December 01, 2009, 2:20 PM — As we all should know by now, any email that isn't encrypted traverses the Internet in clear text that can easily be viewed with little skill and just some patience. If businesses want to make sure that no one else can look at their messages, they need to encrypt them in their entire path from sender to receiver. They also need to digitally sign them, to ensure that no one else has tampered with them in transit.
Previous encryption products required a lot of effort towards key management and usually required a matched pair of programs to communicate between sender and receiver. That is thankfully a thing of the past, and there are several different products on the market today that make encryption easier, almost effortless. They are fairly low-cost, too. There are two distinct types of products:
- The first type makes use of a gateway appliance inside your firewall, and automatically works in the background to encrypt and decrypt message traffic in conjunction with your mail servers and data loss protection (DLP) and other security devices. This includes Voltage SecureMail Connected Gateway, PGP Universal Server, Sophos Email Appliance, Proofpoint Protection Server, and Mimecast's Unified Email Messaging. The hardest part about choosing one of these products is that each vendor doesn't offer a single solution but a myriad of email protection products, with encryption being just one of the items in a general email security package.
- The other type works with a Web service that is hosted by the vendor on the public Internet and users connect via a browser to read and send messages. This includes Voltage Secure Network, Hush Communications Hushmail for Business, Proofpoint on Demand, PGP's Web Messenger and Mimecast's Closed Circuit Messaging. The Web service is optimal for universal correspondence, so that your recipients don't have to download any special software when they get an encrypted message from you. Some of the appliance products, such as Sophos, incorporate some of this functionality in their solutions. Others combine both types together to deliver a complete solution.
All of these products offer the same basic functionality: they provide the encryption key management, so that you don't have to worry about expiring keys from ex-employees. They automatically self-register your correspondents so they can claim their messages and decrypt them without having to involve your IT staff. They have their own plug-in for Microsoft Outlook so users can summon their features at the click of a mouse. They will work with DLP-style dictionaries or keywords to automatically encrypt the most sensitive messages that contain Social Security numbers or other personally identifying information, which is a big improvement over earlier products that required special keywords in the Subject line or message body.
The more automated rules processing these gateway products offer, the better they will do at encrypting sensitive emails without much user intervention, which reduces the worry about compliance lawsuits over data leaks.
Some of the products, such as Proofpoint and Mimecast, come with DLP security as an additional option, making it easier to have a single secure view of your entire mail processing empire. Others, such as Voltage's, have snap-in modules that work with specialized DLP appliances, such as Code Green's DLP solution.
How do they differ? Each product has a different collection of pre-built policies and mail processing rules, and applies these rules in somewhat different fashion. We have taken a few screenshots to give you an idea of their command layouts, but you'll want to spend some time looking over each one carefully and seeing how they integrate into your enterprise Exchange or other email provider and authentication mechanisms.
The most basic service is Hushmail for Business, which just offers a Web service without any corresponding gateway appliance. Think of it as a secured version of Gmail. It does offer the ability to add a way for your correspondents to use Web-based forms securely, as you can see from this screen shot:
Mimecast can archive messages based on particular DLP policies, and provides a rich Web client with a threaded inbox view of your email messages; most of the others don't have as capable a Web client. Mimecast also keeps the delivery information separate from the messages, again giving admins some additional flexibility when they are trying to track down whether someone actually received a message. Their DLP solution doesn't seem as robust as the others, because they have pre-coded their logic to search for key phrases, as in this screen showing how they track whether a random nine-digit number is a valid Social Security ID or not. Their Outlook plug-in, shown below, has a variety of options, too.
Proofpoint encrypts each message using a separate symmetric key, and the keys are maintained in the cloud as part of their service offering. This means more work on their end to keep each message straight, but it also means that an administrator has more flexibility when it comes time to search for particular messages. They also have put a lot of work into their DLP features, as you can see in the associated screen shot that shows some of their rules around detecting Social Security numbers.
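The Social Security number checks that the Mimecast and Proofpoint screens illustrate boil down to a pattern match plus a plausibility test, so a random nine-digit number is not enough to trigger encryption. The following is an added example written for this article, not code from any of the reviewed products; it assumes the Social Security Administration's published structure rules (area not 000, 666 or 900-999; group not 00; serial not 0000) and uses constructed sample messages.

```python
import re

# Matches nine digits in 3-2-4 layout, with optional hyphen or space separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Well-known never-issued numbers that appeared in advertising (assumption: listed as examples).
KNOWN_INVALID = {"078051120", "219099999"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject nine-digit strings that cannot be an issued SSN under SSA structure rules."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return area + group + serial not in KNOWN_INVALID


def find_ssns(text: str) -> list:
    """Return the plausible SSNs found in a message body, normalised to 3-2-4 form."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)
            if is_plausible_ssn(a, g, s)]


def classify(message: str) -> str:
    """Gateway decision for one message: 'encrypt' if it carries a plausible SSN, else 'pass'."""
    return "encrypt" if find_ssns(message) else "pass"


# Constructed sample messages (not real data) showing the distinction the review describes.
SAMPLES = {
    "benefits": "Applicant SSN 123-45-6789, please process enrollment.",   # plausible -> encrypt
    "advert":   "Reference number 219-09-9999 from the old wallet insert.", # never issued -> pass
    "phone":    "Call me back at 555-123-4567 this afternoon.",            # not 3-2-4 -> pass
    "bogus":    "Account 000-12-3456 and 987-65-4320 are test values.",    # invalid area -> pass
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9s} -> {classify(body)}  {find_ssns(body)}")
```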
Voltage has one of the most well developed partner networks, and integrates with the widest number of third party email vendors. But you can see that its Web interface is a bit simplistic and spare:
PGP has been a desktop presence for more than a decade, but they are decidedly old-school and their interface could use some sprucing up. There are dozens of options for the Universal product that can be difficult to navigate and they have the worst key management tools of any of the vendors, mainly because of their legacy desktop encryption line. On the other hand, they offer a lot of options for how your correspondents can communicate with you (see the screenshot below).
Sophos has an interesting twist on the self-registration process: instead of sending you to a Web site where you can decrypt and view your messages, they send you a password-protected PDF attachment that you can view offline. The downside is that your email traffic remains stored in the clear on your internal servers.
Realize that regardless of what product you will choose, encrypted mail will still account for a tiny minority of your email traffic - in most places I saw less than 5% of total messages use encryption. But it could be an important segment, such as for human resource correspondence or executives negotiating contracts.
If you want to just get started with encryption, then by all means try the Hushmail service. It can be set up in a matter of minutes, and you can get a feel for how the basic encryption process works, for minimal investment.
If you are facing (or fear) potential lawsuits of leaked information and are looking at deploying a new DLP solution, then either Proofpoint or Mimecast make sense to start out with because they come with that option already integrated into their products. If you correspond with a lot of people who already use PGP on their desktops, then PGP Universal is a natural place for you to start looking.
What can you expect to pay for the peace of mind that these products offer? Getting to the bottom line isn't easy, because each vendor has a very complex series of pricing rules that almost equal their mail processing ones. And prices vary depending on the number of seats included in their license. At the lowest end is Hush, with its basic business account starting at $24 per user per year. Most of the other products start somewhere around $100 a seat for their basic packages and with fewest features. You can typically expect the products to come close to $25 a seat if you are purchasing 1,000 or more licenses.