2. Adventures in Secure Mobile Email
A Voltage Whitepaper
Sending and receiving encrypted email with sensitive data should be a lot easier to do. But
it ends up being something painful, and as a result we tend to avoid this protection. Haven’t
we all been schooled that sending emails in plain text is like having a post card plastered to
the wall of your local coffee bar? Haven’t all the various exploits with stolen credit cards and
hackers breaking into various Web-based email services been warning enough? Apparently not.
Oddly, this summer marks the eleventh anniversary of identity-based message encryption
with more than a billion secure messages being exchanged annually. But that still pales in
comparison to the many insecure messages containing sensitive data being exchanged in the
clear.
Certainly encrypted email still isn’t very common practice, despite this impressive statistic.
In the many years since encrypted email was first invented in the mid-1990s, we have seen a
lot of progress, at least from the technology side of the house. We have some standards, we
have some multi-vendor interoperability, and we have some products that don’t require a PhD
in cryptography to install and use. There are some terrific products that make encrypting and
decrypting emails almost effortless, and relatively inexpensive to widely deploy across small
and large enterprises.
Obstacles to Widespread Encrypted Email Use
But despite these improvements, using secure email is still not widely adopted. There are
several reasons why:
First, as we all know, unencrypted emails are very easy to send and encryption can add extra
steps. Some certificate-based systems are too complex: most end users don’t even know what
a public key certificate is or how to use it.
Second, many IT admins are still under the mistaken impression that securing their email is
either expensive, cumbersome, or requires a symmetric key solution for both recipients and
senders. None of these are true today, although they were for many years. Maybe someone
should send these IT managers a message! Some products even have Outlook plug-ins to make
the whole process even easier for the user, and the latest identity-based encryption products
are simple to use without compromising on security.
Third, many businesses have to comply with ever-present regulations around communication
of sensitive data, and the processes that support it, like legal e-discovery and archiving.
The latter can be a big deal. Companies even resort to sending sensitive data on media via
snail mail with all the risks that come with it, unaware that technologies like identity-based
messaging can solve both problems.
Finally, there is the biggest obstacle yet: more people are using mobile devices that don’t have
very good email encryption experiences. Let’s take a closer look at this.
The Mobile Encryption Experience
Today’s knowledge worker isn’t just using their Windows or Mac desktops, but a variety of
iOS, Android and BlackBerry mobile phones and tablets to communicate. Indeed, in many
organizations the iPad has become the de facto executive dashboard, and many people
have moved to using their mobile device as their exclusive communications tool. Gartner
predicts that worldwide tablet sales will reach 119 million units by the end of this year [1] and
that enterprise tablets will comprise more than a third of total tablet sales in 2015. As
one example, many school districts are buying them for all of their students to facilitate
homework completion and communication after school hours. This represents yet another
reason to encrypt emails with sensitive data.
Most end users think of their mobile devices as their own, even if they were purchased with
the company’s credit cards. They think nothing of using them to transmit sensitive corporate
data or just making whatever copies they need of business documents to take along.
But they are a corporate asset, and need to be protected accordingly. That is a challenge.
Given that a smartphone is lost or stolen every 15 seconds, that is a lot of data that is just
ripe for the picking. We don’t think about what would happen if our mobile phone or tablet is lost or
stolen, and whether our corporate email traffic is saved on it. To make matters worse, about
half of business users don’t even protect their devices with a simple four-digit power-on PIN [2].
On top of these issues, the secure email world has lagged behind this influx of tablet
purchasing. If we want to use encryption, we have to go through multiple steps to make it
happen on a mobile device. We have inconsistent delivery methods and clunky workflows to
compose, send, and receive encrypted emails. We have to use a Web-based email solution,
or add a special proxy server, or handle certificates that bring us back to the mid-1990s
before identity-based encryption was commercially available.
The native iOS and Android email clients don’t support much in the way of encryption
outside of an SSL connection, which only protects the data from the mobile to the server, not
before or after. The iOS email app has basic S/MIME PKI support but it’s just too complicated to
use, especially for ad-hoc secure messaging which is typical in today’s on-demand socially
connected world. And most of the third-party mobile email clients don’t do much to add any
security to the attachments or messages accessed by a tablet or a smartphone.
Finally, one additional challenge: many enterprises are encouraging their customers and
partners to use their mobiles to communicate with their brands, making it more difficult to
keep private information secure on non-corporate owned devices too.
Mobile Data Security Options
To truly protect your email and data from getting hacked, you need an approach that looks
at the entire end-to-end process and protects all of the various components, including the
message body, the header, the attachments and any replies. This needs to be secured
wherever the email goes – including desktops, applications and mobile devices. The intended
recipient should be the sole entity that can decrypt any of these components.
