Clash of the e-mail encryptors
E-mail security solutions from PGP, PostX, Sigaba, and Tumbleweed compete on flexibility, power, and ease
Jerry didn’t mean to read the boss’ e-mail, but he did. It was just too tempting. Now Jerry checks his boss’ mail on a regular basis, “just for fun.” Sure, Jerry felt a little guilty, but the things he found out -- about his boss' crumbling marriage, his co-worker's drug problem, and the contractors being let go -- kept him coming back. Who knew, with a bunch of big contracts coming due, he might even learn something that could make him rich.
Was Jerry sneaking into his boss’ office or logging into his e-mail account secretly? No, Jerry was using a packet sniffer he installed on one of the network’s proxy servers. He originally installed the freeware utility to troubleshoot a network problem, but when he found out the same tool would let him reconstruct other network traffic, specifically SMTP and POP3 e-mail traffic, he thought he had hit the mother lode.
You can substitute your own nightmare scenario. But whether you're in government, financial services, healthcare, or any other business with sensitive information to protect, Jerry and his packet sniffer should be cause for concern. SMTP traffic is especially vulnerable because, by default, it is sent "in the clear" -- that is, all of the header, sender, recipient, and message body data is sent in plain text. Because SMTP is the protocol that mail servers use to send mail back and forth around the world, someone could be reading your mail almost anywhere.
Depending on what industry your company is in, and whether you're doing business with the government, the decision of whether to secure your e-mail may already be made for you. Health care providers must make sure patient privacy is protected, and financial and government institutions must provide similar safeguards over their data. Regulations may prohibit certain kinds of information from being transmitted in the clear, and even e-mail header information may need to be encrypted so that no one can snoop the packets and collect the data. Federal agencies and their contractors may be required to meet certain standards of encryption.
How do you meet all of these requirements? There's more than one way to secure e-mail. You can even use features built into your existing mail clients and servers. Many mail clients, such as Microsoft Outlook, allow senders and receivers to encrypt and decrypt e-mail, but this requires implementing a PKI. For the enterprise, trying to create, distribute, and maintain digital certificates for large numbers of users isn’t very practical. Try to extend the PKI to outside business partners, and the problem only gets worse.
It's easier to turn to a third-party solution. A number of vendors offer software solutions that let you centrally manage secure messaging, including digital certificates and keys, not only for your local enterprise, but also for users outside your network. Typically, they also provide smooth and flexible mail delivery that works in a variety of situations. At best, the end user doesn’t know anything is different. Encryption and decryption can take place at the desktop, the mail gateway, or somewhere in between.
When evaluating this type of software, IT managers should ask themselves a series of questions: Can I trust my internal network to be secure, or should messages be encrypted from the desktop? Must encrypted messages be accessible from the end user's mail client, or from a Web-based mail system such as Hotmail? Must encrypted messages be accessible when mobile users are unplugged? Is security more important than convenience? How will readers of encrypted mail be authenticated, and how will I manage business partners and other users outside my enterprise?