You've Got Safe Mail

webbusiness.cio.com –

A new communication tool is turning the stereotype of lawyers as paper-chasing, slow technology adopters on its head. The product, ZixMail, encrypts electronic documents. And many tech-savvy attorneys, like Tony Pierce, are hooked.

Pierce, a litigator at Akin, Gump, Strauss, Hauer & Feld's Washington, D.C. office, can now e-mail large documents to co-counsels and clients without fear of interception. And his firm's IT department didn't build an encryption network or fork out thousands to a vendor. Pierce simply downloaded ZixMail's free interface. Every time Pierce sends an e-mail through this interface, it carries the message from his desktop to ZixMail's Worldwide Signature Server in Dallas, Texas, which encrypts his correspondence and attachments and routes them through his e-mail account. Only Pierce's addressees, all of whom have ZixMail accounts, can decode his e-mails.

Despite its apparent simplicity, the technology behind ZixMail is complex. And some analysts worry that this vendor is bundling some responsibilities that its clients' IT departments should retain.

The grand scheme of e-mail encryption

Ever since it became clear, three years ago, that e-mail was the Internet's one and only true killer app, people have been trying to come up with a way to make e-mail messages secure. Many people who encrypt their e-mail messages work for companies with public key infrastructures (PKIs) and certificate authorities (CAs). Before sending encrypted messages, users send copies of their PKI-generated keys, which are chunks of code, to recipients, who use them to decode the messages. These keys reside within digital certificates that authenticate users before they send and access e-mail messages and are cleared by certificate authorities.

But building a PKI is not easy. A company must configure hardware and software and establish policies for issuing, authenticating and managing keys and certificates. If the IT guys opt not to outsource digital certification to a company like VeriSign or Entrust, they must build a certificate authority (CA) server and create policies for authorizing users. And after all that, PKIs often don't work.

A report by the Robert Frances Group claims that, because IT departments have a hard time mandating that users obtain digital certificates and create keys, many users don't bother, which makes their encryption efforts fruitless. Instead of using PKIs, the Robert Frances Group suggests, companies that can afford them should go with virtual private networks (VPNs). The trouble is, relatively few companies are willing to construct, pay for and maintain VPNs.

This is where ZixMail, in theory, steps in to provide a more transparent solution for companies that want to avoid the hassle of building and maintaining server-to-client VPNs or their PKI and CA counterparts. ZixMail identifies, authorizes, and authenticates users and encrypts their correspondence.

ZixMail's environment is essentially transparent to the users. Pierce, for example, doesn't have to send his public key to all recipients and keep a database of others' keys. Instead, he asks recipients to download ZixMail, which works alongside most e-mail programs, including Lotus Notes, Eudora, AOL and Hotmail. After he and a client swap encrypted messages once, ZixMail saves their keys and seamlessly adds them to later exchanges.

If it looks too easy, it probably is

Jonathan Penn, a Senior Industry Analyst at Giga Information Group, says companies lose more than they gain when they use ZixMail, which is proprietary and works only within its own community of users. "It's hard enough for a company to force ZixMail on its entire enterprise," says Penn. "Its ability to force product decisions on companies it does business with is extremely limited."

And because ZixMail does not integrate into e-mail systems, says Penn, users are forced to switch between the ZixMail interface and their regular e-mail program's interface.

IT departments also have to make trade-offs. "ZixMail's certificates," says Penn, "don't fit into a company's scheme in terms of going to one place for certificates and to learn who's who and who can access what." Goals of instituting a single logon are impossible when using ZixMail.

Likewise, Forrester Research's Frank Prince wonders if ZixMail should assume three responsibilities that companies have traditionally handled separately: identifying, authenticating, and authorizing users. "People who authorize what you do are different from those who ID who you are," says the senior e-business infrastructure analyst. "In more complicated situations, tying authentication and authorization together could be bad." Prince recommends that larger companies that want to avoid unconsolidated certification schemes and inappropriate security clearances stay involved with and integrate their certification solutions.

ZixMail's market

Despite such concerns, ZixMail is catching on. Since the application launched in December 1999, attorneys from over ten of the nation's largest law firms -- including Fulbright & Jaworski and Pierce's Akin Gump -- have signed on, as well as web companies like ObjectSpace, Inc., a B2B services provider, and Matchmaker.com, a network of web communities.

Giga's Penn, however, predicts the success of encryption outsourcers like ZixMail and competitors like PrivateExpress (http://www.privateexpress.com/), Wellance (http://www.regedoc.co.uk/en/index_about.html), and Tumbleweed (http://www.tumbleweed.com) will be limited as long as they force users to remain within their communities.

"Maybe they'll end up with a nice small business, with a half million users," says Penn. "But they won't become standard. There's limited opportunity because there are no good solutions now."

Forrester's Prince agrees. He thinks that ZixMail may gain some momentum with small customers and those without intricate IT departments, like law firms and new dotcoms. But larger companies, Prince predicts, will decide that outsourcing such an integral solution is too much of a hassle.

"The technology isn't special," he says, "it's simply a redesign. Once the market stabilizes, the large organizations' [system] design teams could work with the [encrypted] e-mail providers and develop a solution that works for them."
