After 40 years, email security still elusive, experts say
It's been precisely 40 years this fall since email was invented. Despite its age, however, it remains elusive to secure, a survey released this week reveals.
According to the survey, conducted by secure messaging provider VaporSteam Inc., nearly three-fourths of respondents from large companies reported that they've violated compliance rules via email. About a third of those surveyed said they did so intentionally.
While this won't surprise security professionals, it is a reminder of how difficult it is to secure even the most widely used applications, and it raises the question of why we can't make email more secure without killing its functionality. "Because people use technology," says Scott Crawford, managing research director, Enterprise Management Associates. "And email is simply copying and communicating text from one relay to another. But that simplicity hides a paradox: messaging, collaboration, social -- all these technologies are designed to enable people to express themselves. The more constraint we put on them, the more difficult it can be to use technology to communicate," he says.
Mike Rothman, an analyst at security research firm Securosis and former executive at secure email vendor CipherTrust, isn't surprised by the lackadaisical approach to email security by users. "As soon as they start monitoring outbound communications they start seeing everything that's being sent," he says. "They'll see social security numbers, account numbers, and other forms of controlled information. It opens their eyes and that's when they investigate."
"Most of the time the employees are just trying to do the right thing, emailing files to their home to get work done over the weekend. Most of it isn't malicious," Rothman says.
Experts agree there's no easy email security fix on the way, whether training or technical. "The answer is not more training and education," says John Pescatore, security analyst at Gartner. "20 years of that has not gotten us very far. More monitoring, via Database Activity Monitoring and Data Leak Prevention (DLP) is definitely needed," he says. "Monitoring to detect those conditions is important for both near term security and for figuring out what IT processes need to change so that users can get their jobs done without using email insecurely."
"Technical controls, like DLP and web content filtering, work from pretty okay to pretty not okay, depending on the technology, your goals, and the type of data you are trying to secure," says Rothman. "Every company has to evaluate the risk and the cost with lowering it, and how disruptive monitoring and DLP would be to workflow," he says.
Crawford is hopeful that there may be a technical solution, but it won't be for some time: "Enterprise Digital Rights Management (E-DRM) may help with high-sensitivity data. The idea is along the lines of Jericho Forum's concepts of protection that travels with the data. These could become more compelling as the technology matures, particularly considering the need for control in third-party environments such as public cloud," says Crawford. "It's still not widely adopted yet, however, partly because the use cases have to be compelling, and also because policy control over data is a challenge," he says.
Whatever the answer is, let's hope it doesn't take another 40 years to figure out.
George V. Hulme writes about security and technology from his home in Minneapolis. He is an avid user of e-mail. He would encrypt more of it if he only remembered where he left his private keys. And lack of encryption doesn't keep him from tweeting prolifically from @georgevhulme.
Read more about data protection in CSOonline's Data Protection section.