Email Encryption

E-mail is not secure by default, in theory anyone with access to an e-mail as it travels across the Internet can view the contents. The content of an insecure e-mail is similar to a postcard while it is going through the postal delivery system.

The diagram below illustrates a simple e-mail journey without encryption, it is unlikely that someone with access to the route taken by the e-mail across the Internet will be able to read it, but it is possible.

Encryption can be used to reduce the risk of e-mails being viewed during transmission between e-mail systems.

Encryption of e-mail is recommended for any e-mail containing personal data, doing so will ensure that no matter how lucky or clever a hacker is they will not be able to read the contents of the e-mail while it is travelling across the Internet.

There are many different options for encrypting e-mail, some of which are easier to use than others, though the choice of which encryption method to use should be primarily based on the sensitivity of the e-mail.

There are three e-mail encryption options available in Hwb:

Encryption based on TLS (this is the same encryption that is used for secure access to websites, for e-mail it is often referred to as STARTTLS) is optional for e-mail servers exchanging e-mail across the Internet.
The diagram below illustrates the scope of TLS effectiveness when used for communication between e-mail servers.
It should be noted that after e-mail has been delivered to the recipient’s e-mail server, subsequent encryption of e-mails is dependent on any onward routing of e-mail and also the recipient’s e-mail app configuration.
Most e-mail services, such as Office 365 and Gmail, can use TLS, but it is not universally supported, therefore it cannot be configured as a requirement for all e-mail to and from Hwb, doing so would prevent some e-mail systems from being able to send to or receive e-mails from Hwb.
However, with Office 365 it is possible to enforce TLS selectively, the Hwb e-mail service has been configured to provide the widest practical use of enforced TLS.
Hwb Configuration
Hwb has been configured to enforce TLS for all e-mails sent and received:
- Between Hwb users
- Between Hwb and trusted domains
There is no user action necessary, encryption is applied transparently according to pre-defined rules.
The configuration for enforced TLS on Hwb includes:
- A manual check of the destination domain’s DNS MX record
- Confirmation that the mail server supports STARTTLS
- Creation of an Exchange Online mail flow rule that requires TLS for all e-mail is based on:
  - Domain
    This tells Office 365 which e-mails the rule is applicable to.
    Configuration example: hwbcymru.net
  - Mail server address (from MX record)
    This helps to prevent malicious changes to DNS resulting in e-mail being routed to systems controlled by hackers.
    Configuration example: protection.outlook.com
  - Requirement for a CA issued TLS certificate
    This helps to ensure that the mail server is reliably ‘authenticated’ before e-mail is sent
The configuration is ‘fail safe’, the implication of which is that if encryption fails for any reason, the e-mail will not be sent.
Office 365 Message Encryption (OME) is a Microsoft service specific to Office 365, which has been licensed for all Hwb users.
OME uses a combination of encryption and rights management to enable protection that stays with an e-mail after it has been sent, this provides additional assurance that information will only be accessible by people it has been shared with.

Hwb Message Encryption has been configured to work automatically if a user includes the key words ‘secure mail’ or ‘post diogel’ in the subject line of an e-mail.
S/MIME should be considered for use with higher sensitivity information, especially where other controls, such as MFA, are not practical.
S/MIME works by using certificates, one is public and one is a private. The public certificate is shared with other people and can be used to encrypt messages. You will need someone’s public certificate if you want to send them S/MIME encrypted e-mails.
The private certificate is used to unlock e-mails, this certificate needs to be kept secret. After installation it is protected by the computer’s software. Any backup copies of the private certificate need to be stored securely.
It is this use of certificates that leads to the main benefit of S/MIME, a hacker would have to gain access to your device and the private certificate to be able to view S/MIME encrypted e-mails.
If a hacker guesses your password and is able to login to Hwb, but without access to your device, they will be able to access all your e-mails, but any S/MIME encrypted e-mails will remain encrypted and inaccessible to the hacker.
S/MIME is an option that is available to any Hwb user. It requires a user to have a locally provisioned certificate, which can be configured locally and does not require the Hwb admin team to make any changes to Hwb.
An e-mail protected using S/MIME will only be accessible on devices configured with the corresponding certificates, if a mailbox is compromised from a different device S/MIME e-mails will not be accessible.
Notes:
- Sender and recipient both need their own certificate
- Users with S/MIME setup must choose to encrypt e-mails in Outlook (otherwise the e-mail will be sent normally)

The following table summarises potential usage scenarios and considerations for use for each of the options available in Hwb.

