I phoned a security professional friend the other day to discuss e-mail encryption implementation and she brought up an interesting question. The new Massachusetts data privacy law (aka CMR 201 17) requires that:
- Private data stored on laptops must be encrypted
- Private data that is transmitted must be encrypted
So here are a few scenarios in question:
- What if I have private data on my laptop and I want to e-mail it to a fellow employee who sits three cubicles away from me. Should this e-mail be encrypted?
- If I want to send this private data in an e-mail to an external party, it appears like I have to encrypt the data from the time it leaves my PC until the time it is received by someone on the other end.
As I understand it, less than 10% of all e-mail is encrypted today at organizations with e-mail encryption deployed. If scenario #1 is true, then e-mail encryption must become an e-mail staple as a high percentage of internal e-mail messages must be encrypted. If scenario #2 is true, then e-mail encryption gateway solutions don’t meet compliance requirements. This means new deployments of e-mail encryption clients and potentially CAs, PKI, revocation lists, digital certificates, etc.
I don’t know whether either scenario is true so I’d appreciate reader comments and opinions. Thanks.
Read Jon’s other blog entries at Insecure About Security.
Hi Jon,

Can’t help you with the legal answer but perhaps some customer insight: We architected our email encryption product to deal with this scenario some years ago – not because the law dictated it, but because customers were telling us they were just as worried about the IT admin reading data from Personnel, Finance and the Board as they were about threats on the internet. On MS Exchange Server, for example, the administrator can add an email address to forward all messages to for a mailbox – that addition is completely invisible to the owner of that mailbox. So customers told us they wanted to be able to encrypt at the desktop, at least for some sensitive users.

That doesn’t remove the need for gateway encryption – that’s a great place to run rules for content-driven encryption (DLP) and also to scan for malicious content or private data (DLP again) on the way out. In fact it’s vital that desktop and gateway encryption both exist and interoperate – so that content on the way in can be decrypted and scanned (in a very tightly controlled environment) for spam and malware before being allowed to continue encrypted to the desktop. Rules may determine that for other content / users the encryption can terminate on the gateway. Separation of duties can be used to have different Admins holding the rights to set encryption / decryption rules and to administrate the email server.

If data protection regulations are starting to catch up to that best practice operation then that sounds like good news to me.
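The comment above describes a mail path where a gateway decrypts inbound messages to scan them, re-encrypts to a desktop key for designated sensitive users, terminates encryption at the gateway for everyone else, and applies content rules to outbound mail. The following is an added example, not code from the post, the commenter or any product, that models exactly that flow. Everything in it is constructed for illustration: the addresses, the keys, the private-data patterns and the malware marker. The cipher is a stdlib-only encrypt-then-MAC stand-in so the example runs without third-party packages; a real deployment would use a vetted AEAD and S/MIME or OpenPGP key wrapping, and the routing logic does not depend on which cipher sits underneath.

```python
"""Model of interoperating desktop and gateway e-mail encryption (added example)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

# --- Stand-in symmetric encryption -------------------------------------------
# Keystream = SHA-256(enc_key || nonce || counter), tag = HMAC-SHA256 over
# nonce || ciphertext. Subkeys are derived so the MAC and cipher never share a
# key. This is a placeholder for a real AEAD such as AES-GCM, not a proposal.

def _subkeys(key: bytes):
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")   # tampered or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- Constructed keys and rules ------------------------------------------------
# The gateway holds its own key (external parties encrypt to it). Only the
# designated sensitive users hold desktop keys; everyone else has their mail
# decrypted at the gateway. PARTNER_KEY stands in for an external recipient.
GATEWAY_KEY = hashlib.sha256(b"example-gateway-key").digest()
PARTNER_KEY = hashlib.sha256(b"example-partner-key").digest()
DESKTOP_KEYS = {
    "cfo@corp.example": hashlib.sha256(b"example-cfo-desktop-key").digest(),
    "hr@corp.example":  hashlib.sha256(b"example-hr-desktop-key").digest(),
}
# Content rules standing in for a DLP policy, plus a constructed malware
# marker standing in for an anti-malware signature.
PRIVATE_DATA_RULES = {
    "ssn":  re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
MALWARE_MARKER = b"EXAMPLE-MALWARE-MARKER"

@dataclass
class Mail:
    sender: str
    recipient: str
    body: bytes
    encrypted_to: Optional[str] = None   # None, "gateway", or "desktop:<address>"

def scan_private_data(body: bytes) -> list:
    return [name for name, rx in PRIVATE_DATA_RULES.items() if rx.search(body)]

def gateway_inbound(mail: Mail) -> tuple:
    """Decrypt at the gateway, scan, then either re-encrypt to the recipient's
    desktop key (sensitive users) or terminate encryption at the gateway."""
    if mail.encrypted_to == "gateway":
        body = decrypt(GATEWAY_KEY, mail.body)
    elif mail.encrypted_to is None:
        body = mail.body
    else:
        # Encrypted straight to a desktop key: the gateway cannot inspect it,
        # which is exactly why the commenter wants the two layers to interoperate.
        return ("relayed-opaque", mail.body)
    if MALWARE_MARKER in body:
        return ("quarantined", b"")
    if mail.recipient in DESKTOP_KEYS:
        return ("delivered-encrypted", encrypt(DESKTOP_KEYS[mail.recipient], body))
    return ("delivered-plaintext", body)

def gateway_outbound(mail: Mail) -> tuple:
    """Desktop-encrypted mail passes through unread; plaintext mail is scanned
    and encrypted to the external recipient when a private-data rule matches."""
    if mail.encrypted_to is not None:
        return ("relayed-opaque", mail.body)
    hits = scan_private_data(mail.body)
    if hits:
        return ("encrypted-by-rule:" + ",".join(hits), encrypt(PARTNER_KEY, mail.body))
    return ("sent-plaintext", mail.body)
```

The two status strings worth watching in a real deployment are "relayed-opaque" and "delivered-plaintext": the first marks traffic the gateway could not scan (so desktop-encrypted users need endpoint controls of their own), and the second marks where encryption ends inside the organisation, which is the point the original post's scenario #1 turns on.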