
MS intros message encryption

Office 365 Message Encryption will enable users to send automatically encrypted e-mail to recipients outside of their own organisations.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 26 Nov 2013
Has MS found the solution to make e-mail encryption easy and ubiquitous?

In a move aimed at reducing e-mail privacy concerns, Microsoft will debut message encryption for Office 365 early next year.

Office 365 Message Encryption will enable users to send automatically encrypted e-mails to recipients outside of their own organisations, irrespective of their destination. Replies and forwards of the original e-mail will be automatically encrypted too.

"No matter what the destination - Outlook.com, Yahoo, Gmail, Exchange Server, Lotus Notes, GroupWise, Squirrel Mail, you name it - you can send sensitive business communications with an additional level of protection against unauthorised access," Shobhit Sahay, product marketing manager for the MS Exchange team, said on the company's blog.

According to Uriel Rootshtain, business lead for the Office division at Microsoft SA, there are many scenarios where this functionality could be leveraged - basically any time a company is sending private or sensitive information by e-mail to its customers or partners.

"Today, there are many businesses in SA that e-mail private or sensitive information without taking any precautions to protect the data, thereby leaving their customers' information vulnerable to theft and abuse," he explains.

"This is especially true for small businesses, many of which are using consumer e-mail platforms or e-mail services with basic inherent security features. By leveraging the economies of scale made possible by our cloud solutions, we are able to offer this capability to qualifying Office 365 and Azure customers at no additional cost, thereby making a secure messaging solution more accessible and more affordable."

An issue of identity

Cryptography expert Ian Farquhar says one of the most difficult areas in computer security is the issue of authenticity. "Is something what it claims to be?"

He says it becomes an issue of identity. "This is an area a lot of people don't think about: who vouches for your identity? In the offline world, we have traditionally left this to government, which has issued us instruments like passports and driver's licences. We also trust third parties, like banks, to issue other instruments, which others may accept as evidence of identity, such as credit cards or banking cards."

In the digital world, we have identity providers, Farquhar explains. "In fact, we have an awful lot of them. The original PKI certificate authorities tried with personal e-mail encryption certificates. There was Liberty Alliance (2001-2009), Microsoft Passport (and various names since), OpenID, Mozilla Persona (2011) and many others. There is also SAML - the standard Security Assertion Markup Language - for transferring identities between identity providers and service providers."

However, he says by far the most successful identity providers have been social media companies - Microsoft, Facebook, Twitter, LinkedIn, Google and others - all of which now provide identity services.

"But an assertion of identity requires identity assurance, and the reality is that all of these schemes depend on the level of identity assurance. The social media providers have very little identity assurance, because they don't need it. Some (notably Google) have been attempting to increase it slightly with two-factor authentication schemes using phones as a second factor, but that's really about theft of the identity, not mapping it to an individual."

Taking a short cut

For Farquhar, an excellent, highly-workable and interoperable e-mail encryption scheme is already available - S/MIME. "It already works in most major mail clients, and I myself used it for years. So why aren't people using it?"

Again, he says it's about identity. "For it to work, you have to obtain a Secure/Multipurpose Internet Mail Extensions or public key infrastructure certificate. Even finding a major provider to sell one to you these days is a major exercise - Digicert, Thawte and Verisign don't do it any longer. Free ones are available, but they actually just assign a cert to an e-mail address, which is no better than the social media companies."

Higher levels of validation - where they check that you are who you say you are - cost money and are difficult to obtain, because they require the production and verification of other pieces of identity evidence. "I've done it a few times, but few people bother," he says.
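To make Farquhar's point concrete, the following added example (not code from the article or from Microsoft) builds a self-signed S/MIME-style certificate that asserts only an rfc822Name address, then shows the check a mail client can actually perform on it: that the From address matches the certificate, and nothing more. The `assuranceLevel` classification (organisation present in the subject or not) is an assumption of this example, not a standard.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeCert builds a self-signed certificate (constructed for this example) in the
// shape of an e-mail-validated S/MIME cert: the only identity it binds is the
// rfc822Name SAN. An org name is added only when a validator vouched for one.
func makeCert(email, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// senderMatchesCert is the binding a mail client verifies on a signed message:
// the From address must appear among the certificate's rfc822Name SANs.
func senderMatchesCert(cert *x509.Certificate, from string) bool {
	for _, e := range cert.EmailAddresses {
		if strings.EqualFold(e, from) {
			return true
		}
	}
	return false
}

// assuranceLevel (heuristic assumed for this example) reports whether the cert
// vouches for anything beyond control of the mailbox at issuance time.
func assuranceLevel(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) > 0 {
		return "organisation-validated"
	}
	return "e-mail-address-only"
}

func main() {
	c, _ := makeCert("alice@example.com", "")
	fmt.Println(senderMatchesCert(c, "alice@example.com"), assuranceLevel(c))
}
```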

"What Microsoft is doing here is to leverage its Office 365 ID to identify people," he explains. "But they're taking a shortcut. By tying it to corporate purchases of Office 365, or to individual subscriptions backed by some purchase, such as a credit card, they are leveraging someone else's identity assurance activities. A company assigns e-mail addresses and presumably has done some identity verification: Microsoft is leveraging off that."

He says this is both clever and reasonable, but questions whether it will work. "Never say never, but I'm dubious. Messages seem to be sent as an embedded ZIP file, although they claim that the 'attachment opens in a new browser window', which then requires you to authenticate against an Office 365 ID. I am sure Microsoft would love to be the identity provider for the entire planet, but I'm dubious that this would ever be the case. Without an Office 365 ID, you can't send someone encrypted e-mail."

Farquhar believes Microsoft will have some success in certain markets, especially in verticals with strong compliance requirements, such as healthcare. "But have they found the solution to make e-mail encryption easy and ubiquitous? No."
