What’s Driving Interest in Secure Messaging?

For World War II’s “greatest generation,” loose talk, which could cost lives, was the greatest threat to security. Two generations later the threat to security is far more complex and multidimensional, but the stakes remain high. When valuable intellectual property is compromised, medical records revealed, or privacy rights threatened, there’s hell (and often big dollars) to pay.

Because of a perception that companies haven’t taken strong enough measures to protect against these dangers, governments at home and abroad, state and federal, have stepped in. And in place of warning posters, there are statutes, many with sharp teeth. A by-now-familiar list of regulations either require—or strongly suggest—that organizations adopt email encryption as an important component of their overall security architectures:

o The Sarbanes-Oxley Act holds CEOs and CFOs of public companies personally accountable for documenting and controlling business processes and systems, with intentional offenders facing up to twenty years behind bars.

o HIPAA (Health Insurance Portability and Accountability Act) regulations are aimed at protecting patient privacy. Penalties range up to ten years in prison, with fines to $250,000, for knowingly misusing individually identifiable health information.

o Financial institutions of all types—from banks and security firms to tax-return preparers, credit counselors, real estate settlement services and insurance companies—fall under the aegis of the GLBA (Gramm-Leach-Bliley Act), which includes a host of provisions for protecting consumers’ personal financial information.

o Corporations doing business globally are forced to adhere to other countries’ laws as well. There are Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the United Kingdom’s Data Protection Act (DPA) and the European Union Privacy Directive. Each specifies different guidelines or rules for the handling of private information and, in some cases, penalties for non-compliance may apply.

o It goes almost without saying that companies doing business with Uncle Sam (and the government itself) must comply with a whole raft of regulations, including FISMA (Federal Information Security Management Act), when implementing email security.

o Many states have also initiated laws relating to a company’s responsibility to maintain customer personal information confidentiality. California’s AB1950 requires businesses that store or manage residents’ “private” information to provide “reasonable security” for that data.

But regulatory compliance concerns are only part of the picture—internal governance, privacy and intellectual property protection concerns are also driving organizations to take a closer look at technologies that can protect data both at rest and in transit. Because email is the most common conduit for all types of business information, email encryption (aka secure messaging) systems are becoming more popular with organizations of all sizes.

Only a company attempting a high dive into red ink needs a government edict to explain the absolute necessity for secure messaging that safeguards information. Trouble can suddenly appear anywhere there’s a leak—being blind-sided by a competitor who’s gotten hold of intellectual property, financial information getting out to the market prematurely, social security numbers compromised. Unfortunately, the list of potential risks is long and uninviting.

What is Secure Messaging?

Secure messaging has three primary benefits: keeping sensitive information private, preventing anyone from tampering with the contents of messages, and authenticating the identity of both the message’s sender and recipient. By using encryption algorithms, the contents of sensitive messages are kept private from anyone except the designated message recipient(s). Encryption works by means of digital “keys” which, similar to keys in the physical world, lock the contents of a message so that they cannot be viewed until “unlocked” with a corresponding decryption key. One of the primary differences between the various cryptographic systems is the way they handle the generation, distribution and management of these keys.

Beyond the technical details of each encryption system, effective enterprise secure messaging systems are primarily about enforcing messaging policy. The goal is to have a system that offers administrators the greatest control and ability to quickly set and change parameters for who will (and won’t) be authorized to access specified information at specified times from specified individuals. At the same time, this has to be done without unduly inhibiting the free flow of other business communications, whether sent in encrypted form or “in the clear.”