
9/13/2007
08:45 AM

Email Encryption Gets Easier

But are these new methods enough to convince enterprises to secure their messages with in-house systems - or that they even need to?

Remember the OpenPGP and S/MIME email encryption wars? Back then, it was all about which encryption protocol would become the standard for protecting email messages from prying eyes.

The headache and complexity of using encryption keys for messaging wasn't appealing to the typical organization or end user. And now, about a decade later, most users still don't encrypt their email messages. "The way a traditional PKI works, it's useless to make the majority of information workers send and receive email" with it, says Richi Jennings, an analyst with Ferris Research.

But email encryption technology is actually getting easier to deploy and manage today, with new approaches such as identity-based encryption (IBE) from companies like Voltage Security and Identum that match users to their more tangible email addresses or logons. There are several email encryption service offerings as well, such as Goodmail for consumers, and others from service providers like Yahoo. (See Six Hot Security Products.)

So far, email encryption is still mainly used by organizations with highly sensitive missions or information, or paranoid security types who know too much. But enterprises, especially those under the heaviest regulatory microscopes like healthcare and financial services, are starting to look more closely at email encryption. The recent epidemic of laptop thefts and customer data leaks has also spurred interest in giving email encryption a second look.

Aside from Voltage Security's SecureMail, which uses a special algorithm that turns a user's logon or email address into a public/private key pair, email encryption pioneer PGP yesterday rolled out a new feature for its PGP Universal Gateway product that lets you send encrypted mail to an organization or recipient that doesn't have secure messaging.

"At the end of the day, you can't dictate what's on the recipient's end. There has to be some transparent way to communicate," says John Dasher, director of product management for PGP.

"It's [email encryption] becoming more usable," says Christopher Gervais, enterprise architect for Partners HealthCare System, a Boston-based network of hospitals and research labs, who says email encryption may be an option for the company in the near future. "Some of the email encryption experience for end users has become more integrated -- there's no more goofy manual certificate management, or [having to decide] do I encrypt this or that. It's becoming more automated."

Integro Insurance, for instance, runs Voltage's appliance for internal email among its 13 locations worldwide, and then with a Web-based setup for external messaging. "Encryption has to be painless or people are not going to do it," says Fred Danback, principal and head of global technology services for Integro Insurance Brokers. "Users get frustrated if they can't open a message they need."

Danback says he configured the appliance, which cost about $40,000, by registering it via the firm's Active Directory, not user by user, so it was simple to deploy. Each user gets a Voltage plug-in for Outlook, and then all they do is hit the "send secure" button to encrypt a message using their email address. "And oftentimes I don't know when a message to me was encrypted," he says, because it's automatically decrypted for him. Aside from a handful of policies (such as all messages with "HR bonus payoffs" or "open enrollment" automatically get encrypted), most email encryption at Integro is at the user's discretion, he says.

Email encryption has even become a sort of selling point for the company: Danback attributes a half-million-dollar deal the firm recently sealed with a New York investment bank to Integro's email encryption capabilities. "The [win] was largely due to the security of our infrastructure and our ability to send and receive encrypted messages."

Meanwhile, an in-house email encryption installation today must also address the growing number of BlackBerries, Treos, and iPhones in organizations. Partners HealthCare's Gervais says adding handhelds to the equation would be a factor if he were to adopt email encryption: "We have more and more users getting their email on different types of devices -- BlackBerry, Treo, iPhones, etc., and users getting their mail through Web interfaces from different endpoints and nodes."

Whether email encryption truly goes mainstream isn't clear. For now, many firms merely use secure VPN connections to their business partners when sending sensitive mail, notes Ferris Research's Jennings. "That's not what encryption maestros call desktop-to-desktop, but it means certain email is not going unencrypted over the public Internet."

"I don't see a large percentage of email getting encrypted over the Internet [yet]... We're still in the very early days of email encryption," Jennings says.


  • Voltage Security Inc.
  • Identum
  • Ferris Research

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
