Email Encryption

More and more industries and even some states are starting to require that all email containing sensitive information be encrypted. I think this is a great idea. Email should be encrypted, sensitive data like personal information should be protected from end to end. Frankly, I think there is going to be a time where ALL email is encrypted. Just like telnet, FTP or any website that get's input from a user is using SSL, It will become the norm.

The problem right now is the user intensive process involved in retrieving the encrypted messages. From a sender perspective it's pretty easy. Your I.T. department installs a security appliance of their choice (IronPort, Barrcuda, etc...) and it's pretty easy from that point. Depending on the system, the user may have to choose to encrypt the message by clicking a button or selecting an option from a dropdown. However, the receiving end is miserable.

As of right now the process for every secure email system I've seen goes like this. The recipient get's and email with a link to a website hosted by the email sender. The link is activated and the recipient is required to create and account in the senders system, user name/password etc... Once the account is created and accessed, the encrypted email is then displayed in a window generated by the senders encryption system. The recipient can now forward, reply, download an attachment (typically the case in my environment) etc...

Aside from this being a lengthy process, this process needs to be done for every domain that sends you encrypted email. That's a heckofalotof users names and passwords to remember. People typically can't remember their passwords to login to the network, or in to our (non AD compliant) core app. What makes you think that these users are going to remember potentially hundreds of other ones? This is and has become a major problem with the company I work for.

We get secure email from big banks often and several different people receive these emails. If a user forgets their password to the banks encryption system they are pretty much screwed. We, in I.T. can't reset their passwords because it's the banks system. The person who sent them the email can't reset their password because all they did was click the "encrypt email" button. So the request to reset passwords ends up requiring assistance from the bank's I.T. department. This is the problem, a lowly end user from some random company like ours isn't going to get the attention they need from the bank's I.T. department to reset that password. The only solution we've come up with is to have the sender at the bank send the email to a different address (typically we just create an alias on the users account) and they setup a new encryption account. It's really silly, it creates confusion on our side and an excess of accounts on the bank's side.

Clearly email encryption is the future and it's not going to go away anytime soon. I just don't think the usability from a recipient perspective is there yet. Until the encryption and decryption (is it called that?) is done with no user intervention completely at the gateway or network edge, I don't think laws requiring email encryption are appropriate.