The purpose of this article is to identify the concerns and considerations involved in changing or adopting e-mail policies to permit the sending of confidential information.
Most of the concerns in this article are centered on the human aspect of e-mail systems and not on technology. For the purpose of this article I will assume that confidential information is information that is currently secured within databases or other systems that require security authorization to access. I do not consider other confidential information, such as business knowledge held by individual users.
Once an entity decides to allow individuals to e-mail confidential information, the users will automatically assume that all aspects of the e-mail system are secure. This is a natural tendency, since the users are accustomed to systems with all-encompassing security. An average user does not normally question the security of their enterprise database system. Most will assume that if the system lets them perform a task, the task is within their authorization and is acceptable. This is a risky attitude for an e-mail system, since e-mail systems are designed to be very open, with direct channels to both internal and external entities. The following lists some concerns with using e-mail systems to send confidential information:
Reduction in granularity of security. Normally, systems that process and contain confidential information have security mechanisms that control access to information at the individual user level. A user of an e-mail system should not be expected to have this same level of control, and even if they did, their knowledge of who is authorized would quickly become out of date. Once a user sends confidential information in an e-mail, they are making the security decision that the receiving user should have access to the information.
Accidental dissemination of confidential information. Most users of e-mail systems will admit to having sent an e-mail to an incorrect recipient. The way in which e-mail clients try to help us, by presenting an e-mail address as a person's name and by auto-completing addresses as we type, contributes to the risk of sending to the wrong person.
Intentional or unintentional re-routing of e-mail. Most e-mail clients allow a user to define rules for routing e-mail. A common case is a user who does not have a company-issued smartphone but wants to receive e-mail on a personal phone. The user can simply define a rule within their e-mail client to forward a copy of all their e-mail to an external address, and confidential information then leaves the organization without any review.
Many of these concerns can be addressed by technology. Here is a breakdown of the technologies you would need to implement to help control the e-mailing of confidential information:
Data loss prevention (DLP) - These are systems that combine both endpoint protection and gateway protection. Most of these systems are built to identify confidential information both at rest and in motion; e-mail protection relies primarily on the data-in-motion component. The more sophisticated systems have a workflow built in, so that if an e-mail is found to contain confidential information it can set off a chain of events. The workflow action may be as simple as blocking the e-mail, notifying the sender, or notifying a supervisor or the security office. The choice to send or not send the e-mail may also be given back to the user.
Encrypted e-mail gateways - These systems give a user the ability to encrypt confidential information as they e-mail it. If the receiving party cannot decrypt the e-mail in their client, they are given a link to retrieve the e-mail from a secure web site. Most implementations do not encrypt all outgoing e-mail but leave it to the users to decide what should be encrypted.
There is a significant cost to implementing and maintaining these technologies, and the solutions that address these issues are not 100% accurate. They may significantly reduce the incidence of data loss, but they will probably not eliminate it.
To achieve higher confidence in the technology solution, the system will probably become more cumbersome than it previously was, and it will add significantly to your administration costs. As you tighten the data controls, more human intervention will be needed. Many organizations already see a need for DLP solutions, so this may not be an additional software/hardware cost. There certainly will be an added cost due to the policy change: more incidents will occur, and therefore incident management costs will increase. There is a major cost increase in solving the problem of reduced granularity of security. A lot of resources, both technical and human, are needed to solve the granularity problem. You would need to build your ERP security rules into the DLP rules, so that DLP protects data passing from one user to another instead of protecting only at an institution level.
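The following is an added illustration, not code from the article or from any DLP product, of the workflow described under DLP above combined with the granularity point just made: a per-recipient entitlement table standing in for ERP security rules decides whether an outbound message is allowed, routed through the encrypted gateway, or blocked. The entitlement table, the detectors, the domain and the sample message are all constructed for the example.

```python
import re

# Constructed stand-in for ERP security rules: which confidential data
# categories each internal recipient is authorized to receive.
ENTITLEMENTS = {
    "hr@example.com": {"SSN", "SALARY"},
    "payroll@example.com": {"SALARY"},
}
INTERNAL_DOMAIN = "example.com"

# Constructed content detectors; a real DLP product uses far richer ones.
DETECTORS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "SALARY": re.compile(r"\bsalary\b[^$]{0,40}\$\d", re.IGNORECASE),
}

def classify(body):
    """Return the set of confidential categories detected in the body."""
    return {cat for cat, rx in DETECTORS.items() if rx.search(body)}

def evaluate(sender, recipients, body):
    """Decide the workflow action for one outbound message.

    Returns (action, findings). Actions, most to least severe:
      block   - an internal recipient is not entitled to the data
                (notify the sender and a supervisor)
      encrypt - confidential data to an external recipient, so route the
                message through the encrypted gateway and notify the sender
      allow   - nothing confidential, or every recipient is entitled
    """
    found = classify(body)
    findings = []
    if not found:
        return "allow", findings
    action = "allow"
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN:
            findings.append(f"{rcpt}: external, {sorted(found)} must be encrypted")
            action = "encrypt" if action == "allow" else action
            continue
        missing = found - ENTITLEMENTS.get(rcpt, set())
        if missing:
            findings.append(f"{rcpt}: not entitled to {sorted(missing)}")
            action = "block"
    return action, findings

if __name__ == "__main__":
    # Constructed message: payroll is entitled to salary data but not SSNs,
    # and the auto-completed address is a mistyped external recipient.
    body = "Jane's salary is $82,000. SSN 123-45-6789 for the new record."
    print(evaluate("manager@example.com",
                   ["payroll@example.com", "jane.doe@gmail.com"], body))
```

The per-recipient check is what the institution-level rule lacks: the same message is allowed to hr@example.com, blocked for payroll@example.com, and held for encryption when sent outside the domain.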
In conclusion, changing or adopting an e-mail policy to allow the sending of confidential information is probably a larger decision than it initially appears.