Posted 11 months, 3 weeks ago
The online world is a bit like the American Wild West 150 years ago. Most people are genuinely good and honorable and are just trying to live their lives. Then you have the gunslingers and train robbers, those people who today are hackers and scammers just trying to make a fast buck at the expense of those good people.
You can follow all of the industry best practices you want when doing business online, and yet still fall victim to a man-in-the-middle email attack. Or one employee may fall for a phishing scam and end up endangering your entire network and all of your company’s proprietary data. These are today’s versions of the train robberies of the Wild West.
One solution that is too often overlooked is enterprise email encryption. 21st-century business communication runs on email. Yet the vast majority of companies out there are not doing anything to lock down their servers or the client software their employees use heavily each and every workday. Each organization has its reasons for leaving this communication channel open to attack, whether it’s out of a lack of understanding as to the extent of their vulnerability or due to outdated ideas of what it takes to encrypt enterprise email systems. No matter the reasoning behind the decision, end-to-end email encryption is something that any business, of any size, should consider implementing in today’s online climate of phishing scams and hackers-for-hire.
We’ve talked about this recently, but since it’s so crucial to have an understanding of the importance of encrypting communication, we’re covering it again in brief here. There are three primary reasons to encrypt your company’s email communications: confidentiality, integrity, and authenticity.
The most self-evident of the three, encrypting emails ensures that only the intended recipient sees the contents of the message—to everyone else the contents are obfuscated. End-to-end encryption also ensures that if a protected message is being picked off, it stays unreadable to the interfering party.
Slightly less well-known, yet no less important, than confidentiality is the ability to prove the integrity of an email message. This means that an encrypted email cannot be intercepted, manipulated by a third-party, then allowed to continue on its way to the intended recipient without them noticing. Any interference of this type is stopped in its tracks by the signing of the encrypted message.
Our last key attribute of encrypted email systems is the ability to guarantee the authenticity of the sender. With the increase in both phishing attacks and spoofed email addresses being seen today (especially during the COVID-19 pandemic), verification of keys (or so-called fingerprints in the case of PGP) within the context of encryption ensures that the person you’re interacting with is indeed who you think they are.
As with any business software solution, there are myriad offerings on the market that purport to provide end-to-end email encryption. Perhaps the most well-known of these is also the originator of the segment, PGP. Standing for Pretty Good Privacy, PGP has been around for years, providing the sort of email encryption we’re talking about.
PGP was created in 1991 by computer scientist and cryptographer, Phil Zimmermann. It was the first widely available public-key cryptography tool, initially offered via public FTP download along with the source code. PGP uses a combination of hashing, data compression, symmetric-key cryptography, and public-key cryptography to encrypt and decrypt data. It can be used on email communications, individual files, directories, or even entire drive volumes.
This flexibility is possible because it uses signing along with end-to-end encryption, thus allowing it to be used to encrypt just about any file type out there. One of the benefits of this flexibility is that it leaves room for others to improve upon the baseline technology to offer more user-friendly implementations.
For our purposes today, we’re going to focus on end-to-end email encryption in order to sketch out the ways that PGP does and doesn’t make life easy for users and sysadmins.
For starters, PGP is packet-based. This means that while it is great at encrypting and decrypting individual files, for email communications that consist of multiple layers of packets, sub-packets, and packets of vastly different lengths, it’s not optimal. Further, and from the user’s perspective, this complexity extends to what is called the “web of trust.” This is basically a non-computer based network of trusted individuals with whom a user wants to be able to communicate via encrypted email. This web of trust acts as a kind of central authority, which means that PGP isn’t actually a peer-to-peer (P2P) system. The out-of-network nature of this system means that often a user has to accept that a sender is who they say they are, receive a message from them, and only then can they go about verifying that person’s identity. This enhances protection, but it does require effort.
