Feature Article

The Encryption Disconnect

Most content is not sent or stored with any sort of encryption. For example, attachments sent through email, files sent using many file transfer solutions, form data sent over the Internet, content stored in repositories like file servers, desktop computers, laptop computers, tablets, smartphones, removable storage devices like USB sticks, etc., are not sent or stored with encryption. The result is that a wide range of sensitive or confidential data is left vulnerable to interception by unauthorized parties, sometimes with very damaging results.

Decision makers are clearly not happy with the current state of their email policies in the context of encryption. For example, Osterman Research found in a study published in August 2012 that only 38% of mid-sized and large organizations find that their policies for encryption of confidential email and attachments meet their needs. Moreover, only about one-half of organizations have automated systems in place to scan outbound content for policy violations, sensitive information, credit card numbers, and information that should be encrypted. The predominant actions taken on outbound email at such organizations are to automatically apply policy requirements (such as encryption or distribution through a secure channel), or to remind users of corporate policies through a pop-up message.

Making the encryption problem worse—dramatically in some cases—is the proliferation of cloud-based file synchronization and storage tools that are widely used in organizations of all sizes. For example, Dropbox is widely employed and currently has about 55 million users worldwide. An Osterman Research survey conducted in the first quarter of 2013 found that Dropbox is used extensively in organizations of all sizes, often without IT’s blessing or even their knowledge.

Dealing with encrypted messages in an end-to-end encryption solution presents a dilemma for content monitoring: allow the message to flow through unchanged, thus respecting the encryption, or decrypt messages to check for policy and content violations. If the message is allowed to flow through unchanged, but the message is in violation of policy and compliance rules, this presents a problem for organizations: encryption is then being used to hide violations, and that creates a risk. On the other hand, if messages are authentically encrypted because policy and compliance rules require it for confidential or sensitive information, unnecessarily decrypting those messages creates the risk that the decrypted message will be accessible to people who should not have access to it. On balance, Osterman Research believes the most appropriate course of action is to decrypt inbound messages to check for policy violations.

On the other hand, integrated gateway encryption solutions take this issue into account as a core part of their design. For example, inbound messages found to be encrypted with an “approved” encryption solution are decrypted in memory at the gateway, scanned against various policies (which may include spam, malware and compliance policies), and sent in encrypted form to the appropriate destination based on policy. By default, both the gateway and the intended recipient have access to the unencrypted contents of the message and its attachments. In such a system, inbound messages encrypted with other forms of encryption (which the gateway cannot decrypt and analyze) are typically handled by an “acceptable encryption policy.” Typically, these policies specify some set of trusted recipients who may be allowed to receive arbitrary encrypted messages, while such messages are quarantined if directed to anyone else.
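The gateway behaviour just described, together with the outbound scan for credit card numbers mentioned earlier, can be sketched as a small policy engine. This is an added illustration, not code from Osterman Research or from any gateway product; the approved-encryption set, the trusted-recipient list, the vendor MIME type and the base64 stand-in for the real key operation are all constructed for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import Callable

# Gateway policy (constructed values for the example, not a real product's config).
APPROVED = {"smime", "pgp"}                        # the gateway holds keys for these
OPAQUE_TYPES = {"application/x-vendor-encrypted"}  # constructed: encryption it cannot open
TRUSTED_RECIPIENTS = {"legal@example.com"}         # may receive arbitrary encrypted mail
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")    # candidate card numbers, with separators

@dataclass
class Message:
    recipient: str
    content_type: str   # top-level Content-Type header
    body: str           # ciphertext if encrypted, plaintext otherwise

def classify_encryption(content_type: str) -> str:
    media = content_type.split(";")[0].strip().lower()
    if media == "application/pkcs7-mime":   # S/MIME enveloped data (RFC 8551)
        return "smime"
    if media == "multipart/encrypted":      # PGP/MIME, protocol="application/pgp-encrypted"
        return "pgp"
    if media in OPAQUE_TYPES:
        return "other"
    return "none"

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """The DLP scan: return masked card numbers that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found

def gateway_decision(msg: Message, decrypt: Callable[[str], str]) -> tuple[str, list[str]]:
    kind = classify_encryption(msg.content_type)
    if kind == "other":  # cannot inspect: the acceptable-encryption policy decides
        return ("deliver", []) if msg.recipient in TRUSTED_RECIPIENTS else ("quarantine", [])
    plaintext = decrypt(msg.body) if kind in APPROVED else msg.body  # decrypted in memory only
    hits = find_card_numbers(plaintext)
    if hits:
        return ("quarantine", hits)   # policy violation found after inspection
    return ("deliver-encrypted" if kind in APPROVED else "deliver", [])  # re-encrypt approved mail

# Stand-in for the real S/MIME or PGP key operation, so the example runs offline.
def stub_decrypt(ciphertext: str) -> str:
    return base64.b64decode(ciphertext).decode()

SAMPLE_SMIME_BODY = base64.b64encode(b"Quarterly figures attached").decode()  # constructed
```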

For more information on these issues and our recommendations for dealing with them, please see the white paper we published recently, Why Securing Communications and Content is a Critical Best Practice.
