A number of my employees must access corporate email abroad. I recently read that corporate email communications were intercepted by authorities in a foreign country. What are the best ways to secure enterprise email abroad and ensure corporate data remains protected? Are there encrypted email applications or tools that could prevent such activity?
Many countries have different legislation from the U.S. when it comes to surveillance, and revelations about the NSA's surveillance program show that government agencies may well interpret such legislation differently when it comes to monitoring people's communications. Since regular email is transmitted in clear text, it should be considered no more secure than a postcard: the contents are vulnerable to interception and eavesdropping on the Internet and by online email providers. I would therefore recommend that every enterprise encrypt any email that contains sensitive corporate information, whether the sender or recipient is abroad or not. This ensures the content of the emails is not readable by any service that processes them or by anyone who manages to intercept them as they travel from sender to recipient.
The best way to secure enterprise email is to issue digital certificates to all employees so they can digitally sign and encrypt their email messages. A digital certificate used for signing and encrypting emails is bound to a validated email address, so message recipients can verify the sender and check that the message has remained private and unaltered during transmission. A signed email also provides something called nonrepudiation, which essentially prevents the sender from later denying that they sent it. Individual digital certificates for signing emails can be obtained from a certificate authority (CA), such as VeriSign or Symantec. Large enterprises could also consider acting as their own CA, issuing and revoking digital certificates using a solution such as Microsoft Certificate Services. These and other digital certificates work with any S/MIME-compliant email client, such as Microsoft Outlook, Mozilla Thunderbird and Apple Mail.
An alternative approach to using a CA to authenticate public key information is a decentralized trust model called a "Web of trust," a concept used in PGP and other OpenPGP-compatible systems. Instead of relying solely on a hierarchy of certificate authorities, certificates are signed by other users to endorse the association of that public key with the person or entity listed in the certificate. An enterprise could use a Web of trust for authenticating the identity of its intranet and extranet users and devices.
The one drawback of using digital certificates is that the sender needs the recipient's digital certificate in order to encrypt messages to them. This is fairly straightforward to do, but users will need training to ensure they follow the correct procedure. They also need to be told what to do if an email arrives that has been signed but the email program warns that there is a problem with the certificate or message, as this is a strong signal that the message may well have been tampered with. Employees traveling abroad should also be made aware of the corporate communications policy, which needs to cover all methods of communication such as SMS, instant messaging, Twitter and video communications, as well as the more traditional methods of voice, fax and paper.
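The certificate workflow described above (an enterprise acting as its own CA, a sender signing and encrypting, a recipient decrypting and verifying, and the verification warning raised by a tampered message) as an added example that is not part of Michael Cobb's answer or the SearchSecurity page. It uses the openssl command-line tool and assumes only that it is installed; the CA name, employee names, email addresses and message text are all constructed for the example.

```shell
# Added example, not code from the article: an in-house CA issues S/MIME
# certificates, then a sign+encrypt / decrypt+verify round trip via openssl.
set -e
# Issue an S/MIME certificate for user $2 <$3>, signed by the CA kept in directory $1.
issue_smime_cert() {
  printf '%s\n' 'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = emailProtection' "subjectAltName = email:$3" > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "/CN=$2/emailAddress=$3" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}
# Create the enterprise's own CA in directory $1 plus certificates for two employees.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Example Corp Mail CA' \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  issue_smime_cert "$1" alice alice@example.com
  issue_smime_cert "$1" bob bob@example.com
}
# Sender side: sign with the sender's key, then encrypt for the recipient's certificate.
send_message() {   # send_message DIR SENDER RECIPIENT PLAINTEXT_FILE OUT_FILE
  openssl smime -sign -text -in "$4" -signer "$1/$2.crt" -inkey "$1/$2.key" -out "$1/signed.tmp"
  openssl smime -encrypt -aes256 -in "$1/signed.tmp" -out "$5" "$1/$3.crt"
}
# Check a signed message against the CA and print its text; fails when the signature
# or certificate chain is bad, which is the warning a mail client would display.
verify_signed() {   # verify_signed DIR SIGNED_FILE
  openssl smime -verify -text -in "$2" -CAfile "$1/ca.crt" -out "$1/plain.tmp" 2>/dev/null \
    && tr -d '\r' < "$1/plain.tmp"
}
# Recipient side: decrypt with the recipient's key, then verify the inner signature.
receive_message() {   # receive_message DIR RECIPIENT IN_FILE
  openssl smime -decrypt -in "$3" -recip "$1/$2.crt" -inkey "$1/$2.key" -out "$1/rx.tmp" \
    && verify_signed "$1" "$1/rx.tmp"
}
# Stand-alone run: Alice writes to Bob, Bob reads it, then a tampered copy is rejected.
demo() {
  d=$(mktemp -d)
  setup_pki "$d"
  printf 'Meeting at 9\n' > "$d/msg.txt"
  send_message "$d" alice bob "$d/msg.txt" "$d/to_bob.eml"
  echo "Bob reads: $(receive_message "$d" bob "$d/to_bob.eml")"
  sed 's/at 9/at 10/' "$d/rx.tmp" > "$d/tampered.msg"   # alter the signed text in transit
  verify_signed "$d" "$d/tampered.msg" >/dev/null && echo 'BUG: not detected' || echo 'tampering detected'
  rm -rf "$d"
}
demo
```

Only the holder of bob.key can open the message, and any change to the signed text makes verification fail.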
Finally, remember that for encryption to fully protect against unwanted surveillance or data theft, data must be encrypted throughout its lifecycle -- at rest, in use or in motion -- so sensitive information on laptops should be encrypted at all times.
Ask the Expert:
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now. (All questions are anonymous.)