Focus: Email Encryption and Digital Signatures

What is the purpose of email encryption?

Email encryption ensures that electronic messages can only be read by their intended recipients and thus remain confidential. This protection is especially important for sensitive data. The encryption process turns a readable email into ciphertext; combined with a digital signature, the message also carries a seal of authenticity.

Various cryptographic algorithms, both symmetric and asymmetric, are used to encrypt and decrypt emails. A cryptographic algorithm is considered secure when it is difficult to decrypt a message without the key, even when the algorithm being used is known. In practice, "difficult" means that the message cannot be decrypted within a reasonable timeframe.

What does a digital signature do?

A digital signature ensures that an email's content has not been modified (message integrity), and that it actually originated from the indicated sender (authenticity).

In the European Union, guidelines for the implementation of electronic signatures are defined by Directive 1999/93/EC.

What are certificates and keys?

Encryption certificates (public keys) are used to verify digital signatures and to encrypt data that only the holder of the corresponding private key can decrypt. Unlike private keys, public keys do not need to be protected from unauthorized access, and in fact should be made available to everyone.

Encryption certificates (public keys) are certified by a trusted third party. A public key and corresponding private key together create a "key pair."

The private key is used to digitally sign data and to decrypt data encrypted with the public key. Private keys must thus be carefully safeguarded by their owners.

A certificate contains:

  • A unique serial number
  • The unambiguous name of the owner (the subject)
  • The public key of the owner
  • Usage restrictions (key usage) and the validity period
  • The digital signature of the trusted third party (the issuer)

A common standard for certificates is X.509.

Encryption and digital signatures can be implemented together or independently within the enterprise.

What is the difference between symmetrical and asymmetrical encryption?

Symmetric encryption uses a shared secret key to secure each individual communications channel. The same key is used for both encryption and decryption, so every pair of communication partners needs its own secret.

Asymmetric encryption uses public and private keys (key pairs). Messages are encrypted with the receiver's public key. The receiver must then use his or her corresponding private key to decrypt the message. The major benefit of this approach is that the public key of each participant within the network must be made available only once for all to use.
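The three sections above (what a digital signature proves, the fields a certificate binds together, and how asymmetric encryption lets anyone encrypt for the holder of a private key) walked through in code. This is an added example, not code from the page or from iQ.Suite. It assumes a textbook RSA key pair built with the Python standard library (no padding, 512-bit modulus, so an educational model rather than something to deploy in place of GnuPG or OpenSSL), a JSON record standing in for X.509's ASN.1 encoding, and constructed sample values: the serial number 1001, the owner name alice@example.org, the fixed timestamp 1_700_000_000 and a sample message body.

```python
"""Key pairs, certificates and signatures as an educational model (added example,
not code from the page or from iQ.Suite). Assumed stand-ins: textbook RSA from the
standard library (no padding, 512-bit modulus) instead of GnuPG or OpenSSL, and a
JSON record instead of an X.509 certificate's ASN.1 encoding."""
import hashlib
import json
import secrets

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test; callers only pass odd candidates far above 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd and full length
        if _is_probable_prime(cand):
            return cand

def generate_key_pair(bits=512):
    """Returns (public_key, private_key); only the private half must stay secret."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # below any 512-bit modulus

def sign(private_key, data):
    """The private key signs the digest: proof of integrity and of origin."""
    n, d = private_key
    return pow(_digest(data), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data)

def encrypt_for(public_key, secret_int):
    """Anyone may encrypt with the public key; secret_int must be below the modulus."""
    return pow(secret_int, public_key[1], public_key[0])

def decrypt_with(private_key, ciphertext):
    return pow(ciphertext, private_key[1], private_key[0])

def issue_certificate(ca_private_key, serial, owner, owner_public_key,
                      usage, not_before, not_after):
    """The trusted third party signs the five fields a certificate carries."""
    body = {"serial": serial, "owner": owner, "public_key": list(owner_public_key),
            "usage": sorted(usage), "not_before": not_before, "not_after": not_after}
    return {**body, "ca_signature": sign(ca_private_key, json.dumps(body, sort_keys=True).encode())}

def validate_certificate(cert, ca_public_key, required_usage, now):
    """Issuer signature, validity window and key usage must all pass before trust."""
    body = {k: v for k, v in cert.items() if k != "ca_signature"}
    if not verify(ca_public_key, json.dumps(body, sort_keys=True).encode(), cert["ca_signature"]):
        return False, "issuer signature does not verify"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "outside validity period"
    if required_usage not in cert["usage"]:
        return False, "certificate not authorised for " + required_usage
    return True, "ok"

def demo(now=1_700_000_000):
    """Runs the lifecycle on constructed sample values; returns the check results."""
    ca_pub, ca_priv = generate_key_pair()
    alice_pub, alice_priv = generate_key_pair()
    rogue_pub, rogue_priv = generate_key_pair()   # self-appointed issuer nobody trusts
    window = (now - 86400, now + 365 * 86400)
    cert = issue_certificate(ca_priv, 1001, "alice@example.org", alice_pub,
                             {"digitalSignature", "keyEncipherment"}, *window)
    forged = issue_certificate(rogue_priv, 1001, "alice@example.org", rogue_pub,
                               {"digitalSignature"}, *window)
    message = b"Quarterly figures attached. -- Alice"   # constructed sample mail
    signature = sign(alice_priv, message)
    sender_key = tuple(cert["public_key"])   # the recipient takes the key from the certificate
    session_key = secrets.randbits(128)      # in a real mail this would protect the body
    check = lambda c, usage, t: validate_certificate(c, ca_pub, usage, t)[0]
    return {
        "cert_valid": check(cert, "digitalSignature", now),
        "forged_rejected": not check(forged, "digitalSignature", now),
        "expired_rejected": not check(cert, "digitalSignature", now + 400 * 86400),
        "usage_enforced": not check(cert, "nonRepudiation", now),
        "signature_ok": verify(sender_key, message, signature),
        "tamper_detected": not verify(sender_key, message + b" (approved)", signature),
        "session_key_recovered": decrypt_with(alice_priv, encrypt_for(sender_key, session_key)) == session_key,
    }
```

The order of checks in validate_certificate is the one a mail gateway has to follow before trusting a signature: the issuer's signature first (a self-issued certificate carrying the right owner name is otherwise indistinguishable from a genuine one), then the validity period, then whether the certificate is authorised for the operation at hand. The recipient takes the sender's public key only from a certificate that passed all three, and a single changed byte in the message makes the signature check fail.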

What is the best way to encrypt, decrypt and digitally sign incoming and outgoing email?

Encryption, decryption and digital signing should take place centrally on the mail server (iQ.Suite makes this possible) and in compliance with corporate guidelines. This allows businesses to check emails for viruses and other unwanted content before encryption/decryption and delivery. When client-based encryption solutions are used, running such checks centrally is not possible because incoming and outgoing emails are already encrypted by the time they reach the server.

With iQ.Suite, each outgoing email is first scanned for viruses and content and then archived before being encrypted and delivered. The process is slightly different for incoming emails: first decryption, then virus and content checks, and then archiving and delivery. In this way, all important security checks are made with minimal administrator effort before an outgoing email leaves the house or an incoming email reaches its recipient.

What are the benefits of server-sided encryption?

Implementing server-based encryption with iQ.Suite requires significantly less effort and is much more cost-effective than implementing traditional client-based encryption. Client-based encryption solutions require creation and management of a separate key for each user on each client machine. iQ.Suite's server-based approach completely eliminates this administration effort. It also eliminates the need to train users to use encryption functions correctly.

Another important benefit: client-based encryption can lead to serious compliance problems. For example, when an employee leaves the organization, that employee's encryption key becomes invalid, with the consequence that the entire body of the employee's email correspondence can no longer be accessed to resolve legal issues or meet the requirements of an audit. Server-based encryption requires only one key for each cryptographic algorithm used in the company, rather than one key for each user, so this problem cannot occur.

How can encrypted communication with external personnel be accomplished?

Even when server-based encryption is being used, communications partners are free to use either server-based or client-based encryption. Client-to-server or client-to-client encryption is necessary, for example, when communicating with freelancers or other external personnel. In this case, the only requirement is that both communication partners use the same encryption algorithm.

What role does encryption play within the context of Email Management?

From the time they enter the business to the time they are archived or deleted, emails go through numerous processing steps. One such step is the security check, which in addition to spam and virus checking includes encryption, decryption and digital signing. Additional steps in email management include email classification, compliance and archiving.

What are the most important considerations when implementing email encryption?

  • Security requirements of the organization (corporate guidelines)
  • Selection of encryption software. Detailed knowledge of the principles, mechanisms and functionality of the various encryption algorithms and of the encryption software currently available on the market is absolutely essential.
  • User-friendliness and user acceptability issues
  • Ability to be administered

How does iQ.Suite help when implementing email encryption?

iQ.Suite's server-based, automated encryption and decryption processes provide a reliable and robust implementation of encryption that complies with corporate guidelines. The selection of the encryption standard plays a less important role with iQ.Suite because all of today's standard ones (PGP, GnuPG and S/MIME, for example) are supported. Because encryption takes place on the server, users don't have to interact in any way with the encryption process, eliminating the possibility of user error. Administration effort is also minimal: the administration of keys and certificates is centralized on the server and is for the most part completely automated. Clients require neither installation nor administration of encryption software.

How are iQ.Suite Crypt and Trust used for encryption and digital signatures?

iQ.Suite's server-side encryption is provided by iQ.Suite Crypt. This module makes it possible to use any common cryptographic standard (PGP, GnuPG or S/MIME, for example) on its own or in parallel with the others. Which standard is to be used for which user can also be configured in iQ.Suite's rule-based framework. iQ.Suite Crypt eliminates the need to create a private key for each user, and the need to create and maintain an administration-intensive Public Key Infrastructure. Existing PKIs can, however, be easily connected to iQ.Suite. And when special high-security communication requirements exist, between specific departments for example, it is also possible to use individual encryption keys.

iQ.Suite Crypt provides centralized, server-based email security that requires no end-user interaction. The large investment required to create and maintain an encryption key infrastructure is eliminated, as is the need to distribute software and educate users. A combined solution providing integrated encryption, spam and virus protection ensures secure and integrated email business processes that increase worker productivity.
