Encryption and digital signatures are the most effective way to protect the confidentiality and integrity of email. They provide:
- Assurance that an email really came from the stated sender, including identification of the organization the sender represents
- A way to verify that the email body and attachments have not been altered since they were signed
- Assurance that nobody else could read the email on the mail server or in transit, because it was encrypted only to the sender's and the recipient's keys
These capabilities counter spear-phishing attacks such as business email compromise (BEC) and help meet a number of key regulatory requirements, including GDPR, HIPAA, the US Department of Defense DFARS and others.
Because S/MIME is built into the mail clients people already use, both senders and recipients keep their existing S/MIME-enabled email applications and their familiar features. Alternative approaches require separate email applications or web portals with a different user experience.
It is tempting for a company to deploy S/MIME without automated certificate management, saving money by shifting the burden of certificate management onto employees. For example, Sectigo received this request from a customer who had been relying on the manual management typical of S/MIME email certificates:
We deployed the secure email certificates to our end users four months ago and had difficulties deploying them. Although we created a step-by-step guide for end users to download and install their own certificates, we received numerous support requests to complete the setup. Is it possible to switch to Zero Touch to simplify the certificate management and installation process? YES!
Automation is an investment that costs less than the expected support calls and lost productivity of employees managing their own S/MIME certificates by hand, and far less than the worst case: employees giving up on certificates altogether, with the compliance problems that follow.
Common reasons for support calls are:
- If a new certificate is not published in the company's global address list, senders using Outlook or ActiveSync email applications cannot find the certificate needed to encrypt to that recipient. The employee either spends a long time working out how to publish the certificate, or senders simply do not encrypt.
- Without a global address list, employees must exchange signed emails so that a sender can extract the recipient's certificate from the signature. This hurts effectiveness: nobody can send you encrypted mail until you have sent them a signed email first, and as soon as you renew your certificate every sender is left holding your old, expired one. Even if those senders notice that they have fallen back to plain text, the new certificate holder has to resend signed emails to everyone who should be able to encrypt to them.
- Without automation, each employee who needs an S/MIME certificate must visit a self-service web portal, identify themselves with a shared secret, click through 5-10 screens, download the private key and certificate as a PKCS #12 file, and open that file to import the key and certificate into the desktop certificate store. Outlook users must then configure Outlook to use the newly installed certificate.
- Every employee must back up the private encryption key manually so that it can be restored if it is lost or destroyed; otherwise emails and attachments encrypted to that key can never be decrypted again. This support problem takes two specific forms:
- The employee forgets to back up the key; if the private key is destroyed, past encrypted emails are no longer accessible.
- The employee saves the private key alongside other data files on a USB drive. The key is then only as safe as the password protecting the exported PKCS #12 file: an attacker who obtains the drive can attack that password-based encryption offline and steal the key.
- To set up a mobile device, the employee must work out how to export the private key and certificate from Outlook, transfer the resulting file to the mobile device, and import it into the mobile email application. The import procedure is complicated and differs from one email application to the next, which generates helpdesk calls.
- Once the private key and certificate are installed on the mobile device, the employee must still figure out how to configure the email application to use the newly installed certificate. This often leads to another helpdesk call.
- Certificates expire after one to three years, so the employee must know how to renew the certificate on every device before it expires. Otherwise, every recipient's mail client will flag the sender's digital signature as invalid because the certificate has expired.
- After a renewal, new mail is encrypted to the new key while older mail on the email server is still encrypted to the old one. Without automation, the employee must personally retain the full key history, or some emails can no longer be decrypted.