Digital Trusts In Communication
What Is Digital Trusts
Digital trust is what enables individuals and businesses to engage online with confidence that their footprint in a digital world is secure. With digital transformation expanding the use cases for PKI, trust has now become the backbone for security in the connected world: for securing users, software, servers, devices, digital content, documents, digital rights, identity and more.
Digital trust is about more than a product or service. It is established upon four key building blocks:
1) Industry and technology standards that define what constitutes trust .
2) Compliance and operations that govern delivery of trust .
3) Unified trust management platforms for certificate lifecycle management of public and private trust .
4) Extension of trust through ecosystems such as connected devices, software supply chains and digital content provenance .
Securing Email : Digital Trust In Communication
With phishing attacks now commonplace, corporate information security programs routinely train on how to avoid email compromise. However, the frequency of email attacks has dramatically accelerated over the last couple of years. In their most recent quarterly report, the Anti-Phishing Working Group reported the highest level of phishing activity on record: four times the number of attacks since early 2020. Other organizations reported staggering increases in suspicious emails targeting remote workers at the start of the pandemic, taking advantage of changing work habits.
The business impact of phishing activity is not inconsequential. In May of 2022, the Federal Bureau of Investigation released a report documenting US$43 billion in domestic and international financial losses between 2016 and 2021 from business email compromise.
Step 1: Establish trust
The foundation of trust in email security is the S/MIME digital certificate. S/MIME stands for Secure/Multipurpose Internet Mail Extension, an industry standard for email signature and encryption supported by most corporate email clients. S/MIME certificates enable users to digitally sign emails, verifying the authenticity of the sender and indicating that the email contents have not been altered. S/MIME digital certificates can also be used to encrypt emails, protecting email communication containing sensitive information from data interception.
Step 2: Manage trust
The next step to consider is the management of S/MIME certificates within an organization. IT leaders note that when measures that improve security are optional or dependent on actions taken by a non-technical corporate user, adoption can be a challenge. Companies can solve this problem by automating the provisioning of digital certificates such as S/MIME. To accomplish this, companies can leverage PKI management solutions that integrate directly with corporate directory services to automate the installation, renewal and revocation of certificates. This reduces the burden on IT technical support, ensures adherence to preferred security measures or corporate policy, and eliminates any provisioning or revocation gaps that can impact productivity or security. Encryption may be required in industries where sensitive data is transmitted by email, such as financial services firms communicating personal financial data or healthcare companies communicating personal health information. It may also be required by corporate policy for specific types of internal or external communications to protect data confidentiality or intellectual property.
Step 3: Extend trust
Digital trust architects can next consider whether they need to secure email within an organization or between organizations. If email communication is staying within the corporate domain, IT professionals can use private S/MIME certificates chaining up to a private CA or intermediate.
If companies are securing email sent outside of corporate boundaries, then public S/MIME certificates must be used that chain up to a publicly trusted root such as DigiCert. Companies can also consider setting up a public dedicated intermediate CA that can be branded with their organization name. The ICA can chain up to the publicly trusted root but will allow certificates to inherit the ICA branding of the organization.
DMARC & VMCs
Companies can also adopt other measures to combat phishing within an organization, such as implementing Domain-based Message Authentication, Reporting & Conformance (DMARC). DMARC is an email authentication, policy and reporting protocol that helps prevent organizations against phishing.
Companies that have adopted DMARC can use Verified Mark Certificates (VMCs) to display a verified organization logo alongside emails. VMCs validate that a company has implemented DMARC and that the logo being displayed is a trademarked entity of the organization. Email messages with brand logos indicate that the sender has met the strong security and authentication requirements of DMARC and VMCs. Over time, the widespread adoption of VMCs can be another vehicle for enabling email recipients to easily distinguish digitally certified emails from business email imposters.
DNS traffic monitoring
Finally, companies can look to their DNS service as another key component of their email trust initiatives. DNS traffic is a rich source of data that can be analyzed using machine learning to show what is and isn’t normal for a domain. Traffic anomaly detection can detect and predict suspicious or unusual activity, enabling IT professionals to thwart directed attacks.
With email attacks on the rise, corporate training programs may be insufficient by themselves to enable employees to adequately protect their organization’s confidential or sensitive data or their personal credentials. And with phishing strategies becoming more sophisticated, it can be increasingly difficult for consumers to know when they are interacting with a trusted brand or an email imposter. Implementing a strong foundation of digital trust in email communication can help prevent credentials, sensitive data, or financial compromise. That is where digital trust meets the real world.
1 Comment
Very nice post. I just stumbled upon your blog and wanted to say that I’ve really enjoyed browsing your blog posts. In any case I’ll be subscribing to your feed and I hope you write again soon!