Should security be compromised for the sake of functionality? And what should we choose, encryption or virus scanning?
Clearly, there are requirements for encrypting e-mail. In 2001, Euro MPs encouraged businesses to encrypt their e-mails to prevent the Echelon program reading their messages. Sophos warned of the dangers of this at the time, reminding users that encryption prevents e-mails from being virus scanned. Most organisations have the capability to provide encryption services to users today, but often it is not without a cost.
It is not just virus scanning that proves difficult when e-mails are encrypted, content scanning and e-mail retention will create problems for security managers in the future. There is a growing requirement to monitor or spot check e-mails for racist comments, profanities, obscenity or any comment that might land the sender's organisation in trouble.
Changing laws surrounding e-mail retention could also create problems because encrypting keys may need to be retained with the e-mail, rendering it less than secure.
Barriers to compliance
The nature of an encrypted e-mail means a third-party product, compliance officer or security manager cannot look inside, examine the contents, identify any harmful content and remove or disable it.
I first encountered this problem in 1998 when working as head of security for an investment bank in the City. Key staff needed to send encrypted e-mail, but the security team were keen to ensure that all outgoing mail was thoroughly virus-scanned by at least two different anti-virus products, one on the user's desktop and one on the mail gateway.
The encrypted messages could not be scanned on the gateway, so we had to let them go through and risk infecting another bank with a virus - that was our compromise.
Virus scanning e-mail at the desktop after a mail has been decrypted is not always sufficient. Many companies have two or more points at which they may scan e-mails (exchange server, mail gateway and desktop). As mixed-supplier solutions are becoming common, this demonstrates just how serious viruses are considered in today's businesses.
With each new major virus outbreak we see one of the leading five anti-virus suppliers release an antidote. It can be hours before the others catch-up and offer the same, so it makes perfect sense to reduce your risk by betting on two or more suppliers.
You can have encrypted e-mail without eliminating one or more of your anti-virus checkpoints, but many organisations seem to be avoiding the issue by not encrypting e-mail. This could be the real reason why PKI (public key infrastructure) appeared to stall and encrypted/signed e-mails are not as common as we expected them to become.
Being unable to easily scan encrypted mails has been a problem since encrypted e-mail first appeared. So why has this only just become a major issue?
Virus infection via e-mail has increased dramatically in the past two years, so much so that few users can survive without anti-virus software. Three years ago it was rare to receive a virus via e-mail, now they arrive daily - sometimes several in one day.
It is unfortunate that at the time encrypted e-mail became accessible to everyone, viruses and Trojans via e-mail rose to epidemic levels.
Encrypted e-mail was once something for only the technically blessed. Using PGP (Pretty Good Privacy) in its early form - from the Unix command line to create encrypted data and then include that in an e-mail - was not done in the click of a mouse. The dialogue with the intended recipient to exchange keys was also "clunky" to say the least. With the introduction of digital certificates (X.509), it was suddenly possible to conduct otherwise complex tasks such as encryption or digital signing of data in seconds.
As a security manager, I would certainly not be expected to choose between weakening my defences and stopping a user securing data for transit over the internet, but that is what many businesses are faced with.
There are solutions to the problem but on the surface they appear to be highly complex. In simple terms, one solution is to take a copy of an outgoing message, decrypt it and examine the contents. If the message is free from a virus or inappropriate content then the original encrypted message can be sent out.
For a solution like this to work, the two identical messages must have been encrypted to include an additional decrypt key (ADK), often used for compliance or data recovery purposes. The ADK would be used by the system processing outgoing mail, but there would be no capability for this system to re-encrypt mail as this would generate trust issues.
One copy of the e-mail is decrypted and scanned, if it is clean, the other copy is sent without being decrypted. This method would still allow full end-to-end encryption.
For incoming messages the same process would apply, but a copy of the recipient's key would either have to reside on the mail server or the sender would have to encrypt messages with a key that the mail server has.
Encryption at the gateway
Another solution would be to lose the end-to-end encryption capabilities and move the responsibility for encryption to a key system such as a mail gateway. This allows the encryption to take place after all scans and content monitoring have occurred. Unfortunately, this approach means that messages are in clear text from the user's desktop and over the corporate Lan.
Symantec-owned PGP offers an enterprise solution to scan and encrypt/decrypt messages within one software solution. Most other anti-virus companies will offer some interoperability with one of the solutions outlined earlier.
The final option is to use one of the many outsourced solutions that are becoming available to decrypt, scan and process the messages. There are some benefits to such a solution. Many are web-based and have added bonuses such as spam filtering, but outsourcing such a critical part of your operations can introduce risk management issues.
I am certain that more and more businesses will face this challenge over the coming months and I hope that they address it head on and do not compromise their security either way.
Phil Cracknell is chief technical officer at IT security company netSurity
This was first published in October 2004