June 02, 2009, 9:33 AM — You probably know by now that any e-mail that isn't encrypted traverses the Internet in clear text that can easily be viewed with little skill and just some patience. So what are you doing to protect your company's sensitive e-mail?
The right way is to encrypt e-mail messages in their entire path from sender to receiver. You also need to digitally sign them, to ensure that no one else has tampered with them in transit.
The problem is that, not long ago, encryption products had two big drawbacks. First, they required a lot of effort devoted towards key management tasks to make sure that everyone's encryption keys were properly exchanged and properly maintained. Public/private key encryption meant that you exchanged the public keys in order to read each other's messages, and in the past this exchange was cumbersome at best. Also, when someone left a corporation, that person's key had to be expired so that they would no longer have access to their e-mail stream.
Second, the products were designed to work between two people who were using a matched set of the same tools. If you sent an encrypted e-mail to some random correspondent who was likely not using any encryption, they couldn't read the message and needed to install the same tool you used to decrypt it.
Today, however, there are a number of low-cost, easy-to-use packages that have gotten around these problems in some clever ways. For this review, I looked at three solutions: Hush Communications' Hushmail for Business, Voltage Security Inc.'s Voltage Secure Network and Connected Gateway and PGP Corp.'s Universal Server.
To test these three products, I created a situation in which a small company had already set up Outlook clients and Microsoft Exchange servers to handle its e-mail and wanted to add a layer of encryption on top of that with as little effort as possible. I assumed the company wanted to be able to send and receive encrypted e-mails to a wide variety of correspondents, and didn't want to install a lot of software on each desktop.
Hush Communications has been around a long time in the encryption world. Its basic business account, which is the least expensive of the three solutions reviewed here, starts at $24 a year per user. (There is also a free personal version that has most of the features found in the business product, with the exception of having your own domain names to send and receive the encrypted e-mails.)
Hush is a completely hosted service: there is nothing to install on the client end, and you just have to set up an e-mail domain on their servers. This can be a plus or a minus depending on your biases toward having your own server on premises. All you need to do is to specify the MX mail account records to point to their mail server for your domain. It lacks the automatic registration for external users that the other vendors offer and the administrative features are spare, but that means that for small companies looking to get started quickly with encryption, Hush is worth taking a closer look.
You have two options for your e-mail client: use Hush's Web client or download an Outlook plug-in. While the plug-in is nice -- it will work with Exchange as well -- there is a bug in Microsoft Outlook 2002 that causes problems with forwarded and replied messages. (Outlook 2007 works fine.) The message that goes out will either appear to the recipient to be blank, or the recipient will see encrypted data, but the data will not decrypt. To resolve this issue, you need to install Microsoft Office XP Service Pack 2 along with the Office 2002 update.
Another issue with the plug-in is that you have to be connected to the Internet to use it, meaning that you can't compose offline encrypted messages. If you have a lot of frequent travelers who want to compose their e-mails when away from a broadband connection, this could be an issue.
If you use the Hush Web client, you can choose to encrypt your message or send it unencrypted, and to digitally sign your message as well.
If you choose to encrypt a message to a user that the Hush key server doesn't know about, you will be offered a question-and-answer dialog that will be presented to the user when they first get an encrypted message. If they answer the question correctly, the message will be decrypted and presented to the recipient.
Hush has also spent some time understanding the issues with running Java. For an extra layer of security, Hush can use Java to encrypt your messages before the data leaves your PC. This means that none of your e-mail traffic is stored in plain text anywhere, so if someone were to use a disk recovery utility, they still couldn't read your e-mail.
One of the nice features about the business client is the ability to include secure forms that will encrypt communications from the general public at no additional charge if Hush hosts the forms, or $4 per month if you want to host the form on your own Web site.
Hush's main advantage is cost and speed of implementation (given that there is really nothing to install). It will exchange encrypted e-mail with PGP desktop users once the appropriate keys are exchanged.
PGP Universal Gateway Email
PGP (for Pretty Good Privacy), the granddaddy of e-mail encryption, started as a pet project of Phil Zimmermann (who is still associated with the company) and has been on its own now since 2002, after breaking away from Network Associates, Inc. PGP offers a plethora of products, including whole disk encryption, desktop e-mail encryption clients and its Universal server, which runs its own variation of the Linux operating system on a very limited collection of hardware that it lists on its Web site or on VMware virtual machine images.
