Email, despite being one of the very first methods of digital correspondence, remains the most commonly used form of business communication. As such, CIOs and CISOs must find a way to secure email without hindering business processes. Several issues must be considered, including defending against the constant barrage of phishing attacks that most enterprises experience, addressing the security risks that arise from using managed email solutions from third parties, and complying with e-discovery requirements and other regulations.
Securing Email In An Enterprise Environment
It’s becoming increasingly common for enterprises to use third-party email providers, such as Exchange Online or GSuite. These providers do an excellent job of ensuring high availability via scale and uptime, but this typically comes at the cost of confidentiality and integrity, as the providers can read and alter your email and forge emails on your behalf.
While most email providers are very unlikely to do this, why give them the opportunity if it is not necessary? Luckily, a well-established solution exists for this problem: Secure/Multipurpose Internet Mail Extensions, better known as S/MIME.
With S/MIME, you can sign and/or encrypt your email to protect its integrity and/or confidentiality before your email provider gets access to the email (i.e., the solution provides end-to-end security). By signing your email, you restrict the ability of others to alter or forge emails in your name. When you also encrypt your email, you ensure that only you and your intended recipient(s) are able to read the contents of the email.
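To make those two operations concrete, here is an added example (not code from this article or from GaraSign) that drives S/MIME signing, verification, encryption and decryption through the openssl command-line tool. It assumes openssl is installed and uses a throwaway self-signed test certificate generated on the spot in place of a CA-issued one.

```shell
# Added example, not GaraSign's code: the sign/verify and encrypt/decrypt flows
# described above, via the openssl CLI (assumed installed). Test identity only.
set -eu
WORK=$(mktemp -d)
CERT="$WORK/alice.crt"   # public certificate: what correspondents need
KEY="$WORK/alice.key"    # private key: the part a central HSM would hold

# Constructed throwaway identity; name and address are placeholders.
make_test_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Alice Example/emailAddress=alice@example.com" \
    -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Sign $1 into $2: a clear-signed multipart/signed message (integrity).
smime_sign() {
  openssl smime -sign -in "$1" -out "$2" -signer "$CERT" -inkey "$KEY"
}

# Verify $1 with the signer certificate as trust anchor; exit status 0 means
# the signature checks out and the signed content was not altered.
smime_verify() {
  openssl smime -verify -in "$1" -CAfile "$CERT" -out /dev/null 2>/dev/null
}

# Encrypt $1 into $2 for the holder of CERT's private key (confidentiality).
smime_encrypt() {
  openssl smime -encrypt -aes256 -in "$1" -out "$2" "$CERT"
}

# Decrypt $1 with the private key; the recovered content goes to stdout.
smime_decrypt() {
  openssl smime -decrypt -in "$1" -recip "$CERT" -inkey "$KEY"
}

# Walk-through: an edit to a signed message must be rejected, and an
# encrypted message must not show its plaintext in transit.
demo() {
  make_test_identity
  printf 'The Q3 board meeting moves to Monday at 9am.\n' > "$WORK/msg.txt"
  smime_sign "$WORK/msg.txt" "$WORK/msg.p7m"
  smime_verify "$WORK/msg.p7m" && echo "original: signature valid"
  sed 's/Monday/Friday/' "$WORK/msg.p7m" > "$WORK/tampered.p7m"
  smime_verify "$WORK/tampered.p7m" || echo "tampered: signature rejected"
  smime_encrypt "$WORK/msg.txt" "$WORK/msg.enc"
  grep -q Monday "$WORK/msg.enc" || echo "encrypted: plaintext not visible"
  smime_decrypt "$WORK/msg.enc" | grep -q Monday && echo "decrypted: recovered"
}
demo
```

Note that the signed message is clear-signed, so anyone can still read it; only the additional encryption step hides the content from the mail provider.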
S/MIME Deployment Challenges
So, if S/MIME is the most established solution for securing email, why hasn’t it seen broader adoption? Like every technology, S/MIME isn’t perfect. Traditionally, it has been considered too difficult to deploy for most enterprises. The main challenges with S/MIME are:
- Issuing certificates/keys to thousands or tens of thousands of end-users.
- Maintaining the ability to revoke access to keys for specific end-users when they depart the company.
- Ensuring compliance with all relevant regulations, like e-discovery requirements.
It’s important to note that these problems stem from the fact that S/MIME certificates and keys are typically distributed to end-users rather than managed centrally. If you were instead to generate and store the S/MIME keys centrally, giving end-users only proxied access to the keys they need, the solution would be much easier to deploy and maintain.
In such a solution, the S/MIME private keys would be centrally managed in an enterprise HSM cluster and never exported from those secure devices. When end-users need to make use of the keys (that is, when they need to sign or decrypt email), their email client would invoke a cryptographic service provider that makes a call to the HSM to use the private key. In this way, the keys are always secure, auditable, and easily managed, while email remains both fast and secure.
GaraSign Makes Deploying & Managing S/MIME Simple
GaraSign is the tool you need to deploy a centrally-managed S/MIME solution. It integrates with your Active Directory domain and Certificate Authorities (both internal and external) to auto-generate keys and certificates for each of your employees, ensuring that the deployment is simple and free of manual administrative processes. As team members come and go, their keys are easily granted and revoked from a centralized interface.
GaraSign’s cryptographic service providers integrate directly into your employees’ email clients to transparently sign and encrypt email. Since the keys are centrally managed, encrypted emails are always recoverable and can be made available to legal and compliance teams whenever required.
Better still, GaraSign supports S/MIME as just one of its many use cases. It can also be used to secure and accelerate code signing, SSH, TLS, document signing, and other use cases.