Why use Transport Layer Security (TLS) for Email Encryption?
By AvoChief
Encrypting e-mail in transit reduces the risk of eavesdropping and data loss.
TLS Basics
Why use Transport Layer Security (TLS) for email encryption?
Sending messages unencrypted increases the risk that they can be read or altered in transit. TLS is designed to protect confidentiality and data integrity by encrypting the SMTP connection between mail servers, which reduces the risk of eavesdropping, interception, and alteration while a message travels from one server to the next. Note that it protects the message only on the wire: the message is still in plain text on each mail server that handles it.
TLS is also a widely adopted standard published by the Internet Engineering Task Force (IETF) for securing transmitted data and is now supported by most commercial mail servers. For those who are new to TLS but already familiar with SSL, TLS is the successor to the Secure Sockets Layer (SSL) protocol; SSL itself is deprecated and should no longer be enabled on a mail server.
Who can use TLS?
Financial institutions benefit greatly from TLS. The general consensus among them is that the information they exchange by e-mail needs to be protected from eavesdropping or tampering by third parties, so many have already implemented TLS or plan to do so in the near future.
How does it work?
When TLS is enabled on the mail servers of both the sender and the receiver, the information exchanged between the servers is encrypted, so anyone observing the connection sees only ciphertext. Mail servers use Simple Mail Transfer Protocol (SMTP) to send and receive messages, and the SMTP extension that upgrades a plain connection to TLS is called STARTTLS (RFC 3207). When sending an encrypted message, the exchange works as follows:
- Each company’s e-mail gateway is configured to offer and use TLS for SMTP traffic
- When the sending party (client) connects to the receiving party (server), it sends an EHLO command; the server’s reply lists the extensions it supports, and the client checks whether STARTTLS is among them
- If the receiver offers STARTTLS, the sender issues the STARTTLS command and the TLS handshake begins, during which the server sends its certificate to the client
- If the sender trusts the certificate of the receiver (in opportunistic mode many servers proceed even when the certificate cannot be verified), a TLS session key is negotiated, the TLS session starts, and the rest of the SMTP conversation, including the message itself, is transmitted inside it
What happens if one party does not want to use TLS?
The answer depends on how your TLS implementation is set up. In the most common configuration, known as opportunistic TLS, you can still send and receive e-mail without it: if the other firm does not support TLS, e-mail exchanged with that company still goes through, but unencrypted, over the same plain SMTP that has always been used.
Because there are risks in sending confidential information over the Internet by e-mail, some partners choose to accept only TLS-encrypted mail and to have delivery fail (or the message stay queued) whenever TLS cannot be negotiated. This is done with high-security requirements in mind, and it is the only way to ensure that no mail goes out unencrypted. An opportunistic setup can be silently downgraded by an attacker on the network path who removes the STARTTLS advertisement from the server’s reply, so that the sender never learns TLS was available; a mandatory policy defers the message instead. For the same reason a mandatory policy should also verify the receiver’s certificate, since otherwise an attacker who intercepts the connection can present a certificate of their own.
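The exchange described above under "How does it work?" and the two policies just discussed (opportunistic versus mandatory TLS), as an added example in Python that is not code from the original post. The EHLO replies, hostnames and the policy names `may` and `encrypt` (borrowed from Postfix's `smtp_tls_security_level` vocabulary) are constructed for illustration; the article names no particular mail server. `parse_ehlo()`, `negotiate()` and `strip_starttls()` run offline, and `strip_starttls()` reproduces the downgrade an on-path attacker performs against an opportunistic sender. `probe_starttls()` opens a real connection with certificate verification turned on and is included for reference only.

```python
"""Client-side STARTTLS negotiation for SMTP.

Added example, not code from the original post. parse_ehlo(), negotiate()
and strip_starttls() run entirely offline on constructed EHLO replies;
probe_starttls() opens a real connection and is included for reference only.
"""
import smtplib
import ssl

# Policy names follow Postfix's smtp_tls_security_level vocabulary; this is an
# assumption for illustration, the article names no particular mail server.
MAY = "may"          # opportunistic: use TLS if offered, otherwise send in clear
ENCRYPT = "encrypt"  # mandatory: never send unless TLS is negotiated

# Constructed sample EHLO replies (RFC 5321 format: '250-' continues, '250 ' ends).
EHLO_WITH_TLS = (
    "250-mail.example.com Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-legacy.example.net Hello client.example.org\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> set:
    """Return the extension keywords advertised in a multi-line 250 reply."""
    extensions = set()
    for line in reply.strip().splitlines()[1:]:   # first line is the hostname
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        keyword = line[4:].strip().split(" ", 1)[0].upper()  # drop '250-'/'250 '
        if keyword:
            extensions.add(keyword)
    return extensions


def negotiate(policy: str, ehlo_reply: str) -> str:
    """What the sending MTA does after reading the receiver's EHLO reply.

    'starttls'  -> issue STARTTLS and run the TLS handshake
    'plaintext' -> send over plain SMTP (opportunistic policy only)
    'defer'     -> mandatory policy and no STARTTLS offered: keep the
                   message queued rather than send it unencrypted
    """
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "starttls"
    if policy == MAY:
        return "plaintext"
    if policy == ENCRYPT:
        return "defer"
    raise ValueError(f"unknown policy {policy!r}")


def strip_starttls(reply: str) -> str:
    """Simulate an on-path attacker deleting the STARTTLS advertisement.

    This is the classic downgrade against opportunistic TLS: the client never
    learns that TLS was available, so under the 'may' policy it sends in clear.
    """
    kept = [line for line in reply.strip().splitlines()
            if line[4:].strip().upper() != "STARTTLS"]
    kept[-1] = "250 " + kept[-1][4:]   # last line must use '250 ', not '250-'
    return "".join(line + "\r\n" for line in kept)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a real MTA, require STARTTLS and verify its certificate.

    ssl.create_default_context() checks the chain and the hostname, which is
    stricter than most MTAs are by default. Needs network access, so nothing
    in this file calls it.
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as client:
        client.ehlo()
        if not client.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS")
        client.starttls(context=context)
        client.ehlo()                   # RFC 3207: EHLO again after the handshake
        cert = client.sock.getpeercert()
        return {
            "tls_version": client.sock.version(),
            "cipher": client.sock.cipher()[0],
            "subject": dict(pair[0] for pair in cert["subject"]),
        }


if __name__ == "__main__":
    for policy in (MAY, ENCRYPT):
        print(policy, "honest server:    ", negotiate(policy, EHLO_WITH_TLS))
        print(policy, "no TLS at all:    ", negotiate(policy, EHLO_WITHOUT_TLS))
        print(policy, "STARTTLS stripped:", negotiate(policy, strip_starttls(EHLO_WITH_TLS)))
```

Running the module shows the point of the enforcement question: against a server whose STARTTLS line has been stripped, the `may` policy quietly falls back to plain text while `encrypt` defers the message. `probe_starttls("mail.example.com")` can be pointed at a partner's gateway to confirm that it offers STARTTLS and presents a certificate that actually verifies, which is the check worth doing before switching a partner to the mandatory policy.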
What are the overall benefits to using TLS?
E-mail over TLS provides the following advantages compared to traditional (unencrypted) e-mail:
• Protection: E-mail servers can be configured to enforce TLS encryption between named parties and confidential information can be exchanged with reduced risk of eavesdropping or interception
• Every e-mail sent and received is encrypted. When TLS is enforced, no individual review or decision is required to determine whether or not to encrypt an e-mail based on the email’s content.
• E-mail encryption is transparent to both the sender and the receiver. Both parties send and read e-mails the same way as they do today.
• TLS is globally accepted and currently available on most, if not all, e-mail servers.
• Industry Standard: There is a growing trend among financial institutions to use TLS. Many institutions have already implemented TLS or they plan to convert to TLS in the near future.
• E-mail can still be inspected for viruses. With SMTP over TLS, encryption terminates at each partner’s e-mail gateway, so once a message is inside the company’s network it can be treated like regular SMTP traffic and inspected, scanned and analyzed for malicious content in line with corporate security policy. This is not the case with PGP- or S/MIME-style encryption, where the message body is decrypted only by the recipient. The flip side is that TLS is hop-by-hop rather than end-to-end: the message is in plain text on every relay it passes through, so it protects against eavesdropping on the wire, not against a compromised or untrusted intermediary.
• Reduced cost: When company-to-company encryption over TLS is in place, tactical person-to-person systems for encrypting messages are no longer needed. Companies need only purchase TLS certificates for their servers rather than large numbers of S/MIME certificates for every client. There is typically no software to buy, so implementing TLS has little out-of-pocket cost, although setting up and testing it on the server takes some effort.
• No overhead for end-users. Because no special software is installed on client machines, TLS encryption is “always on” for compliant partners; the process is completely transparent to end-users.
• Rapid deployment. Workstations do not require any additional configuration; only servers need to be modified. The configuration process is also straightforward. Time to value is measured in days and weeks, not months and years.
Efren Duarte is Managing Director, Products & Services and AVO Chief of Avocera Consulting and principal of the AVMI Group, a market research firm and think tank primarily focused on business technology. You can read more blogs at http://www.avochief.com.
Kathrine Mya 7 weeks ago
TLS is used for the HTTPS protocol, which is the secure protocol for website requests.