Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Is universal end-to-end encrypted email possible (or even desirable)?

Maria Korolov | Sept. 19, 2017
End-to-end email encryption is getting more attention as security and compliance concerns mount, but practical use cases are rapidly being eaten away by other technologies.

Man pointing to security icon for email
Credit: Thinkstock 

People expect their email to be private between them and the recipient, but in reality, the contents of your email are exposed during transmission. Full end-to-end encryption would  mean that only the receiver of the email can decrypt their messages, but sharing public keys and agreeing on a common encryption standard can be tricky for most users. Plus, if email communications are fully encrypted along the entire path, then there's no opportunity for a service in the middle, such as Gmail or Office 365, to check for spam, automatically sort emails into folders, or offer full-text searches.

Unless the platform is integrated with a company's email gateway, firewall, and data loss prevention system, end-to-end email encryption may also prevent enterprises from monitoring for suspicious traffic. "Right now, a large number of companies just don't have a solution dealing with encrypted email," says Tom Fuhrman, cyber security practice leader at Marsh Risk Consulting.

As a result, most enterprise uses of encrypted email today are either within an enterprise or for special purposes such as trips to China or Eastern Europe. When a message from an encrypted enterprise email platform is sent to external users, the recipient typically gets a link to a secure online service where they can read the message.

Usability issues are just part of the battle. Competing services have carved out particularly high-value niches that may have been served by end-to-end encrypted email, instead.

 

Non-email alternatives

One potentially useful purpose for end-to-end encrypted email is for doctors, banks, and lawyers to send sensitive documents to their customers. Sending these files through ordinary email is a security risk, but also a compliance violation in many regulated industries. Often, getting those users to sign up for an encrypted email service is a non-starter.

Instead, institutions typically used third-party file sharing solutions. One of the most popular services for documents that need signatures is DocuSign. The company claims more than 300,000 business customers, and over 200 million users in 188 countries. Recipients get an email with a link to the DocuSign website, where they authenticate themselves, and can then easily read and sign documents. DocuSign meets the legal requirements of the U.S. Esign Act, as well as similar laws in other countries, and the company claims that it's signatures have never been successfully repudiated or challenged in any court anywhere in the world.

When documents don't need legally binding signatures, there are many online document-sharing sites like Box that offer enterprise-grade security and authentication. As with DocuSign, recipients get a regular email that contains a link to the shared document or folder.

 

1  2  3  4  5  Next Page 

Sign up for Computerworld eNewsletters.