Email Encryption

Usage Scenario

Considerations

Enforced TLS

Standard control

Recommended as the minimum for any e-mails containing personal data

No user action necessary.

Configured by the Hwb Team

BUT, it only works for partner organisations that support it (add link).

Office 365 Message Encryption

Enhanced control

For sharing sensitive information with controlled circulation.

Suitable for e-mails that can’t be protected using other options, for example e-mails to parents.

Different restrictions possible for different levels of sensitivity.

Can help to reduce the risk associated with the use of personal devices.

External recipients that do not have a Microsoft account will need to have HTML enabled in their e-mail client.

S/MIME

Enhanced control.

Suitable for the highest sensitivity information and where strong assurance is required that only intended recipients will have access to the contents.

Both sender and recipient(s) need a S/MIME certificate.

Hwb is not currently configured to support the use of S/MIME with Outlook on the web. This can only be used with the Outlook desktop client.

Not well suited to large distribution groups.

Trusted Domains

Hwb has been configured to enforce TLS for all e-mails sent and received to these trusted domains.

SchoolsEdu @schoolsedu.org.uk
Swansea-edunet @swansea-edunet.gov.uk
Ysgol Plas Brondyffryn @ypbd.co.uk

Blaenau Gwent County Borough Council	@blaenau-gwent.gov.uk
Bridgend County Borough Council	@bridgend.gov.uk
Caerphilly County Borough Council	@caerphilly.gov.uk
Cardiff Council	@cardiff.gov.uk
Carmarthenshire County Council	@carmarthenshire.gov.uk or @sirgar.gov.uk
Ceredigion County Council	@ceredigion.gov.uk
Conwy County Borough Council	@Conwy.gov.uk
Denbighshire County Council	@Denbighshire.gov.uk
Flintshire County Council	@flintshire.gov.uk
Gwynedd Council	@gwynedd.gov.uk or @gwynedd.llyw.cymru
Isle of Anglesey County Council	@ynysmon.gov.uk
Merthyr Tydfil County Borough Council	@merthyr.gov.uk
Monmouthshire County Council	@monmouthshire.gov.uk
Neath Port Talbot County Borough Council	@neath-porttalbot.gov.uk or npt.gov.uk
Newport City Council	@newport.gov.uk
Pembrokeshire County Council	@pembrokeshire.gov.uk
Powys County Council	@powys.gov.uk
Rhondda Cynon Taf County Borough Council	@RCTCBC.gov.uk
Swansea County Borough Council	@swansea.gov.uk
Torfaen County Borough Council	@torfaen.gov.uk
Vale of Glamorgan Council	@valeofglamorgan.gov.uk
Wrexham County Borough Council	@Wrexham.gov.uk

alphaplus	@alphaplus.co.uk
BFC Networks	@bfcnetworks.com
BTL	@btl.com
CareersWales	@careerswales.com
Method4	@method4.co.uk
Microsoft	@microsoft.com
NHS Wales	@wales.nhs.uk
Salamandersoft	@salamandersoft.co.uk
SRS	@srswales.com
Welsh Government	@Gov.Wales
WJEC	@wjec.co.uk

SchoolsEdu	@schoolsedu.org.uk
Swansea-edunet	@swansea-edunet.gov.uk
Ysgol Plas Brondyffryn	@ypbd.co.uk

Email Encryption

Enforced TLS

Hwb Configuration

Office 365 Message Encryption – Enhanced Control

S/MIME - Enhanced Control

Trusted Domains

Local Authority

Education

Third Party