E-mail encryption has been around almost as long as e-mail itself, but due to quirky installation and support requirements, the security technology hasn’t been very popular with many enterprises. Fortunately, the current crop of e-mail encryption products and services includes options that are easy to deploy and use and that don’t require a great deal of IT support to operate.
One such easy-to-deploy option is Hushmail Business, an entirely hosted solution from longtime e-mail encryption player Hush Communications Canada. As a hosted service, the Hush offering carries no client-side installation requirements. However, the company does offer an Outlook plug-in that works with Exchange and automatically handles the authentication and exchange encryption keys-something that used to be a major support headache. On the server end, administrators need only configure a company e-mail domain with Hush to handle the encrypted e-mail traffic.
This hosted arrangement can be a plus or a minus, depending on your organization’s particular circumstances and bias toward maintaining servers on premises. Hush is working on an update, slated for availability later in 2010, that would allow companies to choose whether to support encrypted communications for selected users rather than the entire domain.
The basic business account starts at $24 a year per user for 50MB of storage; a premium service offering more storage (currently 250MB, soon to be expanded to 10GB) costs $48 a year per user. In addition, Hush offers a free personal version of the service that has most of the features found in the business product but tops out at 2MB of storage.
Other encryption products, such as those from PGP and Voltage Security, cost several times Hush’s basic price, so Hush’s main advantages are cost and speed of implementation, given that there is nothing that needs to be installed. The service will interoperate with PGP e-mail, once the appropriate keys are exchanged. The administrative features are spare, but that makes it easier for corporations looking to get started quickly with encryption.
You have two options for your e-mail client: Use Hush’s Web client or download an Outlook plug-in. Whichever method you use, all your e-mail can be archived for an extra $10 a month per domain-something new to the current version.
While I was impressed with the plug-in, I hit a snag during my tests with Outlook XP (newer versions are fine) that caused problems with forwarded and replied messages. I found that messages I sent using the plug-in reached recipients either as blank messages or as blocks of encrypted data.
To resolve this issue, I had to install Microsoft Office XP Service Pack 2 and the update referred to in Microsoft Knowledge Base Article 812262.
Another problem I had with the plug-in is that I had to be connected to the Internet to use it, meaning that I couldn’t compose offline encrypted messages. If your company has a lot of frequent travelers who want to compose their e-mails when away from a broadband connection, this could be an issue.
From the Hush Web client, I was able to encrypt my messages, digitally sign them (so that recipients will know they weren’t tampered with during transmission) and request receipts. If you choose to encrypt a message to a user who isn’t listed on Hush’s key server, you will be given a choice of a question and a passphrase that will be presented to the user when he or she first gets the encrypted message. If the recipient answers the question correctly, the message will be decrypted and presented to that person. While this isn’t as secure as exchanging crypto-keys, it does protect your e-mails from being intercepted in transit.
The Hush service includes an optional Java applet that encrypts messages typed into the Webmail interface on the client side before that content reaches the Hushmail servers. For users who don’t have Java installed or don’t wish to use it, the content is encrypted after it reaches Hush. Either way, the content travels across an SSL (Secure Sockets Layer) connection, so users still have some protection.
It is a minor point, but it does show that Hush is going the extra mile. The company seems determined to plug as many possible attack entry points as possible, and for that it should be commended.
Hush’s preferences page isn’t quite as robust as that of Gmail or some other Webmail products, but there are a fair number of options to choose from. For example, you can automatically encrypt all outgoing messages, display all e-mails in plain text or HTML, set up automatic responses and append a footer text to all messages.
Admin features and forms
One thing lacking from Hush is that you don’t have the automatic user self-registration that other vendors such as PGP and Proofpoint offer. This means that all users need to be preregistered and set up in the system first. The other products allow users to receive encrypted e-mails and then register themselves.
All of the business accounts for a domain can be managed for $10 a month per domain, and include features such as usage reports, whitelist and blacklist controls, and e-mail forwarding configurations.
One of the nice features of the business client is the ability to include secure forms to handle encrypted communications from the general public at no additional charge if they host the forms, or for $4 per month if you want to host the form on your own Website. This makes it easier for your customers and suppliers to communicate with you and still take advantage of encrypted messages, without having to set up anything on their end.
You set everything up online with your Web browser and can make any modifications to the raw HTML code. Within a few minutes, your form will be online. When a visitor to your Website fills out the form, the content is e-mailed securely to a special inbox.