
Why automated S/MIME issuance pays off twice

Companies in all industries rely on email as an essential communication method that helps customers, employees, partners, providers and more interact. Since private and confidential information is sent via email every day, it should come as no surprise that email encryption tools such as S/MIME have become an important part of corporate security.

The use of encryption and digital signatures remains the best way to ensure the integrity and privacy of email communications. Using tools such as S/MIME, the user can check whether the email is actually from the supposed sender and whether the content of the email (or the attachments it contains) has been changed in any way, and can proceed with the certainty that nobody other than the intended recipient has read the email.

These features are important weapons in the fight against business email compromise fraud. Digital certificates also play a crucial role in helping companies meet legal requirements, such as the strict GDPR requirements that organizations worldwide operating in Europe must meet. S/MIME offers an elegant solution: with S/MIME encryption, both sender and recipient can use their existing S/MIME-enabled email applications, whereas other solutions are likely to require a new, separate email application or a cumbersome web portal, where the recipient would have to perform the risky operation of clicking a link in an email. S/MIME stands for email security made easy. S/MIME ensures that the email is encrypted on the sender's and recipient's mail servers, an important layer of defense, especially if the mail server is in the cloud.

Without automation, the user has to configure sophisticated email applications such as Outlook, shown here.

The costs that arise if provisioning is NOT automated

Automatic certificate management is not a requirement for S/MIME, but it is strongly recommended. If you leave the burden of certificate management to your employees, you may save some money in the short term, but problems will almost certainly arise in the long run. A Secorio customer described the experience of not using automatic certificate management:

“We deployed the secure email certificate to our end users four months ago and [were] faced with deployment difficulties. Although we have created step-by-step instructions for end users to download and install their own certificate, numerous support requests have been received to complete the setup.”

The difficulties associated with manual certificate management prompted this customer to adopt a zero-touch management solution, which finally brought automatic certificate management and installation into their solution. In most cases, setting up this automation costs less than a single support call, and it saves employees valuable time because they no longer have to manually manage their S/MIME certificates.

The cost of lost employee productivity is also noteworthy. For example, if a junior lawyer in a law firm (who charges clients EUR 200 per hour) spends at least half an hour installing a digital certificate on their iPhone, and support staff (paid EUR 100 per hour) need the same amount of time to fix an incomplete or muddled installation, the company has spent EUR 270 just on providing a digital certificate, more than five times the cost of a zero-touch S/MIME certificate that could be provided to the user automatically.

Avoid painful problems

Without automation, the risk of exposure through human error increases dramatically. How does automation help? Below are some of the most common problems caused by manual certificate management. Most (if not all) of these problems can be solved with effective automation:

  • Failure to publish a new certificate. If a new certificate is not published in the company's global address list, senders using Outlook and ActiveSync mail applications cannot find the certificate they need to encrypt for the recipient. The employee either spends a lot of time trying to figure out how to publish their certificate, or the senders do not use encryption.
  • Failure to use the global address list. If the global address list is not used, employees must send signed emails among themselves so that the sender can extract the recipient's certificate. This limits the effectiveness, as an encrypted email can only be sent once the recipient has replied to the email. This works until the recipient renews their certificate and the sender still has the older, expired certificate. Once the cause of the problem is identified, a new signed email must be sent to everyone the sender wants to communicate with.
  • Problems with the self-service web portal. Without automation, every employee who needs an S/MIME certificate must visit a self-service web portal. There they have to click through 5-10 screens, identify themselves using a shared secret, download the private key and certificate in a PKCS #12 file, and open the file to import the certificate to their desktop. They then have to manually configure Outlook to use the newly installed certificate.
  • Ineffective private key storage. The employee must manually back up their private encryption key so that emails or files can still be decrypted if the private key is accidentally destroyed. This can result in two types of support problems:
    • The employee forgets to back up the key and can no longer access their previous emails if the private key is destroyed.

Some providers state that they offer a backup of the encryption key. However, the customer has to implement it on site, with additional hidden costs.

  • Problems installing on mobile devices. Many employees have problems exporting the private key and certificate from Outlook when setting up a mobile device. They need to transfer the private key and certificate file to their mobile device. Employees then have to import the private key and certificate into the email application, which can be problematic because different email applications require different methods. Once the private key and certificate are installed on the mobile device, many employees have trouble configuring the email application to use the newly installed certificate.
  • Bad renewal management. Because the certificate expires in 1-3 years, the employee must renew the certificate on each device before it expires. Otherwise, all email recipients receive a notification that the digital signature is invalid, which interrupts communication. Even worse, the recipients ignore the errors caused by an expired certificate, making the solution ineffective.
  • Decrypting older emails. After certificates are renewed, the emails stored on the mail server must be accessed with different keys. Without automation, employees have to manually check that the entire key history is available. Otherwise they cannot decrypt the older emails. This leads to help desk calls, or worse, some emails related to a lost key cannot be decrypted.

These problems can be frustrating for users and clearly illustrate how ineffective certificate management can negatively impact the security and reliability of a company's communications.

S/MIME is an important and user-friendly email encryption tool. Adding zero-touch S/MIME makes installing and renewing the many certificates in an organization easier and cheaper than ever.

More information can be found in the Sectigo Zero-Touch Deployment S/MIME product video.