How can we improve email security?
As cyberattacks increase in number and sophistication, João Paulo Foini of business and IT consultancy Foini Consultores considers email security. And how the S/MIME protocol can play a key role in improving protection.
First, let’s look at the figures for 2021
5.13 billion economically active people
The world’s population was 7.87 billion people in 2021 and 5.13 billion were considered economically active (people aged 15 to 64 years, including employees, freelancers, interns, apprentices and employers).
4.1 billion email users
According to research by The Radicati Group (London), Inc, with an annual growth expectation of 3% per year, there’ll be 4.6 billion users in 2025.
319.6 billion emails per day
This research also indicates that email traffic is forecast to reach 376.4 billion per day by 2025.
Which leads us to the following approximate, average figures for 2021:
- 222 million emails are sent each minute.
- 41 emails/day (15,000 emails/year) are sent or received by each person.
- 145 million emails/minute (208 billion emails/year) are sent by the economically active population alone.
What are these emails for?
Interesting these numbers, aren’t they? In fact, they make us question how many of these emails were:
- For personal use?
- For corporate use (internally or externally)?
- Related to B2C, B2B or B2E processes?
- Linked to using electronic services (e.g. for e-commerce, video streaming, distance learning, content subscription, etc.)?
- Marketing emails?
- Sent unnecessarily or incorrectly?
- Instruments for cybercrime?
I think it’s important to highlight the relevance of email. Because, even in the current technological context where we use instant messaging, video calls, online meetings, document scanning, content channels (blogs, videos, etc.), service platforms, and more, email is still a widely used, necessary resource. This is potentially because email is asynchronous communication and is strongly used for recording information exchanged – it has a more ‘official’ feel.
Can I trust you?
Given the volume of emails, do you ever stop to verify if the author of an email is really who they say they are? And have you received the original content of the email or was it changed by a malicious third party during transit?
If we consider the emails that corporate organisations send to their customers, suppliers and partners, there’s a high risk of spam, spoofing, phishing attacks and more. And this can compromise important communication regarding billing and contracts and so on. This poses a great risk to a company’s corporate image, the levels of trust they have among customers and suppliers, and, ultimately, their business continuity.
How S/MIME increases email security
One of the ways companies can protect themselves is by using the Secure/Multipurpose internet Mail Extensions (S/MIME) protocol to secure the exchange of emails.
Designed to prevent emails being intercepted during transit, S/MIME was developed by RSA Security and is based on the Simple Mail Transfer Protocol (SMTP) method. It uses two important security features to authenticate the sender and ensure the email remains private:
- Encryption – the email content sent between two S/MIME-enabled users (the sender and recipient) is encrypted to make it unreadable by anyone other than the intended recipient.
- Digital signature – digitally signing emails sent between two S/MIME-enabled users eliminates any risk of spoofing or tampering with content.
It’s easy to configure S/MIME for use on most email technologies and email distribution platforms, including HTTP messages.
Here are some examples from platforms widely used in the market:
- Encrypt messages using S/MIME in Outlook on the web.
- Enable hosted S/MIME to enhance message security.
- S/MIME – Zoho Mail.
S/MIME uses public key infrastructure (PKI) and asymmetric encryption to authenticate and encrypt email messages. The most widely used approach is digital certificates in a PKI environment with global roots that are trusted and recognised by email systems, browsers and operating systems for desktops and mobile devices. Examples include GlobalSign, DigiCert, among others.
In corporate environments, there’s also the option of using private digital certificates. These are issued in a PKI environment with private keys where the root is the company itself.
This model helps to streamline electronic processes, reduce costs, increase flexibility, and facilitate scalable growth of users (internal or externally) with digital certificates. But it’s essential to follow country laws and regulations around transparency (for both the origin and destination of the message) to ensure you’re implementing a digital certification policy that’s appropriate for each location.
The commercial benefits of using S/MIME
Using S/MIME and the security it offers brings a variety of tangible benefits to your organisation. It helps to:
- Authenticate the origin of senders and content for emails relating to B2B and B2C processes.
- Give greater confidence in the source of content on content-subscription platforms.
- Protect commercial and judicial relationships delivered via email.
- Strengthen information protection and security policies.
- Ensure compliance with data-protection legislation.
- Protect the communications of employees working remotely – either in the field or at home.
- Ensure good practice in the exchange of messages with partners and customers.
Digital certificate management begins with preparation
Managing digital certificates can be complex, and the best approach depends on a variety of factors. These include the size of the company; how digital certificates will be used; the target audience; the security policies in place; and the number of digital certificates.
Things to review and define, to help decide on the best approach, include:
- Target audiences: internal and/or external.
- Which groups will adopt the S/MIME
- The public, private or hybrid certification roots.
- Which electronic messenger workflows will use S/MIME.
- What other types of digital certificates (public or private) the company uses.
- Validation and identification flows for issuing digital certificates.
- Digital certificate lifecycle (issue, renewal and revocation).
- Cycle of use for digital certificates – where and how to use them.
- Digital certificate providers – public root.
- Integration with internal systems.
- Email platform configurations and licensing.
- Technology for issuing internal digital certificates (if it’s a private root) and definition of the fields and validities of the digital certificates themselves.
Document security policy – especially considering local laws.
Is it possible to use public and private roots and other types of digital certificates?
Yes – in fact, a hybrid model is usually the most suitable scenario for a company. Most companies already use some types of digital certificates on their application servers and database and so on. And, in some cases, also for users.
After defining security policies (see above), there’s an important decision to make. Do you use several platforms for managing different digital certificates, suppliers and lifecycles? Or do you use a single, universal platform for managing all types of digital certificates? This decision is typically made by the head of technology and information security and is often influenced by the volume of digital certificates that need administering.
BlueX digital identity manager smooths the way
Over the last 15 years, I’ve overseen digital certification projects in Brazil involving hundreds of thousands of users and digital certificates. It’s not easy to manage the resources, policies and other requirements for projects of this scale. But having the right tool can make things much more streamlined and efficient.
For some years, I’ve been using AET Europe’s BlueX projects. It allows optimal flexibility to manage the cycles of use and life for various types of digital certificates, including S/MIME implementation.
As a technology, BlueX uses a client-server architecture and supports leading relational database management systems and key market protocols. It also integrates with the main software used by certifying authorities for public roots around the world. And you can configure BlueX to issue private digital certificates in the exact way they’re needed for each company or project. Including projects using both digital identification and attribution certificates.
In every case, I found it was possible to store the certificate on local equipment, or on cryptographic devices, PKI, HSM and cloud cards.
With its custom workflow development engine, BlueX lets you create customisable workflows for every step of a digital certificate’s lifecycle – including S/MIME.
Increase your protection against rising cybercrime
Remember, every effort to provide electronic security to users and businesses is rewarding. Especially when it comes to email – one of the corporate environment’s main work tools. Using S/MIME gives added security to emails in a time when cyberattacks are on the rise.