A study released last week by META Group underscores what many of us already knew: email is now a more important business communications tool than the telephone. If that’s the case, then email security must naturally follow as an increasingly important security discipline.
META Group conducted an online survey of IT and line of business personnel at 387 organizations. Eighty percent of the business people surveyed believe email is more valuable than the telephone for business communications while 74% of respondents said it would be more of a hardship to be without email for five days than to be without the phone for that long.
It should be fairly clear, then, that employees of all stripes are at least occasionally using email to send confidential messages and attachments, as well as information that perhaps should not be leaving corporate confines. They are also naturally receiving messages from colleagues within and outside the organization that may likewise be confidential. Couple this with federal regulations regarding data security, privacy and archiving in industries including financial, healthcare and accounting, and you’ve got the makings of a major security headache.
Security vendors have been hip to this for some time, of course, and there is no shortage of solutions that purport to address the problem. “Purport” is the operative word there, however. In practice, many of the solutions appear to address only part of the problem.
PKWare, Inc., for example, has been touting a new version of its PKZIP compression tool that now encrypts email attachments. But besides being rather cumbersome to use — you have to send a password separately from the original email — it doesn’t address the issue of what becomes of the attachment once it reaches its recipient. There’s nothing to prevent the recipient from decrypting the attachment and sending it in the clear to everyone in his address book.
Many other email security solutions offer lots of tools to help you define the policies that should apply to email of various sorts, often in combination with a content engine that “reads” your mail to determine its subject. If certain keywords show up that indicates you’re sending a financial statement, it may be automatically encrypted, for example. Such tools are certainly a good step and make it simple to apply some level of security with little to no end-user involvement.
Here again, though, most of the tools will secure the mail only until it reaches its intended recipient. After that, all bets are off. It’s incumbent upon the sender, apparently, not to send anything confidential to anyone who might do such a thing. Ask for character references first, apparently.
Ken Beer, director of product management at Tumbleweed Communications, an email security pioneer, makes no apologies for the lack of such features in his company’s offerings. For one, tools that do offer control of email or attachments after they are delivered typically (but not always — see below) require proprietary software on the client end, which Beer contends renders the tools unworkable in an enterprise that must send mail to thousands of recipients, especially if they are customers or others outside the company. Secondly, he says the technology is of limited value because if someone really wants to forward or copy the contents of a sensitive document, they will find a way to do it. “How do you prevent someone from taking a picture of their screen?” he asks.
OK, you can’t. But that doesn’t mean you shouldn’t make it more difficult, and therefore less enticing, for users to send sensitive documents where they shouldn’t be going.
At least two email security companies — Authentica and Omniva — seem to agree. Each offers features that allow the sender of an email, or administrators, to dictate policy regarding whether the mail can be forwarded (and, if so, to whom), copied, printed, even cut and pasted. Mail can also be set to expire after a certain time, even if it hasn’t yet been read, a feature also offered by Sigaba, another secure messaging player.
In Omniva’s case, no software is required on the client end for many functions, including allowing only authorized recipients to read a message, applying an expiration date to messages and attachments, and limiting copy and print functions. Client software adds more function, such as the ability to read messages offline. Authentica employs a simple browser or email plug-in that’s delivered after the user clicks on a URL. If you’re going to send mail to thousands of customers that will mean instituting some form of support, but then again most people are familiar with the idea of plug-ins by now.
Vic DeMarines, director of marketing for Authentica, says about half of the firm’s customers are using the company’s products that offer protection for email and documents after delivery. “We’re seeing a lot of adoption in the health care environment to address HIPAA (Health Insurance Portability and Accountability Act) requirements and in financial services, for protecting customer data,” he says.
Beers contends that HIPAA, for example, requires only that you protect information while it’s in your environment and as it leaves your enterprise; there’s nothing in the law that says you have to prevent the recipient from sharing the information with someone else. OK, but if you can, why not do it?
Legalities aside, in many cases it simply makes good business sense to protect email and other documents for their entire lifecycle. We’ve all heard enough horror stories about corporate corruption, insider trading and the like to know that there are employees in most any company who will, given the opportunity, do unscrupulous things to make a buck. If you can make it tougher for them to share information that they shouldn’t be sharing, that strikes me as a good step to take.
Paul Desmond is president of Paul Desmond Editorial Services (www.pdedit.com), an IT publishing firm in Framingham, Mass. He was founding editor of eSecurityPlanet.com.