Email Encryption in Google Apps

Introduction

With the ever increasing rate of cyberattacks and data leaks, email security is once again in the forefront. Often required for compliance with federal and state privacy laws and regulations, many organizations also see the need for policies, procedures, and supporting technologies to ensure that private information remains private.

In this article, we explore the encryption capabilities built into Google Apps and how these features can help you meet privacy policy and regulatory compliance, but are not a full solution. We also explore the most popular email encryption services for Google Apps.

Our objective is to provide you with the information you need to assess your risk and select a solution that best meets your needs and your budget.

Built-In Encryption

Google Apps has three general classes of encryption for email that, when combined, cover the full life cycle of email.

When accessing Gmail via browser or email client, the best practice is to enforce encryption using the Secure Socket Layer (“SSL”) protocol. SSL is the industry standard for accessing web sites and services security. By forcing SSL, all of your communications from the browser or email client to Google’s systems and data centers are secure.

Once your data reaches Google’s systems, the encryption infrastructure Google has built into Google Apps takes over. Google encrypts, and otherwise protects, your data when it is “at rest” and “in motion”. This means that your data is not human-readable while stored on Google’s servers or in transit between servers and systems.

The third form of built-in encryption provides an added layer of security when you send and receive messages. Transport Layer Security (“TLS”) Encryption can secure email as it moves between sender and recipient email servers. As a best practice, we configure policy-based TLS Encryption within Google Apps to both accept encrypted messages from servers able to send them; and to send encrypted messages to servers able to receive.

Encryption is Not Compliance

While providing a reasonable level of protection from inappropriate access to your data, the built-in encryption is not sufficient to meet information privacy regulations. Laws such as the Health Information Portability and Accountability Act ("HIPAA"), and industry regulations including the Personal Card Information ("PCI") standards require more than data encryption.

Privacy laws and regulations typically include three components:

Policies and procedures that, when followed, provide appropriate data protections
A means to monitor compliance, with the ability to detect and mitigate potential violations of the policies and procedures
A defined response and resolution procedure in the event of a breach

Technology supports the implementation of these three components, but does not offer a solution on its own.

Using HIPAA as an example, you need more than encryption. HIPAA requires that personal health information, or PHI, should not be disclosed to unauthorized parties. More than encrypting the data, you are responsible to make a reasonable effort to ensure only the intended recipient can receive the information. Your HIPAA compliance needs to verify the identity of the email recipient before they can decrypt and open the message.

Encryption Options for Google Apps

There are currently three major players offering message level encryption for Google Apps:

ZixMail: A comprehensive message encryption service that includes user tagging of messages for encryption and heuristics and business rules to auto-encrypt. ZixMail also includes the ZixGateway of other ZixMail users, enabling automated end-to-end secure communications.

Google Apps Message Encryption (GAME): A private-label of Zixmail run in Google’s data center. GAME uses the ZixMail encryption engine and services, matched to the email rules capability of Gmail.

Virtru: An encryption-in-place service that integrates with Google Apps that runs in the Chrome Browser, Outlook on Windows desktops, and on mobile devices. Virtru includes features such as forwarding blocks and email expirations. Data loss prevention rules for HIPAA compliance are available at an additional cost.

As GAME is a version of ZixMail, we will look at ZixMail and Virtru in more detail. ZixMail and Virtru operate differently, each with its own advantages and limitations.

ZixMail

ZixMail operates as an email encryption gateway. Emails are sent via a secure connection from Google Apps to the ZixMail Gateway servers. Users can tag messages for encryption in the subject line or body of the message. In addition to encrypting tagged messages, ZixMail scans messages not tagged for encryption using its proprietary heuristics and any additional business rules that have been configured.

Recipients receive a message that they have a secure email. Clicking the link, the recipients are directed to create and verify their identity and to setup a password that they can then use for any future secure messages received via Zixmail. Once verified, recipients can access the message, reply, and download attachments. Messages remain available for a set period of time.

If the recipient also users ZixMail, encrypted messages are decrypted before delivery to the recipient’s inbox, as the system knows that the connection is secure and the recipient has been validated.

Virtru

Virtru operates by encrypting messages in-place, before they are sent, and decrypting them after they have been received and saved. As such, Google Apps will be storing email messages that have already been encrypted by Virtru. Users trigger encryption after installing a Chrome extension or Outlook Add-On, turning on the feature, and selecting “Secure Send”. Optionally, and at an additional cost, you can implement rules that will scan all other messages for possible PHI and HIPAA compliance.

Recipients receive a message notifying them that they have a secure email. Clicking the “Unlock Message” button, the message will be decrypted if the recipient has Virtru. If the recipient does not have Virtru, they are directed to a secure reader in a new web browser tab. The recipient will verify their identity via a “Verify Me” link sent to the recipient. Once verified, the recipient can read the message and reply securely. Because Virtru encrypts in place, messages do not expire.

If the recipient installs the Virtru browser extension (or Outlook Add-On), future messages will decrypt without opening the secure reader in a browser tab.

PROs and CONs

Both services support HIPAA, PCI, Personal Identifiable Information ("PII"), Family Educational Rights and Privacy Act ("FERPA"), Security and Exchange Commission Rule 17 ("SEC 17"), Financial Industry Regulatory Authority ("FINRA)", and Consumer Financial Protection Bureau ("CFPB") compliance. While priced comparably for most small and mid-size businesses, ZixMail and Virtru each have their advantages and limitations.

ZixMail

ZixMail provides compliant services for HIPAA, PCI, PII, FERPA, SEC 17, FINRA and other regulatory standards and requirements.
As a gateway based service, Zixmail does not require any browser extensions or Outlook add-ons, reducing the impact or potential for conflict with other software.
The ZixDirectory enables transparent encryption between users of ZixMail, reducing the need for recipients to use the portal for authentication.
Because ZixMail encrypts messages after they are sent and decrypts them before they are received, Zixmail does not interfere with Google Apps Vault or other archive/ediscovery services. In Vault, you can search, flag, and export messages in clear text and without the need for additional processing or tools.

Virtru

Virtru requires a browser extension or Outlook plug-in to operate correctly. Browser selection is limited to Chrome. Virtru can impact performance, and the extension may conflict with others installed the user.
With encryption in place, Virtru provides compliant services for Criminal Justice Information Services ("CJIS") and International Traffic in Arms Regulations ("ITAR") in addition to the regulations listed above.
With encryption in place, Virtru encrypts messages before they are sent and decrypts them after they are received. If you use Google Apps Vault, the Vault will archive the messages in their encrypted form. In order to read messages in Vault, you will need to export them and use a separate decryption utility (at an additional cost). In addition to the extra cost, this process introduces additional steps and due diligence when producing content under subpoena. You will need to manage discovery matters, audit trails, and chain of custody outside of the Google Apps Vault system.

Picking Your Solution

When deciding which Google Apps email encryption solution is right for you, consider the following checklist:

Are you using Google Apps for Work or Google Apps Unlimited?
Are you running Google Apps Vault or another email archive/discovery service?
What are your regulatory compliance requirements? Which standards must you meet?
What are your internal policies regarding information privacy and protection?
Which individuals or groups need email encryption to safely and effectively perform their jobs? How many people are included?
How do you access Google Apps/Gmail: Chrome browser, MS Outlook, mobile devices, other browsers or email clients?

Answering these questions will help guide you to the solution that best matches your needs and will help you avoid unnecessary costs.