Opinions on email encryption & Voltage
Posted on 2016-09-02
Our organization is currently on MS Exchange 2010 (with Outlook clients) without encryption. We are contemplating embarking on encryption using Voltage.
a) Voltage allows users to choose to encrypt, & it can also not let the users have the option but enforce encryption for all emails. Can Voltage be set (or is it smart enough) so that if emails don't go through the Internet, it doesn't encrypt them, but otherwise encrypts them?
b) If users can't be trusted to decide to encrypt emails even if users are fully aware the content of the emails is sensitive, I suppose this means we ought to enforce encryption regardless of the email's sensitivity. What if the emails are only sent within the organization's LAN (i.e. don't go through the Internet nor point-to-point WAN links), is encryption still essential? My view is it is essential because if there are highly sensitive emails (say news by the top to acquire another company at a certain share price), we don't want a staff member who has a sniffing device or Wireshark to intercept such emails (though the local LAN is a 'trusted' network but internal staff who is not supposed to know certain info tapped onto the LAN to intercept).
c) If unencrypted emails travel between our various offices in different countries via point-to-point leased circuits (i.e. not through the Internet) & the links are not encrypted (say by site-to-site VPN or using hardware encryption at both ends), can they be intercepted or subject to MITMA by external parties (say telco staff or people who have access to the telcos' exchanges)?
d) If emails are sent from a trusted source to a trusted destination but the emails go through the Internet, what's the best practice out there? I suppose currently most people don't encrypt but the extent of unencrypted emails being intercepted by MITMA on the Internet must be quite
e) For encryption & decryption at the other end, do both ends need to use Voltage? If the emails are between our various branches in different countries, we can make both ends use this same product, but if it's with our suppliers & customers, can encryption using such appliances still be feasible? Or are we only left with the option that users have to zip (with a password) sensitive data into an attachment & send it, as this is the most universal encryption/decryption method, or am I mistaken (i.e. different vendors' appliances at both ends could still allow encryption & decryption as long as they adhere to a certain protocol, say AES-256)? In this case, how does the key exchange work?