End-to-end encryption for email and other cloud services is growing in popularity. Given that email is one of the top two cyberattack vectors, this is no surprise.
According to Verizon’s annual 2022 Data Breach Investigations Report, mail servers accounted for 28% of all affected hardware, and 35% of ransomware activities involved email. The EU Agency for Cybersecurity’s 2022 report noted that ransomware accounts for 10 terabytes of data stolen per month with 60% of companies likely to have paid a ransom. A 2021 Gartner study, updated for 2022, reported that about 40% of ransomware attacks start with email.
To address these challenges, Google, Microsoft and Proton, whose Proton Mail service was a first-mover in secure email, have all moved to expand end-to-end encryption offerings.
Google and Microsoft’s new email encryption
In a blog post last month, Google announced a beta of client-side encryption services for Gmail on the web. Google Workspace Enterprise Plus, Education Plus and Education Standard customers may apply for the beta until Jan. 20, 2023.
Noting that it encrypts all data at rest and in transit in Google Workspace between its facilities, Google said client-side encryption “helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs.”
According to Google, client-side encryption is already available for Google Drive, Google Docs, Sheets, Google Slides, Google Meet and Google Calendar.
Google explained that to add client-side encryption to any message, users need only click the lock icon and select the option for additional encryption. Composing the message and adding attachments then work as usual.
Microsoft, which last updated its message encryption in 2019, announced last April that Windows 11 would receive security updates in new releases, reportedly to address both phishing and malware threats.
If so, Microsoft will likely incorporate end-to-end encryption as well, since Office 365 Message Encryption currently relies on Transport Layer Security encryption. The company explains that this service lets users encrypt and rights-protect messages bound for internal and external recipients using Office 365, non-Office 365 email applications, and web-based email services such as Gmail.com and Outlook.com, but it does not prevent phishing or malware attacks as effectively as E2EE.
Proton’s new applications
Google’s announcement followed that of Proton, an encrypted cloud storage platform launched in 2013 in Geneva, Switzerland by CEO Andy Yen. The company last fall expanded its encryption offerings with a focus on mobile devices, including secure cloud storage and a secure calendar feature, with apps for both iOS and Android devices.
Proton Drive, which became available in late September as a free encrypted cloud service and was released on iOS and Android in December, lets users securely upload, save, and share files to and from their phone.
According to the company, Proton Drive:
- Encrypts any uploaded file on the user’s device before it is stored on Proton servers.
- Encrypts metadata such as names of files and folders, file extensions, file sizes and thumbnails.
- Includes file expiration and passwords for viewing, allowing for secure sharing with non-Proton users.
Proton said that since the launch of Proton Drive last September — with over half a million users participating in the beta — it has seen, on average, one million files uploaded per day, about half of which are photos.
For individual users, Proton offers a free tier of its encrypted drive with 1GB of cloud storage, plus two additional levels of service for a price: Drive Plus with 200GB storage is $4.99/month or $47.88 per year, and Proton Unlimited with 500GB for $11.99/month or $119.88 per year (Figure A).
The company also launched pricing tiers for enterprise users:
| Feature | Mail Essentials | Proton Business |
| --- | --- | --- |
| Price | $7.50/month per user | $11.70/month per user |
| Storage | 15 GB per user | 500 GB per user |
| Custom email domains | 3 | 10 (plus unlimited aliases) |
| VPN | 1 free | 10 free |
There is also a custom-pricing tier that includes a dedicated manager and unlimited storage.
Proton launched the Calendar iPhone app in December after having released it for Android and the web in April 2022. According to Proton, the new app:
- Integrates with Proton Mail, letting users manage invitations or add events to the calendar without leaving the inbox
- Besides end-to-end encryption, uses elliptic curve cryptography (ECC Curve25519) to secure data and schedules
- Blind-encrypts invites so Proton does not know the participants' identity, which significantly enhances their anonymity
- Is open source, as is the web app, and independently audited with code available for inspection (Figure B).
Proton’s long game: An encrypted ecosystem
A spokesperson said the calendar represents the larger strategy of creating a fully-fledged privacy ecosystem.
“We’re seeing huge demand for encrypted services — that’s why over 70 million people have signed up to private services like Proton, and it proves that surveillance capital isn’t the only business model that works in tech,” said the spokesperson.
The company, which also offers Proton VPN, a competitor to the likes of AtlasVPN, Nord, Express and HIDEme, has a two-fold rationale for creating Proton Calendar, according to the spokesperson: first, since a calendar is a repository of sensitive time and location user data, it constitutes a threat target; second, it is part of Proton’s larger secure cloud services strategy.
“As far as privacy is concerned, Proton is today the most complete ecosystem,” Yen said. “There is nothing from either Google or Apple that is as comprehensive, as their encrypted offerings are limited (for example, Google’s email encryption is only available for business users).”
He asserted that a key difference with competitors is business model and business practices.
“Proton, as a Swiss company, is not subject to the surveillance laws and practices of the U.S., and unlike Google and Apple, who both have robust advertising businesses, Proton’s only business is privacy,” he said. “We therefore have no conflict of interest when it comes to user privacy.”