There are many ways to encrypt email, TLS being the simplest and most seamless. With SMTP TLS (the use of TLS encryption to secure the “SMTP Protocol” used for the transmission of email between computers), messages are transported between the sender, recipient, and all servers securely. TLS is a layer that fits seamlessly over “regular email” to ensure transport email encryption when supported by both the message sender and the recipient. With SMTP TLS, sending a secure message works and feels the same as sending any other email message.
“It just works.” That is the ideal combination of security and usability.
However, SMTP TLS only solves the problem of email encryption during transmission from sender to recipient. It does not in any way secure an email message while it is at rest, whether while in the sender’s “sent email” folder, queued or backed up on the email servers of the sender or recipient, or saved and stored in the email recipient’s folders. While SMTP TLS is really easy to use, it is important to consider if use of SMTP TLS alone is “good enough” for companies to comply with the many U.S. government laws which apply to email.
When it is “good enough,” organizations may opt for the seamless simplicity of TLS over the added complexity of other modes of secure email communication.
In this article, we shall examine the security afforded by SMTP TLS and compare that to other modes of email encryption such as PGP, S/MIME, and Escrow (i.e. picking up your message from a secure web portal). We shall then look at many of the most important laws (HIPAA, GLBA, Sarbanes-Oxley, SB1386, NASD 3010, FRCP, SEX 17a-4, FINRA, and PCI DSS) to see what is said or implied about using “Just TLS” vs. other, stronger forms of encryption. We won’t spend a lot of time explaining each law; if you are interested there are innumerable articles on the web for that. We focus only on what they say or imply about encryption for email transmission and storage.
The short answer is that many of these laws outline various requirements for email storage, archival, and retrieval for legal proceedings without specifically delineating requirements for the encryption of those messages. So, use of TLS is just fine with respect to those.
For PCI compliance, avoid email if at all possible; however, if you must use email for sending credit card data, “Just TLS” is not sufficient.
For the rest, the burden ends up being on each individual organization to decide for itself the level of encryption appropriate to protect sensitive data. Use of encryption methods that provide protection for data at rest can mitigate liability in the case of a breach, but they are not mandated. There are also ways of protecting data at rest that do not involve more onerous methods of email encryption.
Indeed, your internal risk analysis may find that “Just TLS” is best in some cases and methods that provide explicit data-at-rest email encryption are warranted in others.
Read the rest of this post »