I am an email native. It may have been the very early days of email, and much has evolved and changed since in the user interface and rich media experience, but I communicated with my lecturers at UCL via email in the mid 1980’s. After graduating I had the pleasure of working at UCL on international collaborative projects, we used email as the primary communication. My working life has been the same, with email as a core form of communication – it has been a primary working tool.
Today’s so called digital natives do not see email in the same light. Email is something:
- used to communicate with parents
- you have to have to create a social networking account
- you need to provide to online service providers (shopping etc)
- forced upon you at work.
It is certainly not seen by them as the primary communication tool. Indeed organisations such as ATOS have banned internal email to enhance working conditions. The article “Could cloud computing change how we communicate?” discusses how use of other file sharing and workflows systems are also leading to a migration away from email.
My experience is this is hard for email natives to understand, a view of “when they get into a business environment they will find out the true role of email” prevails. While other organisations (ATOS) are embracing digital natives and anticipating productivity gains.
As a person who has spent a large part of their career on working on open standards, to enable open communication, at first sight seems a backward step – communication is now between closed user groups on social platforms (Jive, SalesForce, Huddle, LinkedIn, Twitter…), what if the person you need to talk to is outside the group?
As a security professional, it could be argued the apparent demise of email is not such a bad thing. As an industry we have failed to deliver secure open email. We’ve delivered open email and we’ve delivered security architectures, protocols and standards. We have not delivered (to open groups) confidentiality and integrity of emails (see my blog on Why has encrypted email not taken off? for more on this).
The side of the business responsible for security management are rightly concerned with the proliferation of closed communication channel “how am I going to implement a retention plan” or “what happens if we get hit with e-discovery orders”. The management challenge is do you impose the use of tools you can control, with a risk of forcing use of popular tools underground. Or do you embrace the new methods of working?
Part of the attraction of closed communication systems is confidentiality and integrity is easier to deliver. By migrating from open to closed systems, it could be argued we are more secure; but right now it does not feel like that. I believe this is a reflection of the state of maturity of the cloud and social networking market. My expectation is as these systems mature, we will start to see service differentiation based on the security controls; there is evidence of this starting to happen with G-Cloud. These differentiated services will then bring with them the security management tools needed (we can see the embryos of this is the Cloud Security Alliance STAR registry. Will this lead to the further decline of email?
Once Upon a Camayoc 
The thing about e-mail is that it goes everywhere, and each end user can choose their user-interface independently without losing contact with the rest of the world.
Moving to closed-community systems causes a balkanisation of communication. We already see this with some banks, which only want to send messages to their own ‘secure mail’ service. This ultimately fails, as everyone then ends up having to poll N communication channels every day where N is a large and growing number. To make matters worse, the user-interface and security procedures for these services are extremely varied. I am not convinced that they contribute to security either: in the banking case for example this could encourage users to expose their credentials far more often than they actually need do if just managing their accounts. The social-network sites are trying to grab the majority of their users’ eyeball-time, and by rolling in closed-community communication they limit people’s horizons. Many Facebook users for example cannot communicate with non-Facebook-users at all.
I would suggest that secure e-mail standards have not been widely used largely because the existing systems are not hurting enough. Thinking of banks again, they still have not finished switching from swipe-cards to chip-and-pin and that is largely because the level of fraud on the swipe-cards is not high enough to force the issue (even though it is already in telephone-number ranges). The same is true of DNSSEC and even IPv6… The world would actually benefit from signed e-mail becoming the norm, but the very organisations that could lead by example are not doing it.
The technology is out there – most mail clients can do S/MIME, and almost all MTAs can do SMTP over TLS. If you turn it on it gets used – over 30% of the mail arriving on my systems comes in on TLS connections. Admittedly this is not doing any real verification of the communicating parties, but it is protecting against passive eavesdroppers.
If we really want secure e-mail to take off we need to work with the user-interface people. The UIs need to take people through a registration and certificate-generation process as a standard part of the setup. If this were made easy to do (and hard to avoid) in the top few MUAs then we would have a good proportion of signed/encrypted email within 5 years.
Andrew
LikeLike
Andrew, I agree with the first half of your comment, but not the second. The challenge we face is after 20 years of trying, S/MIME and PKI etc have been shown not to be able to deliver secure open email (see my previous blog — https://colinrobbins.me/2012/08/13/why-has-encrypted-email-not-taken-off/ — for why I believe this to be the case.
LikeLike
…and in turn I agree with part of that post but not all of it!
Maybe we have been trying too hard to deliver perfect security. Most of the world won’t notice if we succeed, though they will hear a lot about failures.
PKIs are a large part of the deployment problem, and that is because they are trying to centralise ID verification. The physical ‘non-e’ world is not like that. Even PGP gets it wrong with the typical instructions for key-signing parties (‘bring some recognised government-issued ID”). Real trust is about continuity, not about bits of paper from the government – “the entity I know as Colin Robbins is a good chap who knows mail systems” – so I want a signature system that gives me confidence that the message I am reading really came from you and has not been tampered with. I don’t care whether you have a birth certificate or passport with that name on it. I don’t care where you live, and I don’t care whether you are a good credit risk. A PKI to support this communication hardly needs any infrastructure, as the trust is accumulated on a 1:1 basis. That’s the bit that PGP gets right – you run your own CA, and that is how it should be.
I think a lot could be achieved with a bottom-up approach, based on people generating their own certs and routinely including them in e-mail messages (which should also be signed as a matter of course). Everyone can then build up a store of known certs, and their MUAs can alert when a cert changes.
Organisations may want to be more organised about it. That’s OK – they can run a big CA or contract it out. The end-user experience does not have to change for this to be useful. (“This e-mail from my bank has the same signature that all my statements have, so I can trust it”, “This e-mail from my bank has a different signature and my MUA has outlined it in red so I am suspicious”). This does not need a globally-known CA.
There will inevitably be MUAs that do not support signatures. That’s OK too. Those in the know will be wary when using them. Others will see attachments that they cannot open and will put pressure on the suppliers to support signatures.
So, by lowering the target from “global PKI that proves anyone’s ID to anyone else” to “individual certs that prove continuity of ID” we get something that can grow organically. It should also be more resistant to hacked Registration Authorities, state interference etc. It is closer to ‘non-e’ life too – you made up your own handwritten signature didn’t you?
Andrew
LikeLike