Email Encryption Isn't Enough
Five Best Practices to Safeguard Against 3rd Party Cyber Risk

Executive Summary

CISOs and other IT executives cringe when they think about an email's journey across the internet, exposed to eavesdropping by criminals, companies and governments along the way, or sitting on a 3rd party recipient's email server for months, completely outside your control. Peers tell you about their non-compliance fines after breaches of personal information, while you worry about theft of intellectual property handing a competitor the edge.

Many firms try to address these problems by encrypting their most sensitive communications, only to discover a myriad of shortcomings. You can't give users a tool that prompts questions like "What is my recipient's public key and why do I need it?" You need secure email that still works like normal email, especially for 3rd party recipients who may be customers, clients and partners in other organizations. The kicker: you can't guarantee email privacy if your cloud provider holds the encryption keys, or if you don't properly govern and monitor your insiders. Embrace the following five best practices to go beyond encryption and fully safeguard your organization's email privacy.

Secure Email Best Practice 1: Ensure Employees Adopt Secure Email
Incorporate Simple Security and Governance into Users' Workflows

Security professionals abhor the risks of standard email traveling over the internet in the clear. You want standard, compliant encryption (AES-256 at rest and TLS in transit) to thwart scans by advertisers, malware and foreign powers. You also strive to govern who has access to regulated data, such as protected health information (PHI), and whom they can send it to. To attain this, you may have rolled out secure email to your end users, only to find they won't use it. Don't blame them.
Few business users overcome the barrier of working with public keys, so say goodbye to common tools like Pretty Good Privacy (PGP). Likewise, you can't even consider asking your partners and customers to install and learn specialized software. Finally, you need a solution that goes beyond mere encryption: it must apply your governance policies and provide the tracking you need for compliance audits.

Resolve these security and compliance issues by equipping your employees with an easy-to-use secure email plugin or gateway. Ensure they can use it in their standard desktop and web email clients, such as Outlook or Gmail. Depending on your policies and their role, either give them checkbox options to secure individual emails, or transparently secure all of them. Make sure it works for your mobile users, and if it requires a special app, select one with consumer-grade simplicity. Cover your primary 3rd party cyber risk, your recipients, by protecting their downloads and replies on any email system or mobile device. And lastly, close the loop by automatically encrypting and auditing their replies.

Secure Email Best Practice 2: Guarantee Email Privacy
Own the Encryption Keys

You've encrypted your email, but have you ensured its privacy? That depends on who hosts it. Under US law, when you hand your email to another company you give up exclusive control of it: cloud hosting vendors are obligated to surrender your content in response to a legal subpoena, decrypted if they hold the keys, and may be barred from informing you.

Avoid these exposures by retaining ownership of the confidential email bodies and attachments. Strip them from the email with a plugin or gateway that stores them securely on-premise, under keys you control. The stripped emails travel over the unprotected internet but contain only secure links, not the confidential information. When your recipients click those links in their own email clients, they authenticate and securely download the reassembled emails.
You will get the audit trail you need for compliance.

If your commercial or government organization mandates a cloud deployment, use a private cloud FedRAMP solution to reduce your risks. Since it serves only your organization, a private cloud service minimizes the attack surface, whereas public cloud services intermingle your data and metadata with those of their other customers. Ensure it has FedRAMP Authorization, for the peace of mind of a yearly audit of 325 rigorous security, process and access controls, including continuous monitoring.

Secure Email Best Practice 3: Send Large Files Without Breaking Your Email Server
Stage Encrypted Content in Private Infrastructure

Executives may prefer outsourcing to encrypted email services, but frequently discover they are inadequate for their business processes because of 20 or 30 MB attachment size limits. For instance, engineering firms need to protect intellectual property (IP) from espionage when they transfer huge CAD designs to manufacturers. Marketing firms can't risk leaks of the promotional videos they send to clients, and tech support engineers must safeguard logs containing personally identifiable information (PII). Some secure email services handle larger files by automatically staging them on public cloud virtual drives, violating Best Practice #2. Or users may resort to transferring on a personal cloud share, with no security or audit trail. IT managers who deploy traditional email servers on-premise, on the other hand, often find large attachments overrun their server's storage capacity. Fortunately, the solution to Best Practice #2, providing secure, governed staging for sensitive emails, applies equally well to large attachments.
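The link-based staging flow that Best Practices #2 and #3 describe, as an added example written for this edit and not Accellion's code: a gateway keeps the body and attachments in a store you run, mails only an opaque link, releases the content only to the authenticated recipient before the link expires, and records every step for the audit trail. The host name secure.example.com, the seven-day link lifetime, the audit record layout and the walk-through data are assumptions; at-rest encryption of the staged blobs is assumed to be provided by the storage layer and is not implemented here.

```python
"""Link-based secure email staging (added example, Python standard library only).

The confidential body and attachments never leave the staging store; the email
that crosses the internet carries only an unguessable link. At-rest encryption
of the store (e.g. AES-256 under keys you own) is assumed to be provided by the
storage layer and is not implemented here.
"""
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 7 * 24 * 3600   # assumed policy value: links expire after seven days
LINK_BASE = "https://secure.example.com/m/"   # assumed gateway host name


class StagingStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._items = {}       # sha256(token) -> staged record
        self.audit_log = []    # one dict per event, the basis of the audit trail

    def stage(self, sender, recipient, subject, body, attachments, ttl=LINK_TTL_SECONDS):
        """Keep body and attachments here; return the stripped email to send."""
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so a copy of the store does not
        # yield live links.
        self._items[self._digest(token)] = {
            "sender": sender, "recipient": recipient.lower(), "subject": subject,
            "body": body, "attachments": dict(attachments),
            "expires": self._clock() + ttl, "downloads": 0,
        }
        self._audit("staged", sender=sender, recipient=recipient, subject=subject,
                    attachments=sorted(attachments),
                    size=sum(len(b) for b in attachments.values()))
        return (f"From: {sender}\nTo: {recipient}\nSubject: {subject}\n\n"
                f"You have a secure message from {sender}.\n"
                f"Sign in to retrieve it: {LINK_BASE}{token}\n")

    def download(self, token, authenticated_as):
        """Release staged content only to the authenticated recipient, before expiry."""
        rec = self._items.get(self._digest(token))
        if rec is None:
            self._audit("denied", reason="unknown_link", user=authenticated_as)
            raise PermissionError("unknown link")
        if self._clock() > rec["expires"]:
            self._audit("denied", reason="expired", user=authenticated_as, subject=rec["subject"])
            raise PermissionError("link expired")
        if rec["recipient"] != authenticated_as.lower():
            # A forwarded link is useless to anyone but the addressed recipient.
            self._audit("denied", reason="wrong_recipient", user=authenticated_as, subject=rec["subject"])
            raise PermissionError("link is bound to a different recipient")
        rec["downloads"] += 1
        self._audit("downloaded", user=authenticated_as, subject=rec["subject"],
                    attachments=sorted(rec["attachments"]))
        return {"body": rec["body"], "attachments": dict(rec["attachments"])}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _audit(self, event, **fields):
        self.audit_log.append({"ts": self._clock(), "event": event, **fields})


def extract_token(stripped_email):
    """Pull the link token out of the stripped email, as the recipient's click would."""
    start = stripped_email.index(LINK_BASE) + len(LINK_BASE)
    return stripped_email[start:].split()[0]


def demo():
    """Constructed walk-through: legitimate download, forwarded link, expired link."""
    now = [1_700_000_000.0]                    # controllable clock for the demo
    store = StagingStore(clock=lambda: now[0])
    mail = store.stage("alice@corp.example", "Bob@partner.example", "Q3 design",
                       "Bob, the CAD files are attached.", {"bracket.step": b"\x00" * 1024})
    assert "CAD files" not in mail             # the confidential body never leaves
    token = extract_token(mail)
    ok = store.download(token, "bob@partner.example")
    results = {"recipient_ok": ok["attachments"].keys() == {"bracket.step"}}
    try:                                       # link forwarded to a third party
        store.download(token, "mallory@elsewhere.example")
        results["forward_blocked"] = False
    except PermissionError:
        results["forward_blocked"] = True
    now[0] += LINK_TTL_SECONDS + 1             # clock moved past the link's expiry
    try:
        store.download(token, "bob@partner.example")
        results["expiry_enforced"] = False
    except PermissionError:
        results["expiry_enforced"] = True
    results["events"] = [e["event"] for e in store.audit_log]
    return results


if __name__ == "__main__":
    print(demo())
```

Recipient binding is what makes the link safe to send over plain SMTP: the token alone is not enough, and the store records every denial, so a forwarded or replayed link shows up in the audit trail rather than silently failing.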
Choose a staging platform that provides for scalable storage growth and meets any requirements you have for high availability, disaster recovery and worldwide distributed processing.

Secure Email Best Practice 4: Make Regulatory Compliance a Breeze
Centralize Policy Enforcement and Audit Reporting

Do you consider the bargain worthwhile if outsourcing to an encrypted email service comes at the cost of duplicated governance and audit? For example, mail services usually contain their own proprietary Data Loss Prevention (DLP), when you have already painstakingly configured your on-site DLP to enforce your policies. And even though you have already configured role-based data access policies for your data sharing software, your administrator must configure them again for the secure email service.

Centralize your secure email governance with role-based user policies. Tie role assignment to LDAP/AD attributes for set-it-and-forget-it onboarding of new employees, and automatically onboard external users with a restricted role. Define each role's policies for domain allowlisting and blocklisting, unauthenticated downloads, allowed file types, forwarding and link expiration time. Also govern the decisions users are allowed to make: secure the message body? Set a digital fingerprint to detect tampering? Send a return receipt when the recipient downloads the file? Finally, reduce the preparation time for your audits: automate reporting of your policy settings, role by role, and deliver a searchable transaction audit trail.

Secure Email Best Practice 5: Catch Inside Jobs in the Act
Track and Visualize All Content Leaving Your Organization

To guard against malicious insiders taking trade secrets or careless employees leaking damaging information, your CISO and SOC need visibility into all email traffic leaving the organization.
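The consolidated audit trail and the automated alerting that this practice goes on to describe, as an added example written for this edit and not Accellion's code: each audit record describes one attachment leaving the organization, a per-sender baseline is learned from a look-back window, and two rules fire on the recent window, a burst of design files to a country the sender has never used and a sender-team/recipient-team pairing with no history. The JSON-lines record layout, the thresholds, the file-extension list and the sample records are constructed assumptions.

```python
"""Anomaly detection over an outbound-email audit trail (added example, stdlib only).

Records are JSON lines, one per attachment leaving the organization. The detector
learns per-sender baselines from BASELINE_DAYS of history and scores the last
WINDOW_HOURS against them. Layout, thresholds and sample data are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

DESIGN_EXTENSIONS = {".step", ".stp", ".dwg", ".sldprt", ".sldasm", ".iges", ".catpart"}
BASELINE_DAYS = 14       # history used to learn what is normal for each sender
WINDOW_HOURS = 24        # recent period scored against that baseline
BURST_THRESHOLD = 3      # design files to a new country within the window

# Constructed sample audit trail. Baseline: alice (mech-eng) routinely sends CAD files
# to a German manufacturer; bob (marketing) sends videos to a US client. Recent window:
# alice sends four CAD files to a recipient in CN, bob mails the manufacturer.
SAMPLE_LOG = """
{"ts":"2021-03-01T09:00:00Z","sender":"alice@corp.example","sender_team":"mech-eng","recipient":"hans@werk.example","recipient_team":"manufacturing","country":"DE","file":"bracket_v1.step"}
{"ts":"2021-03-03T11:00:00Z","sender":"bob@corp.example","sender_team":"marketing","recipient":"kim@client.example","recipient_team":"client-marketing","country":"US","file":"brand-video.mp4"}
{"ts":"2021-03-05T10:30:00Z","sender":"alice@corp.example","sender_team":"mech-eng","recipient":"hans@werk.example","recipient_team":"manufacturing","country":"DE","file":"housing_v2.sldprt"}
{"ts":"2021-03-10T16:15:00Z","sender":"alice@corp.example","sender_team":"mech-eng","recipient":"hans@werk.example","recipient_team":"manufacturing","country":"DE","file":"bracket_v2.step"}
{"ts":"2021-03-12T14:20:00Z","sender":"bob@corp.example","sender_team":"marketing","recipient":"kim@client.example","recipient_team":"client-marketing","country":"US","file":"teaser.mp4"}
{"ts":"2021-03-14T13:00:00Z","sender":"alice@corp.example","sender_team":"mech-eng","recipient":"hans@werk.example","recipient_team":"manufacturing","country":"DE","file":"bracket_v3.step"}
{"ts":"2021-03-15T08:05:00Z","sender":"alice@corp.example","sender_team":"mech-eng","recipient":"li@fab.example","recipient_team":"manufacturing","country":"CN","file":"assembly.sldasm"}
{"ts":"2021-03-15T08:07:00Z","sender":"alice@corp.example","sender_team":"mech-eng","recipient":"li@fab.example","recipient_team":"manufacturing","country":"CN","file":"bracket_v2.step"}
{"ts":"2021-03-15T08:09:00Z","sender":"alice@corp.example","sender_team":"mech-eng","recipient":"li@fab.example","recipient_team":"manufacturing","country":"CN","file":"housing_v2.sldprt"}
{"ts":"2021-03-15T08:12:00Z","sender":"alice@corp.example","sender_team":"mech-eng","recipient":"li@fab.example","recipient_team":"manufacturing","country":"CN","file":"drawings.dwg"}
{"ts":"2021-03-15T09:30:00Z","sender":"bob@corp.example","sender_team":"marketing","recipient":"hans@werk.example","recipient_team":"manufacturing","country":"DE","file":"roadmap.pdf"}
"""


def parse_log(lines):
    """Parse JSON-lines records, normalising timestamps and tagging design files."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["design"] = any(rec["file"].lower().endswith(ext) for ext in DESIGN_EXTENSIONS)
        events.append(rec)
    return events


def detect(events, now):
    """Score the last WINDOW_HOURS against the preceding BASELINE_DAYS; return alerts."""
    window_start = now - timedelta(hours=WINDOW_HOURS)
    baseline_start = window_start - timedelta(days=BASELINE_DAYS)
    baseline = [e for e in events if baseline_start <= e["ts"] < window_start]
    recent = sorted((e for e in events if window_start <= e["ts"] <= now), key=lambda e: e["ts"])

    known_countries = defaultdict(set)   # sender -> destination countries seen in baseline
    known_pairs = set()                  # (sender_team, recipient_team) seen in baseline
    for e in baseline:
        known_countries[e["sender"]].add(e["country"])
        known_pairs.add((e["sender_team"], e["recipient_team"]))

    alerts = []
    # Rule 1: a burst of design files to a country the sender has not used before.
    bursts = defaultdict(list)
    for e in recent:
        if e["design"] and e["country"] not in known_countries[e["sender"]]:
            bursts[(e["sender"], e["country"])].append(e)
    for (sender, country), evs in bursts.items():
        if len(evs) >= BURST_THRESHOLD:
            alerts.append({"type": "design_files_to_new_country", "sender": sender,
                           "country": country, "count": len(evs),
                           "recipients": sorted({e["recipient"] for e in evs}),
                           "files": [e["file"] for e in evs],
                           "first_seen": evs[0]["ts"].isoformat(),
                           "last_seen": evs[-1]["ts"].isoformat()})
    # Rule 2: a sender team / recipient team pairing with no history at all.
    seen_new = set()
    for e in recent:
        pair = (e["sender_team"], e["recipient_team"])
        if pair not in known_pairs and pair not in seen_new:
            seen_new.add(pair)
            alerts.append({"type": "new_team_collaboration", "sender": e["sender"],
                           "sender_team": pair[0], "recipient": e["recipient"],
                           "recipient_team": pair[1], "country": e["country"],
                           "file": e["file"], "first_seen": e["ts"].isoformat()})
    return alerts


def run_demo():
    now = datetime.fromisoformat("2021-03-15T12:00:00+00:00")
    return detect(parse_log(SAMPLE_LOG.splitlines()), now)


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

Every alert carries the who, what, where and when straight from the audit records, which is what lets an analyst act on it; a rule that fires only on a count, without those fields, would send the SOC back to the raw logs. Alice's routine sends to the German manufacturer do not fire, and bob's single PDF to a new country does not meet the design-file rule, so the sample yields exactly two alerts.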
Create a consolidated audit trail of all the traffic as the first step, detailing the data source and content, the sender and recipient, and their locations. Next, use real-time visualizations to help you identify unusual traffic, with drill-downs to the details you need to take action. Finally, use machine learning to automatically alert your SOC to abnormal behavior patterns while minimizing false positives. A sudden increase in emails of design files and strategic information to another country could indicate industrial espionage. New collaboration between teams who never worked together before could herald a new interdisciplinary project, or nefarious insider activity. The algorithms show you the needles in the haystack, and because of the complete audit trail you know the who, what, where and when, so you can take action.

Accellion in Action: Secure Email Contents to Protect Privacy
[Diagram; recoverable labels: Simple Email; Secure Link to Body and Attachments; Web, mobile, desktop plugins; Any email client, any browser; Secure Staging of Body and Attachments; Encrypted storage; Built-in audit trail; Platform: CISO dashboard, Hardened scalable Accellion platform, Compliance reporting, On-premise / Private Cloud FedRAMP, Role-based policies.]

About Accellion

The Accellion Kiteworks® content firewall prevents data breaches and compliance violations from sensitive 3rd party cyber communications. With Accellion, CIOs and CISOs gain complete visibility, compliance and control over IP, PII, PHI and other sensitive content across all 3rd party communication channels, including email, file sharing, mobile, enterprise apps, web portals, SFTP and automated inter-business workflows.
Accellion has protected more than 25 million end users at more than 3,000 global corporations and government agencies, including NYC Health + Hospitals; KPMG; Kaiser Permanente; AVL; American Automobile Association (AAA); The Linde Group; Tyler Technologies; and the National Institute of Standards and Technology (NIST). For more information please visit www.accellion.com or call (650) 249-9544. Follow Accellion on LinkedIn, Twitter, and Accellion's Blog.

© 2021 Accellion USA LLC. All rights reserved.