E-Mail is the standard electronic business communication tool today. Let’s evaluate how secure E-Mail communication is using the C-I-A Triad primary security principles of Confidentiality, Integrity, and Availability.
Confidentiality refers to the fact that the data is restricted from unauthorized access. This applies to the data while in storage, in processing and in transit. Today’s E-Mail system work per default on plain text E-Mails. The access is gated by user’s username and password to the E-Mail system which provides some protection for the average user. However malicious actors can get access to the data when stored on the endpoints or when in transit as the information is not protected with additional encryption.
Integrity is the principle that the information can’t be altered. In case of E-Mail, we can look at two aspects here which is identity of the participants and content of the message. The identity of the participants, especially the originator of an E-mail can be obscured. This is often done in phishing attacks as the displayed name of sender can be freely chosen. The attacker would impersonate a known entity, such as a company or person, by changing the display name and, hence obscuring his identity. The second aspect is the content of the E-Mail. An E-mail could be intercepted on the way between the sender and receiver by a malicious actor and the content altered. This is possible as the message is sent in plain text and there is no hashing verification of the original content.
The third principle is availability which refers to the fact the E-mail system is available. With today’s technology the availability or an E-mail server or mail transfer agents is not a problem as they are located in high availability environments. What is more a concern is the availability for the user. On Desktop systems E-Mail can be easily accessed but on mobile devices the availability is not often guaranteed especially if you factor in also the two other security principles of confidentiality and integrity. To improve the two other principles of the C-I-A Triad organizations must lock down access to E-Mail systems from certain devices, such as mobile phones, hence restricting the availability.
Now one might argue that is all true but only for a non-protected E-Mail system and we have the possibility to make E-Mail systems secure using S/MIME encryption technology. This is true but there are a few caveats one needs to be aware of when using S/MIME with E-Mail.
First, the identity of participants in an E-Mail system can be verified with the S/MIME certificates. This ensures the integrity of the system. Second the communication between two participants can be encrypted using S/MIME certificates which ensures that messages can’t be read or altered. This ensures the confidentiality of the system. S/MIME encryption can also be expanded to mobile devices which enables the availability for the user.
This is all true, but the implementation of S/MIME in an E-Mail environment is not a simple task. To start with to identify the participants each participant needs a personal certificate. To achieve that a PKI must be integrated into the E-Mail system. This enables easy communication between participants within the same system but communication with external participants still requires a pre-communication key exchange. This is where we end up with the inefficient “Please send me a signed E-Mail so we can securely communicate” setup. The distribution of S/MIME to mobile devices also provides a challenge since various E-Mail clients are used and the procedures vary widely. Lastly, we need to consider the human factor. It’s not mandatory to encrypt the E-Mail conversation and many people will just not do it because of the additional effort.
Yes, securing E-Mail communication with S/MIME certificates is possible but it also not easy.
What’s the alternative?
The Biocoded Secure Communication Platform can ensure that people can communicate freely while protecting the information according to the C-I-A Triad security principles.
The confidentiality of the information is ensured as information is always encrypted. No matter if the content of a message is stored on the devices, processed or in transit it’s always encrypted. There is no possibility that a malicious actor will be able to access the information in plain text at some stage. Even taken over the device on which Biocoded is running will not give the malicious actor access to the information as this protected with encryption independent of the operating system. In addition to breaking into the device a malicious actor would need to hack Biocoded as well.
As for integrity the Biocoded secure communication platform ensures that no impersonation can happen as participants on the platform need to be authenticated. Participants can find each other through an address book in which only registered users are shown. In addition, Biocoded ensure that before a secure channel is established between two participants it’s checked that both users are authenticated on the platform. Because of this no impersonation is possible. Also, the content of messages exchanged are hashed and verified hence altering a message is not possible.
Biocoded also provides a wide support of platform for users including mobile devices. This makes it effortless to expand the availability to mobile devices and enable communication any time even if the participants are not in the office. This enhances the availability of the communication platform beyond the of E-mail configuration. While confidentiality and integrity is not compromised, and no additional efforts are needed to implement secure communication.
On top of providing a more secure, authenticated, and available platform for your E-Mail like communication via messages, files, and media it’s also possible to directly contact the participants via voice and video calls. This is as well done in a secure fashion so no ears dropping is possible.
Find out more how to make your communication more efficient and secure contact us here.