Feds Find Email Encryption Can Backfire
Encryption of outbound email can create a false sense of security, said Michael Dayton, senior vice president of Axway. "Agencies spend a huge amount of money on data loss prevention solutions and email inspection gateways, but those products are rendered useless if they can't inspect the content of an email after it has been encrypted on the desktop."
How big is the U.S. government? It's big enough that federal agencies transmit 1.89 billion email messages every day -- an average of 47.3 million daily emails per agency. How confident are the agencies about protecting the sensitive content of those messages?
In a recent survey, federal email managers and IT security experts expressed mixed views about email protection -- with a significant majority worried about future breaches. Just 25 percent of the 203 respondents would give their agency email security programs an A grade. Survey respondents said that email is the primary way unauthorized data, including classified and sensitive information, leaves federal agencies. The survey was conducted by MeriTalk, an online community of government and private-sector IT managers, with support from Axway, an IT services firm.
In the survey, MeriTalk presented respondents with six possible channels with a potential for unauthorized distribution of federal information. Of those six, standard work email was mentioned by 48 percent of respondents as a vulnerable channel -- ranking first in the listings. The next most-vulnerable channel was agency-issued mobile devices, mentioned by 47 percent of respondents, followed by USB flash drives (40 percent); personal email (38 percent); personal mobile devices (33 percent) and Web-based work email (23 percent). Of the six channels, three involved some type of email system.
Email vulnerability "is particularly troubling given that 83 percent of federal agencies provide users with the ability to encrypt outbound email," MeriTalk said in its report on the survey. Respondents to the survey registered differing views about the effectiveness of encryption. For example, the survey found that 84 percent of respondents believe that their communications are now safe, and that their email gateways support the inspection of desktop-encrypted email.
Agencies Worried About Future Security
Yet 51 percent of survey participants said that email encryption will become a more significant problem in the next five years. In addition, 80 percent of agency information security managers said they were concerned that encrypted email could slip past data loss prevention controls, and 58 percent said encryption makes it harder to detect when valuable or sensitive data is leaving the agency.
"Email encryption is an important tool for protecting sensitive information, but agencies must be sure that encryption is not making outbound emails so opaque that sensitive information can pass through without detection," said Michael Dayton, senior vice president of Axway.
"The encryption enigma is that most agencies believe email encryption at the desktop will improve security, but it actually opens a big security hole if you're unable to scan the content to be encrypted," Dayton told the E-Commerce Times. "Agencies spend a huge amount of money on data loss prevention solutions and email inspection gateways, but those products are rendered useless if they can't inspect the content of an email after it has been encrypted on the desktop," he said.
Email messages pass through a number of network and transmission points, and each point along the route poses its own security challenges. A federal agency, or a company, usually routes employee messages from desktop workstations through a consolidated gateway as the first hop of outbound transmission. In such systems an individual employee may encrypt a message at the workstation, so that the gateway receives it already encrypted.
"If end users at workstations are encrypting messages at their own desktop and the gateway system is empowered to inspect outgoing messages, there is nothing to inspect because the content is encrypted, so the inspection process can't tell if the content is sensitive or not," Andres Kohn, vice president for technology at Proofpoint, told the E-Commerce Times. "This is true both in the government and in the private sector."
In short, many government and commercial organizations now have their email security controls ordered backwards: messages are encrypted before the outgoing content reaches the gateway inspection point. Instead, individual users should be able to tag an outgoing message as requiring encryption; the gateway then inspects the plaintext and encrypts the message if policy calls for it. Both Proofpoint and Axway offer products with such options, along with content examination, data loss prevention, and policy-driven encryption.
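The inspect-then-encrypt ordering described above, as an added example that is not code from the article or from either vendor's products: a minimal Python gateway policy, using only the standard library's email parser, that quarantines messages arriving already encrypted (S/MIME or PGP/MIME, which it cannot inspect), blocks classified markings outright, and otherwise honors the user's encryption request (a hypothetical X-Encrypt-Request header, assumed for this example) only after the plaintext has been scanned. The DLP patterns and the sample messages are constructed for the example; the encryption itself is returned as a decision for a downstream component rather than performed here.

```python
import re
from email import message_from_string
from email.message import Message

# DLP patterns the gateway looks for. Both are constructed for this example;
# a production policy would carry many more and be tuned to the agency.
PATTERNS = {
    "classification_marking": re.compile(r"\b(?:TOP SECRET|SECRET)\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Content types the gateway cannot inspect because the payload is ciphertext
# (S/MIME enveloped data, PGP/MIME). The armor marker catches inline PGP
# pasted into an ordinary text/plain body.
OPAQUE_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                "application/pgp-encrypted", "multipart/encrypted"}
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"


def is_opaque(msg: Message) -> bool:
    """True when the message was encrypted before it reached the gateway."""
    for part in msg.walk():
        if part.get_content_type() in OPAQUE_TYPES:
            return True
        payload = part.get_payload(decode=True) or b""  # None for containers
        if PGP_ARMOR in payload:
            return True
    return False


def find_sensitive(msg: Message) -> list:
    """Return the names of the DLP patterns that match any text part."""
    hits = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        for name, pattern in PATTERNS.items():
            if pattern.search(text):
                hits.add(name)
    return sorted(hits)


def gateway_decide(raw_message: str) -> dict:
    """Inspect first, encrypt second. The user only *requests* encryption
    (X-Encrypt-Request, a header name assumed for this example); the gateway
    scans the plaintext and decides whether the message is encrypted at all."""
    msg = message_from_string(raw_message)
    requested = msg.get("X-Encrypt-Request", "").strip().lower() == "yes"

    # Case 1: encrypted at the desktop. There is nothing to inspect, so the
    # gateway cannot tell whether the content is sensitive; hold it.
    if is_opaque(msg):
        return {"action": "quarantine", "reason": "encrypted before inspection",
                "hits": []}

    hits = find_sensitive(msg)

    # Case 2: classified markings never leave by email, encrypted or not.
    if "classification_marking" in hits:
        return {"action": "block", "reason": "classified content", "hits": hits}

    # Case 3: PII found, or the user asked: the gateway encrypts after the scan.
    if hits or requested:
        return {"action": "encrypt_then_deliver",
                "reason": "dlp match" if hits else "user request", "hits": hits}

    return {"action": "deliver", "reason": "no policy match", "hits": []}


# Constructed sample messages (not taken from the article).
PII_WITH_REQUEST = """\
From: analyst@agency.example
To: reviewer@partner.example
Subject: Applicant file
X-Encrypt-Request: yes
Content-Type: text/plain; charset="us-ascii"

Applicant SSN 123-45-6789. Please process by Friday.
"""

CLASSIFIED_LEAK = """\
From: analyst@agency.example
To: outside@news.example
Subject: FYI
Content-Type: text/plain; charset="us-ascii"

Marked TOP SECRET, do not forward.
"""

DESKTOP_ENCRYPTED = """\
From: analyst@agency.example
To: reviewer@partner.example
Subject: Applicant file
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext omitted in this constructed sample)
-----END PGP MESSAGE-----
--b1--
"""

ROUTINE = """\
From: analyst@agency.example
To: colleague@agency.example
Subject: Lunch
Content-Type: text/plain; charset="us-ascii"

Noon at the cafeteria?
"""

if __name__ == "__main__":
    for label, raw in [("pii", PII_WITH_REQUEST), ("classified", CLASSIFIED_LEAK),
                       ("desktop-encrypted", DESKTOP_ENCRYPTED), ("routine", ROUTINE)]:
        print(label, gateway_decide(raw))
```

The quarantine branch is the one the survey respondents are worried about: a gateway that simply forwards opaque messages has no way to apply the DLP policy to them, so the safe default is to hold or reject desktop-encrypted mail and route encryption requests through the gateway instead.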
The mere availability of encryption does not ensure security, as agency personnel do not always use the protection it offers, MeriTalk reported. To support the inspection of desktop-encrypted email effectively, agencies must validate all email users, have proper email policies in place, and ensure that users follow them, according to Axway's Dayton.
A Role for Security Vendors
In addition to policy and behavioral issues, federal agencies could use some technology help for current email systems as well as future communication activities, including cloud-based systems.
"The survey certainly indicates that the federal government doesn't have security completely nailed, since 79 percent of respondents said security is a top priority in the next 12 months. They showed concern that they haven't fully addressed the issues around email encryption, since 47 percent cited a need for better email policy," said Dayton.
"This is an opportunity for vendors and providers who can help the federal government solve these issues," he added.
Change presents opportunity, said Kohn.
"In a federal project we worked on we learned that moving to the cloud can be an opportunity here. With cloud migration, agencies can sort of wipe the slate clean and start over with a properly configured inspection and encryption system," Kohn said.
Encryption is not necessarily a silver bullet for protecting email systems. Kohn noted that more than 95 percent of email breaches occur as a result of "non-malicious" actions ranging from improperly configured encryption to inattention and careless disregard of both encryption and other email security policies.
A survey conducted by nCircle and released in September also addressed security at federal agencies. The survey was broader in scope and did not directly address encryption. But it did reflect a cautionary attitude towards cyber security by federal IT managers. "The only common elements of both surveys are the barriers to better security: lack of budget, lack of training, policy adherence, and the rise of bring-your-own devices," T.K. Keanini, chief research officer at nCircle, told the E-Commerce Times.
Regarding the encryption issue itself, Keanini noted that encryption and cryptanalysis -- the study of finding weaknesses in encryption -- are evolving simultaneously. "Cryptographers are continually working to make it harder for cryptanalysis to be successful. Even so, encryption techniques that worked well a few years ago are easily broken now," he said.
"This means that all organizations really need to shift their thinking about encryption," Keanini said. "It's not the equivalent of a digital lockbox. Even the best encryption techniques will be broken at some point in the future. However, if you plan your information security program correctly, by the time the encryption is broken the data it protects should no longer be useful to attackers. That's why it's important to view encryption as just one tool of many in your security toolbox," he said.