Encryption and digital signature are the best way to ensure the integrity and privacy of email communication. The benefits are:
- Knowing the email really came from the sender, including identification of the represented organization
- Enabling verification that the email content and attachments were not altered after sending
- Knowing that no one else could read the email at the mail server or in transit, as it was encrypted only for the sender and recipient
These capabilities combat spear phishing attacks like Business Email Compromise (BEC) and aid compliance with a set of important global requirements including GDPR, HIPAA, the U.S. Department of Defense’s DFARS, and others.
Using S/MIME for encryption allows both sender and recipient to utilize their existing S/MIME capable email applications with their familiar capabilities. Alternative approaches require separate email applications or web portals with different user experiences.
It is tempting for the enterprise to use S/MIME without automated certificate management in hopes of saving some money by requiring employees to share the burden of managing certificates. As an example, Sectigo received this quote from a customer trying to use the manual management that is typical for S/MIME email certificates:
“We deployed the secure email certificates for our end users four months ago and faced difficulty in deployment. Although we created a step-by-step guide for end users to download and install their own certificates, a lot of support requests were received to accomplish setup. Is it possible to switch to Zero Touch in order to facilitate the Certificate management and installation processes?”
The price of automation is a good investment, less than the expected cost of support calls or the lost productivity for employees manually managing their own S/MIME certificates. Or worst of all, employee failure to use certificates and the compliance problems that brings.
Common reasons for support calls include:
- Failure to publish the new certificate to the corporate global address list means that senders from Outlook and ActiveSync mobile mail applications cannot find the certificate required to encrypt for the recipient. The employee will either spend a great deal of time figuring out how to publish the certificate, or the senders will not use encryption.
- When the Global Address List is not utilized, employees need to send signed emails to each other, which in turn allows senders to extract recipients’ certificates from the signed email. This reduces effectiveness, as you cannot send an encrypted email until the recipient first sends you an email. And once a recipient renews a certificate, the sender now has an older, expired certificate. If the involved parties even realize that they’re emailing information in the clear, new certificate holders will once again have to go through the process of sending signed emails to everyone they want to be able to send them encrypted messages.
- Without automation, each employee requiring an S/MIME certificate needs to visit a self-service web portal, where they identify themselves using a shared secret, click through 5-10 screens, download the private key and certificate in a PKCS#12 file, and open the file to import the certificate to their desktop. Outlook users then need to configure the program to use the newly installed certificate.
- Each employee needs to manually back-up the private encryption key so that to enable recovery should the private key be accidentally destroyed. Otherwise email and attachments encrypted using that key won’t be available for decryption. This support problem takes two specific forms:
- The employee forgets to back-up the key and then when the private key is destroyed, past emails are unavailable for access.
- The employee backs up the private key on a USB drive along with other data files. This private key is then potentially exposed an attacker, who can brute force the encryption protecting the private key from theft.
- To setup a mobile device, the employee must struggle to export the private key and certificate from Outlook and then transfer the file containing the private key and certificate to the mobile device. Once there the employee will need to import the private key and certificate to the mail application which, due to the many, complicated, possible methods varying by mail application, will lead to help desk calls.
- Once the private key and certificate are installed on the mobile device, the employee will need to figure out how to configure the mail application to use the newly installed certificate. This will often lead to a help desk call.
- When the certificate expires in 1-3 years, the employee will need to know enough to renew the certificate to the multiple devices prior to expiry. Otherwise all recipients will receive a notification that the digital signature is not valid.
- After certificates are renewed emails from that sender in the mail server will use different keys. Without automation the employee will need to manually ensure the entire key history is available or decryption of some emails won’t be possible.
No longer do enterprises need to rely on employees to share the burden of installing or renewing certificates. Zero-Touch Deployment of S/MIME certificates is available today - and the pros of automation far outweigh the hassle (and risks) of manual management.