

Encryption methods to prevent email eavesdropping


Brien Posey
05.03.2005




In the first of this two-part series, below, Brien Posey explains when to use digital certificates and digital signing to keep your email from being viewed by third-party eyes. In part two, he'll explain how to configure email encryption in Microsoft Outlook.

For many people, email has become as commonly used a communications tool as the telephone. This being the case, we quickly forget that email is anything but secure. An entire message between you and your recipient can easily be viewed by someone using a protocol analyzer to capture and reassemble packets as they flow across the wire. If you are just sending someone a joke or maybe a party invitation, this probably isn't a big deal. If you are sending sensitive information, you should probably encrypt your message.

Sensitive messages

The definition of a sensitive message differs from person to person. In my opinion, if you wouldn't want a copy of the message posted for anyone in the world to see, then you should treat the message as sensitive. It might contain technical information related to your computer system (which could be used to hack into the system), information about your identity or finances or anything personal or potentially embarrassing.

Email encryption methods

If you decide you do want to encrypt your email messages, the next step is to figure out how. Third-party products can be used to encrypt email messages, but if you're using Microsoft Outlook, you've got almost everything you need.

Before you can encrypt messages through Outlook, you will need a digital certificate, which is basically the key for an algorithm used to encrypt email messages and their attachments. Such a certificate can also be used to create a digital signature, which signs a message electronically to tell the recipient that the message really is from you and not from an imposter. The signature also guarantees that the message has not been altered in transit.

Digitally signing messages might not seem important at first, but digital signatures can protect you against fraud. For example, someone once had a real hoot impersonating my email address and sent a few nasty letters to one of my editors. Since I wasn't in the habit of signing my messages, I had no way of proving the messages were fraudulent. Fortunately, my editor knew my writing style well enough to recognize that I didn't write the message. Had the message gone to someone else, things could have ended much differently.
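The difference between signing and encrypting, as an added example that is not part of the original article: it uses the OpenSSL command line to produce the same kind of S/MIME messages, and shows that a signature exposes tampering while only encryption hides the body. The identity alice@example.test, the message text, the file names and the self-signed certificate are all assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example. The identity alice@example.test, the message text and all
# file names are constructed for this demo; the certificate is self-signed.
WORK=$(mktemp -d)
CERT="$WORK/cert.pem"; KEY="$WORK/key.pem"

make_cert() {   # throwaway certificate and private key, valid for one day
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -keyout "$KEY" -out "$CERT" 2>/dev/null
}

sign_msg() {    # $1 plaintext in, $2 clear-signed S/MIME message out
  openssl smime -sign -text -in "$1" -signer "$CERT" -inkey "$KEY" -out "$2" 2>/dev/null
}

verify_msg() {  # succeeds only if the body matches the signature and the
                # signer's certificate chains to the trusted certificate
  openssl smime -verify -in "$1" -CAfile "$CERT" -out /dev/null 2>/dev/null
}

encrypt_msg() { # $1 plaintext in, $2 S/MIME envelope out, for the cert's owner
  openssl smime -encrypt -aes256 -in "$1" -out "$2" "$CERT" 2>/dev/null
}

decrypt_msg() { # needs the recipient's private key; prints the plaintext
  openssl smime -decrypt -in "$1" -recip "$CERT" -inkey "$KEY" 2>/dev/null
}

readable() {    # can someone holding only the file read the amount?
  grep -q 'total: 1000 USD' "$1"
}

demo() {
  make_cert || return 1
  printf 'Invoice total: 1000 USD\n' > "$WORK/msg.txt"
  sign_msg "$WORK/msg.txt" "$WORK/signed.eml"
  # Simulate alteration in transit: change the amount in the signed message.
  sed 's/total: 1000/total: 9000/' "$WORK/signed.eml" > "$WORK/tampered.eml"
  encrypt_msg "$WORK/msg.txt" "$WORK/enc.eml"
  verify_msg "$WORK/signed.eml"   && echo "signed:    signature valid"
  verify_msg "$WORK/tampered.eml" || echo "tampered:  signature rejected"
  readable "$WORK/signed.eml"     && echo "signed:    body still readable on the wire"
  readable "$WORK/enc.eml"        || echo "encrypted: body not readable without the key"
}
demo
```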

So where do you get a certificate? There are several companies that provide digital certificates. My personal preference is VeriSign, which offers a Class 1 digital certificate for about $20 per year. Large companies can save a significant amount of money by deploying their own certificate authority. Windows Server 2003 can function as a certificate authority without requiring you to purchase any additional software.

HEADS UP: If you do decide to deploy your own certificate authority, you must aggressively protect the server against all threats. If someone were to compromise your certificate server, he could pretty much own your network. Furthermore, losing the certificate store on that server due to hardware failure or natural disaster could be devastating to your network.

Stay tuned for part two on how to configure email encryption in Microsoft Outlook.

About the author: Brien Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

