
How to build the best email encryption policy

Admins run the risk of trouble whenever users are in control of encryption, so your safest bet is to avoid that risk altogether.

Encryption is an old-school security control that can lock down Exchange Server, but an email encryption policy is difficult to implement, especially in larger environments. Exchange's Transport Layer Security (TLS) support encrypts messages in transit between servers, but it isn't all-encompassing: given the number of personal email and cloud file-sharing options available, it's nearly impossible to ensure every message is secure.

Email encryption is a security control that IT and security professionals often take for granted. Most end users are oblivious to whether their messages are being encrypted; many don't even know what encryption means.

Most organizations have an email encryption policy in place, but many don't even follow their own policies. For example, far too many users are told to encrypt email messages before sending them -- without being told how to actually do so.

I believe IT and security teams should set end users up for success by using technology behind the scenes to get users out of the equation. You just can't rely on users to ensure their email messages are secure.

Even with the best email encryption policy and training, you expose your business, users and yourself to trouble when you put users in the driver's seat. All it takes is one unencrypted email containing personally identifiable information or intellectual property passing through your Exchange system to stir things up. Your business might not just fall out of compliance with regulations or safe harbor rules; it could expose sensitive information that shouldn't have left the building unprotected in the first place.

Tools and tricks to lower your security risk

You can't claim you've encrypted your messaging platform until you've implemented all the necessary tools and validated that they work as intended. Ensure that Exchange is using Transport Layer Security (TLS) to minimize business risk. Then combine TLS with a third-party email content filtering tool or a cloud file-sharing tool that is applied automatically to all email and attachments containing sensitive information -- or, better yet, to all messages.
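The validation and enforcement steps above, as an added example written for this page rather than taken from the article or from Microsoft: Exchange Management Shell commands that first list the connectors where TLS is optional, check that a real certificate is bound to the SMTP service, then require TLS on a partner connector and add a transport rule that protects sensitive outbound mail without the user doing anything. The connector name, partner domain and rule name are assumptions; the cmdlets and parameters are standard Exchange Server ones.

```powershell
# Added example (not from the article): audit TLS on Exchange Server connectors from the
# Exchange Management Shell, then enforce it where a gap is found. Connector, domain and
# rule names below are assumptions; substitute your own.

# 1. Which send connectors will fall back to clear text if the remote server offers no TLS?
Get-SendConnector |
    Select-Object Name, AddressSpaces, RequireTLS, TlsAuthLevel, TlsDomain, DomainSecureEnabled |
    Where-Object { -not $_.RequireTLS } |
    Format-Table -AutoSize

# 2. Which receive connectors accept inbound sessions that never upgrade to TLS?
Get-ReceiveConnector |
    Select-Object Name, Bindings, AuthMechanism, RequireTLS |
    Where-Object { -not $_.RequireTLS } |
    Format-Table -AutoSize

# 3. Confirm a valid certificate is actually assigned to the SMTP service. Without one,
#    STARTTLS is offered with a self-signed certificate that strict partners will reject,
#    which is exactly the condition an optional-TLS connector silently works around.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Select-Object Thumbprint, Subject, NotAfter, Services

# 4. Require TLS on the connector that carries mail to a specific partner (assumed names).
#    DomainValidation also checks the name in the partner's certificate, so a session to an
#    impostor with any valid certificate fails instead of being encrypted to the wrong party.
Set-SendConnector -Identity 'To Partner - example.net' `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain 'mail.example.net'

# 5. Take the user out of the loop: protect outbound messages that carry a U.S. SSN with an
#    IRM template, regardless of whether the sender remembered to encrypt. Requires IRM
#    (AD RMS) to be configured for the organization; the rule name is an assumption.
New-TransportRule -Name 'Auto-protect SSN to external recipients' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = 'U.S. Social Security Number (SSN)' } `
    -ApplyRightsProtectionTemplate 'Do Not Forward'
```

Two caveats worth knowing before running step 4 and step 5 in production: with `-RequireTLS $true`, mail to that address space queues rather than being delivered if TLS cannot be negotiated, so confirm the partner's server really offers STARTTLS first; and the transport rule only fires on the data classifications it is given, so treat the SSN pattern as a starting point and extend the rule to the data types your policy actually names.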

But Exchange admins need to go beyond the technology. Inform end users if and where email encryption is taking place. Setting proper expectations is half the battle.

Monitor the network for insecure email usage with a network analyzer. It's virtually guaranteed that someone or some system is sending or receiving email containing sensitive information over unencrypted protocols such as POP3, SMTP or webmail via HTTP.
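The monitoring step above, as an added example that is not part of the original article: a PowerShell function that reads exported flow or firewall log lines and flags connections to clear-text mail and webmail ports. The log lines are constructed for this example and use documentation IP ranges; the column layout (timestamp, source, destination, destination port, bytes) is an assumption about the analyzer's export format, so adjust the field indices to match your own tool.

```powershell
# Added example: flag clear-text mail traffic in exported flow/firewall log lines.
# The sample lines below are constructed for this example (not real traffic) in an
# assumed "timestamp source destination dport bytes" format.
$sampleFlows = @'
2024-01-15T08:01:12Z 10.20.5.31  203.0.113.10  110  4820
2024-01-15T08:01:15Z 10.20.5.44  198.51.100.7  995  9100
2024-01-15T08:02:03Z 10.20.7.12  192.0.2.25    25   1320
2024-01-15T08:02:40Z 10.20.5.31  203.0.113.80  80   77210
2024-01-15T08:03:05Z 10.20.9.8   198.51.100.7  443  52000
2024-01-15T08:03:19Z 10.20.5.50  203.0.113.10  143  2210
'@

# Destination ports that carry mail or webmail in the clear. Port 25 is kept separate:
# an SMTP session on 25 can still upgrade with STARTTLS, so a flow record alone cannot
# prove it was clear text. Those hits are marked "Verify" and the receive/send connector
# protocol logs (which record the STARTTLS command) settle the question.
$clearTextPorts = @{ 110 = 'POP3 (clear text)'; 143 = 'IMAP (clear text)'; 80 = 'HTTP webmail (clear text)' }
$verifyPorts    = @{ 25  = 'SMTP (verify STARTTLS in connector protocol log)' }

function Find-ClearTextMailFlows {
    param([Parameter(Mandatory)][string]$FlowLog)

    $findings = foreach ($line in ($FlowLog -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f    = $line -split '\s+'
        $port = [int]$f[3]
        $isClear  = $clearTextPorts.ContainsKey($port)
        $isVerify = $verifyPorts.ContainsKey($port)
        if (-not ($isClear -or $isVerify)) { continue }

        [pscustomobject]@{
            Time     = $f[0]
            Source   = $f[1]
            Dest     = $f[2]
            Port     = $port
            Severity = if ($isClear) { 'High' } else { 'Verify' }
            Finding  = if ($isClear) { $clearTextPorts[$port] } else { $verifyPorts[$port] }
        }
    }
    $findings
}

# On the constructed sample this reports the POP3, IMAP and HTTP flows as High and the
# port-25 flow as Verify; the POP3S (995) and HTTPS (443) flows are not reported.
Find-ClearTextMailFlows -FlowLog $sampleFlows |
    Sort-Object Severity, Source |
    Format-Table -AutoSize
```

The point of the "Verify" tier is to avoid both false alarms and false comfort: port 25 is not evidence of a problem by itself, but a source address that shows up there and never appears in the connector protocol log issuing STARTTLS is a device or script that belongs on the remediation list. Feed the function a real export from a port mirror or firewall and group the output by source to find the systems, not just the sessions.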

About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.
