Secure Organisational Email

Mobile: voice, text, email

Common challenges

Challenges related to mobile security for organizations include:

people using their own devices
mobile friendly secure chat for distributed teams
staff communications while traveling to low internet access locations

When staff use their own devices

Why is this a problem?

lack of IT support on own devices
many different setups that complicates support and sometimes workflow
it is used by other people that observe different security practices
more difficult to impose security changes for privately owned devices
there is less separation between private information/communication and professional
information ends up on not secure devices
there is no way to completely restrict people use their own devices for work
it is mostly awareness and behavioral element - there is just limited technical solutions here
phones are an acute example of this problem

What are some solutions for organizations?

embrace that people will use own devices, or it is a part of the contract (staff needs to have their own laptop, phone, etc.)
every new staff member receives security briefing (installation of tools on their devices, training on how to use them, awareness of risk and threats), there is one briefing when person starts (101) and then after each 6 months with all staff
clear, internalized policy of information & communication management (specifying e.g. caring info out of the office, use own devices, accounts, etc.) part of the contract
Provide the device for all staff (onboard the person on using the laptop only if the person read/understood SiaB - check!)
spectrogram what information org is managing and which is public, internal, confidential - use this taging later, set separate policy rules for each type:
- public: just backup
- internal: list of allowed services
- confidential: e2e encrypt
create support mechanism - people can come and ask for help with something, bring device and get it checked, reinstalled, tools installed, etc.

Tools

Google Apps (could be a good solution for an organisation because it has two step authentication)
Chat for mobile:
- surespot
- signal (group)

Secure VoIP and chat

Many organizations rely on Skype. Why?

It's free.
Skype provides both mobile and desktop clients. They are easy to use and run in the background.
It offers features such as: video conference, screen share, connects to telephones, chat and voice.
For the most part, it is reliable: high quality sound and good performance even on low bandwidth connections.
Many people already use Skype so it saves time to not have to teach the person you're communicating with, how to use the tool.

But in many cases, Skype is not a good option for organizations. Here are some reasons why replacing Skype may be a security priority for an organization:

Users don't realize they are storing their chat history on their computers.
Skype does not offer two step verification, which leaves accounts vulnerable to hacking.
Skype, as a company, is not necessarily trustworthy. Their source code is closed to the public, so while they say information sent over Skype is encrypted, it's impossible for the community to verify its veracity and quality.
Furthermore, Skype is collecting metadata on its users. What is it doing with this information?
Skype does not offer end to end encryption that Microsoft cannot decrypt. (more information on this on the EFF website)
There is a propagation of spam and phishing attacks on Skype, and is currently a popular channel for FinFisher.
There are more secure solutions available that offer security features like: "Off the record", deniability, and verification

So, what are the alternatives?
Ideally an organization would use multiple of these options.

Tools

Jitsi [we need more info on this – is this referring to JitsiMeet?]
- open source
- offers the feature: "Off the record"
Video conference calls (webrtc)
- JitsiMeet
- Appear.in
- Talky.io
Chat:
- Pidgin – chat client
  - offers the feature: "Off the record"
- IRC
  - can be self-hosted
  - hard to have archived history (which could be good or bad, depending on situation)
- Tor messenger
- Cryptocat
- Mattermost – an alternative to Slack
Mobile:
- Signal
- Telegram
- Whatsapp

Common challenges

You should be prepared to address some common challenges that organizations have when moving away from Skype, such as:

When communicating with teams that don't prioritize security, they are often brought down to the lowest common communication channel, which is often Skype.
It takes extra time and effort to get those outside of your organization on-board with your team's preferred communication channel.
It's just so easy to go back to Skype because it's what they know. And sometimes workflow efficiency trumps security.

Raising awareness

So, what has helped convince organizations that moving away from Skype is worth it, despite the challenges above?
Well, there's the "scare approach":

With the team, you could demonstrate how far back history goes in a Skype chat so users understand how much information about their communications could be collected.
You could share examples of how Skype, the company, has partnered with governments to surveil their citizens: the United States National Security Agency, China, and others).

But you might prefer to take a most positive approach:

Skype isn't all that great anyway, right? You have to pay to have more than 2 people on a video call, and the updates rely on the user to initiate.
You'll love the alternatives! Look at the great tools built on WebRTC (Web Real-Time Communication) – cross-platform, browser-based, and so very easy to use!

Ways to implement secure VoIP

The organization may agree that moving away from Skype is a good idea. Now what are your options to move forward? Here are some options for how to move the organization away from Skype, in order from slow and practical to ideal:

Multiple phases: get staff away from Skype but still us roprietary tool, moving in the direction of more secure options:
- Change to Google Apps and Google Hangouts, if you are already using Google as an organization .
  - Ensure 2-step is on and train on other security features
  - ISSUES: Dependency on Google, doesn't address metadata/e2e encryption issue
Move to Jitsi or Pidgin with OTR
Do you continue using gmail accounts? Or do you get a more trusted XMPP acco unts?

Policies

Once you've figured out your plan for how to move the organization away from Skype and onto something more secure, you'll want to help create some policies to guide staff on how to use VoIP safely:

If it is a scheduled meeting, send a link to a webrtc

If the organization decides to continue using Skype (and if it's likely that staff will continue to use Skype) you may want to also include policies such as:

Don't send files over Skype
Decide on history retention
Hardline approach to skype use :
- Use local group policy
- Use centralized policies
- Set rules in anti-virus to delete file
- ISSUES: Controversial. Relies on org owning computer. May not work in many scenarios where structure doesn't allow this level of control

Resources

EFF's Secure Messaging Scorecard can help you and the organization find a messaging tool that addresses their security concerns.

Policy framework ideas for secure communications

Make a policy of options for communication considering sensitivity types of info and local context:
Voice:

unsecure: phone call
better: skype voice
better: google hangouts
secure: signal (voice chat)
secure meet.jit.si (available also on the phone) or jitsi client program

Text:

unsecure: SMS
unsecure: facebook
unsecure: twitter
unsecure: viber
better: whatsup
better: skype
better: telegram (secure chat)
secure: crypto.cat
secure: jitsi
secure: signal text

see: https://www.eff.org/secure-messaging-scorecard

Email:

unsecure: yahoo, hotmail, outlook, ...
better: gmail
better: hushmail
even better: riseup
even better: tutanota
secure: pgp and org. email service

In this page: