How Secure Is Gmail and Outlook For Business?
Most companies default to GSuite and Microsoft when they think about increasing their email security, but the offerings are often complicated and the features are split across a tiered pricing system.
This post aims to simplify the features and tiers whilst explaining how a third-party email security provider like Pie Security can sit on top of your existing GSuite or Microsoft infrastructure and provide similar security features all for a fraction of the cost.
Inbound Email Scanning
The most basic feature of an email security tool is inbound email scanning. What this covers varies, but it will include link scanning, attachment scanning, sender domain reputation filtering and checks against blacklist sites, anti-phishing, anti-spoofing, and a quarantine for emails that are scanned and deemed malicious.
Symantec’s 2019 Threat Report discovered that, compared with 2018, cybercriminals are using fewer malicious URLs and refocusing on malicious attachments.
Office files now account for 48% of malicious email attachments. 1 in 412 emails was considered malicious in 2018. This is the average; split by company size, it is actually smaller organisations that have a higher chance of receiving a malicious email.
Standards like SPF, DKIM and DMARC are used to spot spoofed emails (where an email pretends to come from someone else) and protect users against phishing. Now let's see how these tools are used in Gmail and Outlook.
- Basic Package
At the very basic level, Google has a good inbound scanning tool for business users: marketing emails are added to the ‘Promotions’ tab while spam is immediately put in the spam folder (with completely customisable settings). Google also uses machine learning to improve its own filtering over time.
Other features of a free Gmail account are click warnings when you click on untrusted links, images or attachments. If an email is not authenticated (that is, SPF, DKIM and DMARC do not verify), Google displays a question mark next to the sender’s name. You can choose to quarantine a message or set quarantine rules that automatically place a message in the quarantine folder.
- Business and Enterprise Levels
Whether or not you have labelled someone a safe sender, Gmail still performs the checks above. It also scans for malware in email attachments although you can use settings to enforce additional attachment security.
There are also additional settings you can adjust for scanning and filtering URLs and for spoofing. For example, you can choose to warn users when an email appears to come from someone with the same name as a contact in your address book but the sending domain is not one of your internal domains. This adds protection against spoofing.
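As an added illustration (not code from the original post or from Google), here is a small Python check that applies the same two tests described above: are SPF, DKIM and DMARC all passing in the Authentication-Results header, and does the display name match a known contact while the sending domain is not one of ours? The internal domain, address book and the three sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data: our own sending domains and a known-contact list.
INTERNAL_DOMAINS = {"example.com"}
ADDRESS_BOOK = {"Alice Smith": "alice@example.com"}

# Constructed sample headers (not real mail). Authentication-Results carries the
# SPF, DKIM and DMARC verdicts that Gmail uses to decide whether a sender is
# authenticated.
SAMPLES = [
    "From: Alice Smith <alice@example.com>\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "Subject: Q3 numbers\n\nbody\n",
    "From: Alice Smith <alice.smith@freemail.invalid>\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail.invalid;"
    " dkim=none; dmarc=none\n"
    "Subject: urgent wire\n\nbody\n",
    "From: Billing <billing@vendor.invalid>\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=vendor.invalid;"
    " dkim=fail header.d=vendor.invalid; dmarc=fail header.from=vendor.invalid\n"
    "Subject: invoice\n\nbody\n",
]

def auth_verdicts(msg):
    """Map spf/dkim/dmarc to their result; a method that is absent counts as 'none'."""
    results = msg.get("Authentication-Results", "").lower()
    found = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    return {m: found.get(m, "none") for m in ("spf", "dkim", "dmarc")}

def assess(raw):
    """Return warning tags for one message; an empty list means no concerns."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    verdicts = auth_verdicts(msg)
    warnings = []
    if any(v != "pass" for v in verdicts.values()):
        warnings.append("unauthenticated")      # Gmail's question-mark case
    if any(v == "fail" for v in verdicts.values()):
        warnings.append("auth-failure")         # explicit SPF/DKIM/DMARC failure
    # Same display name as a known contact, but not sent from one of our domains
    if name in ADDRESS_BOOK and domain not in INTERNAL_DOMAINS:
        warnings.append("display-name-impersonation")
    return warnings
```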
At a very basic level, Office 365 comes with Exchange Online Protection (EOP), which has content filtering, sender reputation checks, quarantine, URL inspection and attachment scanning for malware. EOP uses spam lists and blacklists to check URLs and domains against known threats.
There is some level of policy and rule building at this level; for example, you can send notifications to users based on scan results or choose to remove attachments when malware is detected. This can be customised at a group level. You can also adjust spam settings, such as filtering messages written in specific languages.
The Pie Security gateway sits between your email server and the internet, scanning incoming and outgoing emails for viruses.
This allows the tool to decrypt and scan all incoming and outgoing mail and attachments for viruses. Anything suspicious is put into quarantine. Additional rules can be set up; these are explained in the Data Loss Prevention section below.
When sending emails securely, end-to-end encryption should be a fundamental feature, and yet most email security tools struggle to enforce encryption because you cannot control how recipient email servers or devices are configured (something I talk about in another blog [link to “4 Ways to Encrypt Emails” post]).
An example of failure in this area is the lack of support for S/MIME in the Outlook mobile app. If you want to support remote working and still remain secure, this is a huge gap, because mobile devices typically send email in plain text, which means that without encryption anyone can read your emails!
Another issue with email encryption is that it disrupts other services like URL scanning. If an email is fully encrypted then email security software won’t be able to read it and scan it for malware. Be wary when anyone markets a tool as fully encrypted and check the fine print: they will often say “encrypt where possible”, which means you cannot guarantee the message will be encrypted.
- Basic and Advanced
At all levels of the GSuite offering, Google offers TLS-encrypted emails “where possible”. This means that the receiving server needs to be set up to accept TLS for the message to be encrypted in transit. You can check in the details of a sent message whether or not it was encrypted.
Figure 1 - https://www.datamotion.com/gmail_tls_email_encryption_good_enough/
Google says that at enterprise level, you can incorporate S/MIME to:
“Seamlessly encrypt/decrypt email during transport. Add S/MIME signatures for all outbound emails for additional security.”
However, much like with their basic TLS package, both the sender and recipient must have S/MIME certificates to ensure that encryption of the message content takes place. Organisations need to buy their own certificates for each user and deploy this option using GSuite’s advanced settings. This works well enough for internal emails but, as at the basic level, encryption cannot be guaranteed for external emails. It also creates a vulnerability point when employees leave your organisation if certificates are not revoked. Presumably, organisations have to manage and store the certificates in-house at an additional cost.
- E3 and E5
Email encryption is provided through Office 365 Message Encryption, which is part of the E3 and E5 licenses and can be included in lower-level licenses for an additional fee. Exchange uses TLS certificates to encrypt mail in transit, working through a list of cipher suites from most secure to least secure (or none) until both servers can agree. If you’re sending emails internally this works well, but as with Gmail, if you’re sending an email to someone who doesn’t have encryption enabled, the message will be sent unencrypted.
You can choose to force encryption if needed but this could mean that information will not be readable on the recipient side.
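To see what “where possible” TLS looks like from the recipient’s side, for both the GSuite and the Office 365 cases above, here is an added Python example (not from the original post, Google or Microsoft) that reads the Received headers of a message and reports which hops were protected by TLS. The sample headers are constructed to mimic the Gmail and Exchange formats, and the host names are placeholders.

```python
import re
from email import message_from_string

# Constructed Received headers (not real mail) in the style Gmail and Exchange
# write them: "with ESMTPS" plus a version=/cipher= note marks a TLS hop; plain
# "with ESMTP" and no TLS note marks a hop that was delivered in clear text.
SAMPLE = (
    "Received: from mail-a.example.net (mail-a.example.net [192.0.2.10])\n"
    "        by mx.example.com with ESMTPS id abc123\n"
    "        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n"
    "        Mon, 1 Jul 2019 10:00:00 +0000\n"
    "Received: from legacy-relay.example.org (legacy-relay.example.org [198.51.100.7])\n"
    "        by mail-a.example.net with ESMTP id def456;\n"
    "        Mon, 1 Jul 2019 09:59:58 +0000\n"
    "From: sender@example.org\n"
    "Subject: test\n\nbody\n"
)

BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z]+)")
TLS_RE = re.compile(r"version=(TLS[\w.]+)", re.I)

def hop_security(raw):
    """Return one dict per Received hop, newest first, with its TLS status."""
    msg = message_from_string(raw)
    hops = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold the header onto one line
        by, proto, tls = BY_RE.search(flat), WITH_RE.search(flat), TLS_RE.search(flat)
        hops.append({
            "by": by.group(1) if by else "?",
            "protocol": proto.group(1).upper() if proto else "?",
            "tls": tls.group(1) if tls else None,  # None means a clear-text hop
        })
    return hops

def fully_encrypted_in_transit(raw):
    """True only if every hop negotiated TLS; one clear-text hop breaks the chain."""
    return all(hop["tls"] is not None for hop in hop_security(raw))
```

The second hop in the sample is the “where possible” failure case: the upstream relay did not offer TLS, so the message crossed that link in the clear even though the final hop was encrypted.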
Alternatively, as with Gmail, there is an option to Bring Your Own Key (BYOK), which means having your own certificate infrastructure and configuring Outlook to trust your root certificate for S/MIME.
Pie Security supports S/MIME as an option, even allowing organisations to create strict rules trusting only valid, not expired and not revoked certificates.
Pie Security comes with its own built-in Certificate Authority, which can be used to issue certificates to internal and external users, including the automatic download and use of Certificate Revocation Lists and Certificate Trust Lists, and is compatible with email clients such as Outlook, Lotus and Thunderbird. CipherMail also allows organisations to store certificates in-house on their own HSM if they wish to add that additional layer of security.
S/MIME encryption is not always preferred, not only because of the additional burden of certificate management and exchange but also because you cannot encrypt an email to a user who does not have an S/MIME certificate. CipherMail aims to solve the problem of external email encryption with PDF encryption.
PDF encryption turns the entire email contents (including attachments) into an encrypted PDF and attaches this to the email as an EML file. Recipients can use the CipherMail web portal to decrypt the email using a range of options (a one-time password, a passcode sent by SMS, or a passcode shared by the sender) and, once decrypted, they can reply within the web portal for a safe and secure return.
Data Loss Prevention Policies
Data Loss Prevention policies refer to the ability to set rules and policies for email security and encryption at an admin level. DLP tools allow organisations to tailor data loss policy to their needs. For example, you could create a rule that encrypts emails based on the message or attachment contents: look for the word “password”, “login” or “username” and automatically encrypt the contents without the need for users to do anything.
Of course, DLP doesn’t stop all data loss but it does help. The average DLP tool will allow you to look for specific types of personal information in the message body and attachments. It allows you to enforce actions such as quarantine, additional encryption or authentication or blocking a user from seeing it after sending.
Data Loss Prevention is only available in the Enterprise version of GSuite. The tool is much like others on the market: it detects email addresses, social security numbers, credit or debit card details and other personal information, and applies rules to the messages that contain them. Options for what you can do include:
- Reject email.
- Quarantine email.
- Deliver it with modifications.
Rules can be adjusted based on organisational unit with parent and child capabilities. Predefined content detectors are available for many countries.
The bonus of E3 or E5 packages is the additional use of DLP in SharePoint, OneDrive and other Microsoft cloud services. DLP is only available in E3 and E5 licenses, where E5 also covers Microsoft Teams chat.
- E3 and E5
Like most DLP policy features, there are conditions that make it fully customisable. You can choose to scan documents for sensitive information and block access to certain groups or to create notifications and educate users.
Figure 2 - https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies
You can even create a policy tip to explain to users why their content conflicts with DLP policy and how they can change what they are doing to comply with it. Users can also send emails that conflict with DLP policy to their administrators for review as part of incident management.
The built-in Pie Security Data Loss Prevention module helps to prevent certain information leaving the organisation unsecured. Similar to GSuite and Microsoft, Pie Security DLP allows you to scan outgoing messages for certain keywords and regular expressions at a gateway, domain and user level. Messages can be blocked or quarantined when rules are violated or encryption can be enforced when a rule matches. DLP managers will be notified when a rule is broken and are responsible for releasing emails from quarantine.
Pie Security can monitor email content in:
- Attachments and
- Nested attachments.
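As an added example of the kind of gateway DLP rule described here and in the DLP introduction above (not Pie Security’s actual rule syntax or code), this Python snippet scans an outgoing message, including a nested .eml attachment, for keywords such as “login” and for card-number patterns, and picks the most severe action among the rules that match. The message and the rule format are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed outbound mail: the body mentions a login; the nested .eml holds a test card number.
RAW = """\
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Your login is below.

--b
Content-Type: message/rfc822
Content-Disposition: attachment; filename="thread.eml"

Content-Type: text/plain

Card on file: 4111 1111 1111 1111

--b--
"""

# Assumed rule format (not Pie Security's syntax): name, pattern, action; the most severe match wins.
SEVERITY = ("deliver", "encrypt", "quarantine", "block")
RULES = [
    ("credentials", re.compile(r"\b(password|login|username)\b", re.I), "encrypt"),
    ("card-number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "quarantine"),
]

def text_parts(msg, where="body"):
    """Yield (location, text) for each text part, recursing into nested attachments."""
    if msg.is_multipart():
        for sub in msg.get_payload():
            name = sub.get_filename()
            yield from text_parts(sub, f"{where}/{name}" if name else where)
    elif msg.get_content_maintype() == "text":
        yield where, msg.get_content()

def scan(msg):
    """Return (action, hits); hits are (rule name, location) pairs."""
    hits, actions = [], ["deliver"]
    for where, text in text_parts(msg):
        for name, pattern, action in RULES:
            if pattern.search(text):
                hits.append((name, where))
                actions.append(action)
    return max(actions, key=SEVERITY.index), hits

def scan_sample():
    """Run the rules over the constructed message above."""
    return scan(message_from_string(RAW, policy=default))
```

A production rule set would add a checksum test (for example Luhn) before treating a digit run as a card number, to cut false positives.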
Secure File Transfer
Sending files securely without an email security tool involves a little technical knowledge. Companies would have a difficult time ensuring each employee signs and encrypts each document with their own PKI certificate so, it makes a lot of sense to use email security tools that help automate this process.
The maximum file size depends on your email server settings; the common limit for attachments is 10MB, which one or two large, high-quality images can easily exceed. Email security tools get around this by providing additional cloud storage options that let you bypass the email attachment size limit.
All levels of GSuite plans allow you to send up to 25MB and anything over will be sent through Google Drive. At basic levels you get 30GB cloud storage, at Business and Enterprise level you get 1TB per user for fewer than 5 users and unlimited cloud storage for anything above 5 users.
File storage and transfer is provided by OneDrive. Outlook by default does not send attachments larger than 20MB, but this can be changed depending on your mail server limits.
- E1 – Email hosting with 50 GB mailbox / File storage and sharing with 1 TB OneDrive storage
- Office 365 ProPlus – File storage and sharing with 1 TB OneDrive storage.
- E3 and E5 – Email hosting with 100 GB mailbox / 1TB cloud storage for fewer than 5 users, unlimited for any plans with 5 users or more.
Pie Security has no sending limits!
How to Get the Best Email Security Solution for My Business
Higher security comes at a higher cost in GSuite and Microsoft. With Microsoft, you can often get lost in the names of each service, how-to articles and hidden fees. Google doesn’t provide everything a business might need either, with a lack of security on the outbound side.
Most importantly, neither tool can guarantee email encryption to external users. Encryption just for internal emails negates the point of having email security in the first place; the biggest risks often come from external senders.
Many organisations feel they’re locked into Microsoft or Google because they already have an existing infrastructure with them, but email security solutions like Pie Security can sit on top of your existing email infrastructure, providing additional security features for a fraction of the cost.
Pie Security offers a no-risk email encryption solution that works with any SMTP compliant email system, including Microsoft Exchange, Google G Suite email and Office 365. Our email encryption products will secure your email and protect messages against unauthorised access, both in transit and at rest.
To learn more about Pie Security features, get a demo or a quote, please contact us today.