A realistic alternative that companies that cannot stop "PPAP" should take: What is "security measures that do not burden the field"?


With new digital communication tools emerging, email is an integral part of your business. It's not uncommon for companies to use message tools for communication within teams and organizations, and email for communication outside the company.

However, email has security challenges such as targeted attacks, spoofing, and misdelivery. Among them, the one that can cause a serious accident is "wrong transmission of attached files". For example, there are cases where the destination of internal circulation data includes an external email address, or the data that should have been sent is different from the original data. Therefore, it is required to pay sufficient attention to the contents and destination of the attached file. However, it is difficult to completely eliminate these problems with the efforts of each employee. Against this background, PPAP (a method of encrypting email attachments in ZIP format and sending the decryption password in another email) has been adopted as a security measure for email.

"I can't stop" while "PPAP" is being shouted

PPAP benefits both senders and receivers. First of all, the attached file is encrypted, so even if you send it by mistake, the information will not be viewed unless you know the password. Also, you can check the file just by using the password you received in the second email, and you do not need to install any special software.

PPAP began to be used in the early 2000s, and systems that automate the compression and transmission of files and the transmission of encrypted mail became widespread. Currently used by many businesses and government agencies, it has become the de facto standard for email security. However, according to Mr. Fumiya Ishikawa of Canon IT Solutions, who is in charge of supporting email security products (Technical Support Division, Engineering Department, Cyber ​​Security Technology Development Headquarters), there have been voices that have long questioned the effectiveness of PPAP. ..

Canon IT Solutions Fumiya Ishikawa

"First of all, even if it is encrypted, it is difficult to collect or destroy the file itself that was sent by mistake. Also, if you have a system that automates PPAP, the file and password are the same in one transmission operation. Since it reaches the destination, it is not a countermeasure against erroneous transmission. Similarly, since the file and password are sent using the same route in one transmission operation, an attacker can easily steal all information. Furthermore, if the file is encrypted, even if the original data contains malware, it may not be detected, so it may be exploited by an attacker. "(Mr. Ishikawa)

While there were many challenges, it was said that "it still has advantages over complete inaction", and the use of PPAP continued. This is because the work of "sending a file by e-mail" was suitable for business sites even if the security strength was reduced due to automation.

In the midst of such a situation, Takuya Hirai, Minister for Digital Transformation, announced in November 2020 that "the use of PPAP in central ministries and agencies will be abolished." With this statement as a trigger, the movement to review PPAP has become active even in private companies.

Canon Marketing Japan Ayumu Yamazaki

However, many companies are confused because the government has not specifically shown alternatives to PPAP. Ayumu Yamazaki of Canon Marketing Japan, who is in charge of developing and selling mail security products (Chief, Security Solution Product Planning Section 2, Security Solution Planning Headquarters) said, "The larger the company, the more difficult it is to change the conventional system. It seems. Even if the management wants to follow the government's intentions, the work in the field should not be confused. The IT department is in a situation of being caught up in the situation, "says the actual situation of the company.

What is an easy-to-use and highly secure "PPAP alternative"?

There are three main alternatives to PPAP. "Use of cloud storage" "Use of file exchange service" "Download link of attached file".

The method of using cloud storage is to expose a part of the cloud service area used by the company to external business partners. While it has the advantage of being able to share large files without hassle, there are concerns about problems such as the trouble of setting public permissions and the tendency for information leakage to occur due to setting mistakes.

The method of using the file exchange service is that the user who wants to send the file uploads the file to the cloud storage and sends a link for download by e-mail or the like. The recipient can download the file at the received link. Since cloud storage is used, large files can be exchanged, but the risk of erroneous email transmission remains.

Download linking of attachments combines the advantages of PPAP and the aforementioned method. When the sender attaches a file to an email and performs a send operation, the system automatically separates the attached file and uploads it to the download server, and the email contains the automatically generated download link and sends it. The recipient downloads the file from the link received.

How to improve email security comprehensively

Canon Marketing Japan has incorporated a download link function for attachments into the information leakage countermeasure product group "GUARDIAN WALL" developed and provided by the company. Mr. Ishikawa explains the reason as follows.

"If the operations that were performed in the conventional work change too much, the burden on the user will be heavy, and the productivity of the work will decrease and security accidents will easily occur. No more burden than" sending an email "to the site. , I decided that the download link of the attached file is the best way to achieve both convenience and safety. "(Mr. Ishikawa)

The GUARDIANWALL series consists of two product groups: "GUARDIANWALL Mail Security" that protects emails and "GUARDIANWALL Web Security" that prevents information leakage from the Web. Among them, the mail filtering product "GUARDIAN WALL Mail Filter" and the mail archiving product "GUARDIAN WALL Mail Archive" are said to utilize the Japanese language processing technology researched and developed by Canon Marketing Japan.

