Encryption of data, whether in transit or at rest, is seen as a cornerstone of data loss prevention best practice. But when it comes to the encryption of data sent via email, the efficacy of legacy approaches to email encryption is increasingly being called into question. This is largely due to the rigid and binary nature of legacy email encryption solutions: a message is either encrypted according to a fixed policy or it is not, regardless of who is actually receiving it.
Increasingly, email security solutions that rely on encryption to prevent data loss are unable to meet the demands for frictionless and time-sensitive communication. An even greater challenge, however, is the declining effectiveness of this approach to preventing data loss, especially in the face of increasingly sophisticated cyber adversaries and the growing prominence of insider threats.
The fundamental challenge of legacy email encryption solutions is their inability to address the root cause of email-related breaches and data loss: human error.
In this article, we’ll explore the pros and cons of encryption, and more effective alternatives.
What is encryption?
Encryption is a method of data protection that encodes data so that it can’t be read by anyone who does not hold the key. File encryption solutions, in particular, often use AES-256 encryption to secure unstructured data, usually with a long list of policies and access rights that the end user must choose before sending an attachment through email.
This has a negative impact on real-time communication and collaboration in organizations and their legitimate business partners.
Is encryption useful in specific cases?
The short answer? Yes.
When the first order of business is simply to secure a particular asset, like an email or the attachment in that email, encryption can provide immediate protection of that sensitive information. Depending on the solution, it can work at rest or in-transit. It’s also a long-standing technology that’s widely used, especially when fulfilling particular compliance mandates. Finally, it tends to be inexpensive compared to other solutions, simply because it’s providing a very targeted and specific technology, as opposed to a more comprehensive data loss prevention solution.
However, we’ve learned from our customers and based on where the market is headed in terms of preventing sensitive data exfiltration that more and more, organizations are actually shifting away from encryption for a variety of reasons (more on this below).
Industry experts also see the severe limitations of encryption in email security.
As Gartner® states in the 2021 Email Security Market Guide, “Although email encryption has been available for many years, the workflow is often very poor, meaning open rates of encrypted emails are historically low. Authenticating the recipient has always been the challenge, requiring users to create new accounts on messaging portals and leading to very poor open rates. With the widespread adoption of cloud email, authenticating users that are on the same platform (e.g. Microsoft 365) has simplified the process, but as soon as recipients are on different platforms, the issue remains.
A number of vendors focused on email data protection are looking to address this with simplified workflows and second-factor authentication. Secure messaging portals that store sensitive information separate from email is one solution, but that raises questions over data residency and where the keys are stored.”
Looking at Encryption? Consider these issues first…
Encryption can give a false sense of security
Back in 2011, Lockheed Martin’s servers were hacked. It was reported extensively in the press and was characterized as “significant and tenacious”. The press reported that hackers gained access using stolen SecurID tokens from the security company, RSA.
In other words, hackers simply gained access to the private keys so they could access Lockheed Martin’s servers. Encryption is only as strong as the solution used to secure the credentials to those encrypted assets.
Encryption does NOT solve for accidental data loss
Encryption itself doesn’t prevent sharing emails with the wrong parties or sending the wrong attachments. It also doesn’t solve the root cause of many data loss incidents — sending information to unauthorized or unintended recipients. The recipients of encrypted emails, including incorrect recipients, are free to decrypt them by requesting a one-time password to view the information: the encryption layer has no way of knowing whether the address it was sent to is the one the sender meant.
Encryption requires end users to set policies and access rights which can be error prone and disruptive
File encryption requires that the end user define the policies and access rights for every file they attach to their emails. This is often a huge list of options, including view only, block printing, block forwarding, time bombs, and many other policies. Naturally, users find this process cumbersome, as it hinders their ability to collaborate and communicate through email effectively.
Encryption doesn’t work for Insider Threats
Just as we saw in the Lockheed Martin example, the viability of encryption is often dependent on the security of the credentials used to access the encrypted assets. This is exactly what Edward Snowden did: he simply compromised the credentials of the admins who had access to the encrypted assets.
The bottom line
While security leaders have to consider the loopholes above, perhaps the most important aspect to consider with legacy encryption is its inability to engage the end user in any meaningful way. In other words, the context of the data and attachments in emails is never thoroughly examined, so it’s not addressing the root cause of data loss.
Instead, cumbersome solutions like encryption are used, which don’t account for unknown anomalies, or consider the friction and latency it produces when implemented. To prevent today’s email security incidents, your security controls must address the root cause of data loss — human behavior. This is why Gartner recommends adopting cloud native email security solutions that address data loss, by leveraging context-aware machine learning (ML) — able to detect threats and anomalies, while at the same time educating the end-user on email security best practice.
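To make the misdirection point under “Encryption does NOT solve for accidental data loss” concrete, and to show the kind of recipient-context check this section contrasts encryption with, here is an added example (it is not Tessian’s code, nor anything described in the Gartner report). It assumes a constructed send history in place of a real mail journal, and it uses a plain string-similarity heuristic rather than machine learning: a recipient domain the organisation has never mailed is flagged, and if that domain closely resembles a frequently mailed one it is reported as a probable typo or lookalike. Encrypting the message would not catch either case, because whoever holds the address receives the decryption prompt.

```python
from collections import Counter
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Constructed send history (sender, recipient), standing in for what a mail
# gateway journal or the sender's Sent folder would supply. All addresses are
# made up for this example.
SEND_HISTORY: List[Tuple[str, str]] = [
    ("alice@acme.example", "bob@partner.example"),
    ("alice@acme.example", "bob@partner.example"),
    ("alice@acme.example", "carol@partner.example"),
    ("alice@acme.example", "dan@acme.example"),
    ("erin@acme.example", "bob@partner.example"),
    ("erin@acme.example", "finance@bank.example"),
]


@dataclass
class Finding:
    recipient: str
    reason: str  # "lookalike of known domain" or "first contact with domain"
    suspected_intended: Optional[str] = None  # known domain this one resembles, if any


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def known_domains(history: List[Tuple[str, str]]) -> Counter:
    """Count how often each recipient domain appears in the send history."""
    return Counter(domain_of(rcpt) for _, rcpt in history)


def similarity(a: str, b: str) -> float:
    """String similarity in 0.0..1.0; 1.0 means identical."""
    return SequenceMatcher(None, a, b).ratio()


def check_recipients(recipients: List[str],
                     history: List[Tuple[str, str]] = SEND_HISTORY,
                     lookalike_threshold: float = 0.85) -> List[Finding]:
    """Flag recipients whose domain the organisation has never mailed.

    A never-seen domain that closely resembles a known one is reported as a
    probable typo or lookalike together with the domain it resembles; any
    other never-seen domain is reported as a first contact, so the sender can
    confirm it before the message (encrypted or not) leaves.
    """
    known = known_domains(history)
    findings: List[Finding] = []
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if dom in known:
            continue  # routinely mailed domain: nothing to flag
        if known:
            closest = max(known, key=lambda k: similarity(dom, k))
            if similarity(dom, closest) >= lookalike_threshold:
                findings.append(Finding(rcpt, "lookalike of known domain", closest))
                continue
        findings.append(Finding(rcpt, "first contact with domain"))
    return findings


if __name__ == "__main__":
    # Constructed draft: one typo of a known partner, one internal address,
    # one genuinely new domain.
    draft = ["bob@partner.exmaple", "dan@acme.example", "x@newvendor.example"]
    for f in check_recipients(draft):
        hint = f" (did you mean {f.suspected_intended}?)" if f.suspected_intended else ""
        print(f"WARN {f.recipient}: {f.reason}{hint}")
```

The threshold and the “first contact” rule are deliberately simple; in practice a check like this would be tuned per sender and combined with attachment context, which is the part a pure encryption policy never looks at.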
Tessian was included in the report as a Representative vendor. Here’s why:
- Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite
- Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness
- Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements.
- Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI
Want to learn more about how Tessian compares to legacy solutions? This whitepaper provides an extensive comparison document that covers a variety of legacy security solutions, including encryption, Secure Email Gateways (SEGs), Legacy Data Loss Prevention, Network and Perimeter Security, DMARC, and many others.