Clash of the e-mail encryptors

E-mail security solutions from PGP, PostX, Sigaba, and Tumbleweed compete on flexibility, power, and ease

Jerry didn’t mean to read the boss’ e-mail, but he did. It was just too tempting. Now Jerry checks his boss’ mail on a regular basis, “just for fun.” Sure, Jerry felt a little guilty, but the things he found out -- about his boss' crumbling marriage, his co-worker's drug problem, and the contractors being let go -- kept him coming back. Who knew, with a bunch of big contracts coming due, he might even learn something that could make him rich.

Was Jerry sneaking into his boss’ office or logging into his e-mail account secretly? No, Jerry was using a packet sniffer he installed on one of the network’s proxy servers. He originally installed the freeware utility to troubleshoot a network problem, but when he found out the same tool would let him reconstruct other network traffic, specifically SMTP and POP3 e-mail traffic, he thought he had hit the mother lode.

You can substitute your own nightmare scenario. But whether you're in government, financial services, healthcare, or any other business with sensitive information to protect, Jerry and his packet sniffer should be cause for concern. SMTP traffic is especially vulnerable because, by default, it is sent "in the clear" -- that is, all of the header, sender, recipient, and message body data is sent in plain text. Because SMTP is the protocol that mail servers use to send mail back and forth around the world, someone could be reading your mail almost anywhere.

Depending on what industry your company is in, and whether you're doing business with the government, the decision of whether to secure your e-mail may already be made for you. Health care providers must make sure patient privacy is protected, and financial and government institutions must provide similar safeguards over their data. Regulations may prohibit certain kinds of information from being transmitted in the clear, and that e-mail header information may need to be encrypted so that no one can snoop the packets and collect the data. Federal agencies and their contractors may be required to meet certain standards of encryption.

How do you meet all of these requirements? There's more than one way to secure e-mail. You can even use features built into your existing mail clients and servers. Many mail clients, such as Microsoft Outlook, allow senders and receivers to encrypt and decrypt e-mail, but this requires implementing a PKI. For the enterprise, trying to create, distribute, and maintain digital certificates for large numbers of users isn’t very practical. Try to extend the PKI to outside business partners, and the problem only gets worse.

It's easier to turn to a third-party solution. A number of vendors offer software solutions that let you centrally manage secure messaging, including digital certificates and keys, not only for your local enterprise, but also for users outside your network. Typically, they also provide smooth and flexible mail delivery that works in a variety of situations. At best, the end user doesn’t know anything is different. Encryption and decryption can take place at the desktop, the mail gateway, or somewhere in between.

When evaluating this type of software, IT managers should ask themselves a series of questions: Can I trust my internal network to be secure, or should messages be encrypted from the desktop? Must encrypted messages be accessible from the end user's mail client, or from a Web-based mail system such as Hotmail? Must encrypted messages be accessible when mobile users are unplugged, or is security more important than convenience? How will readers of encrypted mail be authenticated, and how will I manage business partners and other users outside my enterprise?

In this roundup, I reviewed four solutions that provide excellent end-to-end mail security. PGP Universal, PostX Enterprise Platform 5.0, Sigaba Secure Email 5.0, and Tumbleweed Secure Messenger 6.0 all handled my test scenarios without a problem, securely delivering encrypted e-mail to both standard mail clients and to SSL-secured Web portals.

All four products install on a server separate from your mail server, acting as a proxy for all inbound and outbound traffic. Because they sit directly in the mail stream, they have the opportunity to do additional processing on the messages. For example, both PostX and Tumbleweed come with very flexible and powerful mail-routing capabilities. As messages move in or out of the gateway, they can be blocked or diverted based on header information and message contents. With some forethought, you can automate a lot of your mail processing. All four vendors allow you to scan for viruses at the gateway as well as enforce some level of content filtering.

Security is the foremost reason for investing in one of these products. The strength of the ciphers they use plays a big part in their overall effectiveness. AES (Advanced Encryption Standard), one of the strongest ciphers available, is included in all four products. Once the darling of encryption, 3DES is supported in all but PostX’s offering. For server-to-server encryption of entire messages, headers and all, all four support the S/MIME protocol, and all with the exception of Sigaba support TLS (Transport Layer Security). Instead of TLS, Sigaba substitutes its own proprietary protocol. In addition to S/MIME, PGP supports the proposed open standard OpenPGP.

Another important consideration, especially for federal government agencies and companies doing business with them, is whether the product has received FIPS (Federal Information Processing Standards) 140 validation. Created by the National Institute of Standards and Technology (NIST), FIPS 140 is a U.S. government standard for cryptographic products. Only PGP has been validated to FIPS 140-2, with Sigaba and Tumbleweed each validated at FIPS 140-1. PostX does use RSA cryptographic modules that have been validated at FIPS 140-1, but as a whole, PostX is still undergoing FIPS validation.

Finally, it's also important to consider how users are added and removed from the system, and what kind of auditing and reporting is included. Should users be allowed to auto-enroll in the system? PostX, Sigaba, and Tumbleweed allow new users to create accounts automatically, while PGP restricts deliveries to previously validated e-mail users. All four vendors provide some form of logging and reporting, with PostX and Tumbleweed providing the most comprehensive capabilities here.

PGP Universal

PGP Universal is a pure e-mail security product, providing mail encryption, anti-virus scanning, and attachment filtering, along with PGP’s zero-footprint Web-mail interface, Web Messenger. While you don’t get the e-mail routing engine or secure statement delivery offered in PostX and Sigaba, Universal does allow administrators to easily create different encryption and signing policies for various mail domains and quickly manage individual users’ keys.

Depending on the mail client your company is using, and whether you want to encrypt at the desktop or at the gateway, you may or may not need to deploy PGP Universal’s desktop application, PGP Satellite. Satellite handles encryption and decryption of messages automatically in the background on the user's Windows PC or Mac. If your company is using Microsoft Outlook and IMAP, and encrypting at the gateway is good enough, Satellite isn't strictly necessary. However, if your users plan on sending and receiving mail through Microsoft Outlook Web Access, then PGP Satellite is a must.

Universal is not the Swiss army knife of e-mail security products, nor is it meant to be. What you get is a scalable, high-performance platform for providing rock-solid, end-to-end encryption, via S/MIME or TLS. Universal comes with a wide range of ciphers, including AES, CAST, IDEA, Twofish, and 3DES. Clients can manage their own keys, and you can expire keys automatically after a specified period of inactivity. Optionally, Universal comes with Norton AntiVirus for scanning file attachments as they pass through the gateway. You can also create a list of file types to block, such as preventing users from mailing .exe or MP3 files.

If you were to compare PGP Universal against the other products in this review strictly on the number of clickable items in the user interface, Universal would be a distant last – but that isn’t necessarily a bad thing. PGP Universal’s clean and easy-to-navigate GUI hides complexity, abstracting much of the domain and policy management required by other products. Defining mail domains and choosing the default encryption and signing settings is literally a three-step process, allowing you to manage more domains with less chance of error.

I was able to create policies for two domains in my test bed in a matter of minutes, one for the local domain, which included Universal, and one for my external domain. For each domain, I could choose whether to encrypt all mail or none, and whether digital signatures were required. Unfortunately, you don’t get the super-granular policy management found in PostX and Tumbleweed.

Universal provides a number of ways to handle messages sent to "untrusted" users, or users who don’t already have a key. You can bounce the mail back to the sender, send it through unencrypted, send it with a link back to the Web-based Web Messenger portal, or send it with a Smart Trailer. A message with a Smart Trailer is sent in the clear, but includes a link to a Web page where the user can enroll and create a key.

Web Messenger is the most graceful way to send mail to new users. An e-mail from the Web Messenger service lets the recipient know there is a secured message waiting for them. A link takes them back to the SSL-secured Web portal, where they then create an account, log in, and download the PGP Satellite client. They can then read and reply to the message and download any attachments. Unlike PostX and Tumbleweed’s mail portals, PGP's does not allow users to create new mail or manage folders.

PostX Enterprise Platform 5.0

PostX Enterprise Platform provides e-mail security by mixing in advanced mail routing capabilities with WebSafe, one of the best Web-mail portals going. PostX provides a flexible way of sending secure e-mail without requiring client-side utilities or plug-ins, while still giving you control over user authentication. Content filtering is available through rules-based policies called Matchers, but anti-virus duties are left to third-party solutions. Enterprise Platform comes with ARC4 and AES ciphers, and uses S/MIME or TLS for server-to-server communication. You can easily custom-brand your PostX system to present a common look and feel to your users. A module for managing the delivery of secure statements and other business documents rounds out the offering.

Securing e-mail in Enterprise Platform is based on the concept of envelopes. The patented PostX Envelope wraps the original e-mail message and includes a JavaScript decryption engine. PostX has three types of envelopes: Registered Envelope, Offline Envelope, and PKI Envelope. Registered Envelopes use symmetric keys stored in the PostX keyserver database. When a user receives a Registered Envelope, they simply provide their user name and password to the decryption engine, which in turn authenticates them and retrieves the key from the server over SSL.

Registered Envelopes have a couple of features that make them attractive. First, because the user must authenticate back to the PostX server to retrieve the decryption key, this event is logged, providing positive auditing of message retrieval. Second, it allows you to "shred" or lock out keys based on failed log-in attempts or inactivity. The one drawback to Registered Envelopes is that users must be online in order to authenticate and retrieve the key for decryption, but you can optionally allow users to cache the key locally after opening the message, in order to access the message again offline.

Offline Envelopes package the message content and encrypted key together, negating the need for the recipient to be online to read the message. The decryption key is encoded using ARC4 or AES, and the user's name and password unlock the e-mail. As long as your company enforces a strong password policy -- eight or more characters with at least one non-alpha character, for example -- privacy should be sufficiently protected.

PKI Envelopes are available for those with an existing PKI infrastructure. PKI Envelopes have many of the same characteristics as offline envelopes, but security is bolstered by the session key being encrypted using RSA.

Because all of these envelopes rely on Java technology, there is the slight chance that they won't work with a recipient's OS or browser. To combat this, PostX allows the user to choose Open Online, a feature that sends the message back to the PostX server and opens it on the server, where the recipient can read and reply to the e-mail over SSL. For situations where Java is not available -- or stripped out, as in the case of Microsoft Outlook Web Access -- Open Online is a great option. PostX also offers a Windows application that you can install on users' desktops, if security requires messages to be encrypted at the client, or if you simply want to speed up the process by handling encryption and decryption automatically in the background.

WebSafe is PostX’s powerful Web-mail portal system. Designed with all of the features of a Hotmail-style system, WebSafe allows users to create, reply to, and manage e-mail messages in a secure environment. WebSafe is completely integrated with the PostX system so that all user access is logged for auditing purposes.

PostX Enterprise Platform is so flexible that it can be quite overwhelming. By using Matchers, you can specify the exact path e-mail will take through your system, optionally routing messages to other services based on various criteria. For example, I was able to create a Matcher that checked for a regular expression in the subject field of the message and, if true, would then deliver it via Registered Envelope instead of Offline Envelope. Using combinations of Matchers and applications, you can create policies and work flows that meet your business processing and security needs.

But again, this flexibility comes at a price. PostX Enterprise Platform is not the most intuitive product to work with, and it will take some time and experimentation to get your mail processes defined and bug free. With the help of PostX support, I was able to create rules for various mail domains and situations. Make sure you keep the documentation handy.

Sigaba Secure Email 5.0

Sigaba Secure Email takes a granular view of secure mail processing through extensive use of rules and object lists. SendAnywhere is Sigaba’s zero-footprint delivery technology and Sigaba Vault provides a secure Web-based portal system. Secure Email includes support for AES and 3DES. Server-to-server transmission is secured using S/MIME or a proprietary Sigaba protocol, but TLS is not supported. Sigaba Secure Email includes a HIPAA (Health Insurance Portability and Accountability Act) keyword list to ensure compliance, and optional add-ons include content filtering and McAfee anti-virus. Custom branding and secure statement delivery are also part of the system.

Like the other products in our review, Secure Email can deliver e-mail to recipients in a variety of ways. Sigaba SendAnywhere allows users to send encrypted messages and reply securely without special client-side software. As with PGP and PostX’s Registered Envelopes, SendAnywhere requires recipients to be online in order to decrypt the message, which is done by opening an HTML attachment and authenticating to the Sigaba server via the Web. This requirement makes offline decryption impossible. Nor is SendAnywhere designed to deliver mail to "untrusted" users. Sigaba does not support self-registration; an account must be created by an administrator before a recipient can receive secure mail.

Sigaba provides a plug-in for all the major Windows e-mail clients that handles encryption and decryption automatically, much like the one found in PostX. The plug-in handles user authentication back to the Sigaba keyserver and, like SendAnywhere, requires users to be online in order to encrypt and decrypt messages. Opened messages can be saved in the clear for offline reading.

The Sigaba Vault is Sigaba's method for delivering secure mail through a Web portal. Similar to PostX’s and Tumbleweed’s online portals, Sigaba Vault provides a way to deliver encrypted messages to end users without relying on client-side software; recipients simply click a link directing them back to Sigaba Vault, where they log in via SSL with a username and password. Vault presents all of their e-mail to them already decrypted. Like PGP Web Messenger, Sigaba Vault does not allow users to create new mail or organize messages in folders.

A neat feature not found in the other products is the Affiliate Gateway. The Gateway installs on a business partner’s server and provides authentication, encryption, and policy enforcement, allowing you and your business partner to easily exchange encrypted e-mail without requiring changes to their mail system. No client software is needed and all mail is decrypted at the gateway.

Rule sets and lists in Sigaba allow you to fine-tune your mail flow. You can define specific inbound and outbound policies based on users, domains, and message subject, as well as on header tags and strings found in the body of the message. Sigaba also supports the use of regular expressions in search strings for even more control.

Tumbleweed Secure Messenger 6.0

Tumbleweed Secure Messenger doesn’t miss a beat when it comes to mail security, providing all of the necessary pieces to the secure messaging puzzle. Secure Messenger has a very powerful and flexible policy engine that allows you to create rules based on domain, message, and user, among other things. Secure Messenger also performs virus scanning, spam filtering, and content filtering. Secure Messenger can even perform weighted word analysis to help detect messages that might fail to comply with HIPAA or other regulations. 

Secure Messenger provides universal message delivery, allowing end users to receive messages using their desktop mail client or Web-based mail system. E-mail is encrypted using AES or 3DES, with S/MIME and TLS available for site-to-site protection. To speed up the enrollment of business partners, you can even let Secure Messenger harvest S/MIME certificates on inbound messages to auto-associate users and keys.

The heart and soul of Secure Messenger is the policy engine. There are so many different criteria that can be applied to a message, there is realistically no situation that Secure Messenger cannot handle. Policies can be applied to either the sender or recipient, and messages routed or otherwise manipulated by the policy engine. For example, I created a policy to catch inbound messages that contained executable files. When triggered, the file attachments were removed and text was inserted into the body of the message alerting the recipient that an executable file was stripped. Secure Messenger then placed a copy of the original message in an archive and tagged it "Executable" for later inspection. 
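The two policies just described, PostX's regex-on-subject Matcher that selects Registered Envelope delivery and Tumbleweed's rule that strips inbound executables and archives the original under an "Executable" tag, are modelled below in Go. This is an added example with a constructed Message type, not either vendor's engine or rule syntax; the blocked-extension list, the notice text, and the rule ordering are assumptions.

```go
package main

import (
	"path"
	"regexp"
	"slices"
	"strings"
)

// Message is the minimal view a gateway policy engine needs (constructed here).
type Message struct {
	Inbound     bool
	Subject     string
	Body        string
	Attachments []string // attachment file names
	Delivery    string   // "registered", "offline", or "" for the default
}

// Archive holds copies a policy wants kept for later inspection, keyed by tag.
type Archive map[string][]Message

// Rule pairs a predicate with the action taken when it fires; matching rules act in order.
type Rule struct {
	Match  func(m *Message) bool
	Action func(m *Message, a Archive)
}

// SubjectMatches mirrors a regex-on-subject Matcher.
func SubjectMatches(pattern string) func(*Message) bool {
	re := regexp.MustCompile(pattern)
	return func(m *Message) bool { return re.MatchString(m.Subject) }
}

// blockedExt is an assumed block list; a real gateway would also inspect content, not just names.
var blockedExt = map[string]bool{".exe": true, ".com": true, ".bat": true, ".scr": true}
func blocked(name string) bool { return blockedExt[strings.ToLower(path.Ext(name))] }

// StripExecutables archives the untouched original under the tag "Executable",
// removes the offending attachments, and tells the recipient what was removed.
func StripExecutables(m *Message, a Archive) {
	a["Executable"] = append(a["Executable"], *m) // copy taken before editing
	var kept, removed []string
	for _, n := range m.Attachments {
		if blocked(n) {
			removed = append(removed, n)
		} else {
			kept = append(kept, n)
		}
	}
	m.Attachments = kept
	m.Body += "\n[Gateway notice: executable attachment removed: " + strings.Join(removed, ", ") + "]"
}

// Apply runs the rule set over one message, mutating it in place.
func Apply(rules []Rule, m *Message, a Archive) {
	for _, r := range rules {
		if r.Match(m) {
			r.Action(m, a)
		}
	}
}

// DefaultRules builds the two policies the review describes: "confidential"
// subjects go out as Registered Envelopes, and inbound executables are stripped.
func DefaultRules() []Rule {
	return []Rule{
		{Match: SubjectMatches(`(?i)\bconfidential\b`),
			Action: func(m *Message, _ Archive) { m.Delivery = "registered" }},
		{Match: func(m *Message) bool { return m.Inbound && slices.ContainsFunc(m.Attachments, blocked) },
			Action: StripExecutables},
	}
}
```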

Tumbleweed has every right to brag about Secure Messenger’s policy engine, but as with PostX Enterprise Platform, such configurability comes at a cost. There are so many options and ways to assemble lists and policies that you can quickly become lost in a maze of choices. After I spent some time using the system, navigating wasn’t nearly as difficult as at first, but policy creation still made my eyes cross.

Like PostX, Tumbleweed uses a digital envelope metaphor for delivering encrypted e-mail, whether the user receives the message via a mail client in-box or a Web-based mail service such as Hotmail. Secure Envelope contains the message, the decryption key, and the decryption engine all in one package, so it does not require the recipient to be online in order to open the message.

For browser-based mail-users, the envelope is an encrypted HTML attachment. Simply open the attachment with your browser and enter your password. Everything needed to decrypt the message is included in the envelope. It's similar to Sigaba's SendAnywhere, but does not require the recipient to be online to open the message.
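PostX's Offline Envelope (described earlier) and Tumbleweed's Secure Envelope both ship the encrypted message together with its key, the key itself locked by the recipient's password. The Go program below is an added illustration of that construction, not code from PostX or Tumbleweed; it assumes PBKDF2-HMAC-SHA-256 for the password key and AES-256-GCM for both layers, which neither vendor's format is stated to use, and the 16/12/32-byte field sizes are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Envelope = salt[16] || wrappedKey[12+32+16] || body[12+len(msg)+16]; each
// encrypted part is nonce || ciphertext || tag. Illustrative, not PostX's format.
const saltLen, nonceLen, wrapLen = 16, 12, 12 + 32 + 16

// passwordKey is single-block PBKDF2-HMAC-SHA256, spelled out to stay in the stdlib.
func passwordKey(password, salt []byte) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index INT(1)
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ { // iteration count slows offline password guessing
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// aead builds AES-256-GCM; keys here are always 32 bytes, so errors cannot occur.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, nonceLen)
	rand.Read(nonce) // crypto/rand.Read never fails as of Go 1.24
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}

// Seal builds an envelope that anyone holding password can open offline.
func Seal(password, plaintext []byte) []byte {
	salt, msgKey := make([]byte, saltLen), make([]byte, 32)
	rand.Read(salt)
	rand.Read(msgKey)
	env := append(salt, seal(passwordKey(password, salt), msgKey)...)
	return append(env, seal(msgKey, plaintext)...)
}

// Open recovers the message; a wrong password fails GCM authentication on the
// wrapped key first, so the body is never decrypted under a bad key.
func Open(env, password []byte) ([]byte, error) {
	if len(env) < saltLen+wrapLen+nonceLen+16 {
		return nil, errors.New("envelope truncated")
	}
	salt, wrapped, body := env[:saltLen], env[saltLen:saltLen+wrapLen], env[saltLen+wrapLen:]
	msgKey, err := aead(passwordKey(password, salt)).Open(nil, wrapped[:nonceLen], wrapped[nonceLen:], nil)
	if err != nil {
		return nil, errors.New("wrong password or tampered envelope")
	}
	return aead(msgKey).Open(nil, body[:nonceLen], body[nonceLen:], nil)
}
```

Because the password-derived key is the only secret protecting the wrapped message key, the KDF iteration count and the password policy quoted in the PostX section are what stand between an intercepted envelope and offline guessing.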

Tumbleweed provides a great deal of administrative flexibility, which could result in some users accidentally sending sensitive messages in the clear. As a safeguard, Secure Messenger also allows you to create a policy that would route such a message to the secure portal and replace the original message with a custom message containing a link. There, the user logs into Secure Messenger’s Web portal and retrieves their mail in an SSL-secured session. 

Unlike PGP, PostX, and Sigaba, Tumbleweed does not provide any way to encrypt e-mail at the desktop. Whether this is a security shortcoming or an advantage seems to be in the eye of the beholder. According to Tumbleweed, mail clients that use RPC to communicate with the mail server, such as Microsoft Outlook and Lotus Notes, are already safe from snooping. Further, encrypting at the desktop can prevent messages from being properly inspected at the gateway. For IT managers, the question ultimately boils down to whether you trust your local network.

All four of these products are powerful, sophisticated, and effective at locking down e-mail. PostX and Tumbleweed provide the greatest flexibility, while PGP and Sigaba offer more straightforward security. Deciding on which system to implement will depend heavily on your business and what you are trying to accomplish. If you want powerful rules-based processing to automate much of your mail security, then take a hard look at both PostX and Tumbleweed. If you want desktop-to-desktop encryption, then PGP is the best choice, with strong support from Sigaba and PostX. If you must fit a broad range of users and guard against every contingency, PostX comes closest to covering all the bases.

InfoWorld Scorecard

Product                           Security  Value    Setup    Flexibility  Management  Standards  Overall Score
                                  (25.0%)   (10.0%)  (10.0%)  (20.0%)      (15.0%)     (20.0%)    (100%)
PGP Universal                     9.0       9.0      9.0      6.0          8.0         9.0        8.3
PostX Enterprise Platform 5.0     9.0       8.0      8.0      9.0          8.0         8.0        8.5
Sigaba Secure Email 5.0           9.0       7.0      8.0      7.0          8.0         8.0        8.0
Tumbleweed Secure Messenger 6.0   9.0       8.0      8.0      8.0          8.0         9.0        8.5