Email Encryption in the Financial Sector


Historically, encryption technology has been seen as too cumbersome, complicated and expensive for organisations to invest in, with too little return.

Within the financial services sector, this lack of usability has meant that the Internet has not been fully exploited as a communications channel between the various stakeholders, whether customers, partners or suppliers. This article examines the reasons for the slow take-up of encryption technology and will endeavour to dispel the myth that it can be expensive and complicated to implement, so encouraging the case for an accelerated take-up in the near future. We also discuss the means by which encrypted email can be scanned and accommodated within a policy-based content security system cost effectively.

There are obvious costs savings to be enjoyed if financial service companies can communicate securely with their customers over email. However, confidentiality is imperative in financial transactions. Improving email security technology is one key issue, but another is calming customer fears about using the Internet generally, and specifically when using online banking. Recent publicity around the issue of online banking scams in Australia and the USA has done little to help allay these fears.

Recent research findings by the banking and analyst house US Tower Group revealed that the majority of Internet banking sites have done little to communicate Internet security preventive measures and implement bank policies around security breaches. The report also encourages banks to be more forthcoming about their indemnification policies for unauthorised online activity.

Email encryption within the financial sector should be an established "best working practice". The ground-breaking email encryption technology - Public Key Infrastructure (PKI) - became commercially available in 1994. Five years later, the Gramm-Leach-Bliley Act (GLB) in the USA mandated privacy and protection of customer records maintained by financial institutions. The security requirements include encryption of electronic customer information. So, in theory, the technology was available and the regulations were in place to drive the take-off of secure electronic communications in the financial sector.

Traditional Encryption - Cumbersome, Complex and Expensive

Many financial organisations have looked seriously at the use of PKI as a solution to securing email communications. Most of these investigations never passed the pilot stage, as organisations realised the complexity and cost of such solutions. In 2001 Wells Fargo, speaking at the PKI Forum, said it had spent $250,000 per seat on PKI. It had eight users and had spent $2 million. Equity investment firm, RS Investments, estimates that 80% of PKI pilot projects have never moved to full implementation.

This failure is not because PKI technology does not work, but because its use is not transparent to the end-user. With PKI solutions, administrators must install client software on individual PCs and issue a digital certificate to each email user. Then they must train users and help them to adjust to using the new technology. Finally, users must exchange public keys with other users to establish the infrastructure necessary to send and receive secure email. Even when these steps are completed, employees frequently forget, or simply do not use, encryption for sensitive information, because of the added steps and complexity involved. In short, it is complex, costly and "too difficult".

PKI tried to alter fundamentally the way in which business is done. Classical PKI required all electronic users to commit to employing common business methods, practices and security approaches. Finally, PKI systems have been unable to scale up to service large numbers of users.

Of greater concern is that encrypted messages may not be readable by email filtering technology. This could allow corporate e-policy rules to be ignored and enable inappropriate content to enter or leave the organisation, thereby exposing it to a wide spectrum of risks. One of these is non-compliance with legal and corporate governance rules. The Sarbanes-Oxley Act of 2002 in the USA, for example, requires executives and auditors to document and certify the effectiveness of internal controls and procedures related to financial reporting.

To address the complexity issues of PKI-based encryption solutions, vendors and end user organisations developed solutions based on secure Web staging servers. In these solutions, confidential information is stored on a secure Web server. Message recipients receive a notification that a confidential message is waiting which includes a URL to the secure site. Users are required to authenticate themselves in order to read the encrypted content.

While such solutions solve some of the complexity issues that make PKI-based solutions difficult to implement, they are not without their own problems. Among the most significant of these problems is the impact of storing external user email content on the organisation's network. Over time this can become a costly issue, as the organisation must deal with increasingly complex issues of storage management and retention.

Another serious issue with the staging server approach is that message recipients are forced into a separate, Web-based email application, rather than being able to use their email application of choice. Email users do not want to have a separate email application for each organisation they want to deal with - they want to use their standard email application.

New Secure Email - Direct Delivery Without the Hassle

New email encryption solutions that eliminate the need to use staging servers for content storage are now available. These provide financial service companies with secure email and secure statement delivery, utilising the Advanced Encryption Standard (AES) and authentication methods to simplify the message receipt and decryption process.

This new technology uses a single encryption key per email and relies on a shared secret between the sender and recipient. The shared secret might be a user name or password or some other authentication device. This "Key Server" approach is typically simpler to use and performs well. Using this method, encrypted email can be delivered to recipients without the recipients needing special skills or software installed on their systems in advance of receiving the first encrypted message.

With the "Key Server" method, message recipients receive the entire content of their encrypted email using their email application of choice. The encrypted content is enclosed in a standard message attachment. Opening the message requires the recipient to identify him/herself using a pre-arranged password. The key is then sent and the message decrypted on the recipient's desktop. This process is transparent to the end-user.

This technology makes it easy for a bank employee to email secure statements, generated by automatic back office processes. Secure statements might include invoice statements, credit card statements, financial trade information or any other standard form a financial organisation might send to an individual or other business (usually through the postal service) on a regular basis.

Message recipients benefit from this new approach in several ways. First, email users can use their preferred email application, including Web-based programs such as MSN Hotmail and Yahoo Mail. Since the solution uses Web-based processes for message decryption, there is no need to install specialised software or manage complex encryption keys or digital certificates.

Scanning Encrypted Email

The financial services industry is strictly regulated and many industry watchers predict that this regulation will become even more stringent. The way that financial organisations can implement such regulation in their email communications is through the maintenance of an e-policy and compliance with the policy through email scanning.

The best way of tackling this is by viewing encryption as just one of the many facets of e-policy. The user at the desktop within an organisation takes no special action to secure an email he or she is sending. Instead, gateway software examines the email, automatically and consistently applying the appropriate policy, which may include secure delivery through the use of encryption.

Similarly, if the recipient works for an encryption-enabled company, messages can be decrypted at the gateway and delivered to the intended recipient as defined in the organisation's email security policy. For example, email can be decrypted, scanned for content-based threats, then delivered to the recipient in the clear, making the entire encryption process completely transparent to both the sender and the recipient.
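As an added illustration, not Clearswift's product code, the following Python sketch models the two mechanisms described above: the gateway applying an e-policy rule to decide whether an outgoing message is encrypted (the sender takes no special action), and the Key Server issuing one random key per message and releasing it only after the named recipient presents the pre-arranged password, so the attachment is decrypted on the recipient's desktop. The cipher is a standard-library stand-in (HMAC-SHA256 in counter mode with an authentication tag), not AES; the eight-digit account-number rule, the PBKDF2 round count, message identifiers, addresses and password are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Stand-in symmetric cipher built from the standard library only: HMAC-SHA256 in
# counter mode for confidentiality plus an encrypt-then-MAC tag. It is NOT AES;
# a real gateway would use AES-GCM from a vetted library. The key server
# protocol wrapped around it is what this example demonstrates.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate one message body under its per-message key."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or an altered attachment fails."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("attachment failed authentication")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

class KeyServer:
    """One random key per message, released only to the named recipient who
    presents the pre-arranged password. Every request is logged, which is what
    lets the organisation audit who opened what."""
    PBKDF2_ROUNDS = 50_000  # constructed value for the example

    def __init__(self):
        self._records = {}
        self.audit_log = []

    def register(self, message_id: str, recipient: str, password: str) -> bytes:
        salt = secrets.token_bytes(16)
        record = {
            "key": secrets.token_bytes(32),
            "recipient": recipient,
            "salt": salt,
            # Only a salted password verifier is stored, never the password itself.
            "verifier": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS),
        }
        self._records[message_id] = record
        return record["key"]

    def release(self, message_id: str, recipient: str, password: str):
        record = self._records.get(message_id)
        if record is None:
            self.audit_log.append((message_id, recipient, "unknown-message"))
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], self.PBKDF2_ROUNDS)
        ok = record["recipient"] == recipient and hmac.compare_digest(candidate, record["verifier"])
        self.audit_log.append((message_id, recipient, "released" if ok else "denied"))
        return record["key"] if ok else None

# Constructed e-policy rule: anything that looks like an eight-digit account
# number must leave the organisation encrypted. Real policies are far richer.
ACCOUNT_NUMBER = re.compile(r"\b\d{8}\b")

def policy_requires_encryption(body: str) -> bool:
    return bool(ACCOUNT_NUMBER.search(body))

def gateway_send(server: KeyServer, message_id: str, recipient: str, password: str, body: str) -> dict:
    """The sender takes no special action; the gateway decides and applies the policy."""
    if not policy_requires_encryption(body):
        return {"message_id": message_id, "to": recipient, "body": body, "attachment": None}
    key = server.register(message_id, recipient, password)
    return {
        "message_id": message_id,
        "to": recipient,
        "body": "Your secure statement is attached. Enter your password to open it.",
        "attachment": seal(key, body.encode()),
    }

def recipient_open(server: KeyServer, message: dict, password: str):
    """Recipient's desktop: authenticate to the key server, then decrypt locally."""
    if message["attachment"] is None:
        return message["body"]
    key = server.release(message["message_id"], message["to"], password)
    if key is None:
        return None
    return unseal(key, message["attachment"]).decode()
```

Because the key never travels with the attachment, intercepting the email yields only ciphertext, and because the key server logs each release the organisation keeps a record of who read each statement, which is the compliance angle the article raises.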

It is evident that since employees no longer need to make decisions about whether a message needs to be encrypted or not, encrypted email usage will be significantly increased. An organisation's e-policies define whether encryption is or is not required and the whole process is transparent to both the user and the recipient.

The new Key Server technology is now opening new doors for the financial services industry. It will provide these companies with the means to offer complete e-banking and take full advantage of the Internet.

Paul Rutherford is Chief Marketing Officer, Clearswift
