End-to-end Encryption for Email and Shared Documents

On April 24, 2020, a little more than a month after the U.S. started shuttering businesses and urging citizens to stay at home whenever possible, the National Security Agency (NSA) issued official guidance for securing collaboration services during the COVID-19 pandemic. While written for U.S. Government employees and military service members working remotely during office shutdowns, the guidance is largely applicable to any business. During this unsettling time, office parks are empty while home offices, dining tables, and living room sofas are full with employees doing their daily work.

Though remote work in 2020 is hardly uncommon, before the stay-at-home rules were in place, most businesses could count on 20-30% of their employees working remotely at a time, not 100%. Further, the current work-from-home situation and its instant implementation means that additional employees may be using personal devices more often, and those devices may be accessible to similarly quarantined family and/or friends. Last but not least, the physical separation created by this crisis has meant that companies suddenly needed tools that allowed employees, customers, and partners to communicate and collaborate productively from afar.

Usher in greater use of video conferencing and document/file collaboration tools. Though many vendors already had enterprise editions of their products on the market, no one was prepared for the explosive uptick in use. Several companies made their offerings freely or inexpensively available, and panicked businesses, academic institutions, healthcare organizations, and more availed themselves of the technology. In doing so, cyber security mistakes were made or revealed, leading to concern about privacy and risk.

In the wake of a few very public security disasters, the NSA codified security guidance for use of collaboration tools into a 3-page document outlining how to select and use a secure collaboration service.

The NSA document lists nine security criteria to consider when choosing a service:

  1. Does the service implement end-to-end encryption?
  2. Are strong, well-known, testable encryption standards used?
  3. Is multi-factor authentication (MFA) used to validate users’ identities?
  4. Can users see and control who connects to collaboration sessions?
  5. Does the service privacy policy allow the vendor to share data with third parties or affiliates?
  6. Do users have the ability to securely delete data from the service and its repositories as needed?
  7. Has the collaboration service’s source code been shared publicly (e.g. open source)?
  8. Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?
  9. Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize USG official use?

The last point is inapplicable to any firm outside the government or military, and the eighth could go either way, but the first seven should be considered security essentials when choosing, implementing, and using collaboration technology, pandemic aside.

Collaboration controls

Anyone reading this article likely knows that cyber attacks and data breaches are on the rise. The reasons for the rise are myriad but grounded in digital transformation (which feels like an outdated term, given the current state of most organizations’ ubiquitous use of digitization) and the preponderance of data shuttled back and forth across systems every day. Every company deals in sensitive data, and we employees are busier than ever, constantly looking for ways to do our jobs more efficiently and effectively...and sometimes that means shortcuts when more secure alternatives aren’t available: Storing sensitive documents in insecure places. Accidentally using our personal email address for work-related activities. Setting a short, easily guessed password for a device or service we use often. These actions aren't uncommon across the workforce.

Problems arise when security controls aren’t in place to keep data from being accessed by unauthorized parties or inadvertently leaked. This is why encryption and multi-factor authentication should be used whenever possible, why policies and procedures for evaluating security (e.g., the ability to see who is accessing systems, files, and data; secure data destruction; auditability) are critical for mitigating cyber risk, and why the NSA’s guidance is relevant at any time.

Simplicity is key

The first two criteria in the NSA guidance were the topic of conversation during a recent briefing with PreVeil, an end-to-end encryption provider founded by a UC Berkeley security professor and two serial entrepreneurs. PreVeil’s email and file security platforms were built for simplicity plus the security requirements of the Cybersecurity Maturity Model Certification (CMMC). Why these two principles? Because, said Co-founder and Chairman Sanjeev Verma, “if it’s not easy, companies won’t use it, and if it’s not aligned with CMMC, no one in the Defense Industrial Base can use it. We wanted to build something to the highest security standards, not something that would sound great but didn’t deliver. I’d rather PreVeil fail than provide security theater.”

We’re pretty sure they won’t fail.

For one thing, encryption isn’t a new concept, and its use has been increasing over time. According to a recent encryption trends study by the Ponemon Institute, though, only 45% of respondents say their organization has encryption deployed consistently. The reasons cited in the study are consistent with other industry studies and with what we hear from TAG Cyber’s enterprise clients: Companies struggle to know what data they have, where it resides, and its level of sensitivity; and encryption technology can be costly and arduous to deploy across the entire organization.

Despite these statistics, the outcry within the security community upon learning Zoom wasn't using end-to-end encryption made walls shatter.

If end-to-end encryption is the gold standard, enterprise adoption should be higher. Yet it isn’t, because implementation isn’t easy enough. This is the problem PreVeil solves with its email and drive solutions.

Cloud-based, easy installation

PreVeil Email is a cloud-based service that is compatible with Outlook, Gmail, and Apple Mail, and is also available in the browser and on mobile devices. After a simple installation, the software creates a new set of mailboxes for encrypted communications. When a user wants to send an encrypted message, they simply type in the recipient’s email address. If the recipient does not have PreVeil installed (or if that isn’t known), a message appears letting the sender know the status. The sender can then send a message which requires the recipient to install PreVeil, which can be done in a click or through an app store download.

I asked Verma what happens if the recipient is suspicious, isn’t familiar with PreVeil, and won’t click a link or download software from a company they haven’t thoroughly researched, a.k.a., a security practitioner. “If that happens, the user cannot communicate in an encrypted fashion and should not send sensitive materials,” he said. Fair enough, but the user can always use their regular mailbox, which is a workaround.

After implementation, PreVeil adds an encrypted mailbox to the existing provider account using the user’s existing email address. The user can then send and receive encrypted emails just like regular email, only now the emails are encrypted end-to-end. This means they are encrypted on the sender’s device, remain encrypted through transmission and storage, and are only decrypted on the recipient’s device. Messages are stored on PreVeil’s AWS cloud servers and cannot be decrypted by anyone, not even PreVeil.

PreVeil doesn’t use passwords for account access. Instead, cryptographic keys are automatically created when the account is established. These keys are stored on the user’s device and enable a user to access their account without having to remember passwords. Unlike passwords, though, attackers cannot guess keys or remotely log into the user’s account.
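To make the two points above concrete (messages encrypted on the sender’s device and decrypted only on the recipient’s, so the service stores ciphertext it cannot read, and a device-held key in place of a password), here is an added toy model in Go. It is not PreVeil’s code or protocol; X25519 key agreement, AES-256-GCM, and a SHA-256 key derivation are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// must panics on unrecoverable device-side failures (e.g. entropy exhaustion).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// Device is one enrolled endpoint: its X25519 private key is created at enrollment, never
// leaves the device, and replaces a password; only Public() is ever shared with the service.
type Device struct{ priv *ecdh.PrivateKey }
func NewDevice() *Device { return &Device{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }
func (d *Device) Public() *ecdh.PublicKey { return d.priv.PublicKey() }
// Envelope is everything the server stores and relays; nothing in it can decrypt the message.
type Envelope struct{ EphemeralPub, Nonce, Ciphertext []byte }
// aeadFor turns an X25519 shared secret into an AES-256-GCM key (SHA-256 stands in for HKDF).
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}
// Seal runs on the sender's device; only the holder of recipientPub's private key can rederive the secret.
func Seal(recipientPub *ecdh.PublicKey, plaintext []byte) Envelope {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	gcm := aeadFor(must(eph.ECDH(recipientPub)))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	ephPub := eph.PublicKey().Bytes() // bound as AAD so a relay cannot swap it
	return Envelope{ephPub, nonce, gcm.Seal(nil, nonce, plaintext, ephPub)}
}
// Open runs on the recipient's device; any other device derives a different key and the GCM tag check fails.
func (d *Device) Open(env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := d.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return aeadFor(shared).Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}
```

The server in this model holds only Envelope values and public keys, so there is no key it could lose or be compelled to hand over; the constructed message below shows a non-addressee device and a tampered envelope both failing to decrypt.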

PreVeil Drive works in a similar fashion; once the software is installed, end-to-end encrypted file sharing and storage is accessible for all authorized users, from any of their devices. The administrative console allows admins to create, modify, and delete users and groups and to set up access control, device management, and recovery policies. All activity is logged and easily auditable. PreVeil also allows admins to control access to files and folders at a device level. For instance, if a user’s device has been lost or stolen, an admin can block or remove the device in a few clicks.

Will buy-in prevail?

With PreVeil, end-to-end encryption and data control seems very easy—no more messing with VPNs or remote desktops. The challenge here is buy-in. Every security practitioner knows end-to-end encryption is the gold standard. Actual organization-wide implementation is slower. With technologies like PreVeil, many obstacles are eliminated, but it might be just as easy for organizations using Microsoft to turn on O365 encryption, even if it isn’t end-to-end. However, PreVeil is cross-platform, which makes it attractive to non-Microsoft users.

Although we didn’t have the time to discuss other considerations like infected endpoints, Verma admits that while PreVeil is end-to-end encryption for email and collaboration tools, it’s not intended to be end-to-end security. The problems they’re trying to solve are unauthorized data access and overexposure of sensitive data via email and file sharing. Given how easy PreVeil is to use, their dedicated offerings are sure to move adoption of encryption in the right direction.