Email Encryption is as Much About Policy as Technology
Thoughts about digital transformation and AI for enterprise leaders and their legal & compliance advisors
These posts represent my personal views on enterprise governance, regulatory compliance, and legal or ethical issues that arise in digital transformation projects powered by the cloud and artificial intelligence. Unless otherwise indicated, they do not represent the official views of Microsoft.
One of your most important duties as a legal and compliance leader is to protect your organization’s confidential information. In an era when virtually all information exists in electronic formats that can be transmitted instantaneously to anywhere on earth, this is a daunting task. The challenges arise from both technology and policy. The foundational technology for information protection is encryption. But in the cloud era encryption comes in a bewildering variety of flavors. Choosing the right options requires careful thought about your real objectives.
Any kind of electronic information can be encrypted. But today I want to focus on the encryption of office documents, by which I mean email messages and their attachments. Of course protecting the information contained in transaction processing databases, analytical data warehouses, and repositories of CAD-CAM blueprints is also essential. But these highly structured kinds of information usually live in specialized silos with their own forms of protection. Office documents on the other hand flow everywhere in modern organizations. They also flow between organizations, and over the open Internet to consumers. Emails or their attachments can contain highly regulated information such as the health and financial data of private individuals. They can also contain an organization’s most important trade secrets or intellectual property. So getting their encryption right is critical.
To be sure, email encryption is not new. Well-established standards for email encryption such as Pretty Good Privacy (PGP) and S/MIME have been around since the 1990s. Originally designed in a PC-centric world, these solutions use the same advanced public key encryption algorithms as modern cloud-based solutions. But they are inconvenient to use and, crucially, they lack the fine-grained policy controls that are essential to information protection and regulatory compliance in modern organizations.
PC-era email encryption solutions really do only one thing: they encrypt an email on your PC and ensure that it remains encrypted all the way until the intended recipient retrieves it from the email inbox on their device and decrypts it (we needn’t delve here into the ingenious public key cryptography algorithms that make this possible). But for today’s organizations this is not nearly enough.
What more should legal and compliance leaders look for in cloud-era email encryption? Here is a partial list of essential features:
- Encrypting office documents should require little or no special effort. Ideally, this should happen by simply clicking on drop-down menu options in the user’s customary email client or typing pre-defined keywords in the message, such as “Confidential,” “HR only,” or “Attorney-Client Privilege.” Microsoft’s Office 365 Message Encryption works this way.
- Organizations should also be able to configure their email systems to apply encryption automatically to messages that contain pre-defined keywords or sensitive information in certain formats, such as social security numbers, passport numbers, or health ID numbers. Again, Office 365 Message Encryption makes this easy. Today such rules must be spelled out by system administrators who create pattern-matching templates. But in the future the process might be more sophisticated. For example, an AI might be trained to trigger encryption when it recognizes that a confidential business strategy is being discussed in a message, even in the absence of designated keywords.
- Users and organizations should be able not only to encrypt messages but also to control what recipients can do with them. For example, it should be possible to prevent the recipient from copying, printing, or forwarding an encrypted message, or even to revoke or time-limit the recipient’s ability to read the message. Both Office 365 and Gmail offer these functions.
- Users should be able to use their normal email software to read encrypted emails they receive. This has long been a challenge for organizations that need to send encrypted email to external recipients but don’t want to use older point-to-point solutions like S/MIME. For example, healthcare providers in the U.S. are obliged by HIPAA regulations to encrypt any email containing personal health data. Usually this means that patients can’t read or reply to emails from their doctors just by using their normal email software but must instead sign into a web portal. This is inconvenient and discourages fluid communication between patients and doctors. Many businesses that want to communicate with other businesses also face this problem. Requiring your strategic customers or your outside law firm to resort to such a cumbersome scheme to read your encrypted emails to them is not ideal. The latest version of Office 365 Message Encryption can’t yet eliminate this problem for doctor-patient emails, but it does solve it for encrypted emails exchanged between organizations as long as both are using Office 365. Users in such organizations can now skip the web portal and read encrypted emails addressed to them using their familiar Outlook client—including Mac, iOS, Android and web versions as well as Windows.
- Finally, encrypted emails and their attachments should not be immune from standard security and compliance checks that advanced cloud email services perform. Critically, this means scanning documents for the presence of malware or indications of phishing attacks (such as the use of URLs known to be malicious). It also includes indexing documents for legally mandated search and retention purposes, such as eDiscovery. Cloud email services such as Office 365 are designed to perform such vital functions on encrypted documents by briefly decrypting them within the protected confines of highly secure cloud data centers. For the small fraction of messages containing genuinely top secret information (are you a defense contractor sending the plans for a new submarine to the Navy?) it is still possible for customers to combine the cloud with end-to-end encryption methods—I wrote about one such option for Azure and Office 365 in an earlier post. By contrast, on-premises encryption software or gateways that encrypt all messages before sending them to the cloud prevent the cloud provider from performing these scans and thereby create significant security and compliance risks for the user organization. Allowing the cloud provider to perform these functions requires a strong trust relationship with the provider, backed up by solid proofs such as certifications, contractual guarantees, and reputation. But in the Internet era, it is no longer safe or even feasible to conduct business without this kind of trust relationship. Choose your cloud providers wisely.
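To make the keyword and pattern-matching rules from the list above concrete, here is a sketch of the decision such a rule encodes. It is an added example, not Office 365's implementation or anything from the original post; the function names, the 40-character context window, and the sample messages are assumptions made for illustration.

```python
import re

# Trigger phrases taken from the article's examples (matched case-insensitively).
KEYWORDS = ("confidential", "hr only", "attorney-client privilege")

# Candidate U.S. SSN: 3-2-4 digits, separators '-' or ' ' (both the same) or none.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# Context words required before an unformatted 9-digit run counts as an SSN.
CONTEXT_RE = re.compile(r"\b(ssn|social security)\b", re.I)
CONTEXT_WINDOW = 40  # characters inspected before the match (assumed value)

def plausible_ssn(area, group, serial):
    """Reject number ranges that are never issued, to reduce false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    hits = []
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            continue
        if sep == "":
            before = text[max(0, m.start() - CONTEXT_WINDOW):m.start()]
            if not CONTEXT_RE.search(before):
                continue  # bare 9 digits with no context: e.g. an order number
        hits.append(m.group(0))
    return hits

def evaluate(subject, body):
    """Return (encrypt, reasons) for one outgoing message."""
    text = f"{subject}\n{body}"
    reasons = [f"keyword:{kw}" for kw in KEYWORDS
               if re.search(r"\b" + re.escape(kw) + r"\b", text, re.I)]
    ssns = find_ssns(text)
    if ssns:
        reasons.append(f"ssn:{len(ssns)}")
    return bool(reasons), reasons

# Constructed sample messages, not real data.
SAMPLES = [
    ("Q3 plan", "Lunch at noon? Order 123456789 shipped."),
    ("Onboarding", "New hire SSN 123456789, start date Monday."),
    ("HR only: review", "Ratings attached."),
    ("Benefits", "Dependent number is 123-45-6789 and test id 000-12-3456."),
]

if __name__ == "__main__":
    for subj, body in SAMPLES:
        print(subj, "->", evaluate(subj, body))
```

The policy questions the article assigns to legal and compliance leaders show up here as parameters: which phrases trigger encryption, and how much corroborating context an ambiguous number needs before it counts.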
I’ve listed what I think are the most important features of modern cloud-based email encryption. The key takeaway here is that defining how email encryption in your organization works should not be treated as a solely technical issue to be delegated to technologists, because the most important choices involve matters of information safety and legal compliance. Certainly the IT team has the important job of configuring the solutions once they are chosen. But defining the objectives and requirements for the organization’s email encryption policy is the job of the legal and compliance leadership—that means you.
Microsoft has published a book about how to manage the thorny cybersecurity, privacy, and regulatory compliance issues that can arise in cloud-based Digital Transformation—including a section on encryption. The book explains key topics in clear language and is full of actionable advice for enterprise leaders. It is available for download, and a Kindle version is available as well.