Throughout the European Union, parties required to uphold professional secrecy are obliged to encrypt e‑mails and data. These parties include public authorities and industry handling classified information, as well as lawyers, patent attorneys, auditors, notaries, tax consultants and more. This obligation to uphold privacy is enshrined in the General Data Protection Regulation (GDPR). The KRITIS Ordinance issued by the Federal Office for Information Security (BSI) also sets out email encryption requirements for the healthcare sector.
However, privacy is about more than legislation: the topic is being brought to the fore by factors such as numerous known email security incidents, the accelerated digital transformation driven by the global pandemic, and the trend towards remote work. All of these factors bring e‑mail encryption ever more sharply into focus.
Public authorities that have to meet confidentiality requirements play a pioneering role when it comes to deploying email encryption. In Germany, these authorities are entitled to send data up to the ‘restricted’ classification level (‘VS-NfD’—for official use only) by email—but only in encrypted form. However, many organizations in Germany do not use email encryption to exchange this kind of classified data; instead, they rely mostly on Chiasmus software, a tool for stationary file encryption. Chiasmus does not support asymmetric cryptography: the encrypted files are made accessible via a shared directory or sent as an e‑mail attachment, which means the symmetric key must be transferred manually. The current BSI approval for Chiasmus is set to expire on 31 December 2021 and is not expected to be renewed, which will leave many organizations searching for new encryption tools. The optimal choice will be a user-friendly and flexible solution that delivers email encryption and data encryption as one functional unit.
Figure 1. How email communication and data exchange according to ‘restricted’ classification level (VS-NfD) works ©Bundesdruckerei
Leading organizations in Germany may consider D‑TRUST, a company of the Bundesdruckerei Group that specializes in secure identities and supplies personal certificates for email encryption. To meet compliance regulations, these certificates are ‘Made in Germany’ and BSI-certified according to the ‘Secure CA operation’ technical guideline (BSI TR-3145). When used, the certificates show the recipient who actually sent the message and whether they really are who they claim to be. These identities also ensure the integrity of the information transmitted and that it can only be read by the authorized recipient. As evidence of security, D‑TRUST issues an individual certificate for each key pair. This certificate is automatically linked to the identity of the holder.
Custom certificate and machine identity management solutions are needed to ensure the availability of high-quality certificate products automatically within a few seconds. In particular, the V-PKI (administration PKI) is a solution that supports the increased security requirements for communications in ‘classified’ environments. Our Certificate Service Manager (CSM) integrates with the Venafi Control Plane for Machine Identities to offer a web-based managed PKI for central certificate management and requesting.
To comply with privacy regulations, you’ll need to ensure that all IT security requirements are fully observed, even during short-term peak loads. To support the rigors of current challenges as well as future requirements, mobile working measures should have a modular design and be geared specifically to the intended purpose.
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.