ORMS Today
Skip main navigation

September 17, 2024 in Tech Tips

Implementing Email Attachment Security

SHARE: PRINT ARTICLE:print this page https://doi.org/10.1287/orms.2024.03.09

Businesses typically send documents to their customers via email as part of their operations. These documents could include renters or vehicle insurance, medical receipts, online transaction receipts and more. Documents are sent as attachments and contain customers’ personal data, which make them easy targets for hackers and prone to fraud. This process is vulnerable to security threats, leading to phishing and fraudulent attacks. In addition, if these emails are mistakenly forwarded to the wrong person, data can be compromised. To help avoid fraudulent activity, this article discusses how to implement security practices on email attachments.

I would like to propose two layers of security to be implemented to avoid fraud and secure email communications, using Amazon Web Services (AWS) and Python libraries.

Methodology

Emails and attachments can be made secure with the following:

  1. Password-Protected Attachments: There are a few open Python libraries, such as pyminizip [1],that we can use to easily password protect attachments and keep personal details known only to the email sender and appropriate receiver. The password does not need to be hard coded in the emails, and we are still able to avoid any confidential information passing through emails into the wrong hands.
  2. Avoiding Attachments: Utilizing s3 signed URLsinstead of traditional file attachments significantly reduces the size of emails, leading to faster email delivery and reduced load on email servers. This link is valid for a specific number of days, after which the files are unable to be downloaded, adding an additional layer of security.

Steps for Technical Implementation

Here are the keys steps to take to ensure security:

  1. Each of the files that need to be attached are password encryptedusing python’s pyminizip library and then zipped into a folder.
  2. These password-protected zipped folders are preserved in Amazon S3 (simple storage service). The file is also stored in our private S3 bucket with advanced encryption standard (AES)-256 encryption, so the data is secure at rest (in addition to within the attachment).
  3. For each zipped folder, a new presigned URLis created by AWS Lambda code, which is valid for seven days [2].
  4. Using Amazon Simple Email Service (SES), Lambda sends emails to all respective users [3].
  5. There is no need to create explicit AWS identities when sending emails to dynamic users. This utility is created in a nonproduction account, and SES supports dynamic receivers (unverified accounts) in such accounts. Therefore, I can send emails to both unverified and verified accounts in my organization.

For simplicity, passwords are set as each user’s personal details, which only the user knows, and therefore the user won’t be required to reach out to anyone for password information. This whole utility was automated to enhance end-to-end security utilizing features such as S3 presigned URL and password encryption.

Now we have secure attachments, along with the following benefits:

  1. Attachments are now being sent as password-encrypted files, making them secure from any phishing attacks.
    1. Using S3 presigned URLs allows for secure attachments because (1) there is no physical file attached to the email, (2) Lambda execution is fast (cost saving), and (3) the presigned URL is valid for limited time, which makes it less vulnerable.
  2. No hard-coded password or IT support team is needed.

Flow Diagram

email attachment security flow diagram

Dependencies

  1. The AWS Lambda function uses Identity and Access Management (IAM) user credentials to generate tokens that are valid for 90 days [4].
  2. SES has a limit to send out 40 emails per second, so I added an explicit for one second between each email.

Conclusion

After implementing this technical tip, emails received won’t have any actual attachments, and the URL shared will be clickable to download a password-protected local file that is valid for a week.

final secure email snapshot

References

  1. https://pypi.org/project/pyminizip/
  2. https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html
  3. https://docs.aws.amazon.com/ses/latest/dg/send-email.html
  4. https://aws.amazon.com/premiumsupport/knowledge-center/presigned-url-s3-bucket-expiration/

Gaurav Mittal

Gaurav Mittal is a seasoned IT manager with 15+ years of leadership experience, adept at guiding teams in developing and deploying cutting-edge technology solutions. Specializing in strategic IT planning, budget management and project execution, he excels in AWS Cloud, security protocols and container technologies. Gaurav is skilled in Java, Python, Node.js and CI/CD pipelines, with a robust background in database management (Aurora, Redshift, DynamoDB). His achievements include substantial cost savings through innovative solutions and enhancing operational efficiency. Gaurav is recognized for his leadership, problem-solving abilities and commitment to delivering exceptional IT services aligned with organizational goals.

SHARE:

Keywords:
INFORMS site uses cookies to store information on your computer. Some are essential to make our site work; Others help us improve the user experience. By using this site, you consent to the placement of these cookies. Please read our Privacy Statement to learn more.
Agree