Google, on Dec. 16, announced client-side encryption (CSE) for Gmail to increase customer data privacy. Users with accounts in Workspace Enterprise Plus, Education Plus, or Education Standard can now try out the beta version of the client-side encryption.
Gmail performs the encryption in the user's web browser and encrypts the email's body and attachments, but not the headers or the recipient list. On private keys, which are the central element of client-side encryption, Google warned that responsibility for any lost or deleted customer keys rests with the customer and not with Google, saying, “Your keys are managed at your discretion and at your own risk.”
Client-side encryption will ensure that emails remain private from prying eyes on servers. The integration of message encryption is welcome news, especially since a spate of email compromises and social media attacks had business administrators worried about security.
Setting Up Client-Side Encryption with Google
Workspace administrators can set up client-side encryption with Google by following several steps. The setup process, documented in detail on Google’s Support page, is as follows:
- Creating a new GCP project and enabling Gmail API
- Allowing domain-wide access to the service account
- Making a test group of Google users
- Preparing certificates
- Configuring the key service and identity provider (IdP)
Once Workspace administrators have completed these steps and received approval, they can enable client-side encryption for users. Each user receives their own key pair and S/MIME certificate, uploaded via Google’s API.
Once that is done, all a user needs to do is click the “Turn On” button under the “Additional encryption” heading. When receiving an email sent with client-side encryption, recipients see the words “Encrypted message” below the sender’s name.
Why Use Client-Side Encryption?
Google Workspace already provides encryption—but not client-side encryption with private keys. Client-side encryption encrypts information before it goes to Google’s cloud-based servers, giving users more privacy and security.
According to Google Support, the two main reasons for enabling client-side encryption are increased privacy and regulatory compliance. Regulatory compliance is especially important in highly regulated industries such as financial services, government, or national defense. Moreover, compliance will help businesses avoid incurring huge fines for data breaches.
Google’s CSE is currently available for Google Drive, Google Meet, and Google Calendar, but feature support varies between the web, desktop, and mobile applications.
Client-Side Encryption vs End-to-End Encryption
Client-side encryption is not the same as end-to-end encryption (E2EE). End-to-end encryption secures two-party communication from any prying third party, but it doesn’t provide security at the cloud services when the data is at rest. However, when it comes to client-side encryption, not even the cloud providers can decrypt the emails. This provides for that crucial at-rest security that E2EE doesn’t have.
Under client-side encryption, a third-party key generation service generates a private key known to the servers. Once the data has passed through these steps it is encrypted, and the service provider is unable to decrypt it.
Additionally, this provides for Zero-Knowledge architecture—a data management technique that prevents cybercriminals from decrypting information even if they successfully compromise a provider. This is the most useful way to protect information nowadays, as even state departments and mega-corporations, whose networks are completely secured, are falling victim to advanced cyberattacks.
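To make the key-service and IdP steps from the setup list and the "provider cannot decrypt" property above concrete, here is an added example (not Google's code) that models the flow: the client encrypts with a per-message data key, a customer-run key service (what Google's CSE documentation calls KACLS) wraps that key only after an IdP token check, and the provider stores only ciphertext plus the wrapped key. The token string and keys are constructed, and HMAC-SHA256 in counter mode stands in for AES-GCM so the example runs with the standard library alone.

```python
import hashlib
import hmac
import secrets
# Model of Gmail CSE key handling (added example, not Google's code): the client
# encrypts each message with a fresh data encryption key (DEK), a customer-run
# key service wraps the DEK after checking the user's IdP token, and Google
# keeps only the ciphertext plus the wrapped DEK. HMAC-SHA256 in counter mode
# with an encrypt-then-MAC tag stands in for AES-GCM (standard library only).

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (_prf(key, b"ks", nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, pt: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per call; never reused under one key
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + _prf(key, b"tag", nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"tag", nonce + ct)):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyService:
    """Customer-controlled key service (KACLS in Google's docs). It holds the
    key encryption key (KEK) and wraps/unwraps DEKs only for callers with a
    valid IdP token (a constructed string here; a real service verifies a JWT)."""
    def __init__(self, kek: bytes, valid_token: str):
        self.kek, self.valid_token = kek, valid_token
    def _authorize(self, token: str) -> None:
        if not hmac.compare_digest(token.encode(), self.valid_token.encode()):
            raise PermissionError("IdP token rejected")
    def wrap(self, dek: bytes, token: str) -> bytes:
        self._authorize(token)
        return seal(self.kek, dek)
    def unwrap(self, wrapped: bytes, token: str) -> bytes:
        self._authorize(token)
        return unseal(self.kek, wrapped)

def encrypt_message(ks: KeyService, token: str, body: bytes) -> dict:
    """Runs in the client; the returned dict is all that Google's servers receive."""
    dek = secrets.token_bytes(32)
    return {"body": seal(dek, body), "wrapped_dek": ks.wrap(dek, token)}

def decrypt_message(ks: KeyService, token: str, stored: dict) -> bytes:
    return unseal(ks.unwrap(stored["wrapped_dek"], token), stored["body"])
```

A key service holding a different KEK (the "lost or deleted keys" case Google warns about) fails to unwrap, so the stored message becomes unreadable for everyone, including the customer.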
That said, however, encryption is only one essential element of a robust security policy. Client-side encryption should be implemented in tandem with powerful firewalls, regular patching, network monitoring, and multi-factor authentication. All combined, these provide a robust framework to defend against attacks.
Data Encryption—Becoming a Common Security Requirement
Apple introduced E2EE for cloud data earlier this month, but messaging platforms like Signal, Threema, WhatsApp, iMessage, Viber, Tox, Keybase, XMPP, and Skype are already using E2EE. They’re choosing message encryption because it shields data from cybercriminals, even in the event of a network breach. And, had Twitter implemented E2EE, it could have avoided a breach in July 2020 when cybercriminals read and downloaded messages and attachments from the inboxes of its employees.
To bring the potential of encryption full circle, companies need to consider client-side encryption alongside E2EE. While E2EE provides security when data is in transit, client-side encryption gives it security inside centralized servers, ensuring that not even the providers can sell or manipulate the data. But, at the risk of belaboring the point, encryption represents only one aspect of network security.
Power Lies with the Network Administrators
Client-side encryption will give individual users more privacy and security against third-party interference. But it is network administrators in particular who will wield its true potential: they can use client-side encryption to meet compliance requirements and ensure security.
In today’s businesses, network administrators have become central in protecting information on servers. Google Workspace administrators, for instance, can monitor the encrypted files and even revoke user access. With great power comes great responsibility, and network administrators now stand at the frontlines of business security.