CISO FYI 2011021001

Security through Encryption Overview: As many companies begin migrating their internally hosted email to cloud providers such as Google, several items come to mind that need to be discussed to ensure your corporate privacy and security are maintained. There are plenty of crossover implications for personal privacy and security as well.

Encryption technology is at the top of my list today.

Encryption is the process of encoding information so that it cannot be read by others unless they have the key. Encryption is normally used to protect highly sensitive documents, but it’s also a good way to keep other people out of your personal files.

As more information accumulates in your email client, the more attractive your email store becomes to anyone hunting for specific information in it. If I wanted to break into your online or domain accounts, or if I wanted the recipe to the company’s secret sauce, my first target would probably be the email system. How many times have you established an account with a company and they emailed you the username and password in clear text? How many times have you passed messages around to your co-workers that contained access credentials for customer sites or other online services? How many times do you reuse the same password for many of your other accounts, like banking? Email traffic is easy to intercept. Email is one of the largest conduits criminals use to phish you, fool you into taking the bait, and take advantage of you.

Bottom line, if you store sensitive, personal, secret, or some form of mission critical information electronically on your local drive, storage media, corporate file storage, or places like Google Apps, please consider encrypting the information first.

In the spirit of free open source software, I’ll recommend the very easy to use AESCrypt for file encryption. Browse over to http://www.aescrypt.com for more product information; the download link is here: http://www.aescrypt.com/download.html. AESCrypt currently supports Windows, Mac OS X, and Linux (32-bit and 64-bit versions).

I will also recommend the enormously powerful and versatile TrueCrypt. Visit http://www.truecrypt.org for more product information; the download link is here: http://www.truecrypt.org/downloads. TrueCrypt currently supports Windows, Mac OS X, and Linux (32-bit and 64-bit versions).

A word of caution concerning encryption applications:

  1. If you send a file that you have encrypted to another person, they will generally need the same application to decrypt it.
  2. Typically, only enterprise encryption products support “manager’s key” functionality for recovering files whose password has been lost.
  3. Many file encryption programs will encrypt your file but leave the original in place as well. Once you encrypt a file, you should delete the unencrypted original.
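As an added example (not code from AESCrypt, TrueCrypt, or this note), here is a minimal passphrase-based file encryptor in Go that makes the three cautions concrete: its file layout is private to this program (1), nothing but the passphrase derives the key, so a forgotten passphrase is unrecoverable (2), and the plaintext original is removed once the encrypted copy is written (3). The layout (16-byte salt, 12-byte nonce, ciphertext, tag), the 100000 PBKDF2 rounds and the names aeadFor, EncryptFile and Open are all constructed for this example; AES-GCM's authentication tag makes a wrong passphrase or a tampered file fail cleanly instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"os"
)

// aeadFor: PBKDF2-HMAC-SHA256 (RFC 8018, one 32-byte block; 100000 rounds is a constructed choice) -> AES-256-GCM.
func aeadFor(pass, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	key := mac.Sum(nil)           // U1; every later U_i is XORed into it
	for i, u := 1, key; i < 100000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	block, _ := aes.NewCipher(key) // 32-byte key: NewCipher cannot fail here
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptFile writes salt || nonce || ciphertext || tag to dst, then unlinks the original (caution 3).
func EncryptFile(src, dst string, pass []byte) error {
	plain, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	hdr := make([]byte, 28) // random 16-byte salt followed by a 12-byte GCM nonce
	rand.Read(hdr)          // crypto/rand.Read does not fail on supported platforms
	out := aeadFor(pass, hdr[:16]).Seal(append([]byte{}, hdr...), hdr[16:], plain, hdr[:16])
	if err = os.WriteFile(dst, out, 0o600); err != nil {
		return err
	}
	return os.Remove(src) // unlink only: the plaintext's old disk blocks are not overwritten
}
// Open reverses EncryptFile; it needs this exact layout and KDF, i.e. the same program (caution 1).
func Open(pass, blob []byte) ([]byte, error) {
	if len(blob) < 28+16 { // too short to hold the header plus the GCM tag
		return nil, os.ErrInvalid
	}
	return aeadFor(pass, blob[:16]).Open(nil, blob[16:28], blob[28:], blob[:16])
}
```

Because os.Remove only unlinks the name, use a wiping tool on the original where recovering deleted blocks from the media is a concern.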

One final note. Please consider supporting the authors of open source software if you find their work beneficial.