Email Encryption – are you prepared?


So, GDPR – are you all sorted? Hope so, and if you’re not, feel free to contact CSE on sales@cse-net.co.uk or 01993 886688 if you have any questions.

Today though, I’m going to concentrate on one of those aspects of GDPR we’ve all been trying to ignore – email encryption.

GDPR requires us to secure people’s personal details, and recommends that files or data that hold those details are secured or encrypted. We would like to think it is as easy as clicking that Protect button in Outlook, then the email message will be encrypted and it’s all sorted…nice try. Not that easy.

Before you understand how to do it, you need to know why it isn’t that easy. If you send an encrypted message to someone, the only way they can decrypt it is to have an encryption key, a digital certificate or some other way of proving they are the person who is the true recipient of the email. Just because they own the email address that you sent the message to, it doesn’t automatically allow them to decrypt your message.

The 'proper' way

The proper, secure way to do this is to get a personal digital certificate; have your friend get a personal digital certificate; upload them to the Global Address List; then digitally sign emails between yourselves. You should then be able to send an encrypted email to each other. It’s not as easy as you’d think though – I’ve been working with networks for nearly 20 years, and when I tried to get this going with one of our engineers it took quite a bit of messing around; so how can you possibly expect to roll this out to 100 teachers, expect them to know what to do, and expect everyone they might ever email to do the same?

You can (in theory) do it for them, by setting up a certificate store and using PowerShell to extract digital certificates, then publish them to the Global Address List; but this is hard work, doesn’t allow for external users well and errors are extremely difficult to resolve.

Is there an easier way? Yes, actually there is (don’t confuse easier with easy, but there’s definitely a better way!).

The easier way

We are all at an advantage here, because schools get Office 365 for free, and if you have it we can use Microsoft Office Message Encryption (OME) to do everything we need to do. All you need to do is activate Azure Rights Management on your tenancy and OME is activated for us. Then we just need to configure our encryption.
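
The activation and checks described above, sketched as an added PowerShell example (not CSE's own configuration). It assumes the AIPService and ExchangeOnlineManagement modules are installed and that you sign in as a tenant administrator; admin@contoso.example is a placeholder address.

```powershell
# Added example: run from an administrator workstation.
# admin@contoso.example is a placeholder; substitute a real admin mailbox.
$Admin = 'admin@contoso.example'

# 1. Activate Azure Rights Management on the tenancy if it is not already on.
Import-Module AIPService
Connect-AipService
if ((Get-AipService) -ne 'Enabled') {
    Enable-AipService
}
Disconnect-AipService

# 2. Tell Exchange Online to license messages through Azure RMS (this is OME).
Connect-ExchangeOnline -UserPrincipalName $Admin
Set-IRMConfiguration -AzureRMSLicensingEnabled $true

# 3. Show the encrypt-only option in Outlook on the web.
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true

# 4. Confirm the settings and list the protection templates users will see.
Get-IRMConfiguration |
    Format-List AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled
Get-RMSTemplate

# 5. End-to-end check: fetches templates, then test-encrypts and decrypts
#    a message for this sender. Every stage should report a pass.
Test-IRMConfiguration -Sender $Admin -Recipient $Admin

Disconnect-ExchangeOnline -Confirm:$false
```

If step 5 reports a failure, send nothing sensitive until it passes: a tenant with licensing enabled but no reachable templates will not protect the message.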

I’ve set it up within CSE and it works a treat; I’ve set it up to allow you to choose the following when you compose an email:

  • set the email to be encrypted and only viewable by anyone signed in to a company email address
  • set the email to be encrypted and only viewable by anyone signed into a company email address,
    and do not allow anyone to copy, print, forward or edit the email
  • Do Not Forward – encrypts the message, allows sending to anyone in the world but does not allow
    anyone to copy, print, forward or edit the email
  • Encrypt – encrypts the message only

You don’t need to set up any certificates; you don’t need the recipient to have any certificates; you don’t need to set up digital signatures or have any previous contact with the person you are sending the email to.

When a recipient gets an email, they receive a message saying you have sent them a ‘protected’ message. They then click a button to read the message. If the recipient is on Hotmail, or Office 365, or Gmail for instance, they temporarily sign into Office 365 by clicking the button – it’s quite seamless – and they read your message (their link is available for a period of time specified by you). If they are on a service that does not support the required authentication, they click a button to ask for a one-time code, which will unlock the message for them.

Even non-technical users can understand what to do to read the emails they’ve been sent. It’s miles better than setting up a huge certificate store which will only support users who have a certificate themselves. OME allows you to send messages securely to anyone in the world.

What’s more, the fact that we are setting this up in Office 365 means you can apply all the protection discussed above to your Office 365 documents. All the options are displayed in a new Office bar where the user just clicks once to apply the correct encryption to the document in question. Simple.

It’s not a perfect solution – for instance the encryption-only email option is only available in Web Outlook until an Office 2016 update later in the year, and it’s not the most intuitive set up. That said, this will tick any school’s GDPR list for email encryption and will genuinely supply what you need, whilst making it relatively simple for end users to manage.

So, if you require email encryption to be set up for your school (or Office 365 for that matter), contact your CSE Account Manager on 01993 886688 or sales@cse-net.co.uk and we can sort it all out for you.

Stewart Priestley is Technical Director at CSE Education Systems Ltd.