With the plethora of implementations that exist there simply is no unified interface for a user to learn in order to be able to use PGP reliably. There are, however, many solutions available that use the underlying PGP encryption algorithms while creating their own UI and/or integration with existing third-party software (more on that in a moment).
PGP’s reputation has mostly been bolstered by users and admins who are above average in their level of technical expertise and savviness. Folks like this are often able to take full advantage of PGP’s many benefits, while less technical users (who might be on the same system as these tech-savvy email users) may have a harder time getting that level of protection reliably. Having been developed in the early days of BBS systems with a target audience of fellow cryptographers, there was no need to create a friendly UI for PGP. These early users were more than capable of accessing key servers, changing their public keys, and everything else required for smooth use of the tool. Today, asking a financial analyst to change their public key and be sure it’s stored correctly on the key server leaves your system open to more possibilities of human error than is strictly ideal. Given the choice between letting users manage the complexity of this kind of protection themselves and finding a way to automate key management and document signing (such that they’re invisible to users), the latter choice is typically going to be safer.
The whole point of encrypting business emails is so they remain secure and private. Given that human error is the single biggest risk in cyber security, user experience is more important than it’s ever been.
Recent developments in encryption have led major players in the instant messaging world to be able to seamlessly enable end-to-end encryption on real-time messaging platforms. Both WhatsApp and Apple’s iMessage now encrypt all messages sent between users. And the majority of users had no idea that any changes were made. These two systems are using an asymmetrical (RSA) token system to ensure that messages are not intercepted and read and that the sender and receiver are both who they claim to be.
So the question remains, if Apple and Facebook (parent company of WhatsApp) can deploy security like this, what’s stopping businesses from providing this same level of ease for their email users?
p≡p does things a little differently. We’ve built our encryption on top of a solid base that includes SequoiaPGP, an OpenPGP implementation based on Rust, but we manage trust rather differently. Because of a number of incidents revealing security flaws in X.509 public key infrastructure, we’re creating trust internally on a peer-to-peer basis between a person’s contact ID and key.
Thus, the trust is truly peer-to-peer. We don’t want to sign keys and upload them to public key-servers, because privacy issues with those servers can result in users’ contact networks being published to attackers. In addition, the lack of control over who uploaded which key to the keyserver may lead the user to download fake keys which will interfere with his or her communication. As such, we avoid any centralized server in the p≡p infrastructure. Of course, we’re compliant with Open PGP as we support what OpenPGP does as a standard—but our model of trust averts the risks involved with the typical web of trust scenario and the public key servers.
At the same time that we’re enhancing trust and security, we’re also prioritizing ease-of-use. The practical upshot for your users is that they don’t need to do anything beyond checking message status via a color-coded indicator next to each message in their inbox. That’s it. We accomplish this simplicity in two primary ways: automation and integration.
p≡p provides a fully automated end-to-end email encryption solution. Once installed, p≡p handles everything from key management to identity verification. The end-user just sends an e-mail and replies to the response to have perfect encryption running. The end-user will see a color indicator light to know that a message went to who it was supposed to and that it was successfully encrypted along the way.
p≡p integrates with your existing enterprise-class email server, whether on-site or hosted infrastructure, including anti-spam solutions, anti-virus software, and firewalls. This eliminates the need for an additional UI for users to navigate in order to send secure messages every time. Whether your workforce is on PC or Mac, iOS, or Android, everybody is covered.
By laying this extremely simple and intuitive user interface on top of industry-leading encryption algorithms, p≡p aims to make end-to-end email encryption a reality for everyone. No matter your company’s size or number of employees, you will benefit from encrypting your confidential communications, and your users won’t have to learn complex processes or how to read programming languages to make it a reality.
As a bonus, users who are already utilizing PGP can import their keys into p≡p’s system, and the encryption protections that we offer between p≡p users also extend to PGP users. PGP users that like to keep their desktop tools, can do so and use the pEp mobile apps with those tools on their smartphones.