- Handling of personal information is regulated by law
- Information security in e-mail is weak by default
- So how can I protect my e-mail?
1. Handling of personal information is regulated by law
If you have to handle personal information in your work at the OUAS, it has to be done in ways approved by the Finnish law: The Personal Data Act (See the unofficial translation ) restricts the handling of personal information. When the handling of personal information is justified, your responsibility is to deal with the information in a way that the information does not end up in the hands of other than those people who need the information in order to complete the work task at hand (to the person himself and to the persons who take care of the matter). For instance, a contract of employment where there is an identity number, should not be sent as such to an external e-mail address in the ordinary e-mail because the ordinary e-mail is unprotected in the external network.
2. Information security in e-mail is weak by default
The Information security of electronic communication can be depicted with the use of the traditional CIA (Confidentiality, Integrity, Availability) triad. It consists of these three items:
Confidentiality: Only the target group in question is able to see the contents of the message
Integrity: The contents of the message must not change
Availability: The information must be within reach of the target group in question when it is needed
In connection with the aforementioned terms, also non-repudiation and digital signatures are often mentioned. In other words, one wants to know that the communication has been successfully performed and that the message is from the right person. The confidence problem of electric communication and data communications culminates in the fact that you can be relatively sure only about your own devices, networks and servers, (or at least try to keep your own systems safe). When a message leaves your own network, you have no control over the information security of the network and server of neither the target organization, nor the networks and servers in-between you. This means that when you are messaging outside the OUAS’s network, you have to trust the information security of the external data networks fairly blindly.
E-mail is a very old invention in the information technology perspective. As is true for other old protocols, the use of digital signatures, encryption methods or other protection methods are not typically used in the transmission of the e-mails between servers. The operators of the networks where your e-mail travels through, are able to see the sender information and receiver information on your message as well as the contents of your message as such. Do notice that this indeed means all the servers on the way to the final destination of the message. (However, when you read your OUAS e-mail with Outlook or OUAS web mail, the connection between the OUAS server and your e-mail client uses a protected connection, so from the server to you the e-mail travels safely.)
3. So how can I protect my e-mail?
The good news is that you can protect your e-mail; here are a couple of options:
- Office 365 encrypting (recommended for the students and staff of the OUAS
- Compress your e-mail attachments in a password protected zip file
- PGP
Office 365 encrypting
Because we use the MS Office 365 cloud service, this is the recommended way to encrypt your messages at the OUAS:
Compress your e-mail attachments in a password protected zip file
Another easy way is to use a separate zip program, for example the 7-Zip which supports the passwords of zip files and AES encryption. You just need to pack your attachment files to a zip file and set a strong password that is required when the zip file is decompressed. Then just send the zip file as a usual e-mail attachment to the receiver. It is also a good idea to give this link http://www.7-zip.org/download.html in the e-mail message so that the receiver can download the 7-zip program if she or he does not have it already: The receiver will need the program to be able to open the file you sent. You need to send the password to the receiver. Note that you must not use unprotected e-mail, but rather send the password via a text message or fax.
How to make a password protected zip file in 7-Zip:
- Select the files (or folders) which you want to have in the 7-Zip file.
- Click the right mouse button and move the mouse’s cursor to the 7-zip section from which the menu of 7-zip quick functions opens
- Select the ”Add archive” option
- In the opening window:
- Give a name to the file
- Select the archive format, (preferably 7z .because then the receiver will immediately identify that the file must be opened on 7-zip and not on some other zip program).
- Select the compression level (for example ultra).
- Then in the Encryption section, type the password you want to use and select AES as the encryption method. N.B.! Choose a good password!
- Finally, press OK.
- Wait that 7-zip adds the password protection to your files and compresses them to a file.
- By default, the zip file is saved in the same folder where the compressed files are, unless you did not change the target folder earlier. If you now try to open the zip file, you will first be asked the password and you are not able to open the file without it. Notice that it is probably a good idea to leave the original files as they are, as if you remove them and later forget the password of your zip file, you cannot open the file any more and there is no way you can bypass the protection if you have forgotten the password.
PGP – the “traditional” way
PGP – Pretty Good Privacy (http://en.wikipedia.org/wiki/Pretty_Good_Privacy ) is a “traditional” way to protect your e-mail. PGP uses strong encryption and digital signatures. The message to be sent has to be encrypted using the receiver’s PGP key, so using PGP means that both the sender and the receiver need to be PGP users. PGP is not that widely used and the numbers are just declining, not even the inventor of PGP uses PGP anymore (because it doesn’t run well on the OS he uses)! The reasons for PGP not to have become more popular may be the inadequate understanding about the necessity of such a service, especially at the time it was invented, and that some people (ok, I have to admit: most people) find PGP somewhat difficult to use. There are a few different PGP versions available: GnuPGP is a good alternative, it is free and you can download it from here: http://www.gnupg.org/download/