"For example, make sure that only important emails that contain specific keywords in the subject, body, and attachments of the email are approved by the superior, and whether the information contained in the email contains personal information. In addition, in response to the recent increase in awareness, we have added a function to extract and report character strings related to harassment. Both have strengths in "language processing for double-byte characters," which is difficult for overseas products. It is a function that makes the best use of this. "(Mr. Ishikawa)

From August 2021, cloud product "MailConvert on Cloud Premium" (MailConvert) with attachment download linking function and product "Outbound Security" for companies using or considering migration of "Microsoft 365" for Microsoft 365 "will be added sequentially. MailConvert supports download linking of attachments as an additional feature of existing services.

MailConvert automatically separates attachments when sending an email and forwards it to the download server, and sends an email with a download link to the destination (recipient). Recipients will be able to access the download link and select "Issue One-Time Password" or "Social Login" to authenticate and then download the attachment.

Image of using the download link function of attached files on the sender side (Source: Canon Marketing Japan provided materials)


Social login is a function that uses the recipient's Microsoft or Google account information to verify their email address and identity. "As mentioned earlier, passwords in PPAP are laborious and risky to handle. Using social login eliminates the need for all password exchanges," (Mr. Ishikawa).

By default, attachments uploaded to the download server can be set to "private". If the sender sets "public setting" on the management screen of GUARDIAN WALL, the recipient can view the file. If there is an erroneous transmission, the file will not be viewed unless the public setting is made. By the end of 2021, we plan to release "MailConvert on Cloud Basic," which limits the functions and further reduces the management burden.

Outbound Security for Microsoft 365 makes it easy to use the attachment download linking feature as an Outlook add-in. It will be possible to introduce PPAP measures according to the company scale, budget, and system configuration. It also has a self-check function when sending emails, and you can check the subject, To, Cc, Bcc destination, etc. in a pop-up window, so you can send emails more safely.

Outbound Security for Microsoft 365 can be easily introduced as an add-in for Outlook (Source: Canon Marketing Japan)

These features allow you to "de-PPAP", but some companies do not allow web downloads. GUARDIANWALL can also use the method of attaching a ZIP encrypted file when sending an email to such a company as before. "The feature of GUARDIAN WALL is that it can be set flexibly according to the recipient" (Mr. Yamazaki)

When de-PPAP, I want to reduce internal and external confusion as much as possible. The GUARDIAN WALL series can be said to be one of the optimal solutions. This is because on-site confusion can be a security vulnerability.

"If the operation is changed significantly or complicated, users will find a way out from the inconvenience. It can be a security hole, so the GUARDIAN WALL series is a transition that combines ease and safety. We are considering to be able to do it "(Mr. Yamazaki)

One of the strengths of purely domestic products is that they can quickly respond to domestic issues such as PPAP. In the future, Canon Marketing Japan will continue to emphasize the ease of use for users and administrators, and will promote plans to strengthen functions that correspond to the diversification of communication tools and to strengthen cooperation with other cloud storages.

Related Links

Copyright © ITmedia, Inc. All Rights Reserved.

Hot Articles

How to Save Websites as PDF on iPhone or PC | Business Insider Japan

How to Save Websites as PDF on iPhone or PC | Business Insider Japan

Sign up for a free e-mail newsletter We'll send you a Business Insider Japan e-mail newsletter at 17:00 on weekdays. Check the terms of use You can save the website as a PDF from various web browsers including Safari on iPhone. Photo: Takuma Imamura Web page suddenly ...

 It's okay if you forget to record the news!How to see the famous scenes of the Olympics later on your smartphone

It's okay if you forget to record the news!How to see the famous scenes of the Olympics later on your smartphone

Explaining how to use the archive distribution The Tokyo Olympics attracts attention not only for players' play but also for unique commentary. Even if you miss it even though it became a hot topic, or if you did not record it, you can do it at your favorite timing later ...

Yahoo! News Digitalizing the traditional "small pattern dyeing" pattern Crisis of disappearance, challenge of long-established president

Yahoo! News Digitalizing the traditional "small pattern dyeing" pattern Crisis of disappearance, challenge of long-established president

In the file in front of Mr. Atsushi Tomita, a well-preserved paper pattern is included so that it is not exposed to the air as much as possible. To prepare for digitization and prevent deterioration = Taken by Hiroyuki Kondo on the morning of December 10, 2021 at Tomita Dyeing Crafts in Shinjuku-ku, Tokyo ...


Related Articles