Encrypting Outgoing Emails

Organizations often opt to encrypt outgoing emails to share sensitive information securely with the intended recipients while preventing access to others.

Avanan supports these two methods of secure email transmission: Microsoft 365 Email Encryption and Avanan Email Encryption.

Selecting between Avanan Email Encryption and Microsoft 365 Email Encryption

When deciding between Microsoft 365 Email Encryption and Avanan Email Encryption, consider these factors:

  • Maintaining user experience - If you already use Microsoft 365 Email Encryption, triggering it through the Avanan DLP policy might be a good idea to have the same experience for your end users and external recipients.

  • Price and quality - If you are unsatisfied with Microsoft 365 Email Encryption regarding price or quality, Avanan Email Encryption is highly recommended.

Microsoft Encryption for Outgoing Emails

Microsoft 365 can encrypt outgoing emails using Microsoft 365 Email Encryption. Encryption can be applied automatically to emails that the DLP engine detects as sensitive.

Note - Microsoft 365 Email Encryption is available only for outgoing emails.

For more information about the Microsoft 365 encryption mechanism, see the Microsoft Documentation.

Required License for Encrypting Outgoing Emails

In Monitor only mode, you can use the existing license of Office 365 as the minimum requirement. However, if you want to use Microsoft Encryption as an action in a policy, you must have a license with Office 365 Message Encryption (OME) capabilities. For more details, see Microsoft plans with OME capabilities and Microsoft Documentation.

Encrypting Outgoing Emails

To encrypt emails using Microsoft, you must create a transport rule. To configure it, contact Avanan Support. Once the transport rule is configured, select the required DLP workflow that has encryption ("Email is allowed. Encrypted by Microsoft" or "Email is blocked and user can resend as encrypted"). Based on the workflow defined, the emails are encrypted automatically.

All outgoing emails in which a data leak is detected are sent with this header:

  • Microsoft Encryption: X-CLOUD-SEC-AV-Encrypt-Microsoft: True
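One way to confirm from exported message sources that the DLP workflow tagged an email with this header, added here as an example (not Avanan's or Microsoft's code). The sample messages are constructed, and comparing the value without regard to case is an assumption.

```python
from email import message_from_string
from email.policy import default

# Header name and value as given on this page.
HEADER = "X-CLOUD-SEC-AV-Encrypt-Microsoft"

def marked_for_microsoft_encryption(raw_message: str) -> bool:
    """Return True when a parsed header (not body text) carries the value True."""
    msg = message_from_string(raw_message, policy=default)
    # Header names are case-insensitive; get_all also covers repeated headers.
    values = msg.get_all(HEADER, [])
    # Assumption: the value is compared ignoring case and surrounding whitespace.
    return any(str(v).strip().lower() == "true" for v in values)

def audit(messages):
    """Map each message label to whether it carries the encryption header."""
    return {label: marked_for_microsoft_encryption(raw)
            for label, raw in messages.items()}

# Constructed sample messages (not real traffic).
SAMPLES = {
    "flagged": (
        "From: alice@example.com\nTo: bob@example.net\nSubject: Q3 payroll\n"
        "X-CLOUD-SEC-AV-Encrypt-Microsoft: True\n\nSee attached.\n"
    ),
    "lowercase-name": (
        "From: alice@example.com\nTo: bob@example.net\nSubject: IDs\n"
        "x-cloud-sec-av-encrypt-microsoft: true\n\nBody.\n"
    ),
    "clean": "From: alice@example.com\nTo: bob@example.net\nSubject: Lunch\n\nNoon?\n",
    # The header text appears only in the body, so it must not count.
    "body-only": (
        "From: alice@example.com\nTo: bob@example.net\nSubject: header question\n\n"
        "X-CLOUD-SEC-AV-Encrypt-Microsoft: True\n"
    ),
}

if __name__ == "__main__":
    for label, flagged in audit(SAMPLES).items():
        print(f"{label}: {'header present' if flagged else 'header absent'}")
```

Parsing the headers instead of searching the raw text keeps a message that merely quotes the header in its body from being counted as tagged.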

Encrypting Outgoing Emails using Avanan Email Encryption

Avanan Email Encryption allows you to send emails containing sensitive information securely: the external recipient views the email in a secured portal, while the email and its content are stored only in the Avanan tenant.

Activating Avanan Email Encryption

To activate Avanan Email Encryption:

  1. Create or edit an existing Office 365 Mail DLP policy. For more information, see DLP Policy for Outgoing Emails.

  2. Set the policy protection mode as Prevent (Inline).

  3. Under Scope, select Direction as Outbound.

  4. Select a DLP workflow for Avanan Email Encryption as required. For the supported workflows, see Avanan Email Encryption Workflows.

  5. Click Save.

Note - By default, the Avanan logo appears on the Avanan Email Encryption web pages and email notifications. To customize the logo, see Custom Logo.

Accessing Avanan Email Encryption Encrypted Emails

Validating the Identity of the External Recipient

When an external recipient receives a secured email notification from Avanan Email Encryption, the recipient must validate their identity to view the email.

To validate the identity, the external recipient must do the following:

  1. Click the link in the email notification to access the secured portal.

    By default, the link is valid only for 10 hours.

  2. Click Authenticate to receive the one-time authentication code.

    The recipient receives the authentication code through email. By default, the authentication code is valid only for 10 minutes.

  3. Enter the code and click Submit.

  4. After successful authentication, the recipient can view and respond to the email.

    Also, Avanan adds a cookie to the browser. By default, it remains valid for 30 days, and the recipient is not required to authenticate again from the same browser. After the cookie expires, the recipient must authenticate again.

    To configure the default time and validity of the cookie, see Configuring Avanan Email Encryption Parameters.

External Recipients Interacting with Emails Vaulted by Avanan Email Encryption

After successful authentication, the email opens in a secured portal and allows the recipient to:

  • Read the email

  • Download the attachments (if any)

  • Reply to the sender.

Storage of Emails by Avanan Email Encryption

Avanan stores emails secured by Avanan Email Encryption only on the Avanan servers associated with the data residency region of your Avanan tenant. The email and its attachments are stored encrypted with SSE-S3 encryption.

By default, these emails will be available only for 14 days, and you cannot access them later. To change the number of days they are available, see Configuring Avanan Email Encryption Parameters.

Configuring Avanan Email Encryption Parameters

You can configure the security and retention parameters of the Avanan Email Encryption security engine. To do that:

  1. Click Security Settings > Security Engines.

  2. Click Configure for Avanan Email Encryption.

  3. In the Subject field, enter the subject of the Avanan Email Encryption email notification.

  4. In the Body field, enter the required information for the email notification.

  5. In the Email lifetime in days field, enter the number of days before the emails expire. By default, Avanan Email Encryption emails expire after 14 days.

  6. In the Code expiration in minutes field, enter the expiration time for the authentication code. By default, the code expires in 10 minutes.

  7. In the Cookie expiration in days field, enter the expiration for the cookie. By default, the cookie expires after 30 days. After this period, the recipient must authenticate again.

  8. In the Link expiration in hours field, enter when the secured link in the email notification expires.

    By default, the link is valid only for 10 hours. After this period, the recipient cannot access the vaulted email using the encrypted link. However, the recipient can request a new link from the old encrypted link.

  9. Click Save.
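A small model of how the four lifetimes from the identity validation steps and the configuration fields above interact, added here as an example (not Avanan's code). The state names, the function and the order of the checks are assumptions; the default values are the ones stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Params:
    """Configurable lifetimes, set to the defaults stated on this page."""
    email_lifetime: timedelta = timedelta(days=14)
    code_expiration: timedelta = timedelta(minutes=10)
    cookie_expiration: timedelta = timedelta(days=30)
    link_expiration: timedelta = timedelta(hours=10)

def portal_decision(now: datetime, email_sent: datetime, link_issued: datetime,
                    cookie_set: Optional[datetime] = None,
                    code_issued: Optional[datetime] = None,
                    code_entered: bool = False, p: Params = Params()) -> str:
    """Step the recipient faces at `now`; the order of checks is an assumption."""
    if now - email_sent > p.email_lifetime:
        return "email-expired"          # vaulted email no longer available
    if now - link_issued > p.link_expiration:
        return "request-new-link"       # old link only offers a new link
    if cookie_set is not None and now - cookie_set <= p.cookie_expiration:
        return "show-email"             # same browser, no new code needed
    if code_issued is None:
        return "send-code"
    if now - code_issued > p.code_expiration:
        return "code-expired"
    return "show-email" if code_entered else "await-code"

def demo_timeline() -> list:
    """Constructed timeline for one recipient and one email (not real data)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    h, m, d = timedelta(hours=1), timedelta(minutes=1), timedelta(days=1)
    return [
        portal_decision(t0 + h, t0, t0),
        portal_decision(t0 + h + 5 * m, t0, t0, code_issued=t0 + h, code_entered=True),
        portal_decision(t0 + h + 11 * m, t0, t0, code_issued=t0 + h, code_entered=True),
        portal_decision(t0 + 11 * h, t0, t0, cookie_set=t0 + h),
        portal_decision(t0 + 12 * h, t0, t0 + 11 * h, cookie_set=t0 + h),
        portal_decision(t0 + 15 * d, t0, t0 + 15 * d, cookie_set=t0 + h),
    ]

if __name__ == "__main__":
    print(demo_timeline())
```

In this model, with the default values, the 30-day cookie outlasts the 14-day email lifetime, so for a browser that has already authenticated, the link and email lifetimes are what bound access to a given email.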

Emails Encrypted by Avanan Email Encryption - End User (External Recipient) Experience

When Avanan detects sensitive information in an email, the email is vaulted, and the recipient receives an email notification from Avanan Email Encryption.

00:00: This video walks you through the steps the recipient must follow to view the encrypted emails through a secured web portal.
00:07: If the administrator configured an outgoing DLP policy to encrypt sensitive emails with Check Point Avanan Email Encryption, these emails will be delivered securely to the external recipients.
00:19: When such sensitive information is detected in an email sent outside your organization, Harmony Email and Collaboration encrypts it and sends an Avanan Email Encryption email notification to the recipient with information about the sender and the email subject.
00:35: To read the encrypted email, the recipient must click the link provided in the email.
00:41: A secure web portal opens and requests for authentication.
00:45: Click "Send Authentication Code".
00:48: The recipient receives an email with the authentication code.
00:52: In the secured portal, enter the code and click "Go to the Email".
00:56: After successful authentication, the encrypted email opens in the secured web portal.
01:02: To reply to the email, click "Reply to Sender".
01:06: Type in the response and click "Send".
01:09: The response is sent as an email to the original sender, and the secured portal shows the email delivery status.
01:16: This is how the response sent from the secured web portal appears to the original sender within the organization.
01:23: Thanks for watching the video.

To view the secured email, the external recipient must do the following:

  1. Click the secured link in the email notification.

    Note - By default, the secured link is valid only for 10 hours. After it expires, you must request a new link. To do that, click Send link from the Encrypted Link Expired page.

    You will receive an email with the new secured link.

  2. To read the email, click Read the Message.

    The secured portal opens and requests authentication.

  3. Click Get Authentication Code.

    The recipient receives an authentication code through an email.

  4. Enter the authentication code in the secured portal and click Go to the Email.

    After successful authentication, the original email appears.

  5. To reply to the email, click Reply to Sender.

  6. Enter the required information and click Send.

    The response is sent as an email to the original sender and the secured portal shows the email delivery status.