What is S/MIME, and is it right for the modern organisation?

Egress | 30th Nov 2019

The search for an email encryption solution that suits your organisation’s needs can be a bewildering experience.

There are many options available, and many protocols and acronyms to understand, but most organisations in this increasingly interconnected, cloud-based world are looking for the same thing:

Software that is easy to use, reliably secure and cost effective, which also complements existing working practices by integrating with email clients.

The Secure/Multipurpose Internet Mail Extensions standard, or S/MIME, is an email encryption method that often comes up during preliminary research into email encryption products.

So, what is S/MIME, and is it suitable for the modern, flexible organisation?

How it works

S/MIME is an open standard for digitally signing and encrypting email data using public-key cryptography.

Signing an email certificate digitally provides message authentication, non-repudiation and data integrity. Put simply, these features allow recipients to know that the email was sent by the person who claims to have sent it, and that the email is the same as the one the sender originally sent.

Still, signed certificates don’t ensure message privacy; emails sent with digital signatures can provide sender validity but they are sent in plaintext and open to interference.

Accordingly, S/MIME also provides message encryption. SMTP-based email is vulnerable to man-in-the-middle attacks and snooping, since the emails can be read by unwanted third parties in transit and at rest. Message encryption solutions amend this by ensuring only the intended recipients can view the email contents, and protects the email data as it is travelling to the recipient.

Obviously, an encrypted email that isn’t digitally signed is open to similar problems as unsigned plaintext email: the identity of the sender cannot be proved. Email encryption used in conjunction with digital signatures consequently delivers a high level of security and mitigates each of these weaknesses.

S/MIME is somewhat related to PGP encryption, though distantly. PGP covers security issues in plaintext emails but S/MIME extends this to all kinds of email data and attachments. As well as using different key exchange mechanisms, S/MIME differs from PGP in some beneficial ways. S/MIME is already integrated into many email products, from Outlook to Apple Mail and Lotus Notes; there’s no need to download additional software. It’s also supported by Office 365, which is crucial for cloud-based organisations.

So, what’s the problem?

Though the combination of email encryption and digitally-signed certificates provides confidentiality and authentication, things get complicated in practice.

Digital signatures

Although S/MIME integrates into many email solutions, before using it each user needs to obtain an individual certificate from an in-house certificate authority or by buying one. The costs involved with either creating a certificate authority or buying a certificate for each sender may well be prohibitive and the process overly complex.

Users of webmail clients like Gmail or Hotmail may struggle too, since they generally do not provide native S/MIME certificate support. Indeed, it’s often not feasible since the certificate is required to be kept on the server, excluding end-to-end encryption.

It also adds complexity to the recipient experience. General users may not understand what to look for in terms of verifying digital signatures, plus not all email clients support SMIME certificates so the ‘smime.p7s’ attachment that gets added in lieu of integrated support may leave recipients confused.

Message encryption

Message encryption in S/MIME can interfere with organisation’s usual email practices. The end-to-end encryption it involves precludes email search, so users can’t search through historic emails, except for subject line and attachment names. However, users are ever resourceful and have a tendency to modify subject lines to be more descriptive about the contents – potentially giving out sensitive information.

In the same way, S/MIME can interfere with anti-virus scanning, data loss prevention (DLP) and archiving tools that the organisation currently relies on for information security. The encrypted emails can be scanned before being sent, but gateway scanning on the recipient end is done while the message is encrypted, and hence its contents are hidden from the anti-virus and DLP processes.

An alternative to S/MIME

It is true that for closed communities with close relationships that don’t need malware and virus scanning, and that can manage the complexity of certificates, S/MIME can be an effective method for secure data transmission. For the 21st Century enterprise however, the above concerns remain valid.

So, where to next?

Well, the user experience, cost and integration issues are the very things that Egress Switch is designed to solve. By offering encryption at the gateway, Switch Secure Email and File Transfer enables proper functioning of anti-virus, malware scanning and archiving tools, as well as encrypting the messages and attachments.

The complete integration into Outlook, Office 365 and other mail clients does not require any additional work for either sender or recipients; no certificate signing or key exchanging. By being so user-friendly, it provides the best possible chances for the user uptake that is so fundamental to any email encryption solution.

Switch Secure Vault also solves the issues around archiving encrypted content, allowing users to access historic sent and received emails, both plaintext and Switch-encrypted content. Additionally, the solution provides admins with analytics tools for e-discovery and compliance-related requests.

Integrated DLP in the Switch Secure Email Outlook add-in means emails and attachments are scanned for sensitive keywords before being sent, and it can even recommend or force encryption and / or classification based on this DLP scanning.

Taken together, these features solve and then go beyond the weaknesses built into so many other email security platforms, helping Switch be the solution of choice for the modern organisation.