THE DANISH DATA PROTECTION AGENCY’S NEW REQUIREMENTS FOR SECURE E-MAIL COMMUNICATION (IS ENCRYPTION MANDATORY?)
Listen to how you make compliance with GDPR when you send e-mails that contain personal information – and how you take it a step further and think actual IT security in relation to e-mails.
You could easily be led to believe that the Danish Data Protection Agency makes a new non-negotiable requirement for encryption of e-mails if you read the press release, Stricter practice in relation to encrypted e-mails issued by the authority on 23 July 2018.
That is, however, not the case.
The approach by GDPR and the Danish Data Protection Agency to safeguard personal data is risk-based. It means that the higher the risk that personal data falls into the wrong hands and the larger the adverse effect it may cause, the better you will have to safeguard your data.
Encryption is a possible security measure, but ...
- It all depends on your infrastructure and the individual categories of data you must secure, as one of the technicians of the Danish Data Protection Agency told us.
MAKE A RISK ASSESSMENT
However, the Danish Data Protection Agency has a deadline for compliance with GDPR in the field of e-mails. On 1 January 2019 businesses must have secured personal data which is distributed both internally and externally through e-mails.
But how do you become compliant when security depends on infrastructure? How does precisely your business avoid that the Danish Data Protection Agency comes for you with fines?
Well, in this respect the Danish Data Protection Agency could have worded their commandments a bit clearer. In its information material and statements to the press, there is, however, the outline of a procedure.
The first thing you have to do is to make a risk assessment. That is mandatory. Everybody who distributes personal data through e-mail, must make it.
It consists of...
- A mapping of all the risks that the processing (of personal data, editors) entails and a categorisation (scoring, likelihood and severity) thereof.
... And then ...
- An assessment of what constitute adequate technical and organisational measures to ensure that the regulation is complied with and this can be documented.
Some businesses also have to make an impact assessment. Both assessments will shed light on how the infrastructure of the business is designed, which personal data that the business sends and how it should be protected.
ENCRYPTION APPLIES TO CONFIDENTIAL AND SENSITIVE PERSONAL DATA (IN CONTRAST TO ORDANARY PERSONAL DATA)
Personal data is not just personal data. They come in three different categories that should be safeguarded at different levels.
When the Danish Data Protection Agency speaks about encryption, this typically applies to the so-called confidential and sensitive personal data. You will see which data that is in the chart below:
ENCRYPTION DURING TRANSMISSION COULD MEAN FORCED TLS (ATTENTION: WE ARE BECOMING A BIT TECHNICAL)
Encryption is also a broad term. The Danish Data Protection Agency talks about encryption during transmission (or submission), which i.a. is different from “encryption at rest” or what is also called End to End Encryption. TRUSTZONE delivers the latter through the so-called PersonalSign S/MIME certificates.
If we are going to express it in technical terms, the most widespread type of encryption during transmission is what is called Forced TLS (Transport Layered Security).
These days, most mail servers support TLS. That applies to e.g. Gmail, Outlook and Hotmail.
If both parties support the technology, TLS will encrypt your e-mail on its way from the sender to the recipient. That is, during the transmission.
That takes place in the same way as a connection is encrypted between a browser and a https-secured website server.
TLS creates a kind of tunnel between the sender and the recipient. A third party cannot, e.g. through malware - capture, read and involve in the communication. The contents, i.e. e-mails sent forth and back through the tunnel, are not encrypted, but the communications channel through which the contents passes, is. That way, third parties are prevented from looking through the walls of the tunnel and gaining access to the contents.
However, it is a problem that the standard TLS setting on chiefly all mail servers is only “opportunistic TLS”.
This means that the sender’s server prefers TLS during transmission (but makes no requirement to that effect).
If the recipient’s mail server does not support TLS, the e-mail will nonetheless be sent to the recipient’s server, which in this case is typically an unencrypted POP3 or SMTP server. Thus, the communication can be captured, manipulated or otherwise compromised relatively easy.
The same applies on the way in the transmission. In some scenarios, a hacker can arrange that TLS server stations are missing en route, and if there are no alternatives, the sender’s mail server will use an unencrypted server as an intermediary station. Here, the communication can again be captured and compromised.
However, the problem can be avoided by using the setting “Forced TLS”. With this setting, the mail server requires that the recipient’s server and stations in transit all use TLS. If there are servers en route that do not support TLS, the sender gets a message that the e-mail cannot be sent to the said address.
This setting, this type of encryption will “normally (... ) be a suitable security measure - to both public and private players (... ) in the transmission of confidential and sensitive personal data by e-mail through the internet.”
This is the way we must interpret the message from the Danish Data Protection Agency.
