How secure cloud content management can address email’s inherent security problem.
Starting in 2010, the U.S. State Department suffered the release of over 40 years of sensitive information, including emails, over the Internet through the Wikileaks website. This breach and its subsequent distribution would eventually catalyze events of global significance, like the Arab Spring. As they say, the rest is history, a lot of history (source).
In 2014 Sony Pictures suffered one of the most damaging corporate information breaches, as state-sponsored actors gained access to the email system which yielded embarrassing and sensitive information such as a list of passwords sent in an email attachment (source).
What these two incidents have in common (and many other breaches reported and not reported on a daily basis) is the release of sensitive email content. Few targets hold as much potential/promise/attraction as the internal discussions, sensitive files and private communications with outside parties all entrusted to a technology developed 40 years ago at a time that had little need for secure software much less an understanding of how the Internet would transform over the decades to come.
Most everyone knows that email is not secure, and the daily news cycle of the latest breach is there to remind them lest they forget. Despite this, email continues as the primary form of Internet communication and is growing 3% per year. On average, (between 2015 and 2019), taking on 89M new users a year (source). Towering at 2.8 billion email users today, email is trapped in the “damned if you do, damned if you don’t” category of communication choices for today's enterprises. Organizations deploy blood, sweat and treasure in an attempt to achieve “email security” (an oxymoron if there was ever one), but despite an eager and healthy 7 billion dollar security industry, the trends are only getting worse (source).
Many different solutions have been developed for email. Formal email standards have long been defined like PGP & S/MIME for message encryption and systems such as secure messaging portals, gateways, and technologies, like DRM, for file level encryption; all developed to protect content sent through email — but to no avail (source). I’ve been in the email business for more than 20 years and I have yet to receive a PGP or S/MIME encrypted message. What gives?
It turns out that it is far easier to hack technology and make our ever-smarter systems and software do new tricks than to force the smallest change in human end-user behavior. So, while the industry has been busy deploying shiny new buttons to protect our unprotected emails, we simply do not want to click or use those shiny new buttons. As the old adage has it, “old habits die hard”, and it seems that the older the habit the harder it dies — and few things on the Internet are older or riskier to our content than email.
To underscore this view, Dell published a fascinating study that sums up the issue:
The study notes that users are not maliciously skirting security as just trying get their work done. It’s simply that in the frenzy of modern life when we’re just trying to get things done, that extra step is one extra step too many in a life that already has us doing too many extra things.
As far as email security is concerned, we can conclude that the only real way of bringing security to email is to make it completely transparent. In other words, no new shiny buttons, no changes to how email is used, no new software to install, and no required changes to end-user behavior. Furthermore, to be meaningful to the organization, the security has to be always on — independent of how or from where the email is sent (laptop, mobile phone, Windows, Mac, etc).
In recent years, the advent of powerful and secure cloud content management or CCM platforms, like Box, have provided a viable means of sharing content without the shortcoming of email with regard to file size, content tracking and most critically, security. The main problem here is that such content 'strategies' do not natively include the predominant threat vector: email. Like it or not, email is where business is happening — contracts, orders and other critical content is exchanging hands. While many organizations have been able to convince their users to send files as cloud storage links pasted into emails, it’s a Sisyphean effort, an interminable struggle that can’t be trusted. Not everyone sends files as cloud storage links all the time or sets the correct access security on those links when they do.
If sending attachments as secure Box links is a solution but trusting the end user to do so is the challenge, what if we could automatically ensure that all attachments (both inbound and outbound) are delivered as secure Box links, set with the correct security profile without requiring any action on the part of the user? That would be ideal. The good news is that technologies, like mxHero, deliver this functionality. MxHero provides IT administrators with central control of all email attachments flowing in and out of the organization while automatically replacing the attachments with Box links configured with the appropriate security. For example, all attachments sent internally are delivered with links that only give access to authenticated employees. Now, if an employee’s email is hacked or an email is inadvertently forwarded to the wrong person, the content is protected as unauthorized users will have no access to the embedded and secure Box link. Meanwhile, attachments sent outside the organization can be delivered as secure links that automatically expire in (x) days. Critically, the creation of protected links specific for each recipient is all handled independent of the end user. For the user, they simply attach files and send them as they have always done. It doesn’t matter if the email is sent from a mobile phone, tablet or desktop. No new buttons, no new tricks.
Imagine if the Sony or the U.S. State Department had deployed a solution of this kind. How different Sony’s breach would have been if email attachments had been inaccessible as secure Box links. Imagine if when the ill-intended hackers breached the U.S. State Department's email, they discovered encrypted and secure links vs. unprotected file attachments — how different our world would be today.
Email is extremely useful and continues to expand its footprint, but it was born in another time. By transparently leveraging best of breed technologies of today including Box's CCM platform and solutions like mxHero's Mail2Cloud, organizations can continue to benefit from email’s familiarity without sacrificing their content security.
Originally posted to Medium