Network Security Security-Basics

RE: Securing Email

Subject: RE: Securing Email
Date: 26 Dec 2007 15:06:38 -0000
Oh, such a gloriously big and incomplete topic! First, I have to soapbox just a 
moment...

<soapbox>
SMTP is old and insecure and needs to die. Our 'solutions' to email security 
are always messy band-aids. This protocol should really be dead already in 
favor of IM-based or SMS types of communications...  That or email should never 
be used for anything confidential/sensitive, at all.
</soapbox>

Ok, that's out of the way. I feel there are three types of email security 
topics:
I) Email at rest (i.e. in your Exchange server stores or client app stores)
II) Email checking from a client app <-> server app
III) Message encryption

I'm going to assume you are talking about III: Message encryption. This means 
if someone intercepts the email, they can't read it. In fact, any mail servers 
in between the source and destination won't even be able to read anything 
beyond the headers. Good stuff! And the stuff of good fluffy dreams for us IT 
geeks.... *sigh*

There are two types of solutions to this problem.
1) User encryption/decryption of the message
2) Server/appliance that does this for you


1) User encryption/decryption is typically done with gnupg/pgp encryption. 
Hopefully I'm sure we're all aware of the challenges with this method, namely 
key management, user training, and overhead on the client app side, both your 
own users and those of your recipients. If this email is all internal to your 
company, this might be manageable. If this is communications outside your 
company, this can be a nightmare unless your recipients also use and are 
familiar with this subject. Any IT admin who has had to deal with corporate 
mail encryption knows the frustrations of getting users to understand how this 
works and dealing with key management...ick.

2) Server/appliance email encryption solutions are misleading. They like to 
tout that your message is never decrypted until the recipient reads it, which 
is true. What they don't like to say is that the recipient needs to create an 
account/password and log into the server's web portal to get the email. They 
can't retrieve it using their own mail server or client. This is annoying and 
terrible...but that's what we get with SMTP band-aids. My company uses a Zix 
service [1] for email encryption. While this likely works great if your target 
company also uses Zix (they can talk to each other, I believe), when you're 
trying to send encrypted mail to some other user, say JohnDoe@blahblahblah.com, 
John Doe will get a note saying he has a message waiting for him on the Zix 
service. He then has to go to the Zix web site, log in, and retrieve the 
message. Annoying, yes, but it does allow you to hit the checkmark for 
encryption of confidential email when needed...just put "ENCRYPT" in the 
subject line and it heads into Zix...

[1] http://www.zixcorp.com/



<- snip ->

By secure I mean the message itself being encrypted. However, I don't think 
we'll be able to do anything as straightforward as a desktop-to-desktop 
solution because of email archival on Exchange that needs to happen before the 
message gets encrypted.

On 12/21/07, JD Brown <jd.brown (at) smallenoughtocare (dot) com [email 
concealed]> wrote:

Hi list, I would like to get some suggestions regarding products out
there to secure email. Preferably, I'd like to see an appliance that
could make the process as transparent as possible to the user. Any
input would be greatly appreciated.

Thanks,
JDB
