Google recently announced an easier way for Gmail users to send encrypted messages to any email platform—a capability the company hopes will reduce IT pros’ pains when having to deploy the protection mechanism.
“We’ve heard from businesses all over the place, across the board: ‘This is too hard for us. It’s not automatic. It’s not as easy as just opening a message and sending it out.’ And they’re frustrated by that,” Julien Duplant, security product manager for Gmail, told IT Brew.
Using the encryption standard S/MIME, for example, requires the installation of certificates to an email client, along with the protection of a recipient’s private, message-opening key.
The company announced on April 1 that “with just a few clicks in Gmail,” emails could be protected at rest, “regardless of who they are being sent to,” with encryption keys controlled by the customers and not available to Google servers.
The feature is at beta stage, but approaching general availability in the next few months, according to Google Workspace spokesperson Ross Richendrfer.
The company, in its announcement, shared:
- When the recipient is a Gmail user (enterprise or personal), Gmail sends an end-to-end encrypted (E2EE) email, with automatic decryption.
- When the recipient is not a Gmail user, Gmail sends them an invitation to view and reply to the E2EE email in a restricted “guest mode.” (“That means they also own the user account that’s there and that’s provisioned for the user. The data never actually leaves their organization at all,” Duplant said during the demo.)
- When the recipient has the E2EE standard S/MIME configured, Gmail sends an E2EE email via S/MIME.
“We’ve made it so you type a normal email and it’s going to do all that provisioning in the background,” Duplant told us.
Similarly, Microsoft Purview Message Encryption offers organizations the ability to send encrypted messages inside and outside of the organization. A non-Outlook user will receive a message containing a link to a web version of Outlook or a prompt to receive a one-time passcode to read the message in-browser.
“More security, more encryption is better. This is just Google catching up to the rest of the market that has been doing this for a while for enterprise customers,” Peter Firstbrook, distinguished VP analyst at market intelligence firm Gartner, told IT Brew.
When Audian Paxson, principal technical strategist at email-security platform Ironscales, directed product management for Iconix around 2010, he often searched for encryption services to authenticate messages containing sensitive details like legal documents or technical specs.
For a standard like S/MIME, he had to ensure ahead of time that the recipient had a valid certificate and had shared their public key, which was then used to encrypt the message; the recipient would use their private key, stored locally, to decrypt the message.
“Even if the other person was equally as paranoid as I am, after a while, the cumbersome nature of it made us say, ‘Ah forget it. Let’s just go ahead and start doing regular email,’” he said. “It doesn’t mean it’s not valuable. It just wasn’t easy.”
Paxson sees Google’s feature as a win for mainstream privacy, but he also sees threat actors taking advantage of the “shiny new thing” and trying to send fraudulent encryption notifications to achieve account takeovers.
“Encryption protects the data. It doesn’t protect people,” he said.
Google, which recently announced the acquisition of Wiz as well as an AI threat model for Gmail, will deploy encryption notifications, similar to ones sent for Google Drive file-sharing alerts. According to Richendrfer: “The protections we employ to keep scammers from capitalizing on these messages will help us protect this new class of notifications as well.”