[1] http://www.gartner.com/it/page.jsp?id=1980115
[2] http://www.cioinsight.com/c/a/Latest-News/Identity-Fraud-Victims-are-Smartphone-Social-Media-Users-Report-187247/
Let’s look at three different intended solutions: mobile device managers, cloud-based
file sharing services, and Web email clients. Each falls short of this goal when it comes to
protecting the entire email data chain.
There are over a dozen different mobile device managers available today. These are tools that
provide a secure container to protect files and data on the mobile device. That is great, but
what happens if emails or sensitive data are saved to your phone outside that container? What
if you send an email from the container to an external recipient that doesn’t have the same
setup? And while many MDMs are great at deactivating a lost or stolen phone, they do add a layer
of complexity and detract from the overall ease of use of the native email experience. They
are also ineffective when it comes to protecting the email end-to-end on your smartphones and
tablets.
Another solution is to use one of the more than a dozen different cloud-based file sharing services
that are designed for consumers. These tools are extremely easy to use and were originally
developed to get around file attachment size limitations of older email products, but have
since mushroomed. A recent report shows these services represent about 15 percent of total
network bandwidth consumed and their use is growing faster than any other application
category. At least one browser-based file sharing application was detected on 89 percent of
the participating organizations’ networks, and an average of 13 different file sharing apps were
found on each customer’s network [3].
Cloud file sharing services aren’t easy to manage from an enterprise perspective. Many of
these services have other hidden limitations. Even when IT is aware of their use, the services
generally lack transaction logging, which makes document control problematic. And some
of these services aren’t as secure as their vendors advertise, or have questionable privacy
policies. That’s a red flag to a compliance officer.
A third solution is to use the Web-client options of many email encryption products. While
these will work with mobile browsers, they still aren’t as easy to use as the native email apps
that come with iOS or Android operating systems. Some of these products can only read and
not compose encrypted messages, and some still make use of the older and cumbersome
symmetric key solutions.
Voltage’s Mobile Email Security Solution
What is needed is a special app for mobile devices that can secure emails, but do so with the
involvement of centralized authentication and message management policies that can be easy
to maintain by IT staffers, where granular security policies can be created and enforced. That’s
where Voltage’s SecureMail Mobile Edition comes into play.
The app has several advantages over other mobile encryption products. First, it is dirt simple to
use: a few taps or clicks and you can be sending emails securely. Secure messages are received
in the native email applications and opened with the Voltage app. The software mirrors the
same user interface that is native to the particular mobile device, so an iPad or Android user is
comfortable using the Voltage email application with the same familiar controls and integration
with the mobile’s existing contact list. There is no certificate management or downloading
cumbersome attachments to be read in the mobile’s Web browser, and it makes use of identity-based
encryption to simplify the process to communicate among correspondents who have
never used encryption software before on desktops or mobile devices. It also integrates into
the existing iOS or Android address books. The app can be found on the Apple iTunes Store
or Google Play, so it is easy for end users to download, provision themselves and register the
app to securely correspond with enterprises enabled with Voltage SecureMail.
[3] http://www.paloaltonetworks.com/aur
The mobile edition is another extension of the Voltage SecureMail family of products that
have been around for several years and deployed by millions of end users and thousands
of enterprises. The Mobile Edition works with the existing security and centralized policy
enforcement and compliance settings too. The management console is a clean Web-based
interface that has added a new series of menus for handling the mobile client: you can disable
all mobile access with the click of one button, force end users to re-authenticate periodically,
and set up new mobile-oriented encryption policies. For example, IT managers can create
policies to block forwarding emails to non-trusted domains, or require certain compliance
actions such as forwarding a copy of all mobile emails to the original sender.
The Voltage SecureMail Mobile Edition satisfies the most stringent security requirements. All
traffic is encrypted in transit and on the mobile device itself, so no worries if an email falls into
the wrong hands. You can require users to re-authenticate themselves periodically as part of an
overall IT policy enforcement. Files from email attachments that are stored in the mobile device
inbox are also encrypted. Documents can be shared with external users outside your corporate
domain with another global policy setting, and specific users’ email IDs can be whitelisted or
blacklisted, depending on circumstances.
We have come a long way in the many years since encrypted emails have been possible, and
Voltage with its mobile software represents the next step in this evolution towards making it
easier and part of the normal messaging workflow.
About the Author
David is a world-known expert on networking and communications technologies. Whether
you got your first PC at age 60 or grew up with an Apple in your crib, Strom can help you
understand how to use your computers, keep them secure, and understand how to create
and deploy a variety of Internet applications and services. He has worked extensively in the
Information Technology end-user computing industry and has managed editorial operations for
trade publications in the network computing, electronics components, computer enthusiast,
reseller channel and security markets.
Voltage Security, Inc. www.voltage.com