E-Mail In Peril

STOP THAT DATA

Once the "how" is worked out, mail systems must decide which messages are to be encrypted. In the case of bank statements and medical data, that's simple. But the big trend here is that vendors are merging data leak protection, or DLP, functionality into their e-mail systems, letting IT establish rules to encrypt messages when the content warrants. Using DLP techniques, rules can be keywords and/or regular expressions. Some products even include the ability to fingerprint key data files, so the mail server can recognize them and either encrypt them or refuse to send the e-mail.

Of course, another option is to encrypt everything. All of the vendors we talked to support SMTP-Transfer Layer Security to encrypt the entire data connection between mail servers. The benefit of this approach is that it's seamless to users while protecting all data in transit. The downside is that IT can reliably count on SMTP-TLS working only with established partners. When encryption is essential, you must configure the mail server to refuse to send to servers that don't support SMTP-TLS.

Also, because SMTP-TLS protects mail only in transit between mail servers, messages are subject to interception if there are intermediate stops outside the control of either party, such as an ISP relay. Messages are in plain text when stored in the recipient's mailbox, so the receiving party needs to understand the risk if its mail server were to be compromised. This isn't to say SMTP-TLS isn't useful, but as with all types of security, it should be just one link in the chain.

Continue to the sidebar:
Our Take: Any Spam is too Much