You probably know by now that any e-mail that isn't encrypted traverses the Internet in clear text that can easily be viewed with little skill and just some patience. So what are you doing to protect your company's sensitive e-mail?
The right way is to encrypt e-mail messages in their entire path from sender to receiver. You also need to digitally sign them, to ensure that no one else has tampered with them in transit.
The problem is that, not long ago, encryption products had two big drawbacks. First, they required a lot of effort devoted to key management tasks to make sure that everyone's encryption keys were properly exchanged and properly maintained. Public/private key encryption meant that you exchanged the public keys in order to read each other's messages, and in the past this exchange was cumbersome at best. Also, when someone left a corporation, that person's key had to be expired so that they would no longer have access to their e-mail stream.
Second, the products were designed to work between two people who were using a matched set of the same tools. If you sent an encrypted e-mail to some random correspondent who was likely not using any encryption, they couldn't read the message and needed to install the same tool you used to decrypt it.
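As an added illustration of the public-key pattern the paragraphs above describe (this is example code written for this page, not code from the review or from any of the vendors discussed), here is a small Go program in which each user has a signing key and an encryption key published in a company key directory, a message is digitally signed and then encrypted to the recipient's key, and the directory can expire a departed employee's key so that nobody can send to it or trust its signatures any longer. The addresses and message text are constructed for the example, and the hybrid RSA-OAEP, AES-GCM and Ed25519 construction is my choice for the demonstration, not any product's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// KeyRecord is what a company key directory holds for one address
// (a schema constructed for this example, not any vendor's).
type KeyRecord struct {
	EncPub  *rsa.PublicKey    // others encrypt session keys to this
	SigPub  ed25519.PublicKey // others verify this user's signatures with it
	Expires time.Time         // zero means no expiry; set when someone leaves
}

// Directory maps an e-mail address to its published keys.
type Directory map[string]*KeyRecord

// Lookup refuses unknown and expired keys: the "expire the key when
// someone leaves" step from the text.
func (d Directory) Lookup(addr string, now time.Time) (*KeyRecord, error) {
	rec, ok := d[addr]
	if !ok {
		return nil, fmt.Errorf("no key on file for %s", addr)
	}
	if !rec.Expires.IsZero() && !now.Before(rec.Expires) {
		return nil, fmt.Errorf("key for %s expired on %s", addr, rec.Expires.Format(time.RFC3339))
	}
	return rec, nil
}

// User holds the private halves, which never leave the user's machine.
type User struct {
	Addr    string
	encPriv *rsa.PrivateKey
	sigPriv ed25519.PrivateKey
}

// NewUser generates both key pairs and publishes the public halves.
func NewUser(addr string, dir Directory) (*User, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dir[addr] = &KeyRecord{EncPub: &encPriv.PublicKey, SigPub: sigPub}
	return &User{Addr: addr, encPriv: encPriv, sigPriv: sigPriv}, nil
}

// Envelope is the wire form: a session key wrapped to the recipient plus
// AES-GCM ciphertext over (signature || plaintext). The sender address is
// bound as GCM associated data so it cannot be swapped without detection.
type Envelope struct {
	From       string
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs msg with the sender's key, then encrypts it to the recipient.
func Seal(dir Directory, sender *User, to string, msg []byte, now time.Time) (*Envelope, error) {
	rec, err := dir.Lookup(to, now)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(sender.sigPriv, msg)
	payload := append(append(make([]byte, 0, len(sig)+len(msg)), sig...), msg...)
	sessionKey, nonce := make([]byte, 32), make([]byte, 12)
	for _, b := range [][]byte{sessionKey, nonce} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rec.EncPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, payload, []byte(sender.Addr))
	return &Envelope{From: sender.Addr, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts with the recipient's private key and verifies the sender's
// signature against the directory; tampering in transit surfaces as an error.
func Open(dir Directory, recipient *User, env *Envelope, now time.Time) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient.encPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key is not addressed to this recipient")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From))
	if err != nil || len(payload) < ed25519.SignatureSize {
		return nil, errors.New("ciphertext corrupt or tampered with in transit")
	}
	sig, msg := payload[:ed25519.SignatureSize], payload[ed25519.SignatureSize:]
	rec, err := dir.Lookup(env.From, now)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(rec.SigPub, msg, sig) {
		return nil, errors.New("signature does not verify: forged sender or altered text")
	}
	return msg, nil
}

func main() {
	dir, now := Directory{}, time.Now()
	alice, _ := NewUser("alice@example.test", dir) // constructed addresses
	bob, _ := NewUser("bob@example.test", dir)
	env, _ := Seal(dir, alice, bob.Addr, []byte("Q3 numbers attached"), now)
	msg, err := Open(dir, bob, env, now)
	fmt.Printf("bob reads %q (err=%v)\n", msg, err)
	dir[bob.Addr].Expires = now.Add(-time.Hour) // Bob has left the company
	_, err = Seal(dir, alice, bob.Addr, []byte("follow-up"), now)
	fmt.Println("after expiry:", err)
}
```

The order matters: signing first and encrypting second means the recipient can prove who wrote the text, while only the holder of the recipient's private key can read it; binding the sender address into the GCM associated data keeps an intermediary from relabelling a captured envelope. The directory lookup on both the sending and the receiving side is the key-management burden the text describes, and the expiry check is what makes a departed employee's key stop working for everyone at once.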
Today, however, there are a number of low-cost, easy-to-use packages that have gotten around these problems in some clever ways. For this review, I looked at three solutions: Hush Communications' Hushmail for Business, Voltage Security Inc.'s Voltage Secure Network and Connected Gateway and PGP Corp.'s Universal Server.
To test these three products, I created a situation in which a small company had already set up Outlook clients and Microsoft Exchange servers to handle its e-mail and wanted to add a layer of encryption on top of that with as little effort as possible. I assumed the company wanted to be able to send and receive encrypted e-mails to a wide variety of correspondents, and didn't want to install a lot of software on each desktop.
Hush Communications has been around a long time in the encryption world. Its basic business account, which is the least expensive of the three solutions reviewed here, starts at $24 a year per user. (There is also a free personal version that has most of the features found in the business product, with the exception of having your own domain names to send and receive the encrypted e-mails.)
Hush is a completely hosted service: there is nothing to install on the client end, and you just have to set up an e-mail domain on their servers. This can be a plus or a minus depending on your biases toward having your own server on premises. All you need to do is point the MX (mail exchanger) DNS records for your domain at their mail server. It lacks the automatic registration for external users that the other vendors offer, and its administrative features are spare, but for small companies looking to get started quickly with encryption, Hush is worth a closer look.
You have two options for your e-mail client: use Hush's Web client or download an Outlook plug-in. While the plug-in is nice -- it will work with Exchange as well -- there is a bug in Microsoft Outlook 2002 that causes problems with forwarded and replied messages. (Outlook 2007 works fine.) The message that goes out will either appear to the recipient to be blank, or the recipient will see encrypted data, but the data will not decrypt. To resolve this issue, you need to install Microsoft Office XP Service Pack 2 along with the Office 2002 update.
Another issue with the plug-in is that you have to be connected to the Internet to use it, meaning that you can't compose offline encrypted messages. If you have a lot of frequent travelers who want to compose their e-mails when away from a broadband connection, this could be an issue.
If you use the Hush Web client, you can choose to encrypt your message or send it unencrypted, and to digitally sign your message as well.
If you choose to encrypt a message to a user that the Hush key server doesn't know about, you will be offered a question-and-answer dialog that will be presented to the user when they first get an encrypted message. If they answer the question correctly, the message will be decrypted and presented to the recipient.
Hush has also spent some time understanding the issues with running Java. For an extra layer of security, Hush can use Java to encrypt your messages before the data leaves your PC. This means that none of your e-mail traffic is stored in plain text anywhere, so if someone were to use a disk recovery utility, they still couldn't read your e-mail.
One of the nice features about the business client is the ability to include secure forms that will encrypt communications from the general public at no additional charge if Hush hosts the forms, or $4 per month if you want to host the form on your own Web site.
Hush's main advantage is cost and speed of implementation (given that there is really nothing to install). It will exchange encrypted e-mail with PGP desktop users once the appropriate keys are exchanged.
PGP Universal Gateway Email
PGP (for Pretty Good Privacy), the granddaddy of e-mail encryption, started as a pet project of Phil Zimmermann (who is still associated with the company) and has been on its own now since 2002, after breaking away from Network Associates, Inc. PGP offers a plethora of products, including whole disk encryption, desktop e-mail encryption clients and its Universal server, which runs its own variation of the Linux operating system, either on a very limited collection of hardware that it lists on its Web site or as VMware virtual machine images.
To start things off, you install PGP Desktop or its Outlook plug-in on a client computer and set up PGP Universal on a separate server to handle the external communications. If you send an encrypted message to an external user, they will get a message with a URL pointing them to the Universal Server's Web Messenger and the automatic registration process.
This is the whole point to the product: You don't have to manage a bunch of certificates and can begin communicating with your external correspondents immediately.
The Web Messenger works simply and effectively for users new to the encryption game, and the messages are encrypted at the edge of the enterprise network and across the Internet; Web access is via HTTPS and no information is stored on the client machine.
When a user clicks on the embedded URL, they are taken through a series of steps to register their identity, pick a passphrase and select how they want to receive subsequent communications from among four different options: