When choosing a secure messaging tool, there are a lot of factors to take into account, such as the functionalities and infrastructure.
When discussing this with organizations, we have noted that oftentimes there is not a clear picture of what such a messenger should be capable of – time for us to list the ins and outs of secure messaging!
- Encryption in transit and at rest
- Intrusion prevention and intrusion detection systems
- Code tested by independent party
- Pin on mobile
- Two-factor authentication
- Remote wipe
- Show data in notifications
- Virus scanning of attachments
Why choose secure messaging?
Luckily, the awareness surrounding messaging for work purposes has increased tremendously. The fact that data concerning, for example, patients or clients and their treatment needs to be handled with care is now generally acknowledged, and it has also become clear that most messaging services do not adhere to the guidelines set for data security.
Legislation regarding data security
Obviously, governments provide legislative guidance regarding data security and, more specifically, safeguarding privacy. On a European level, the General Data Protection Regulation will apply from the 25th of May 2018 (after a two-year transition period). The primary objectives of the GDPR are that privacy rights will be strengthened and expanded and that the responsibilities of organizations will increase.
Trust of patients / clients / customers
When your organization deploys a secure messenger for communication concerning / with patients and clients, this can be seen as a sign that the organization takes data security seriously. This will inspire confidence and lower the threshold when people are asked for their personal details.
Security of internal data
Besides having to secure patient / customer data, it is also important to handle, for example, employee data with care. Organizations have a lot of personal information regarding their employees at their disposal and must obviously prevent this information from leaking. Besides, there are plenty of other internal company data (statistics, intellectual properties, etcetera) which may well be relevant for, for example, competitors.
A lot can be said about the technical specifics of a secure messaging service – however, in this article we skip the deeper technical properties. The factors listed below should give a basic idea of what requirements a messenger should meet, before checking further technological specifications.
Encryption in transit and at rest
A core ingredient for secure messaging is, naturally, the encryption of data. All information that is being sent via messenger, should be encrypted both as it is sent (in transit) and when it is stored (at rest).
There are several ways to encrypt data – the most common is AES (Advanced Encryption Standard, also known as Rijndael), with a key length of 128, 192 or 256 bits. The key length determines the number of transformation rounds needed to convert the input (plaintext) into the final output (ciphertext). Simply stated: the longer the key, the stronger the protection of the data.
Some organizations specifically require end-to-end encryption (in Alterdesk we call this ‘hyper secure chats’) – this basically means that messages are encrypted on the device of the sender and will only be decrypted on the device of the receiver. The server only transports the encrypted messages and cannot read them.
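As an added illustration of the two properties described above (not code from Alterdesk or from the original article), the following Go program encrypts a message with AES-256 in GCM mode, shows the blob that a server or a disk would hold at rest, and demonstrates that the same blob can only be opened with the right key and that any tampering is detected. The key, the conversation identifier used as associated data and the message text are all constructed for the example; the round counts come from the AES specification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aesRounds returns the number of AES transformation rounds for a key of the
// given length in bytes (AES-128: 10, AES-192: 12, AES-256: 14).
func aesRounds(keyLen int) (int, error) {
	switch keyLen {
	case 16:
		return 10, nil
	case 24:
		return 12, nil
	case 32:
		return 14, nil
	}
	return 0, fmt.Errorf("invalid AES key length %d bytes", keyLen)
}

// sealMessage encrypts plaintext under key with AES-GCM. The returned blob is
// nonce || ciphertext || tag, which is what is stored at rest or sent across
// the wire. aad binds unencrypted metadata (here a conversation id) to the
// ciphertext so the blob cannot be silently moved to another conversation.
func sealMessage(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openMessage reverses sealMessage. A wrong key, a modified ciphertext or a
// modified aad all fail authentication, so tampering at rest is detected
// rather than yielding garbage plaintext.
func openMessage(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key := make([]byte, 32) // AES-256; constructed here, a real deployment uses a managed key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aad := []byte("conversation:42") // hypothetical metadata bound to the message
	blob, err := sealMessage(key, []byte("appointment moved to Friday"), aad)
	if err != nil {
		panic(err)
	}
	// With end-to-end encryption this blob is all a server ever sees.
	fmt.Printf("stored at rest: %x\n", blob)
	rounds, _ := aesRounds(len(key))
	fmt.Printf("AES-%d uses %d rounds\n", len(key)*8, rounds)
	pt, err := openMessage(key, blob, aad)
	fmt.Printf("receiver reads: %q (err=%v)\n", pt, err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = openMessage(key, blob, aad)
	fmt.Printf("after tampering: err=%v\n", err)
}
```

The nonce is generated fresh for every message and stored in front of the ciphertext; reusing a nonce under the same key would break GCM's guarantees, which is why the code never lets the caller choose it.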
Intrusion prevention and intrusion detection systems
Intrusion detection systems guard activities in the messenger and keep track of the kinds of actions that take place. When this system detects suspicious activity, the intrusion prevention system will put the user from which this activity originates in ‘quarantine’. The suspect will not be able to access the messenger while in quarantine.
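To make the detection/prevention pairing concrete, here is an added Go example (not Alterdesk's implementation, whose rules the article does not describe) that replays a constructed audit log, counts failed logins per user inside a sliding window and, once a threshold is reached, places that user in quarantine so every later action is refused. The log format, the user names and the threshold are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// event is one parsed audit-log line: unix time, user, action.
type event struct {
	ts     int64
	user   string
	action string
}

// sampleLog is constructed data, not a real log: alice behaves normally,
// mallory fires a burst of failed logins and then tries to carry on.
var sampleLog = []string{
	"1700000000 alice login_ok",
	"1700000010 alice send_message",
	"1700000020 mallory login_fail",
	"1700000021 mallory login_fail",
	"1700000022 mallory login_fail",
	"1700000023 mallory login_fail",
	"1700000024 mallory login_fail",
	"1700000030 mallory login_ok",
	"1700000031 mallory send_message",
	"1700000100 alice login_ok",
}

// parseLine splits "<unix-ts> <user> <action>" (the assumed log format).
func parseLine(line string) (event, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return event{}, fmt.Errorf("malformed line %q", line)
	}
	ts, err := strconv.ParseInt(f[0], 10, 64)
	if err != nil {
		return event{}, err
	}
	return event{ts: ts, user: f[1], action: f[2]}, nil
}

// detector pairs detection (failed logins per user in a sliding window) with
// prevention (quarantine: every later action by that user is refused).
type detector struct {
	window     int64 // seconds
	threshold  int
	fails      map[string][]int64
	quarantine map[string]bool
}

func newDetector(window int64, threshold int) *detector {
	return &detector{window: window, threshold: threshold,
		fails: map[string][]int64{}, quarantine: map[string]bool{}}
}

// observe feeds one event and returns false if the action was refused.
func (d *detector) observe(e event) bool {
	if d.quarantine[e.user] {
		return false
	}
	if e.action == "login_fail" {
		kept := d.fails[e.user][:0] // in-place filter: drop failures older than the window
		for _, t := range d.fails[e.user] {
			if e.ts-t < d.window {
				kept = append(kept, t)
			}
		}
		kept = append(kept, e.ts)
		d.fails[e.user] = kept
		if len(kept) >= d.threshold {
			d.quarantine[e.user] = true
		}
	}
	return true
}

// runLog replays raw lines and returns refused-action counts per user and the
// final quarantine set. Malformed lines are skipped rather than trusted.
func runLog(lines []string, window int64, threshold int) (map[string]int, map[string]bool) {
	d := newDetector(window, threshold)
	refused := map[string]int{}
	for _, l := range lines {
		e, err := parseLine(l)
		if err != nil {
			continue
		}
		if !d.observe(e) {
			refused[e.user]++
		}
	}
	return refused, d.quarantine
}

func main() {
	refused, q := runLog(sampleLog, 60, 5)
	fmt.Println("quarantined:", q, "refused actions:", refused)
}
```

In a real deployment the quarantine decision would also be written to an audit trail and surfaced to an administrator, since a legitimate user who mistyped a password five times needs a way out of quarantine.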
Code tested by independent party
It is certainly a good sign when an independent party has tested your secure messaging service – no development team is absolutely perfect and this is the way to track down any mistakes and to hear from an external party that the quality of the messaging service is as promised.
Pin on mobile
A useful functionality for a secure messenger is the option to enable users to provide their mobile messaging accounts with an extra layer of security by means of a pin code.
Two-factor authentication
Passwords do not provide the same degree of security as before – malware is often aimed at obtaining passwords and finding out whether your account has been compromised is not all that easy.
Two-factor authentication (also known as 2FA) is a method that requires the user to enter their username and password, AND a verification code in order to log in. This verification code must usually be generated by an external system, such as the Google Authenticator app for smartphones.
Remote wipe
Not everyone is equally careful with their mobile phone and some are just unlucky – if one of your team members loses their smartphone, there could be a risk of data leaks.
That is why it is a big plus if a messaging account can also be signed out remotely (by either the user or the company administrator), so that unauthorized persons cannot gain access to the data in the messenger.
Show data in notifications
Some organizations require that company data cannot be shown anywhere outside of the messaging app – not even in notifications (push notifications or email notifications) sent from the messenger itself. That is why it can be handy if the messenger provides organizations with the option to switch off the visibility of communicated data in such notifications.
Virus scanning of attachments
Most malware is spread as an attachment to, for example, email messages. Messaging systems that support file sharing could then also pose a risk to your organization – if the attachments are not properly scanned for malware.
In the Alterdesk messenger, virus scanning is done as follows: if the messenger detects malware or a file extension that has been blacklisted, the file is simply not sent. The user will receive a notification that the attachment in question has not been approved.
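The following Go example is added here to show the shape of such an attachment gate; it is not Alterdesk's code and the article does not describe their rules. It blocks on any blacklisted extension segment (so a double extension such as "invoice.pdf.exe" is caught), sniffs leading bytes so a renamed executable does not slip through, and uses the industry-standard EICAR test string as a stand-in for the hand-off to a real scanning engine. The blocklist and the sample file names are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// blockedExtensions is a constructed example blocklist of executable and
// script types; a real deployment tunes it to its own policy.
var blockedExtensions = map[string]bool{
	"exe": true, "dll": true, "scr": true, "bat": true, "cmd": true,
	"ps1": true, "js": true, "vbs": true, "jar": true, "msi": true,
}

// executableMagic lists leading bytes that identify executable formats,
// regardless of what the file name claims.
var executableMagic = []struct {
	prefix []byte
	kind   string
}{
	{[]byte("MZ"), "Windows executable"},
	{[]byte{0x7f, 'E', 'L', 'F'}, "ELF executable"},
}

// eicar is the harmless antivirus test string; matching it stands in for a
// real malware-scanning engine in this example.
const eicar = `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`

// checkAttachment returns whether the file may be sent and, if not, the
// message shown to the user. The file is refused, not "cleaned".
func checkAttachment(name string, content []byte) (bool, string) {
	parts := strings.Split(strings.ToLower(name), ".")
	for _, ext := range parts[1:] { // every segment after the base name
		if blockedExtensions[ext] {
			return false, fmt.Sprintf("attachment not approved: extension .%s is blocked", ext)
		}
	}
	for _, m := range executableMagic {
		if bytes.HasPrefix(content, m.prefix) {
			return false, "attachment not approved: content is a " + m.kind
		}
	}
	if bytes.Contains(content, []byte(eicar)) {
		return false, "attachment not approved: malware signature detected"
	}
	return true, ""
}

func main() {
	samples := []struct {
		name    string
		content []byte
	}{
		{"report.pdf", []byte("%PDF-1.4 constructed sample")},
		{"invoice.pdf.exe", []byte("whatever")},
		{"Setup.EXE", []byte("MZ...")},
		{"notes.txt", []byte("MZ renamed executable")},
		{"test.txt", []byte(eicar)},
	}
	for _, s := range samples {
		ok, why := checkAttachment(s.name, s.content)
		fmt.Printf("%-16s allowed=%-5v %s\n", s.name, ok, why)
	}
}
```

Refusing the file and telling the user why, as the article describes, is preferable to silently dropping it: the sender otherwise assumes the attachment arrived.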
Naturally, the company developing the messenger should be helpful, accessible and pleasant to communicate with, but there are also issues related to the developing company that may influence the level of security their product has to offer.
Think of, for example, the location of the hosting company the developer uses – is this hoster based in Europe or (as is the case for many international messaging services) in America? When messaging data is stored on American servers, this information falls under the American Freedom Act (the successor of the Patriot Act), which means that data sent by means of this messenger can be made accessible to the American government.
It is also a good idea to find out what kind of revenue model the messaging service has. Free services are hardly ever simply free – think of Facebook and, by extension, WhatsApp, where the user is, in fact, the revenue model (which is realized by means of targeted advertising). Even services that claim to be ‘free, for now’ will eventually need to earn their keep – be sure to find out how they plan to do this sooner rather than later.
(To be clear: users are allowed to try the Alterdesk messenger for free. For more extensive / prolonged use we provide licenses, either through us or one of our partners. The costs of such a license depend on multiple factors, such as the amount of users necessary.)
Specific requirements and preferences
Every organization has its own specific procedures and plans for the future that need to be taken into account when choosing a secure messaging service.
Does the messenger need to be integrated in a specific system? Should the messenger be available in specific languages or on a certain kind of smartphone or perhaps even a wearable?
These are all issues that should be considered, so that your organization does not end up with a limited system that has no place in the vision the organization has for the future.
Would you like to know more about what Alterdesk can offer your organization in terms of secure messaging? Feel free to contact us, we would love to hear from you!