Cyber Security Institute

Friday, September 14, 2007

Email Encryption Gets Easier

But are these new methods enough to convince enterprises to secure their messages with in-house systems – or that they even need to?

Remember the OpenPGP and S/MIME email encryption wars?  Back then, it was all about which encryption protocol would become the standard for protecting email messages from prying eyes.  The headache and complexity of using encryption keys for messaging wasn’t appealing to the typical organization or end user.  “The way a traditional PKI works, it’s useless to make the majority of information workers send and receive email” with it, says Richi Jennings, an analyst with Ferris Research.

But email encryption technology is actually getting easier to deploy and manage today, with new approaches such as identity-based encryption (IBE) from companies like Voltage Security and Identum that match users to their more tangible email addresses or logons. 

So far, email encryption is still mainly used by organizations with highly sensitive missions or information, or paranoid security types who know too much.  But enterprises, especially those under the heaviest regulatory microscopes like healthcare and financial services, are starting to look more closely at email encryption.

Aside from Voltage Security’s SecureMail, which uses a special algorithm that turns a user’s logon or email address into a public/private key pair, email encryption pioneer PGP yesterday rolled out a new feature for its PGP Universal Gateway product that lets you send encrypted mail to an organization or recipient that doesn’t have secure messaging.  “It’s [email encryption] becoming more usable,” says Christopher Gervais, enterprise architect for Partners HealthCare System, a Boston-based network of hospitals and research labs, who says email encryption may be an option for the company in the near future.

“Some of the email encryption experience for end users has become more integrated—there’s no more goofy manual certificate management, or [having to decide] do I encrypt this or that.”  Integro Insurance, for instance, runs Voltage’s appliance for internal email among its 13 locations worldwide, and then with a Web-based setup for external messaging.  “Encryption has to be painless or people are not going to do it,” says Fred Danback, principal and head of global technology services for Integro Insurance Brokers.  “The [win] was largely due to the security of our infrastructure and our ability to send and receive encrypted messages.”  “That’s not what encryption maestros call desktop-to-desktop, but it means certain email is not going unencrypted over the public Internet.”

Posted on 09/14