One thing our DoD does extremely well is provide an information security structure that you are forced to operate within. While it is oppressively burdensome at times, you see the bright spots after you’ve left.

Was building system accreditation packages one of the worst jobs on Earth? Yes!

But could everyone take a lesson from the concept of having to be that accountable? No doubt.

Private industry is ad-hoc and chaotic by comparison when it comes to compliance.  Even if DoD systems don’t meet every required control to harden a system, at least they know they’re supposed to.  There’s a mandatory framework.

With respect to email, DoD nailed email a long time ago, at least as far as civilian contractors are concerned. Civilian contractors were mandated, if loosely enforced, to use ECA (External Certification Authority) PKI for digital email signing and encryption. My policy was very clear: sign everything, encrypt judiciously.

I managed these programs for years, across multiple contractor organizations and ECA vendors.  They weren’t very fun, but once you mastered the nuances, it was tolerable for one person to support fifty or so users in a certificate program.

Most private companies do not leverage these kinds of programs, which is a shame. In this age of email-borne, game-ending ransomware and whaling (C-level spear phishing), digital signatures offer at least some measure of identity assurance.

Certificates do not replace your baseline due diligence in evaluating email, but who could disagree that they are a powerful augmentation? If you have a solid signing and encryption culture and something comes through out of character – unsigned – you have immediate skepticism. Phishing doesn’t get far in organizations that operate with this level of information security maturity.
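The "unsigned is out of character" heuristic can be turned into a mail-triage check. The following is an added example, not code from the original post or from any ECA vendor: it assumes a baseline set of senders who always sign, and only checks whether an S/MIME signature structure is present, not whether the signature cryptographically verifies (that remains a separate step against the sender's certificate chain).

```python
"""Flag inbound mail that arrives unsigned from a sender who normally signs.

Hypothetical triage helper: detects the presence of an S/MIME signature
structure only. Signature verification is out of scope here.
"""
import email
from email.utils import parseaddr


def is_smime_signed(msg):
    """True if the message carries an S/MIME signature structure
    (clear-signed multipart/signed or opaque-signed pkcs7-mime)."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = msg.get_param("protocol") or ""
        return proto.lower() == "application/pkcs7-signature"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = msg.get_param("smime-type") or ""
        return smime_type.lower() == "signed-data"
    return False


def flag_out_of_character(raw_messages, baseline_signers):
    """Return (sender, subject) for every message that arrives unsigned
    from a sender on the always-signs baseline."""
    flagged = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in baseline_signers and not is_smime_signed(msg):
            flagged.append((sender, msg.get("Subject", "")))
    return flagged


# Constructed sample traffic (not real mail); the signature blob is a stub.
SIGNED = b"""From: CFO <cfo@example.com>
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBstub
--b1--
"""
UNSIGNED = b"""From: "CFO" <cfo@example.com>
Subject: Urgent wire transfer
Content-Type: text/plain

Please handle today.
"""
OUTSIDE = b"""From: vendor@partner.example
Subject: Invoice
Content-Type: text/plain

See attached.
"""
BASELINE_SIGNERS = {"cfo@example.com"}  # senders whose mail is always signed

if __name__ == "__main__":
    hits = flag_out_of_character([SIGNED, UNSIGNED, OUTSIDE], BASELINE_SIGNERS)
    for sender, subject in hits:
        print(f"out of character: unsigned mail from {sender}: {subject!r}")
```

Senders not on the baseline are never flagged by this check; the value lies entirely in first building the culture in which signed mail is the norm.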

No matter what your industry, I implore you to adopt a signing and encryption strategy, not only in your most sensitive business units, but enterprise-wide.  There are interoperability considerations for certain web mail and mobile scenarios, but explore them.  Plan a manageable, supportable PKI ecosystem, and make the investment.