Clash of the e-mail encryptors
E-mail security solutions from PGP, PostX, Sigaba, and Tumbleweed compete on flexibility, power, and ease
Tumbleweed has every right to brag about Secure Messenger’s policy engine, but as with PostX Enterprise Platform, such configurability comes at a cost. There are so many options and ways to assemble lists and policies that you can quickly become lost in a maze of choices. After I spent some time using the system, navigating wasn’t nearly as difficult as at first, but policy creation still made my eyes cross.
Like PostX, Tumbleweed uses a digital envelope metaphor for delivering encrypted e-mail, whether the user receives the message via a mail client in-box or a Web-based mail service such as Hotmail. Secure Envelope contains the message, the decryption key, and the decryption engine all in one package, so it does not require the recipient to be online in order to open the message.
For browser-based mail-users, the envelope is an encrypted HTML attachment. Simply open the attachment with your browser and enter your password. Everything needed to decrypt the message is included in the envelope. It's similar to Sigaba's SendAnywhere, but does not require the recipient to be online to open the message.
Tumbleweed provides a great deal of administrative flexibility, which could result in some users accidentally sending sensitive messages in the clear. As a safeguard, Secure Messenger also allows you to create a policy that would route such a message to the secure portal and replace the original message with a custom message containing a link. There, the user logs into Secure Messenger’s Web portal and retrieves their mail in an SSL-secured session.
Unlike PGP, PostX, and Sigaba, Tumbleweed does not provide any way to encrypt e-mail at the desktop. Whether this is a security shortcoming or an advantage seems to be in the eye of the beholder. According to Tumbleweed, mail clients that use RPC to communicate with the mail server, such as Microsoft Outlook and Lotus Notes, are already safe from snooping. Further, encrypting at the desktop can prevent messages from being properly inspected at the gateway. For IT managers, the question ultimately boils down to whether you trust your local network.
Click for larger view.