Google updated Gmail for its Workspace customers, adding end-to-end encrypted (E2EE) messaging. The feature, announced Tuesday, allows Google Workspace customers to send an E2EE secure email to any inbox, whether that is Outlook.com, Yahoo Mail or even AOL Mail.
The feature launched in beta on Tuesday, enabling E2EE between Gmail users from the same organization, with eventual plans to make Gmail’s E2EE work regardless of the recipient’s email provider.
“We’ve invented an entirely new type of encryption,” said Google Workspace Senior Product Manager Johney Burke and Product Manager Julien Duplant in an email to SC Media.
This new encryption scheme aims to remove the complexity and implementation challenges of traditional E2EE models such as Secure/Multipurpose Internet Mail Extensions (S/MIME), which requires both the sender and recipient to have S/MIME enabled.
“Alternatives to S/MIME, such as encryption features from email providers or proprietary point solutions, present significant drawbacks as well: the former requires sharing encryption keys, increasing data privacy and sovereignty risks, while the latter complicates end user experiences with custom applications, portals and browser extensions,” Google said.
Google explained that its new feature, launched on Gmail’s 21st birthday, will allow enterprise Gmail users to send E2EE emails to any inbox without overly complicated processes. The feature is driven by client-side encryption, meaning data is encrypted before it is transmitted to or stored by Google, so that only the sender and recipient can read it.
"Google's announcement marks an important step in making client-side encryption more accessible to enterprise Gmail users. While the underlying encryption capability has existed for some time, the general availability helps streamline adoption for regulated industries and privacy-conscious organizations," said Piotr Wojtyla, head of threat intelligence at Abnormal Security, in an email to SC Media.
Emails from an enterprise Gmail account to any other Gmail account (including personal accounts) will automatically be encrypted and then decrypted in the recipient’s inbox, Google explained, while emails to recipients who have S/MIME will be encrypted and decrypted via S/MIME.
Non-Gmail recipients without S/MIME enabled will be able to view E2EE emails in a restricted version of Gmail, using a guest Google Workspace account that allows them to securely reply, according to Google.
Google plans to expand the beta feature to allow E2EE emails to any Gmail inbox in the coming weeks, with the full capabilities planned to release by the end of this year.
Google is also adding features such as a setting for organizations to make all Gmail messages end-to-end encrypted by default, classification labels to mark message sensitivity, data loss prevention features to automatically classify and take action on certain emails, and a threat protection AI model to enhance spam and phishing detection and prevention.
SlashNext Email Security+ Field CTO J Stephen Kowski told SC Media that E2EE offerings like Gmail's may create a false sense of security, as humans continue to be the "weakest link" when it comes to email protection.
"Just like we saw with the Signal-related breach, which was 100% E2EE, we found that perfect encryption doesn't protect against users making mistakes or falling for social engineering tricks," Kowski noted.
How Gmail’s end-to-end encryption compares to Microsoft Outlook
Google Workspace, which includes its business Gmail offering, holds a 50.34% share of the productivity software market, compared with the 45.46% share of Microsoft Office 365, which includes the Outlook business email client, according to ElectroIQ.
Microsoft Outlook includes E2EE via S/MIME and Microsoft Purview Message Encryption, the latter of which, similar to Gmail’s new feature, allows non-Outlook users to open encrypted emails in a dedicated portal. Users can sign into this portal with a Microsoft, Google or Yahoo account, or with a one-time password, according to Microsoft.
Google’s Gmail announcement emphasizes that users will control their own encryption keys, which are stored away from Google’s infrastructure. Microsoft’s Purview Message Encryption relies on Microsoft Purview Information Protection, which uses Azure Rights Management Services (RMS) for email protection and encryption.
According to the latest information available from Microsoft, Microsoft manages the root key for Microsoft Purview Information Protection, formerly Azure Information Protection, by default, but offers a “bring your own key” option that can be set up by the user.
"The bigger challenge for both platforms remains ease of use and broader adoption, especially when encryption adds friction to collaboration and compliance workflows," Wojtyla said.
Sectigo Senior Fellow Jason Soroko noted, in an email to SC Media, that client-side encryption "is only as secure as the environment in which it's used" and requires organizations to ensure they can properly protect their encryption keys.
"If a user's device is compromised by malware or other vulnerabilities, the encryption keys (and therefore the encrypted data) might be at risk," Soroko said.