A signed email also provides something called nonrepudiation, which essentially prevents the sender from later denying that he sent it. Individual digital certificates for signing emails can be obtained from a certificate authority (CA) such as VeriSign or Symantec. Large enterprises could also consider acting as their own CA, issuing and revoking digital certificates using a solution such as Microsoft Certificate Services. These and other digital certificates work with any S/MIME-compliant email client, such as Microsoft Outlook, Mozilla Thunderbird and Apple Mail.

An alternative approach to using a CA to authenticate public key information is a decentralized trust model called a "Web of trust," a concept used in PGP and other OpenPGP-compatible systems. Instead of relying solely on a hierarchy of certificate authorities, certificates are signed by other users to endorse the association of that public key with the person or entity listed in the certificate. An enterprise could use a Web of trust for authenticating the identity of its intranet and extranet users and devices.

One drawback of using digital certificates is that the sender needs the recipient's digital certificate in order to encrypt messages to her. This is fairly straightforward to do, but users will need training to ensure they follow the correct procedure. They also need to be told what to do if an email arrives that has been signed but the email program warns that there is a problem with the certificate or message, as this is a strong signal that the message may well have been tampered with. Employees traveling abroad should also be made aware of the corporate communications policy, which needs to cover all methods of communication such as SMS, instant messaging, Twitter and video communications, as well as the more traditional methods of voice, fax and paper.

Finally, remember that for encryption to fully protect against unwanted surveillance or data theft, data must be encrypted throughout its lifecycle -- at rest, in use or in motion -- so sensitive information on laptops should be encrypted at all times.

Ask the Expert:
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now. (All questions are anonymous.)


This was last published in July 2015
