E-mail Encryption Gets Practical
E-MAIL ENCRYPTION, available from a handful of vendors for years, has been used in only a small portion of electronic exchanges. While 36 percent of companies said they had adopted the technology in a recent Forrester Research survey, encryption is often restricted to certain departments or to communication with a small group of customers. But that could be shifting. Data security regulations and simplified ways of encrypting messages may lead more companies to adopt the technology.
The move to encrypted e-mail—if it really occurs—is probably long overdue. Sending an unencrypted e-mail “is like sending a postcard,” says Richi Jennings, a Ferris Research analyst.
To date, much e-mail encryption has used Secure Multipurpose Internet Mail Extensions (S/MIME) or Transport Layer Security (TLS) technology. Both employ Public Key Infrastructure (PKI) in which users need both a public and private key before communicating. The public key encrypts e-mail that is sent; a private key decrypts received messages. The problem is that a cumbersome infrastructure is required to support key management, and that has slowed adoption.
“While [PKI] can be easy to set up in a controlled environment, the perception is that, in many cases, it can be messy,” says Jennings.
One fast-growing alternative, however, is identity-based encryption (IBE). Its leading vendor, Palo Alto, California-based Voltage Security, offers a solution, Secure-Mail, which automatically creates an encryption key based on the recipient’s email address, the time of day, and other algorithms. Voltage’s more than 1.5 million registered users can send and receive messages from any e-mail client. While most corporate senders use Microsoft Outlook and, to a lesser extent, Lotus Notes, consumer recipients are most likely to use Web mail programs.
For message originators, it’s necessary to add a Voltage plug-in to their e-mail client; they can then use a “send secure” button. Clicking on the message, recipients see an envelope with the logo of the sending organization along with instructions. Users click on an html link, which opens a Web browser.
If they are not yet registered, they will almost always be asked for verifying information. A number of financial institutions have included challenge questions, for example. Users then create a password, or enter one they’ve already created, before reading the message. Once registered, recipients can opt to have their messages automatically decrypted.
“With [IBE], you don’t have to worry about the preenrollment problem,” says Jennings. “You can get others enrolled on the fly after they receive a message.” IBE also tends to be less expensive than PKIbased systems, he says.
Vendors that have traditionally used PKI are also simplifying their products and adding new features. Palo Alto, California-based PGP’s Universal Gateway Email, for instance, recently introduced two new delivery solutions. “PDF Messenger” lets recipients open their message in PDF format. “Certified Delivery” logs successful deliveries.
“We’re receiving a lot of interest from financial institutions and other companies that want to reduce paper statements and save money,” says John Dasher, PGP’s director of product management. Such firms also know secure communications will help them comply with data privacy regulations, he says.
Some companies run messages through scanning software to identify sensitive content; those e-mails are then encrypted. For example, when the Illinois-based Career Education Corp., which operates more than 75 professional training schools, began encrypting messages several years ago, it combined a PGP product with Vontu’s Network Data Monitoring and Prevention Software.
When outgoing messages reach Career Education’s IronPort messaging gateway, they are scanned with Vontu’s data-matching technology. Messages requiring encryption are then sent through PGP’s product before leaving the company.
The system helps reduce human error, says Michael Gabriel, the firm’s corporate information security officer. That is important because “most leaks are accidental,” Gabriel says. His company plans to use PDF Messenger and Certified Delivery to electronically send grades and enrollment information.
Some e-mail encryption vendors are also integrating their technology with inbound protection. Cisco, Tumbleweed, and Secure Computing, for example, combine their message encryption products with antispam and antivirus solutions.
Some of the firms looking most closely at encryption are in the heavily regulated financial services and healthcare industries, according to Voltage senior product manager David Thompson. Government and state agencies are also adopting at a quick pace. Another factor driving the technology’s growth is the flurry of reports in recent years of lost laptops containing unencrypted data, including emails, says Ferris’ Jennings.
For Nick Shelness, another Ferris analyst, e-mail encryption is getting simpler. “But is it good enough for people to start encrypting? Will there be a tipping point?” He says he’s not sure. “But certainly there are communications where people have to be secure and willing to put up with some pain.”