Clash of the e-mail encryptors

E-mail security solutions from PGP, PostX, Sigaba, and Tumbleweed compete on flexibility, power, and ease

Jerry didn’t mean to read the boss’ e-mail, but he did. It was just too tempting. Now Jerry checks his boss’ mail on a regular basis, “just for fun.” Sure, Jerry feels a little guilty, but the things he finds out -- about his boss' crumbling marriage, his co-worker's drug problem, and the contractors being let go -- keep him coming back. Who knows, with a bunch of big contracts coming due, he might even learn something that could make him rich.

Was Jerry sneaking into his boss’ office or logging into his e-mail account secretly? No, Jerry was using a packet sniffer he installed on one of the network’s proxy servers. He originally installed the freeware utility to troubleshoot a network problem, but when he found out the same tool would let him reconstruct other network traffic, specifically SMTP and POP3 e-mail traffic, he thought he had hit the mother lode.

You can substitute your own nightmare scenario. But whether you're in government, financial services, healthcare, or any other business with sensitive information to protect, Jerry and his packet sniffer should be cause for concern. SMTP traffic is especially vulnerable because, by default, it is sent "in the clear" -- that is, all of the header, sender, recipient, and message body data is sent in plain text. Because SMTP is the protocol that mail servers use to send mail back and forth around the world, someone could be reading your mail almost anywhere.

Depending on what industry your company is in, and whether you're doing business with the government, the decision of whether to secure your e-mail may already be made for you. Health care providers must make sure patient privacy is protected, and financial and government institutions must provide similar safeguards over their data. Regulations may prohibit certain kinds of information from being transmitted in the clear, and e-mail header information may need to be encrypted so that no one can snoop the packets and collect the data. Federal agencies and their contractors may be required to meet certain standards of encryption.

How do you meet all of these requirements? There's more than one way to secure e-mail. You can even use features built into your existing mail clients and servers. Many mail clients, such as Microsoft Outlook, allow senders and receivers to encrypt and decrypt e-mail, but this requires implementing a PKI. For the enterprise, trying to create, distribute, and maintain digital certificates for large numbers of users isn’t very practical. Try to extend the PKI to outside business partners, and the problem only gets worse.

It's easier to turn to a third-party solution. A number of vendors offer software solutions that let you centrally manage secure messaging, including digital certificates and keys, not only for your local enterprise, but also for users outside your network. Typically, they also provide smooth and flexible mail delivery that works in a variety of situations. At best, the end user doesn’t know anything is different. Encryption and decryption can take place at the desktop, the mail gateway, or somewhere in between.

When evaluating this type of software, IT managers should ask themselves a series of questions: Can I trust my internal network to be secure, or should messages be encrypted from the desktop? Must encrypted messages be accessible from the end user's mail client, or from a Web-based mail system such as Hotmail? Must encrypted messages be accessible when mobile users are unplugged, or is security more important than convenience? How will readers of encrypted mail be authenticated, and how will I manage business partners and other users outside my enterprise?

In this roundup, I reviewed four solutions that provide excellent end-to-end mail security. PGP Universal, PostX Enterprise Platform 5.0, Sigaba Secure Email 5.0, and Tumbleweed Secure Messenger 6.0 all handled my test scenarios without a problem, securely delivering encrypted e-mail to both standard mail clients and to SSL-secured Web portals.

All four products install on a server separate from your mail server, acting as a proxy for all inbound and outbound traffic. Because they sit directly in the mail stream, they have the opportunity to do additional processing on the messages. For example, both PostX and Tumbleweed come with very flexible and powerful mail-routing capabilities. As messages move in or out of the gateway, they can be blocked or diverted based on header information and message contents. With some forethought, you can automate a lot of your mail processing. All four vendors allow you to scan for viruses at the gateway as well as enforce some level of content filtering.

Security is the foremost reason for investing in one of these products. The strength of the ciphers they use plays a big part in their overall effectiveness. AES (Advanced Encryption Standard), one of the strongest ciphers available, is included in all four products. Once the darling of encryption, 3DES is supported in all but PostX’s offering. For server-to-server encryption of entire messages, headers and all, all four support the S/MIME protocol, and all with the exception of Sigaba support TLS (Transport Layer Security). Instead of TLS, Sigaba substitutes its own proprietary protocol. In addition to S/MIME, PGP supports the proposed open standard OpenPGP.

Another important consideration, especially for federal government agencies and companies doing business with them, is whether the product has received FIPS (Federal Information Processing Standards) 140 validation. Created by the National Institute of Standards and Technology (NIST), FIPS 140 is a U.S. government standard for cryptographic products. Only PGP has been validated to FIPS 140-2, with Sigaba and Tumbleweed each validated at FIPS 140-1. PostX does use RSA cryptos that have been validated at FIPS 140-1, but as a whole, PostX is still undergoing FIPS validation.

Finally, it's also important to consider how users are added and removed from the system, and what kind of auditing and reporting is included. Should users be allowed to auto-enroll in the system? PostX, Sigaba, and Tumbleweed allow new users to create accounts automatically, while PGP restricts deliveries to previously validated e-mail users. All four vendors provide some form of logging and reporting, with PostX and Tumbleweed providing the most comprehensive capabilities here.

PGP Universal

PGP Universal is a pure e-mail security product, providing mail encryption, anti-virus scanning, and attachment filtering, along with PGP’s zero-footprint Web-mail interface, Web Messenger. While you don’t get the e-mail routing engine or secure statement delivery offered in PostX and Sigaba, Universal does allow administrators to easily create different encryption and signing policies for various mail domains and quickly manage individual users’ keys.

Depending on the mail client your company is using, and whether you want to encrypt at the desktop or at the gateway, you may or may not need to deploy PGP Universal’s desktop application, PGP Satellite. Satellite handles encryption and decryption of messages automatically in the background on the user's Windows PC or Mac. If your company is using Microsoft Outlook and IMAP, and encrypting at the gateway is good enough, Satellite isn't strictly necessary. However, if your users plan on sending and receiving mail through Microsoft Outlook Web Access, then PGP Satellite is a must.

Universal is not the Swiss army knife of e-mail security products, nor is it meant to be. What you get is a scalable, high-performance platform for providing rock-solid, end-to-end encryption, via S/MIME or TLS. Universal comes with a wide range of ciphers, including AES, CAST, IDEA, Twofish, and 3DES. Clients can manage their own keys, and you can expire keys automatically after a specified period of inactivity. Optionally, Universal comes with Norton AntiVirus for scanning file attachments as they pass through the gateway. You can also create a list of file types to block, such as preventing users from mailing .exe or MP3 files.

If you were to compare PGP Universal against the other products in this review strictly on the number of clickable items in the user interface, Universal would be a distant last – but that isn’t necessarily a bad thing. PGP Universal’s clean and easy-to-navigate GUI hides complexity, abstracting much of the domain and policy management required by other products. Defining mail domains and choosing the default encryption and signing settings is literally a three-step process, allowing you to manage more domains with less chance of error.

I was able to create policies for two domains in my test bed in a matter of minutes, one for the local domain, which included Universal, and one for my external domain. For each domain, I could choose whether to encrypt all mail or none, and whether digital signatures were required. Unfortunately, you don’t get the super-granular policy management found in PostX and Tumbleweed.

Universal provides a number of ways to handle messages sent to "untrusted" users, or users who don’t already have a key. You can bounce the mail back to the sender, send it through unencrypted, send it with a link back to the Web-based Web Messenger portal, or send it with a Smart Trailer. A message with a Smart Trailer is sent in the clear, but includes a link to a Web page where the user can enroll and create a key.

Web Messenger is the most graceful way to send mail to new users. An e-mail from the Web Messenger service lets the recipient know there is a secured message waiting for them. A link takes them back to the SSL-secured Web portal, where they then create an account, log in, and download the PGP Satellite client. They can then read and reply to the message and download any attachments. Unlike PostX and Tumbleweed’s mail portals, PGP's does not allow users to create new mail or manage folders.

PostX Enterprise Platform 5.0

PostX Enterprise Platform provides e-mail security by combining advanced mail routing capabilities with WebSafe, one of the best Web-mail portals going. PostX provides a flexible way of sending secure e-mail without requiring client-side utilities or plug-ins, while still giving you control over user authentication. Content filtering is available through rules-based policies called Matchers, but anti-virus duties are left to third-party solutions. Enterprise Platform comes with ARC4 and AES ciphers, and uses S/MIME or TLS for server-to-server communication. You can easily custom-brand your PostX system to present a common look and feel to your users. A module for managing the delivery of secure statements and other business documents rounds out the offering.

Securing e-mail in Enterprise Platform is based on the concept of envelopes. The patented PostX Envelope wraps the original e-mail message and includes a JavaScript decryption engine. PostX has three types of envelopes: Registered Envelope, Offline Envelope, and PKI Envelope. Registered Envelopes use symmetric keys stored in the PostX keyserver database. When a user receives a Registered Envelope, they simply provide their user name and password to the decryption engine, which in turn authenticates them and retrieves the key from the server over SSL.

Registered Envelopes have a couple of features that make them attractive. First, because the user must authenticate back to the PostX server to retrieve the decryption key, this event is logged, providing positive auditing of message retrieval. Second, it allows you to "shred" or lock out keys based on failed log-in attempts or inactivity. The one drawback to Registered Envelopes is that users must be online in order to authenticate and retrieve the key for decryption, but you can optionally allow users to cache the key locally after opening the message, in order to access the message again offline.

Offline Envelopes package the message content and encrypted key together, negating the need for the recipient to be online to read the message. The decryption key is encoded using ARC4 or AES, and the user's name and password unlock the e-mail. As long as your company enforces a strong password policy -- eight or more characters with at least one non-alpha character, for example -- privacy should be sufficiently protected.
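
An added illustration of the Offline Envelope idea described above, not PostX's actual format or code: a per-message key encrypts the body, and that key travels inside the envelope wrapped under a key derived from the recipient's user name and password. PBKDF2, AES-256-GCM, the iteration count, and every function and field name here are assumptions.

```javascript
// Added illustration: a password-protected "offline" envelope.
// NOT the PostX format; PBKDF2, AES-256-GCM and all names are assumptions.
const crypto = require('crypto');

const KDF_ITERATIONS = 200000; // assumed work factor; slows offline password guessing

function gcmSeal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function gcmOpen(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws on a wrong key or tampering
}

function passwordKey(user, password, salt) {
  // Bind the derived key to the user name as well as the password.
  return crypto.pbkdf2Sync(`${user}:${password}`, salt, KDF_ITERATIONS, 32, 'sha256');
}

function sealOfflineEnvelope(user, password, message) {
  const contentKey = crypto.randomBytes(32); // per-message symmetric key
  const salt = crypto.randomBytes(16);
  return {
    salt,
    wrappedKey: gcmSeal(passwordKey(user, password, salt), contentKey),
    body: gcmSeal(contentKey, Buffer.from(message, 'utf8')),
  };
}

function openOfflineEnvelope(user, password, env) {
  try {
    const contentKey = gcmOpen(passwordKey(user, password, env.salt), env.wrappedKey);
    return gcmOpen(contentKey, env.body).toString('utf8');
  } catch (e) {
    return null; // wrong credentials or a modified envelope
  }
}

// Constructed sample data: opens with the right password, fails with a wrong one.
const env = sealOfflineEnvelope('alice@example.com', 'c0rrect-horse', 'Q3 contract terms');
console.log(openOfflineEnvelope('alice@example.com', 'c0rrect-horse', env));
console.log(openOfflineEnvelope('alice@example.com', 'password1', env));
```

Because everything needed to test a password guess ships inside the envelope, the password policy and the key-derivation work factor are the only barriers once a copy of the message is held offline, and there is no server-side event to log or lock out.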

PKI Envelopes are available for those with an existing PKI. PKI Envelopes have many of the same characteristics as Offline Envelopes, but security is bolstered by the session key being encrypted using RSA.