According to an article in Version2, the Danish Data Protection Agency further recommends that as a minimum it is the second-most recent TLS 1.2 with the AES standard that the businesses should use for encryption during transmission.
FORCED TLS POSES CIRTAIN PROBLEMS
There are reasons why Forced TLS is not simply set as a new default setting on marked leading mail servers supporting TLS (Gmail, Outlook, Apple mail etc.).
According to IT security expert Hanno Böck there are several major issues at play:
One obvious problem is that the setting prohibits mail servers from talking to other servers not supporting TLS.
- Actually, a German mail host began offering such an option, but explicitly warns that it might stop mails from being delivered. Notably, the second largest political party in Germany opposed STARTTLS.
- But there's a subtler problem, Hanno Böck continues … and that's the certificate issue. I briefly mentioned it in this article on trustzone.com (i.e. many mail servers don't have valid certificates. Add to it that mail servers in general don’t consistently check certificate validity). … Even if certificates were successfully validated, there would still be other issues. Here's some background, the german security expert writes us in a mail.
FORCED TLS IS NOT ALWAYS SECURE ENOUGH
But how certain are you then as being compliant with GDPR in this area?
Well, if it turns out that a hacker would somehow gain access to your e-mail account, then encryption during transmission would not prevent the hacker from reading, changing or cheating persons by sending e-mails in your name. In such case, Forced TLS will neither curb breaches of the confidentiality, integrity or authenticity of data.
The hacker could gain access by guessing or finding out your or the recipient’s password. In half open and easily accessible office environments, hackers would fairly easily be able to steal personal data while the responsible employees were absent.
Have a look at e.g. the small offices along the corridors of the Denmark’s hospitals. Here, security should perhaps be increased to protect the patient files which contain very sensitive data.
It is with such contemplations at the back of the mind that IT experts and specialists apparently think that the Danish Data Protection Agency sets the bar low by its focus on encryption during transmission. Forced TLS creates a good basis, the point is, but it rarely becomes an adequate solution in itself.
COULD TRUSTZONE BE OF HELP?
How could we at TRUSTZONE help with our products and expertise?
Well, there are certain advantages in our PersonalSign S/MIME certificates from which you can benefit as a customer. In combination with Forced TLS, you become more than compliant almost irrespective of your infrastructure. At the same time, PersonalSign is a solution that is easy to use every day.
More secure external e-mail communication
You can use the S/MIME technology of the PersonalSign certificates to encrypt the contents of your e-mails and not only the communications channel (the tunnel) between the sender and the recipient.
But we cannot use PersonalSign to encrypt the contents of e-mails which e.g. are sent to private individuals. Encryption and decryption (of contents, mind you) require that both the sender and recipient have an S/MIME certificate installed on their devices. We cannot expect that from the general private individual or our B2B contacts for that matter.
In the external communication, a PersonalSign certificate can nevertheless contribute by a digital e-mail signature. The recipient can easily see that without a certificate on its device.
With a digital signature you confirm your identity as a sender of the e-mail, and you confirm that the contents of the e-mail have not been changed during the transmission. If the contents had been changed, the recipient will not be able to see the signature.
With S/MIME you thus confirm authenticity and the integrity of data to external parties. The certificate contributes to an extra security layer in relation to Forced TLS. In addition to man-in-the-middle attacks (MITM), it protects against phishing and spear-phishing in the external communication.
As regards external communication, a PersonalSign certificate will provide the following additional value in addition to Forced TLS:
- Digital signature, i.e. safeguarding of the integrity of data and the authentication of the sender.
- Protection against phishing, spear-phishing, MITM attacks, malware etc.
Internal communication of confidential and sensitive personal data
Often, there is a tendency to e-mail personal data internally than externally out of the organisation. Here PersonalSign can contribute with the possibility of true “End to End Encryption”.
When you encrypt an e-mail via PersonalSign, others simply cannot read it unless they have access to the recipient’s e-mail account and in addition to the recipient’s private encryption key. PersonalSign thus delivers the most secure type of e-mail encryption that exists.
A Digital Signature will also prevent internal phishing and spear-phishing such as SEO fraud.
In short, PersonalSign can add the following increased value in relation to securing data in the inhouse communication:
- Digital signature, i.e. safeguarding of the integrity of data and the authentication of the sender.
- End to End Encryption, i.e. the confidentiality of data, including protection against malware, MITM attacks, phishing and spear-phishing.
We do agree at it is not always easy to assess the risks that you run as a business or an organisation, and thus find the right security measures for precisely your activities.
TRUSTZONE is, however, ready to help you. You are always welcome to call one of our experts on +45 88 33 10 00.
Published September 3, 2018