Proofpoint Makes Encryption Easier - Page 2

Setting up the encryption feature requires answering a few questions, such as what the domain name to be used is, and configuring at least one of what the company calls response profiles, giving the actions available to recipients of encrypted messages. For example, you can allow messages to be forwarded within the original sender's or recipient's domain. You can have different profiles that are mapped to particular users or groups, too.

After the initial setup, you press a "test" button in the administrative interface to make sure you've done everything properly, and the software will report any errors. This is a nice feature.

Administrators have granular control over the Proofpoint encryption keys. You can undelete previously deleted keys, change the expiration timestamp for a key and toggle the access to a secure message for each recipient of the message.

Proofpoint has some caveats when using Outlook and Exchange for encrypted messages. First, you should examine two Microsoft Knowledge Base articles (912939 and 958881) to set up Exchange to work properly with Proofpoint's Encryption. If using the combination of Outlook 2007 running on Windows Vista, when a user receives an encrypted message, he or she should open (rather than save and then open) the attachment in order to authenticate and decrypt the message. The decryption routine won't work if the attachment is saved first.

I uncovered another issue when I used Microsoft's proprietary Exchange Rich Text message format to send encrypted messages. Proofpoint recommends turning off this option in Exchange globally-or for users who do frequent encryptions-because this special format can't be sent to non-Exchange/Outlook recipients.

As mentioned above, administrators can easily search for particular messages, including the encrypted ones. Also included in the product is a large collection of preset reports on top senders, common viruses detected and other message trends. This is fairly typical for e-mail products of this class. You just scroll down the list of reports and select the reporting period (such as last day, week or month) and click on the report. You can export the information to a spreadsheet, e-mail it or further customize the output.

There's a lot more than encryption in Proofpoint's Protection Server. It offers a powerful e-mail policy and rules processing engine, similar to old standards such as Sendmail's Sentrion and other e-mail heavyweights. If you're looking to upgrade your e-mail server with a single security device, this might be the ticket.

There are modules for anti-spam processing, for antivirus (licensed from F-Secure) and for general e-mail firewall tasks, such as blocking messages with large attachments or attached executable files. These all cost extra and are licensed for a particular number of user mailboxes. The pricing scheme is complex, one might say annoyingly so.

Proofpoint has also put a lot of work into its data loss prevention rule sets. While not as fully featured as a dedicated DLP product from Code Green or others, these rule sets have the ability to add compliance rules around detecting Social Security numbers and credit card strings that are included in e-mails. But Proofpoint charges dearly for this module, too, reflecting the higher fees DLP providers can get for their offerings.

The bottom line is that Protection Server is a worthwhile product (or service, if you purchase the Web version) that you may want to look at if your existing e-mail system is ready to be replaced.

David Strom is a writer, blogger and speaker with years of experience in the information technology field.

Data Box

Proofpoint On Demand Protection Server v

P340 Proofpoint Messaging Security Gateway

892 Ross Drive

Sunnyvale, CA 94089

408 517 4710


Up to 250 Users: $3995

Encryption: +$2025

Anti-Spam: +$4000

Anti-Virus: +$3200

Zero-Hour: +$2720

Regulatory Compliance: +$6950

There are two bundles of these modules that are less expensive. Prices go up for additional users.