Proofpoint Makes Encryption Easier

By David Strom  |  Posted 2010-04-21

Proofpoint Makes Encryption Easier

If you have multiple e-mail applications in use in your enterprise and are looking to consolidate them with a single vendor, while adding the ability to provide e-mail encryption, it makes sense to try out Proofpoint's On Demand Protection Server v It operates either as a Web service with nothing to install on the client end or as a hardware appliance that can be installed on an enterprise's premises. The software features are the same for either product.

The Protection Server starts at $4,000 for up to 250 users and comes with a dizzying array of modules. If you opt for all of them, the price quickly rises to more than three times that amount.

I tested Version 6.0 of the Proofpoint Messaging Security Gateway Model P340

appliance on a test network the vendor set up for me. The encryption feature, which adds at least another $2,000 to the base price, is interesting because of the way the product works: Proofpoint encrypts each message using a separate symmetric key pair, and the keys are maintained in the cloud as part of the service offering. Most of the other encryption vendors use a single key to encrypt all messages.

The pair approach requires more work on Proofpoint's end to keep each message straight. However, since everything is stored on the Proofpoint server, an administrator has more flexibility when searching for a particular message.

This encryption strategy is a change for Proofpoint. Prior to developing its own encryption module, the company licensed software from Voltage Security and offered it at higher cost to its customers. The Voltage SecureMail 3.3 server is still part of the product offering for supporting existing customers, but it was turned off for my review.

Like Hushmail, Proofpoint offers several options for sending a message: in the clear, encrypted or digitally signed. When the recipient receives the encrypted message, there will be an embedded Web link leading to a registration system if this is the first time that individual has corresponded with one of your employees.

Key management is effortless. If a user forgets the password needed to decrypt the message, he or she can easily reset it. Compare this with the old days when you had to register each user's key with a specific server. With this system, everything happens under the covers, and you don't have to worry about what software your recipients are using to exchange encrypted messages.

You can also set up policies to automatically encrypt any outbound message that contains certain keywords or credit card numbers, for example.

Proofpoint encryption is hard-coded to limit the size of attachments, which are encrypted up to 20MB for secure outbound messages. Administrators can get this changed if they contact the vendor, but they can't do it themselves.

Setting Up Features

Setting up the encryption feature requires answering a few questions, such as what the domain name to be used is, and configuring at least one of what the company calls response profiles, giving the actions available to recipients of encrypted messages. For example, you can allow messages to be forwarded within the original sender's or recipient's domain. You can have different profiles that are mapped to particular users or groups, too.

After the initial setup, you press a "test" button in the administrative interface to make sure you've done everything properly, and the software will report any errors. This is a nice feature.

Administrators have granular control over the Proofpoint encryption keys. You can undelete previously deleted keys, change the expiration timestamp for a key and toggle the access to a secure message for each recipient of the message.

Proofpoint has some caveats when using Outlook and Exchange for encrypted messages. First, you should examine two Microsoft Knowledge Base articles (912939 and 958881) to set up Exchange to work properly with Proofpoint's Encryption. If using the combination of Outlook 2007 running on Windows Vista, when a user receives an encrypted message, he or she should open (rather than save and then open) the attachment in order to authenticate and decrypt the message. The decryption routine won't work if the attachment is saved first.

I uncovered another issue when I used Microsoft's proprietary Exchange Rich Text message format to send encrypted messages. Proofpoint recommends turning off this option in Exchange globally-or for users who do frequent encryptions-because this special format can't be sent to non-Exchange/Outlook recipients.

As mentioned above, administrators can easily search for particular messages, including the encrypted ones. Also included in the product is a large collection of preset reports on top senders, common viruses detected and other message trends. This is fairly typical for e-mail products of this class. You just scroll down the list of reports and select the reporting period (such as last day, week or month) and click on the report. You can export the information to a spreadsheet, e-mail it or further customize the output.

There's a lot more than encryption in Proofpoint's Protection Server. It offers a powerful e-mail policy and rules processing engine, similar to old standards such as Sendmail's Sentrion and other e-mail heavyweights. If you're looking to upgrade your e-mail server with a single security device, this might be the ticket.

There are modules for anti-spam processing, for antivirus (licensed from F-Secure) and for general e-mail firewall tasks, such as blocking messages with large attachments or attached executable files. These all cost extra and are licensed for a particular number of user mailboxes. The pricing scheme is complex, one might say annoyingly so.

Proofpoint has also put a lot of work into its data loss prevention rule sets. While not as fully featured as a dedicated DLP product from Code Green or others, these rule sets have the ability to add compliance rules around detecting Social Security numbers and credit card strings that are included in e-mails. But Proofpoint charges dearly for this module, too, reflecting the higher fees DLP providers can get for their offerings.

The bottom line is that Protection Server is a worthwhile product (or service, if you purchase the Web version) that you may want to look at if your existing e-mail system is ready to be replaced.

David Strom is a writer, blogger and speaker with years of experience in the information technology field.

Data Box

Proofpoint On Demand Protection Server v

P340 Proofpoint Messaging Security Gateway

892 Ross Drive

Sunnyvale, CA 94089

408 517 4710


Up to 250 Users: $3995

Encryption: +$2025

Anti-Spam: +$4000

Anti-Virus: +$3200

Zero-Hour: +$2720

Regulatory Compliance: +$6950

There are two bundles of these modules that are less expensive. Prices go up for additional users.


Rocket Fuel