Moving encryption to the enterprise edge involves trade-offs
The Energy Department is adopting a cloud-based appliance to handle encryption of unclassified e-mail, taking the processing of encryption off the desktop and easing the department’s burden of handling digital certificates. But, “it’s not a good solution for everybody,” said Michele J. Thomas, the Energy Department’s PKI program manager.
As with any other tool, there are trade-offs, the first of which is the cost of acquiring and maintaining the appliance. “Some agencies might not have the resources to do it,” she said. “That can be a substantial consideration, with budget cuts.”
DOE is using the Entelligence Messaging Server (EMS) from Entrust, an appliance that sits alongside the e-mail server and encrypts outgoing e-mail at the edge of the enterprise, whether it is being sent from a desktop or from a mobile device in the field. Thomas called the adoption of EMS a cost-effective alternative to DOE managing its own digital certificates. But she said a department or agency must have a bona fide business case for bringing a new piece of equipment into the enterprise.
The evolution of the Personal Identity Verification card, which includes digital certificates for authentication, encryption and digital signing, along with infrastructures such as the Federal PKI Bridge that can leverage trusted certificates from other organizations, can make it easier to enable secure communications without a boundary encryption tool. But neither of these is fully mature.
The move away from static desktops to a more mobile environment in which workers use personal devices to access resources can muddle the picture, making a new appliance a more attractive alternative.
William Jackson is a senior writer for GCN and the author of the CyberEye blog.