Manage Learn to apply best practices and optimize your operations.

Securing e-mail exchanges

In this Ask the Expert Q&A, Michael Cobb examines how using S/MIME and various encryption methods can help solve your confidentiality, authenticity, non-repudiation, unsecured backup and other e-mail issues.

How do we secure our network so we can send confidential docs back and forth to our customers via e-mail? We are a mortgage broker and it's essential that all of the information we send over the Internet is private, secure and confidential.

In order to send e-mail over the Internet and still be sure it is private, secure and remains confidential you will need to provide digital certificates for your staff and your customers. Digital certificates allow e-mails to be digitally signed, encrypted and sent using S/MIME (Secure Multi-Purpose Internet Mail Extensions). Digitally signed e-mail and encryption will solve your issues of:

  • Confidentiality
  • Authenticity
  • Non-repudiation
  • Unsecured backups

S/MIME has become the standard method for sending secure e-mail, and most of the major e-mail programs, including Outlook, Outlook Express and Netscape Messenger support it. Using S/MIME is fairly straight-forward, particularly because you and your customers won't need to use the same S/MIME-compliant e-mail program, though browser-based e-mail accounts such as Hotmail don't support S/MIME.

When you send a digitally signed message, your digital certificate is sent along with it so your customers can use the certificate to verify that the message is from you and has not been modified. They can then use your public key, stored in the certificate, to encrypt a reply that only you can read it. This is done by decrypting the message with the corresponding private key installed on your machine. Likewise, if you wish to send an encrypted message to a customer, you must first obtain their digital certificate in order to be able to use their public key to encrypt the message so that only their private key can decrypt it. It is this aspect of secure e-mail communication, which can make it impractical if you want to send encrypted messages to thousands of customers. If your organization runs Windows server 2000 or 2003, you can use the free Microsoft Certification Authority, which can issue certificates for your staff and customers, but you will need to explain how they use the digital certificate that you issue to them. It is also important to remember that although S/MIME e-mail is securely transmitted once it is decrypted and read by the recipient, it can be copied or printed without limit, so you will still need to consider the nature and sensitivity of an e-mail's contents before sending it.

This was last published in November 2005

Dig Deeper on Email and Messaging Threats-Information Security Threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.