Protecting E-Mail, Your Weakest Link

I-managers who aren't convinced that e-mail is their weakest link should be prepared to say goodbye to valuable intellectual property - and they may be leaving themselves open to corporate espionage, public relations fiascoes and legal liability.

Atabok, an e-mail security technology provider, estimates that about 60 percent of a company's intellectual capital can be found in digital form somewhere in its e-mail messaging system. "You can quickly see the potential risk that you face," says Jeff Wyne, Atabok's vice president of marketing.

With Internet e-mail, any digital document accessible by an employee is subject to mass distribution. And in addition to potentially letting sensitive and proprietary data slip outside the firewall, e-mail also poses problems in the courtroom. Digital versions of documents that have otherwise been destroyed have a funny way of showing up once a subpoena has been served.

"There have been public cases, like Microsoft, where not managing e-mail archives becomes a major issue," says John Dawes, vice president of product marketing of Omniva Policy Systems, formerly called Disappearing Inc. "Large companies undergo a lot of litigation, and the prime target these days is e-mail."

E-mail security companies such as Atabok, Authentica, Omniva and ZixIt say their products are designed to keep e-mail messages — and their contents — under lock and key.

These systems seal e-mail messages with strong encryption, using some version of public key infrastructure (PKI) technology to ensure that only the intended recipient can read the message and to allow the sender to manage what happens with the message after it's been sent.

Tools to prevent personal messages from being distributed have long been available, but Dawes says those programs have only recently been made robust and manageable enough for wide-scale corporate use.

A June report by the Hurwitz Group indicates that businesses are beginning to see the value in secure messaging. Nearly 43 percent of survey respondents have already implemented some kind of e-mail security, while another 32 percent are either planning to deploy it in the next year or are evaluating current solutions.

"Everyone recognizes this as something you want to have the capability of doing," says Pete Lindstrom, Hurwitz's director of security strategies. "They're still trying to figure out how to deploy it within their enterprises and their data centers."

Landor Associates, a San Francisco brand design and management firm, uses Atabok's VCNMail program to protect its clients. Landor handles branding campaigns for big-name companies such as Ford Motor, The Gillette Co. and Kellogg. In the process of developing new corporate images, the company needs to send large files — sometimes as large as 500 megabytes.

"If a new identity for a company were leaked out in advance of that company deciding it was time, that would not be good," says Aaron Everhart, Landor's technology manager.

When a Landor designer sends an e-mail, Atabok's VCNMail applies 256-bit encryption to the file, and uses a certificate management system to verify the identity of the recipient. To decrypt and read the document, the recipient has to be a registered user and must download a small software client from the Web that can verify his or her identity.

Neither VCNMail nor any other e-mail security platform uses standard PKI systems — such as those from Baltimore Technologies or VeriSign — because the vendors have deemed them too difficult for customers to manage. Instead, they offer their own versions that automatically distribute authentication certificates to users.

"We like to think we've taken the traditional PKI process, removed all the difficult burdens of it, and kept all the strengths of encryption and digital signatures," says Ted Hull-Ryde, ZixIt's vice president of product strategy.

ZixIt's ZixMail service, which costs $24 per year, gives a sender the additional option of mailing the document to ZixIt's Web site, and then sending a user name and password to the intended recipient. The recipient would view the document on a Web site rather than in his e-mail inbox.

A common process among these secure e-mail platforms is that every time someone wants to open that document, an automatic query shoots over the Internet to an authentication server — hosted by either the customer or a service provider — inquiring about the current permission status for that message. That way, senders can apply some form of post-delivery control — even shutting off access if they no longer wish the message to be viewed. Other levels of permission can be applied, such as how long messages can be viewed; whether they can be forwarded, copied or saved; and whether they can be viewed offline.

"The fact that the policies and keys remain under your control gives you the ability to change your mind later on," says Jim Hickey, Authentica's vice president of marketing. This is especially useful for temporary employees or workers who have been fired.
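The per-open permission check described above can be modeled as a key-release server: the encrypted message travels by e-mail, while the content key stays on a server that decides on every open whether to hand it out. The sketch below is an added example, not any vendor's code; the class and function names, the message ID and the addresses are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Policy:
    recipients: set
    expires_at: float      # epoch seconds after which opens are refused
    revoked: bool = False
    # 256-bit content key, generated and kept server-side (assumed design)
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

class PolicyServer:
    """Holds content keys and policies; never sees the e-mail itself."""
    def __init__(self):
        self._policies = {}
        self.audit = []    # (msg_id, user, decision) for every open attempt

    def register(self, msg_id, recipients, expires_at):
        self._policies[msg_id] = Policy(set(recipients), expires_at)

    def revoke(self, msg_id):
        # Sender changes their mind after delivery.
        self._policies[msg_id].revoked = True

    def request_open(self, msg_id, user, now):
        """Return (key, decision); key is None unless access is granted."""
        p = self._policies.get(msg_id)
        if p is None:
            decision = "unknown-message"
        elif user not in p.recipients:
            decision = "not-a-recipient"
        elif p.revoked:
            decision = "revoked"
        elif now >= p.expires_at:
            decision = "expired"
        else:
            decision = "granted"
        self.audit.append((msg_id, user, decision))
        return (p.key if decision == "granted" else None), decision

def demo():
    # Constructed scenario: one message, one legitimate recipient.
    srv = PolicyServer()
    srv.register("msg-1", ["alice@example.com"], expires_at=1000.0)
    out = [srv.request_open("msg-1", "alice@example.com", now=10.0)[1],
           srv.request_open("msg-1", "mallory@example.com", now=10.0)[1]]
    srv.revoke("msg-1")
    out.append(srv.request_open("msg-1", "alice@example.com", now=20.0)[1])
    return out
```

If a policy permits offline viewing, the client has to cache the key, so a revocation only takes effect the next time that client checks in with the server.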