Securing Email Correspondence
First things first, how does normal email work?
Today, most correspondence between individuals, companies and groups is sent and received using some form of email client and server. Email is typically a store and forward messaging system where a user will prepare a message and hit send to transmit the message to the recipient. This message will then be forwarded to the upstream server that the recipient is associated with, and will remain in the recipient’s “post box” until it is retrieved into their application inbox, residing on the computer or smartphone device.
Why is this not ideal for confidentiality?
Emails are sent and received using a standard set of protocols ensuring servers can work together irrespective of their Operating Systems and software variants. The protocol used to send and receive emails, is called Simple Mail Transfer Protocol or SMTP. Inherently, SMTP is an insecure protocol and does not include any encryption and or authentication.
This can be problematic especially when sensitive information is sent and received between governments, security agencies, companies, and other organisations. Lack of security and of authentication methods in the SMTP protocol means that email as a communication method, regardless of the email client used, is considered insecure and does not protect access to the information contained in message or its attachments.
Mail servers that the messages pass through between sender and receiver are backed up on a weekly, daily, and hourly basis, which means that information sent between recipients is always available for access. If a foreign government needs access to certain emails of another country or organisation, this would be possible. Government entities or even malicious organisations could easily instruct an ISP to “forward” all emails passing between individuals, companies, countries to them for scrutiny. The possibility of this action displays the lack security surrounding email and the SMTP protocol, especially when using this commercial public infrastructure as a convenient post office.
We are not saying re-invent the wheel, we are just suggesting a better tyre.
The global internet as a traffic carrier is a very efficient, cost effective and reliable means to communicate vast amounts of data across the world. It is clear, however, that to safeguard individuals, companies, organisations, and governments when communicating sensitive information, a more secure means of transmission of electronic correspondence needs to be used.
For true email security, there is no need to re-invent the entire email “wheel” by developing a stand-alone secure email application and server to replace the current SMTP mail infrastructure. Our suggestion is rather to make use of the existing commercial infrastructure combined with a secure plugin or extension that will ensure that the messages sent and received between specific recipients aretruly secured providing data integrity, confidentiality, and reliability.
Secure Communications Platform (SCP)
The Secure Communications Platform (SCP), offered by Specialised Technologies and Services is a stand-alone secure communications infrastructure allowing connected users to securely talk, instant message, send and receive data files, and securely send and receive emails.
The solution provides Microsoft Windows users the ability to add in a plugin to their Outlook application that will create a “Private Message” tab in the Outlook menu. This allows users to create a secure, private message to the intended recipient, with the same feel and touch as if they had clicked the New Message tab from the Outlook menu.
Once the recipient has been selected, the subject included and message created with the attachment, the user can simply hit ‘Send’ for the message to be sent to the recipient. In the background, the SCP secure plugin creates a AES256bit encrypted tunnel between the SCP Outlook plugin and the stand-alone SCP server. The private message is then sent to this SCP server and distributed to the intended recipient or recipients.
The process requires both the sender and receiver to have the secure plugin installed. When the recipient is online, they receive this message in their secure inbox, within their email client. The SCP secure plugin thus ensures that when sending sensitive information between parties, the content is secured before sending, during transit, at rest on the private server, and when received, preventing any form of man-in-the-middle attack. Protecting messages that would otherwise have been residing on multiple SMTP servers, to ensure the integrity of the data between intended parties.
The private SCP server allows users to have a complete audit trail log of who created the message, when it was sent, who received the message, when they received the message and what was in the message. The difference being that this information now belongs only to the entity using the system.
“The sooner we come to terms with the reality that traditional email is a convenient communication method, that is also conveniently accessible, the better”
If you intend on sharing confidential information using email as a communication method, there is no true guarantee it will remain private without the use of a secure plugin and private server. The sooner we come to terms with the reality that traditional email is a convenient communication method, that is also conveniently accessible, the better. Once this is recognised, true email security can become a priority, and true confidential communications can become a reality.