TLS: Out with Old Risks, In with New Features



Neil Farquharson

Many organizations try to reduce the risks of email by implementing transport layer security (TLS) between email servers. TLS is a protocol that’s designed to provide privacy between communicating servers and their users on the Internet. When an organization’s server and the recipient’s server communicate, TLS can ensure that no third party may eavesdrop or tamper with any message.

The Limitations and Risks of TLS
Traditionally, TLS is implemented through two methods: Mandatory and Opportunistic. Mandatory TLS requires that a TLS connection be present before an email is sent; if a TLS connection cannot be established on the recipient end, the email is bounced. Mandatory TLS is the safer of the two traditional options. However, it requires each TLS connection to be set up manually, and as a result it is cumbersome, costly and time-consuming.

Opportunistic TLS, sometimes called unsafe TLS, does not carry the time or resource costs of Mandatory TLS. However, it introduces significant security and compliance risks. In Opportunistic TLS, servers are configured to try to send the email via TLS, but if TLS is not available the messages are still sent in plain text, allowing anyone who intercepts them to read the sensitive information they contain. Also, most Opportunistic TLS implementations will accept any level of authentication and encryption, including self-signed certificates and 64-bit encryption.

Regardless of which sending method is used, neither Opportunistic TLS nor Mandatory TLS can ensure a secure reply. It is not always possible for the sending organization to ensure that the receiving organization has forced TLS for its response to a message. In fact, in many cases the reply to a secure message is sent in the clear and includes the content of the original message, thereby defeating the purpose of secure email.
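As an added example, not taken from the article or from ZixCorp's products, this Postfix configuration shows how the two traditional modes and the weak-cipher and self-signed-certificate concerns above are expressed in a widely used mail server; Postfix as the MTA, the file paths and the partner domain names are all assumptions.

```conf
# main.cf (assumed path /etc/postfix/main.cf)

# --- Default: Opportunistic TLS, the article's "unsafe TLS" ---
# "may" offers STARTTLS when the peer advertises it and otherwise falls back
# to cleartext. No certificate verification is done, so a self-signed or
# mismatched certificate is accepted silently.
smtp_tls_security_level = may
# Log the TLS outcome of every delivery and note peers that offered STARTTLS
# but still ended up receiving cleartext, so the fallback is visible, not silent.
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes

# --- Mandatory TLS for named partners ---
# A per-destination table overrides the default level. This is the
# "set up manually per connection" cost the article describes: every partner
# domain needs its own entry and a CA bundle that can validate its certificate.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Whenever a policy requires TLS ("encrypt" or stronger), refuse legacy protocol
# versions and weak cipher suites instead of "accepting any level of encryption".
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4

# tls_policy (assumed path /etc/postfix/tls_policy; run "postmap" after editing)
# One line per destination domain; the domains are constructed placeholders.
#
# "secure": TLS is required AND the peer certificate must chain to a trusted CA
# and match the listed names; otherwise delivery is deferred, never sent in clear.
partner-bank.example   secure match=partner-bank.example:.partner-bank.example
#
# "encrypt": TLS is required but the certificate is not verified. Mail is still
# never sent in cleartext, but a self-signed certificate would be accepted.
hospital.example       encrypt
#
# "may": an explicit opt-out to opportunistic delivery for a partner whose mail
# server cannot do TLS; the reply-direction risk the article describes remains.
legacy-vendor.example  may
```

Postfix then records each delivery's level in the mail log (Anonymous, Untrusted, Trusted or Verified TLS connection), which is the per-message evidence a compliance reviewer needs. None of these settings addresses the article's reply-direction problem, since they govern only the sending side.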

The New Superior Solution to TLS
With the release of ZixGateway® 4.3, ZixCorp enhances TLS support beyond any competing solutions. Superior support is provided by integrating TLS directly into ZixGateway’s encryption policies and incorporating TLS in the ZixCorp Best Method of Delivery. With these components in place, ZixGateway customers benefit from unique TLS features, including:

• Secure, bidirectional transparency – ZixCorp’s Best Method of Delivery℠ chooses the most secure and transparent delivery method available for each message. TLS, as generally used in the market today, has a major flaw: it cannot guarantee the encryption of replies. ZixCorp’s S/MIME solution provides bidirectional transparency, guaranteeing encrypted replies. If S/MIME is not available, TLS can be configured as an alternative transparent delivery method.
• Simplified management of mandatory TLS – By making TLS part of the sender’s email encryption policies, TLS can be added as a delivery method with the click of a button. By removing the need for individual TLS configurations, ZixGateway allows organizations to avoid the cost and time typically associated with managing each TLS connection.
• Increased delivery control – TLS used to be all or nothing. By making TLS part of the ZixGateway policies, TLS can be used where appropriate.
• Reporting capabilities – ZixGateway offers superior visibility for compliance officers by providing reports that log how each message was delivered, including TLS-encrypted email, and to whom it was delivered.
• Branding of recipient messages – Every message sent via TLS can be marked to indicate that it was sent securely, giving your recipients confidence that the email and its sensitive content were delivered securely.

Secure, bidirectional transparency, simplified management of mandatory TLS, increased control through policy management, reporting capabilities for increased visibility, and security branding are features not available in competing TLS email solutions.

To learn more and take advantage of these exclusive TLS features, visit ZixCorp’s booth – no. 550 – at the RSA Conference on February 27 – March 1, 2012, or contact 866-257-4949.