TLS Encryption – Securing Email Communications
This article addresses the topic of TLS Encryption – Securing Email Communications, along with the surge of questions and interest concerning ‘security’. It also covers other important details on securing sensitive data transmitted within an email message.
As more businesses begin leveraging (and certainly requiring) secure transmission of sensitive information between businesses (partners, subsidiaries, etc.), a quick inspection shows that the level of effort needed to implement messaging encryption has become drastically simpler and more streamlined. Yippee!
Recent reviews of several Office 365/Exchange Online (EOL) business environments, specifically the bi-directional transmission of external email and the communication practices around it, discovered (unbeknownst to the business) an inordinate number of unsecured messages containing sensitive information being sent and received outside the organization (between vendors, business partners, etc.) – specifically sensitive legal, human resources, purchasing and similar information. However, before getting nervous or calling in the troops, let’s put this into the proper perspective.
The security challenge, referred to herein, occurs when an email leaves the business destined for another (external) business. To put a “not-so-techie-spin” on this – sensitive email typically becomes a security matter, or concern, the moment it’s sent to an external recipient. This data could include social security numbers, purchasing history, legal matters, etc.
Without jumping head-on into a discussion of internal email (or TLS Encryption for it), internal mail wouldn’t “typically” be a matter of concern. Where concern does exist, several remediation methods can be employed to address the internal transmission of sensitive information (e.g. message signing and encryption, transport rules, etc.).
If sufficient reason does exist, emails can be signed, encrypted and secured to ensure end-to-end security, thus providing controls over who can open, forward and print messages. However, when one is utilizing a SaaS-based email solution like Office 365/EOL, email remains sufficiently secure within the confines of the business.
If you or a business partner using Office 365/EOL send email between your businesses, these messages are (by default) encrypted in transit utilizing opportunistic TLS. No configuration is really needed. This is very good news for those who presently have their business on Office 365/EOL.
However, businesses managing their own email systems ought to take advantage of this same feature by enabling it and making it available to their customers, business partners, etc.
Implementing TLS Encryption
There exist many articles, and consultants, that can help with, clarify or implement these security elements. This article, though, doesn’t cover the necessary steps “per se”. Its purpose is to increase awareness of the advantages and benefits, and of why a business might undergo this effort. Simply put, the real benefit of enabling secure email is knowing all communications sent between your organization and another will not be subject to prying eyes or eavesdropping.
Businesses today have many partners and external entities. The first step is to make a list identifying those with which enforcement for sensitive information is required. The next step is to launch an initiative to secure these communication channels without impacting production. Although only lightly touched on above, other methods can be employed to further secure email transmissions.
To reiterate, opportunistic TLS is enabled (by default) for all Office 365/EOL customers, meaning email which traverses between EOL customers is encrypted in transit. This can be validated by analyzing the message header information (the Received: headers record the TLS version and cipher negotiated on each hop). This is also of particular interest because customers looking to enable or provide TLS communications, who currently reside on Office 365/Exchange Online, already have this feature. This is certainly a plus point. Another plus point is that most major SaaS-based email providers, such as Gmail, offer (TLS) secure transmission of email.
Unless specifically configured, businesses that manage their own mail services, which do not reside on Office 365/EOL, typically do not have this feature enabled. This could include a Lotus Notes deployment, an Exchange on-premises implementation, an IronPort appliance (spam/malware filtering, SMTP relay), etc.
What does this mean? It means simply that there is an opportunity to make these more secure. The good news is, it can be readily enabled with very little effort.
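The header check described above, as an added example that is not part of the original article: the script unfolds the Received: headers of a message, picks out the TLS annotation each MTA wrote (Exchange Online writes “version=TLS1_2, cipher=…”, Postfix-style relays write “using TLSv1.2 with cipher …”), and flags any hop that carried the message without TLS. The headers in $sampleHeaders are constructed sample data, not a real message; on a real message paste the full header block (from the message’s properties or a saved .eml) into the same variable.

```powershell
# Added example (not from the original article). Scan Received: headers for the
# TLS annotations MTAs write and report which hops were encrypted in transit.
# $sampleHeaders is constructed sample data with reserved example addresses.
$sampleHeaders = @'
Received: from mail.partner.example (203.0.113.10) by
 CONTOSO-MAIL.contoso.example with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1234.5
 via Frontend Transport; Mon, 1 Jan 2024 12:00:00 +0000
Received: from relay.partner.example (relay.partner.example [198.51.100.7])
 by mail.partner.example (Postfix) with ESMTPS id 4ABC123
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
 Mon, 1 Jan 2024 11:59:58 +0000
Received: from app-server.partner.example (10.0.0.5)
 by relay.partner.example (Postfix) with ESMTP id 4DEF456;
 Mon, 1 Jan 2024 11:59:57 +0000
'@

function Get-ReceivedHops {
    param([string]$RawHeaders)
    # RFC 5322 folding: a line starting with whitespace continues the previous
    # header line, so join those first to get one string per Received: header.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $hops = @()
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -notmatch '^Received:\s*(.+)$') { continue }
        $hop  = $Matches[1]
        $from = if ($hop -match 'from\s+(\S+)') { $Matches[1] } else { '?' }
        $by   = if ($hop -match '\bby\s+(\S+)')  { $Matches[1] } else { '?' }
        $tls = $null; $cipher = $null
        if ($hop -match 'version=(TLS[0-9_]+),\s*cipher=([A-Z0-9_]+)') {
            # Exchange / Exchange Online annotation
            $tls = $Matches[1]; $cipher = $Matches[2]
        } elseif ($hop -match 'using\s+(TLSv[0-9.]+)\s+with\s+cipher\s+([A-Za-z0-9-]+)') {
            # Postfix-style annotation
            $tls = $Matches[1]; $cipher = $Matches[2]
        }
        $hops += [pscustomobject]@{
            From      = $from
            By        = $by
            Encrypted = [bool]$tls
            Protocol  = $tls
            Cipher    = $cipher
        }
    }
    return $hops
}

$hops = Get-ReceivedHops -RawHeaders $sampleHeaders
$hops | Format-Table -AutoSize
$clear = @($hops | Where-Object { -not $_.Encrypted })
if ($clear.Count -gt 0) {
    Write-Warning ("{0} hop(s) carried the message without TLS: {1}" -f $clear.Count,
        (($clear | ForEach-Object { "$($_.From) -> $($_.By)" }) -join '; '))
}
```

With the constructed headers the two external hops report TLS1_2 and the internal hop from app-server.partner.example is reported as cleartext. Note that Received: headers are written by the receiving server, so only hops into servers you trust are meaningful evidence; a relay you do not control could write anything.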
TLS Integration: Notifications
There are a few other facets one ought to analyze and inspect when transitioning a business to a SaaS email service (such as Office 365/EOL). For instance, most businesses need to maintain some form of internal alerting or notifications via email. Or perhaps your business maintains an internal database which performs weekly email batches for clients. Most often, this includes lower forms of sensitive information (e.g. server names, IP addresses, customer billing information, etc.). An SMTP relay server is designated for this very purpose – transmitting internal emails to your EOL or other environments. Minimally, one ought to look into enabling, and certainly validating, that TLS is enabled and functioning between your on-premises relay and your EOL tenant. By default this is not enabled.
For businesses that wish to enable TLS (encrypted) email for their managed email system, one would need to purchase an X.509 certificate from a reputable provider, such as GoDaddy, Network Solutions, etc. The DNS hostname would need to be registered with your DNS provider, and likewise would need to match the subject name on your purchased X.509 certificate. There are also various other certificate requirements that must be met. One could also leverage wildcard certificates or subject alternative names (SANs) if utilizing multiple email servers. As for the configuration of your managed email server, one would need to refer to the vendor-provided documentation on how to implement TLS.
Additionally, where appropriate, your internet-facing email services (whether Lotus Notes, Exchange or an SMTP relay) ought to be made available in a secure fashion: placed in a secure location and opening only the communication ports that are needed (e.g. inside a DMZ, in a secure location on Azure or Amazon Web Services, etc.).
On Office 365/EOL, if your business is implementing secure TLS with an external entity (e.g. a partner), a bit of configuration is required. One would need to implement inbound, and likewise outbound, connectors with the appropriate restrictions to negotiate (or enforce) TLS with the remote SMTP server.
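Two added examples follow, neither taken from the original article. The first is the validation step the previous paragraphs ask for: it opens a plain SMTP session to a mail host, issues STARTTLS, completes the TLS handshake with .NET’s SslStream and reports the negotiated protocol, cipher and the certificate’s subject and subject alternative names, which is how you confirm an on-premises relay (or a partner’s MX) presents a certificate that matches its hostname. The host name smtp-relay.contoso.example and the EHLO name are assumptions; substitute your relay or your tenant’s MX host. A certificate that is untrusted, expired or does not match the hostname makes AuthenticateAsClient throw, which is the failure a relay configured for mandatory TLS would also see.

```powershell
# Added example (not from the original article). Check that an SMTP host offers
# STARTTLS and inspect the negotiated session and certificate.
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # SMTP replies may span several lines: "250-..." continues, "250 ..." ends.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line -match '^\d{3}-')
    return $lines
}

function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 25,
        [string]$EhloName = 'tlscheck.example'   # assumed client identity for EHLO
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner[-1])" }

        $writer.WriteLine("EHLO $EhloName")
        $ehlo = Read-SmtpReply $reader
        if (-not ($ehlo -match 'STARTTLS')) {
            # The server will only ever take this mail in cleartext.
            return [pscustomobject]@{ Host = $HostName; StartTls = $false; Reason = 'STARTTLS not advertised' }
        }

        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply $reader
        if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }

        # Upgrade the socket. Default validation checks chain, expiry and that
        # the certificate name matches $HostName; a failure throws here.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

        $result = [pscustomobject]@{
            Host     = $HostName
            StartTls = $true
            Protocol = $ssl.SslProtocol
            Cipher   = "$($ssl.CipherAlgorithm) ($($ssl.CipherStrength) bit)"
            Subject  = $cert.Subject
            SANs     = $sanText
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
        # Close the session politely over the now-encrypted channel.
        $sslWriter = New-Object System.IO.StreamWriter($ssl)
        $sslWriter.NewLine = "`r`n"; $sslWriter.AutoFlush = $true
        $sslWriter.WriteLine('QUIT')
        return $result
    } finally {
        $client.Close()
    }
}

Test-SmtpStartTls -HostName 'smtp-relay.contoso.example' | Format-List
```

The second example is the Exchange Online connector configuration the last paragraph refers to, written as a worked example rather than the article’s own steps. It requires the ExchangeOnlineManagement module and a role that can manage connectors; the partner domain partner.example and certificate name mail.partner.example are assumptions. The inbound connector rejects mail claiming the partner’s domain unless it arrives over TLS with a matching certificate; the outbound connector refuses to fall back to cleartext if the partner’s MX cannot present a valid certificate for the expected name.

```powershell
# Added example (not from the original article). Enforce TLS with one partner
# domain in Exchange Online. Domain and certificate names are assumptions.
Connect-ExchangeOnline

$partnerDomain   = 'partner.example'        # assumed partner domain
$partnerCertName = 'mail.partner.example'   # assumed subject/SAN on the partner's certificate

# Inbound: accept mail from the partner domain only over TLS, and only when the
# sending server's certificate carries the expected name.
New-InboundConnector -Name "Inbound from $partnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName $partnerCertName `
    -RestrictDomainsToCertificate $true

# Outbound: deliver to the partner only after validating the certificate name;
# DomainValidation means no silent downgrade to cleartext if TLS fails.
New-OutboundConnector -Name "Outbound to $partnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerCertName

# Review the result
Get-InboundConnector  | Where-Object ConnectorType -eq Partner |
    Format-Table Name, SenderDomains, RequireTls, TlsSenderCertificateName
Get-OutboundConnector | Where-Object ConnectorType -eq Partner |
    Format-Table Name, RecipientDomains, TlsSettings, TlsDomain
```

After both connectors are in place, send a test message each way and run the header check from the earlier section on what arrives: the hop into Exchange Online should show the TLS version and cipher, and the partner should see the same on their side.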
Anyway, I hope this overview helps.
Shawn May, Principal Architect
- Implementing correct solutions
- Bringing the correct talent (professional-staff-augmentation or project team)
- Alignment to the business functional & functional direction
- Maintaining agility with communication and options
- Ensure to have a properly scoped project and accurate roadmap eliminating fluff
Dynamic Technical Solutions is one of the best in the business. I had the pleasure of working and learning a great deal from their team members in the past four years. DTS’ work ethic is unlike any I have ever seen. I have always known them to follow through until the job is completed correctly.
R.T., Senior IT Infrastructure & Ops Manager, E-470 Public Highway Authority
I had the pleasure of working with Dynamic Technical Solutions very closely on a very complex, critical project with a lot of moving parts and unknowns. Not only did DTS quickly grasp all the complexities of the project, they helped bring clarity and order to it. Their dedication and professionalism are tremendous. They are team members whom you can always count on to be there and deliver what’s required and then some. Their technical abilities have allowed us to develop and implement great solutions. DTS’ understanding of IT security helped us not only come up with a robust technical solution, but also a very secure one. I’ll gladly work with them any time again.
I.S., VP Technology at Barclays Capital
I have had the pleasure of working with Dynamic Technical Solutions over the last year servicing the same customer. DTS demonstrates an exceptional technical aptitude, attention to detail and work ethic that makes their service delivery extraordinary. Anyone requiring solid directory services architectural or technical guidance will benefit from what DTS brings to the table. I recommend their work.
N.K., Microsoft - Senior Technical Account Manager
I had the pleasure of working with Dynamic Technical Solutions at The Children's Hospital and found them to be extremely knowledgeable in respect to Microsoft Windows Engineering. Their precision, dedication, thoroughness and understanding in Microsoft Active Directory design and support are impeccable. They take pride in continuously learning, adapting and implementing all of the knowledge they possess and have shown such aptitude in technical writings of Kerberos, DNS and Microsoft products as a whole. I would welcome the opportunity of working with DTS again and hope to do so in the future.
M.D., The Children's Hospital
We contracted with DTS to perform an upgrade/migration of our existing Active Directory and Exchange environments onto new equipment. The entire process was extremely painless and we were very happy with the results. I can honestly say that our DTS consultants exceeded our expectations. It took less time than we had anticipated, and some of the issues we were afraid of running into did occur, but our DTS consultants were very quick at finding a working solution.
DTS is technically competent, their work is very thorough, and their attention to detail is the best I have seen. I would not hesitate in recommending Dynamic Technical Solutions to anyone looking for Microsoft professionals.
R.B. Information Technology Director, Colorado City Government – Town of Vail
CH2M Hill is a $5B IT and engineering firm based in Denver, Colorado. CH2M Hill has utilized DTS for complex IT management and support projects. During the time that DTS supported our efforts for one of our customers (a Fortune 500 company), their consultant exhibited significant technical competencies. Furthermore, our DTS consultant is a professional, receiving high marks from the customer for program management as well as communication skills.