E-Mail Encryption: Lots of Choices, Plenty of Tradeoffs

A study says 84 percent of high-cost security incidents involve insecure transmission of company data outside the firewall. E-mail encryption can help reduce that risk, but there are a lot of choices to consider.

By Drew Robb

Corporate espionage is big business these days. So it makes sense to deploy some kind of encryption system to ensure that prying eyes can't decipher anything garnered from intercepted messages or from stolen computers. Whether it is customer data, employee data, intellectual property or confidential financial information, losing anything can be seriously detrimental.

"Lost or stolen data can cripple a business's reputation and financial standing," says Than Tran, product marketing manager at PGP Corp. of Palo Alto, CA. "A business must ensure e-mails containing sensitive information are kept secure and that they comply with privacy laws to assure safe transactions for their customers and the privacy of their employees."

Encryption Systems

Tran explains that there are several different methods of e-mail encryption. Endpoint-to-Endpoint means full encryption from the originating device all the way to the recipient's device. This method provides the highest level of security because it leaves no intervening point at which anyone but the intended parties can read plaintext. The drawback is that it also creates the greatest complexity from an implementation, administration and management perspective, mainly because encryption software must be installed and maintained on every endpoint and integrated with each user's e-mail client.

Gateway-to-Endpoint is one way to simplify things. It provides full encryption from a gateway within the sender's network to the recipient's endpoint. In this scenario the message leaves the sender's desktop in plaintext and is encrypted by a gateway located near the e-mail server; everything between the desktop and that gateway, the gateway itself included, therefore handles the message unencrypted. This mode eliminates the need for any encryption software or user interaction on the sender's side.

"Another variation on this is Gateway-to-Gateway," says Tran. "It is like Gateway-to-Endpoint, but adds an encryption gateway on the recipient's side, thus eliminating desktop software and administrative costs on that end as well."

Finally, there is Gateway-to-Web, which provides access to sensitive data via a Web server, possibly co-located on the gateway itself. The data is typically protected in transit by transport-layer encryption such as Secure Sockets Layer (SSL) or its successor, TLS; it is the connection used to fetch the message that is encrypted, not the message itself. This allows secure communication with any recipient, regardless of the recipient's architecture or level of sophistication.

"In this scenario, a standard message is sent to the recipient, advising that a secure message is waiting at the gateway," says Tran. "The recipient retrieves this message via a secure connection, which may also require authentication with credentials delivered by an out-of-band mechanism."
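The three gateway modes above all come down to one decision the gateway makes for each outbound recipient: does the message need protection at all, and if so, which mode can the recipient actually consume? The following Python is an added illustration of that routing decision, not code from PGP Corp. or from the article. The recipient directory, the content rules and the mode names are hypothetical, and the sample messages are constructed.

```python
"""Routing decision for an outbound e-mail encryption gateway.

Added illustration: models the choice between the Gateway-to-Gateway,
Gateway-to-Endpoint and Gateway-to-Web modes described in the text.
The recipient directory, detection rules and mode names are hypothetical.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed directory of what each recipient can receive (hypothetical data).
PEER_GATEWAY_DOMAINS = {"partner.example"}        # domain runs its own encryption gateway
KNOWN_RECIPIENT_KEYS = {"alice@customer.example"}  # recipient has desktop software and a key

# Minimal content rules standing in for a real policy engine.
SENSITIVE_PATTERNS = (
    re.compile(r"\bconfidential\b", re.IGNORECASE),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN-shaped number
)


def is_sensitive(msg: Message) -> bool:
    """True if the subject or any text part matches a sensitivity rule."""
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return any(p.search(t) for t in texts for p in SENSITIVE_PATTERNS)


def choose_mode(recipient: str) -> str:
    """Pick the strongest mode the recipient can actually consume."""
    addr = recipient.lower()
    domain = addr.rpartition("@")[2]
    if domain in PEER_GATEWAY_DOMAINS:
        return "gateway-to-gateway"   # encrypt to the remote gateway, no desktop software
    if addr in KNOWN_RECIPIENT_KEYS:
        return "gateway-to-endpoint"  # encrypt to the recipient's own key
    # Fallback for everyone else: park the message and send a pickup notice.
    return "gateway-to-web"


def route(raw_message: str) -> dict:
    """Return {recipient: mode} for one outbound message.

    The message reached this gateway in plaintext over the internal network;
    that hop is unprotected in every gateway mode, which is the trade-off
    against Endpoint-to-Endpoint encryption.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr for _, addr in getaddresses(headers) if addr]
    if not is_sensitive(msg):
        return {r: "plaintext" for r in recipients}
    return {r: choose_mode(r) for r in recipients}


# Constructed sample messages (not real traffic).
SENSITIVE_MAIL = """\
From: hr@corp.example
To: Bob <bob@partner.example>, alice@customer.example
Cc: carol@mail.example
Subject: Q3 payroll
Content-Type: text/plain; charset="utf-8"

CONFIDENTIAL: salary figures for the quarter are below.
"""

ROUTINE_MAIL = """\
From: hr@corp.example
To: bob@partner.example
Subject: Lunch menu
Content-Type: text/plain; charset="utf-8"

Tacos on Friday.
"""

if __name__ == "__main__":
    for name, mail in (("sensitive", SENSITIVE_MAIL), ("routine", ROUTINE_MAIL)):
        print(name, route(mail))
```

The ordering in `choose_mode` encodes the trade-off the article describes: a peer gateway removes desktop software on the far side, a known key gives the recipient an encrypted message they hold themselves, and the Web pickup is the universal fallback that protects only the retrieval session. A real gateway would split a mixed-recipient message into one delivery per mode rather than returning a dictionary.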

PGP Encryption

PGP offers several products intended to make e-mail encryption both secure and simple to run. PGP Universal Server lets an organization control deployment, automate user and key management, enforce policy and centralize reporting for one or more encryption applications. A company can start with a single encryption application and grow the deployment across the enterprise and out to customers and partners; the vendor says the server scales as new systems are added and integrates with existing infrastructure. PGP Universal Server automates the creation of user accounts, management of user keys, delivery of policy updates to applications and installation of software updates, and also handles logging and monitoring.

It is supplemented at the desktop level by PGP Desktop Professional, which is managed by PGP Universal, to secure e-mail, data stored on disk and AOL Instant Messenger (AIM) traffic. It also provides digital signature capability.

"PGP Whole Disk Encryption technology is used for full disk encryption, securing all data including often overlooked temporary, swap, and hibernation files that include copies of sensitive data, files and e-mails," says Tran. "As a business grows and requires more bandwidth/security it is best to then upgrade to PGP Universal Series, a robust and scalable e-mail encryption platform."

A perpetual license for PGP Desktop Email 9.6 for Windows costs $149.

Choose Wisely

Tran offers some advice for businesses with regard to email encryption.

"The challenge for email encryption is to select a solution that will support the growth and changes within the business's email architecture and will also be leveraged by non-email applications requiring encryption services," he says. "It is absolutely vital for a company to encrypt not just e-mails but also files that contain sensitive information with the highest level of protection. It can be a costly and devastating setback to a business if sensitive data is exposed to unintended personnel."

The reason is cost: according to Gartner Inc. of Stamford, CT, 84 percent of high-cost security incidents occur when insiders send confidential data outside the company without properly securing it.

"Different companies have different needs and should assess their own risk before deciding to implement a security solution," says Tran. "Furthermore, it is critical that a business conducts frequent audits of its security procedures, processes and technologies in order to comply with ever changing regulations."

Article courtesy of Enterprise IT Planet

This article was originally published on Aug 24, 2007