SECURE MESSAGING SAFEGUARDS BANK EMAILS
Since the first emails were exchanged over ARPANET, the predecessor to the modern Internet, email security has been a prime concern, particularly with the passage of the Gramm-Leach-Bliley Act.
Certainly, email is highly efficient for distributing information. Yet email is inherently insecure since it travels the Internet in plain text. Anyone can read Mom’s secret cookie recipe, and a determined troublemaker can alter the ingredients in transit with no reliable way to detect the difference. Email actually resembles a postcard written in pencil — anyone can read and modify its contents!
So email has two issues: confidentiality – protecting your message from prying eyes; and integrity – preventing your message from alteration. Solutions to these two issues, almost without exception, rely on encryption.
Encryption converts easily read plain text into code. A key is used to “unlock” this code, thereby converting it back into readable text. In theory, encrypted messages can only be read by someone who can decrypt the message, thus preserving confidentiality. Encrypted messages also can’t be altered without destroying the entire message, thus preserving integrity. The concept is simple, but implementation takes work.
Implementing email encryption presents three challenges. First, the industry has yet to establish an implementation standard. Second, there are no “magic bullet” encryption methodologies; each has advantages and disadvantages. Finally, your consumers will need education to use any encryption scheme, and technology issues may interfere with functionality.
The Big Three

Three technologies are commonly used to implement email encryption. They are:
· Public Key Infrastructure (PKI) — relies on each user having a pair of keys, one public and the other private. Each person's public key is published while the private key is kept secret. Messages are encrypted using the intended recipient's public key and can only be decrypted using his private key. While this solution is highly secure, it can be difficult to maintain. PKI requires a centralized key management infrastructure as well as a means to distribute private keys to staff and consumers.
· Secure Sockets Layer Pull (SSL Pull) — This encryption technology stores a copy of each secure message on an SSL encrypted web server. The server then notifies the recipient that a new secure message has been received and provides the recipient with a link to an SSL web page where they can view the message in a web browser. This technique uses the same standards as most ecommerce sites. The disadvantage of this technology is that secure messages typically must be stored on the web server for extended periods, causing storage and retention problems.
· Key Push Technology — In this technology, the sending email client requests a unique key for each message that the software encrypts. The centralized key server generates a new random key, stores it and returns a copy to the sending software to use for encryption. When the recipient receives an encrypted message, his or her software contacts the key server to request the key. If the recipient is authorized to read the message, s/he receives the key to decrypt the message. If not, access is denied.
The financial services industry currently favors Key Push Technology due to its centralized key management scheme and clientless environment. Centralized key management has the advantage of providing detailed audit trails and the ability to “shred” keys in case of a breach or employee termination. The clientless environment makes software installation unnecessary, reduces support and enhances consumer acceptance. Outsourced versions of these solutions deliver further convenience for banks.
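As an added illustration (not part of the original article, and not any vendor's product code), the following Python simulates the Key Push flow described above together with the confidentiality-and-integrity point made earlier: a central key server issues one fresh random key per message, releases it only to recipients authorized for that message, logs every request as an audit trail, and can "shred" a key so that every copy of the message becomes unreadable. The cipher is a simple encrypt-then-MAC construction built from the standard library's HMAC-SHA256 (chosen so the example runs with no third-party packages, not because any product works this way); the class and function names, the addresses and the message text are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive separate encryption and authentication keys from the per-message key
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag (confidentiality plus integrity)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any alteration in transit raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class KeyServer:
    """Hypothetical centralized key server: one random key per message, access control, audit trail, shredding."""

    def __init__(self) -> None:
        self._keys: dict[str, tuple[bytes, set[str]]] = {}
        self.audit: list[tuple[str, str, str]] = []  # (event, principal, message_id)

    def issue_key(self, sender: str, recipients: list[str]) -> tuple[str, bytes]:
        # The sending client asks for a fresh key; the server generates, stores and returns it
        message_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._keys[message_id] = (key, set(recipients))
        self.audit.append(("issue", sender, message_id))
        return message_id, key

    def fetch_key(self, recipient: str, message_id: str) -> bytes:
        # The recipient's client asks for the key; it is released only if authorized and not shredded
        entry = self._keys.get(message_id)
        if entry is None:
            self.audit.append(("denied-no-key", recipient, message_id))
            raise PermissionError("key unknown or shredded")
        key, allowed = entry
        if recipient not in allowed:
            self.audit.append(("denied", recipient, message_id))
            raise PermissionError("recipient not authorized for this message")
        self.audit.append(("release", recipient, message_id))
        return key

    def shred(self, message_id: str) -> None:
        # Destroying the key makes every stored copy of the message unreadable
        self._keys.pop(message_id, None)
        self.audit.append(("shred", "administrator", message_id))


def send(server: KeyServer, sender: str, recipients: list[str], body: bytes) -> tuple[str, bytes]:
    """Sender side of Key Push: obtain a per-message key, then encrypt the body with it."""
    message_id, key = server.issue_key(sender, recipients)
    return message_id, encrypt(key, body)


def try_read(server: KeyServer, recipient: str, message_id: str, blob: bytes):
    """Recipient side: return the plaintext, or the name of the error that blocked reading."""
    try:
        return decrypt(server.fetch_key(recipient, message_id), blob)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    server = KeyServer()
    # Constructed sample message; the addresses are placeholders, not real accounts
    mid, blob = send(server, "teller@bank.example", ["customer@example.com"], b"Your statement is ready.")
    print(try_read(server, "customer@example.com", mid, blob))   # authorized: plaintext
    print(try_read(server, "outsider@example.com", mid, blob))   # not authorized: PermissionError
    altered = bytearray(blob)
    altered[20] ^= 0x01                                           # one ciphertext byte changed in transit
    print(try_read(server, "customer@example.com", mid, bytes(altered)))  # ValueError
    server.shred(mid)
    print(try_read(server, "customer@example.com", mid, blob))   # key gone: PermissionError
    for event in server.audit:
        print(event)
```

The audit list is what gives the compliance value the article mentions: every issue, release, denial and shred is recorded against a message id and a principal, so an investigator can reconstruct who obtained which key and when. Note that the altered-message case still produces a "release" entry, because the server's decision to hand over the key is separate from the recipient's integrity check; a real deployment would want the client to report that failure back as well.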
Because the industry has yet to embrace a secure email standard, these solutions are implemented on a bank-by-bank basis. This discourages inter-bank functionality, leaving each bank on its own secure email “island.” On the other hand, consumer education offers an opportunity for each bank to reach out to its customers and extend its service role.
For more information about secure email, please visit www.sigaba.com and www.pgp.com.