3 Questions a Small Business owner should ask before buying email encryption software. By Darren Leno
As a software developer and sales person, I have spent many hours on the telephone coaching small business owners about Outlook email encryption software. I've learned that it is not necessary to "sell" our email encryption software; if it is a good fit it, then it will sell itself. My job is to help guide people to the solution that is the best fit for them, whether it is an Encryptomatic product or not.
Today, I'm not going to focus on which method is “strongest,” because they are all strong and it's seldom the most important factor these days. Rather I'm going to discuss some of the business-practical aspects of implementing email encryption in a small business.
Too often, the process and practicality of email encryption software is not given enough consideration. The strongest encryption systems are of no use if they can’t be used effectively by both the sender and the recipient.
By the time you get me on the phone, you have already been baffled by all of the different options that are available. I try to bring clarity to the small business owners’ search for email encryption software by asking them these three questions.
- Why are you evaluating email encryption software?
- Who will you primarily be sending encrypted emails to?
- Do you have the IT assets on staff to manage the solution?
The answers to these three questions can inform any email encryption software purchase decision.
“Why am I evaluating email encryption software?”
There are different reasons to implement email encryption. Perhaps your business is now required by a law, such as HIPAA or Sarbanes Oxley. Perhaps you are pro-actively trying to protect your email solutions. Maybe it's a very specific reason, such as business partners needing a secure way to communicate that can’t be intercepted within the company. Or perhaps you are being forced to implement email encryption by a major supplier.
Small business owners I talk with often feel they are being coerced into implementing email encryption either by the Government or a larger company wielding influence.
If you are, say, a small office insurance producer and you are being told by a large insurance company that you must only send them encrypted emails, you should ask the larger insurance company for recommendations. They will usually have a recommendation for you. It’s important to ask, because you don’t want to purchase incompatible software.
Not all email encryption software can work together. Often large companies will require the use of a public key encryption system (PKI), or a SMIME certificate based system. Both are fairly complex to setup and operate, and may involve recurring fees. If you decide you do not want to operate such a system, then ask if they can work with you on another system. If they require you to implement their chosen email encryption method, then problem solved -- you'll have to go along with it if you want to keep doing business with this company by email.
Methods of email encryption solutions
There are two basic forms of email encryption algorithms: symmetric and asymmetric
Both algorithms come in two basic flavors that will determine cost: as a service, or as self-managed software.
Symmetric key encryption
The first is symmetric key encryption. It consists of a simple shared secret, and an encryption algorithm (there are many possibilities). The secret (or password) is known by two parties who agree somehow on what the secret should be. The secret is used both to encrypt and then decrypt the message. If two parties trust each other and can agree on a secret privately, then this is the easiest and cheapest email encryption method to implement.
Asymmetric key encryption
The other major method is asymmetric key encryption, often called Public Key encryption (PKI). This is a method that requires all parties involved to have two keys: a public key that anyone can use to encrypt a message to you, and a private key that is used to decrypt a message that has been encrypted with your public key. In other words, only your private key can decrypt a message that has been encrypted with your public key. The public key can encrypt, but it can’t be used to decrypt (and vice versa).
PKI requires all users to generate a public/private key pair. To have a two-way conservation, an exchange of public keys is required. Keys must be stored and discovered. It’s secure, yes, but often very difficult for non-technical recipients to setup. PKI service providers will often establish computers called Key Servers which will manage public keys for all of their users. Connecting to or maintaining your own key servers can be a complex undertaking.
S/MIME encryption is a PKI standard that is widely implemented and it is built into Microsoft Outlook. It provides authentication and message integrity and non-repudiation. S/MIME requires obtaining and installing a certificate in your software. Certificates may be obtained from your IT department (self-signed) or purchased from a certificate authority for an annual fee. Using SMIME involves an exchange of certificates, which can be easy or complicated, depending on how it is implemented in your software.
Once PKI or S/MIME is implemented by sender and receiver, the process of communicating can be fairly straightforward, or made automatic. There is a level of complexity here, however, that makes these email encryption methods not always the best choice for small business and individuals.
Who will I primarily be sending encrypted messages to?
If you need to send secure messages to individuals, such as patients, transcriptionist, individual customers, then you will want to find a system that puts the emphasis on ease of use.
The easiest to use systems will be those that are an intermediary to the communication. For example, Lockbin.com will store your message until the recipient retrieves it by entering the symmetric key password. Messages may be retrieved from virtually any computing device. No special software is required.
However, if you are a technically competent researcher who wants to establish a secure email connection with another researcher who is equally competent, then setting up S/MIME or PKI would be an excellent choice.
Do I have an IT department to help manage this?
If you have expertise on staff able to help you, your staff, and possibly your customers implement an email encryption solution, then you’re in good shape! Help yourself to whatever software you can afford.
If you aren’t blessed with an IT department, then you’ll need to strongly consider a managed solution (service) or a symmetric key solution (like Lockbin.com or PDF Postman) that is easy to operate.
What kind of email encryption strength do we need?
As I write this in 2012, I recommend AES-256 bit encryption. AES is the Advanced Encryption Standard. Without getting too technical, 256-bit encryption is now much more common than it was just a couple of years ago, and increased computing power has made it practical and accessible. 256-bit encryption is built into many common software applications today, including Winzip, Adobe PDF Reader, Microsoft Word, and your favorite web browser. Use 256-bit encryption if you choose a symmetric key encryption.
PKI encryption needs a much stronger level of encryption, at least 1024-bits, with 2048 bits quickly becoming the standard bearer. The higher level of encryption is required because with PKI there are actually multiple possible keys that can be used to decrypt a file, however, they are lost in a universe of key possibilities created by using such a high level of encryption. Use of 1024-bit encryption is most compatible at the moment, however, be sure your software is also compatible with 2048-bits or higher keys. The level of encryption required over time will only rise.
The type of email encryption solution you should implement in a small business is both an important and difficult question to answer. By asking yourself some basic questions, you can bring some clarity to this situation.
If you are required to implement email encryption by an authority, then ask that authority to provide information about acceptable methods.
If you are implementing for pro-active security reasons, ask yourself about your ability to manage a complex infrastructure, and understand the ongoing costs of a solution.
In conclusion, we would like to offer for your consideration two symmetric key solutions that we have developed primarily for small businesess.
We designed PDF Postman as an effective and practical email encryption solution for Microsoft Outlook users. PDF Postman leverages the AES-256 bit decryption capabilities that resides within Adobe Reader software. The nice thing about this approach is the low cost of maintenance, the wide availability of PDF readers that support 256-bit decryption, cross computing platform compatibility, and the ease with which the recipient can open the files (all they need is the password).
Another symmetric key solution we offer is Lockbin.com, which is provided as a service and uses 256-bit encryption. Just agree on a password with the recipient, and Lockbin.com will host your email until the recipient can retrieve it from the server over secure connection.
We at Encryptomatic LLC wish you well in your search. If we can be of help, call us at 1-651-815-4902 x1 or email sales at encryptomatic.com