To start things off, you install PGP Desktop or its Outlook plug-in on a client computer and set up PGP Universal on a separate server to handle the external communications. If you send an encrypted message to an external user, they will get a message with a URL pointing them to the Universal Server's Web Messenger and the automatic registration process.
This is the whole point to the product: You don't have to manage a bunch of certificates and can begin communicating with your external correspondents immediately.
The Web Messenger works simply and effectively for users new to the encryption game, and the messages are encrypted at the edge of the enterprise network and across the Internet; Web access is via HTTPS and no information is stored on the client machine.
When a user clicks on the embedded URL, they are taken through a series of steps to register their identity, pick a passphrase and select how they want to receive subsequent communications from among four different options:
- Via Web Messenger, meaning that they continue to use a Web browser to view their e-mails
- Via a background PGP service that is installed on their client, what PGP calls Universal Satellite
- Via the full PGP Desktop client or an S/Mime e-mail client
- Via e-mail as password-protected PDF attachments
You can also limit these choices globally for all users on the Universal Console.
The biggest drawback to using Universal Server is that it is a complex product and has many options that might be intimidating to people new to PGP products or encryption in general. There is a Web control panel that is used to set up policies and users, collect reports and set up other configuration parameters; that has numerous key management options that could be overwhelming, such as controlling how keys are generated and authenticated, and whether they are stored on clients or just the server.
The advantage to using PGP is that if you have correspondents who have implemented encrypted e-mail, chances are high that they are familiar with PGP and are using its desktop products.
Voltage SecureMail Connected Gateway
Voltage Security, like PGP, offers a wide variety of encryption packages, including two server-based products. The first is Voltage Security Network (VSN), which is a complete hosted e-mail solution, similar to what Hushmail offers in that the company hosts your e-mail domain and deals with the encryption to and from the domain. Voltage also offers a SecureMail Connected Gateway appliance for those companies that want to handle the encryption on premises.
The process of setting up VSN is on a par with setting up Hush -- you change your domain records to point your e-mail traffic to their service. Voltage's advantage is that you can send encrypted e-mails to anyone, and they will self-register using the Zero Download Messenger solution. This is similar to PGP's Web Messenger: if you try to send someone an encrypted message and they're not known to the system, they will get an e-mail with a URL that will direct them to register and then to decrypt their message.
For this review, I actually tested the on-premises Connected Gateway product. (Voltage will sell the hardware necessary, or you can install their software on your own computer system.) Once you run the software to create the appliance, you still need to change the domain and MX mail records for your domain. When I tried it, it all took less than an hour. Connected Gateway automatically sets up two policies for encryption and decryption, and you can add other policies in the same way you'd do on any firewall console.
Voltage offers an Outlook/Outlook Express plug-in that supports automatic encryption -- it's really a custom-generated Windows MSI file that your users install. Once this is accomplished, a process that takes a few minutes, you almost don't realize that you are exchanging encrypted messages because everything happens under the covers. It is that effortless and easy, and one of the reasons that I like the Voltage solutions.
No matter which combination of Voltage products you choose, you don't have to worry about key or certificate management -- that is all taken care of automatically and on the fly. This is one of the big advantages of the Voltage products; they automatically digitally sign each encrypted message as well. If you want more flexible options such as how keys are managed, then you are going to want to look at PGP's Universal solution.
The biggest distinction between the Connected Gateway and VSN solutions is that the former lacks the PGP and S/MIME interoperability that is available on the latter. Both have Web-based consoles -- the Connected Gateway console is fairly spare but I didn't find it limiting in terms of exchanging encrypted e-mails.
The main drawback for the Connected Gateway is price -- $115 per user annually versus $65 for the hosted VSN solution, about on par with what PGP charges.
The good news is that all three of these solutions work easily and will protect your e-mails from end to end. They aren't difficult to implement and won't take up a lot of IT support resources handling key management issues either. If you need the security of keeping your e-mails private, they are all worth a closer look. And while they aren't effortless to set up, they are fairly effortless for end users on a daily basis.
My recommendation is to start off with either the free Hushmail product or the Business version and see if hosted e-mail is right for your needs. If you want to run your own encryption inside your firewall, then move to Voltage's Connected Gateway. If you anticipate communicating with a lot of existing PGP users, then install its Universal product.