As fears spread about anthrax-contaminated paper mail, secure e-mail is finally arriving.
The technology to make e-mail encryption a reality for businesses has often been criticized for being too difficult to implement, manage and teach to employees.
But the dream of secure e-mail is more alive today than ever, as technology emerges that takes the difficulty out of encryption, and the complexity out of the hands of the user.
“Its a prime time, in that youre getting regular press attention,” said Ken Beers, product line manager of Tumbleweed Communications, which provides tools for secure e-mail content distribution. “Everybodys talking about it and everybodys asking about it. And what weve seen is people beginning to understand it and the premise of it and start to go down that path.”
A recent Meta Group report stated that 47 percent of security departments surveyed planned to implement e-mail encryption within the year.
The facilitator of encrypted e-mail has also been its problem: public key infrastructure. It is considered a highly secure architecture for exchanging encrypted documents – utilizing two security keys, one public and one private. Baltimore Technologies, Entrust, RSA Security and VeriSign are PKIs biggest supporters.
But PKI is considered too difficult to implement on a wide scale, and too hard for most people in a business to use, because they have to encrypt each message.
New software available on the market today, however, takes the complexity out of encrypted e-mail, while maintaining most of the security. One of these solutions, Tumbleweeds Secure Mail, uses PKI, but requires only one key because it protects inbound and outbound messages at the enterprise gateway and not at the desktop.
Before using Secure Mail, I-managers can set the system up to automatically encrypt messages between particular individuals, departments or partners outside the network perimeter. For example, a company would most likely want to encrypt communications with its law firm.
Beers equates gateway-to-gateway encryption for e-mail with the way Secure Sockets Layer encryption has been used for years on the Web, encoding communications without the user ever even needing to know, let alone activate anything. “Whats really needed in the e-mail space is that same ease of use the Web has had for years,” Beers said.
Caelen King, product marketing manager of Baltimore Technologies, said while PKI is difficult to implement for desktop-to-desktop secure e-mail, it shouldnt necessarily be avoided for all business uses. “Gateway-to-gateway encryption wouldnt be acceptable in merger and acquisition cases,” King said. “But if you want to bulk encrypted messages, gateway-to-gateway is perfectly feasible.”
Sigaba, another e-mail security company, takes a slightly different approach, scrambling the message from desktop to desktop so that even the e-mail gateway doesnt have an unencrypted copy. The solution appends the e-mail message with an encrypted HTML attachment and the recipient needs a password to open it.
Another resolution in the industry has been the overwhelming support for Secure Multipurpose Internet Mail Extensions (MIME) as a standard for sending encrypted mail over Pretty Good Privacy. The major e-mail platforms from IBMs Lotus Development, Microsoft and Netscape have adopted S/MIME.
The government has supported the use of encryption between businesses to secure online commerce transactions. Recent laws requiring financial institutions and health care companies to secure communications have driven wider-scale use of e-mail encryption, King noted.
“From a business perspective, the government views [e-mail encryption] as essential for real electronic commerce to take place, for secure communications as a super set of secure e-mail,” he said.
Robert Cook, CEO and chairman of Sigaba, said up until now, I-managers have been faced with unsympathetic senior-level executives on the topic of secure e-mail.
“Theres a disconnect between the CEO that thinks theres no problem, and the IT guy who cant budget for it,” Cook said.
With talk of cyberterrorism and the anthrax scare in the news, that disconnect has been resolved.