Email Encryption: Better Protect Office 365
Are you one of the many organizations that have decided to move to Office 365? If so, you must have made this decision for a variety of business reasons, including cost savings, infrastructure simplification, and flexibility. While there is no doubt that such a decision is sound and will quickly provide a noticeable return on the investment, given the nature of cyberspace, it also makes your company susceptible to cyber exploits.
Although I imagine and understand that privacy may not be a top priority for your deployment, I believe that it soon will be. It is needless to mention the reasons to secure sensitive communications, whether with your customers, employees within your organization, or other organizations you deal with. Securing Personally Identifiable Information (PII) is something that every organization is required to be concerned about, especially when communicating via email.
Regardless of the industry, there are many rules that govern the use of PII across the globe, such as HIPAA (the Health Insurance Portability and Accountability Act), PIPEDA (the Personal Information Protection and Electronic Data Act), as well as the EU’s Data Protection Directive. These rules mandate that companies protect the personal information of their users and customers.
Now the question is, can Office 365 provide the appropriate level of protection for sensitive email communication? The answer is yes.
However, there is a “but” and the “but” is – the encryption capability within Office 365 is neither robust nor easy to use. Ease of use has a direct correlation to the willingness of the sender and recipient to readily adopt encryption in communications. Ultimately, the frustration caused by the complexity and inflexibility of encryption technology leads users to give up on it. Unfortunately, this is a reality in many organizations.
Trusting Office 365 with my sensitive data
But, there is a silver lining. There are robust (and simple) ways to handle sensitive communication which don’t include having to rely upon what comes with the standard versions of Office 365. I encourage you to examine whether Microsoft’s native capabilities are sufficient for your company’s security and privacy. If you do, you will determine that there are indeed security gaps in the software. You should then examine third-party alternatives. This will help ensure the capability to effectively implement policies that are required to strengthen your business processes.
I regularly hear from IT professionals and business leaders that securing communications through encryption is a complicated and inflexible process. Imagine having a simplified option for a sender and recipient to facilitate sensitive email communications. Isn’t that an ideal image?
Simplicity equates to adoption; adoption equates to compliance, and compliance eliminates the potential of your organization’s name appearing in the news for all the wrong reasons. Can your Office 365 environment give you the simplicity and the flexibility to ensure the adoption of and adherence to encryption protocols in multiple use case scenarios?
I assume you wouldn’t be reading this article if Office 365 didn’t have any limitations.
Some of the things that you should consider when evaluating the encryption capability within Office 365 include:
- New recipients must provide sensitive information to create a Microsoft account to then read an encrypted message, or receive a one-time password sent in clear text;
- When encrypted messages are sent via the Office Message Encryption (OME) Viewer app or the encryption portal, the sending email address is Office365@messaging.microsoft.com;
- Encryption options do not include S/MIME, PGP, Ad hoc encryption or Portal-based encryption;
- Users cannot track the usage of documents;
- Users cannot revoke access to documents;
- Android and iOS devices require access via a downloadable viewer (OME viewer app).
The registration process for new recipients (referenced in point 1 above) involves a 9-step process in order to get an account, and if you don’t want a Microsoft account, your options are even more limited. The only real alternative is to ask for a one-time password that is sent in clear text, which is not something I would call secure. There has to be a better alternative, and preferably one which would also seamlessly integrate the encryption solution with the mobile experience, because do we really need another app to view an encrypted email?
Now, if privacy is a priority within your organization, I understand that you need an enhanced encryption capability as an add-on to Office 365 – one that makes encryption easy. That is to say, an encryption platform that gives you the flexibility to vary the encryption process for differing use case scenarios – a platform that comes with policy templates that are industry specific.
When sending an encrypted email there may be a need, based on the type of information and the needs of the recipient, to have a shared passphrase, a system-generated verification code or even no password. How about leveraging open authentication to have the recipient use passwords they already trust from sites such as LinkedIn, Facebook or Twitter? Think about having the capability to use text messaging to create a two-factor authentication process for communications.
When you look at the many use case scenarios that you will implement to send specific information to specific recipients, the limitations within Office 365 become clear. What happens when you need to enable an encryption delivery method not supported through Office 365? Encrypted Portal and PDF are two delivery methods that are being used a great deal by companies across many industry verticals – will you just ignore these?
And what about branding? There is very little flexibility to brand your encrypted communications with Office 365. As with any communication outside of your organization, it should represent your brand. Again, you must look to an add-on capability to ensure you have the ability to reinforce the brand of your company.
When addressing the secure email communications requirement, many organizations will need something more than what comes standard with Office 365, and flexibility will ensure your encryption compliance processes are adopted and adhered to.
You have deployed Office 365 and now it is time to think about how you will secure communications. This is one area where it is critical to be proactive and not reactive, because a reactive approach could lead to undesirable outcomes. Why not think about an email encryption solution that is cloud based, pervasive across the web, mobile, and desktop, policy template driven and fully integrated with Office 365?
Hopefully my article has provided you with substantial knowledge and provoked some ideas on how to enhance your Office 365 deployment to effectively deal with the ongoing need to secure sensitive email communications.
If you would like to find out more about how to avoid missteps in the implementation of your compliance process and sure ways encryption can better protect Office 365, the additional content listed below may be of interest.
- Watch our VIDEO Office 365 | Securing Mobile and Desktop
- Read our BLOG Making it Easier to Secure Office 365, From Anywhere
By Randy Lenaghan, VP Sales Echoworx