Vendors emphasize simplicity in e-mail security
By William Jackson
Feb 17, 2005
SAN FRANCISCO - Regulatory requirements for both the private sector and government mandate that sensitive information be protected and communications documented, creating a market for new e-mail encryption products and services.
"For the first time since the inception of spam, we are seeing something besides spam driving this market," said Matt Anthony, director of product marketing for CipherTrust Inc. of Alpharetta, Ga.
But regulatory compliance is complicated by the dynamic character of e-mail communications.
"People are still trying to figure out what they need," Anthony said.
At this week's RSA Security Conference, CipherTrust is offering a new version of its IronMail Secure Web Delivery Server that provides a Web delivery system for encrypted e-mail.
"We have been surprised to find how well this meets the needs of many of our customers," Anthony said.
For those whose needs are not met by IronMail, a host of other schemes for Web and hosted services are being offered by exhibitors.
IronMail began as a hardened appliance at the gateway to filter inbound and outbound e-mail for spam, malicious code, phishing and policy compliance. The Secure Web Delivery Server adds a staging server that provides access to encrypted mail that cannot be delivered to the desktop.
IronMail applies policy to decide if an outgoing message should be encrypted. If an encryption key or a Transport Layer Security connection is not available for the recipient, the message is encrypted and routed to a server, which generates an e-mail notice for the recipient with a link. Access to the message can be controlled by password or by other authentication methods.
The new version of the product includes improved administrative tools, along with the ability to send secure attachments and return them in secured replies.
The scheme is not perfect. Although it enables replies, it can only be initiated by one party.
"Where we find it is not a powerful solution is when you have a lot of back-and-forth traffic with remote employees who want complete functionality of attachments at their end," Anthony said.
PostX Corp. of Cupertino, Calif., also uses a Web browser to deliver encrypted e-mail. Its PxMail is offered as a hosted managed service for deployments of fewer than 5,000 seats. The company wants to target smaller government agencies and offices where a public-key infrastructure is not practical.
"This is a tremendous push," said vice president of product strategy Scott Olechowski. "They have done a lot of PKI stuff, and that isn't always useful with a broader audience."
A variety of policies or flagging methods can be used to select e-mail for encryption. Encryption is done by the customer with 256-bit-key Advanced Encryption Standard, usually at the gateway. Keys are managed by PostX.
The encrypted message is packaged as an attachment in an HTML file, which opens in the recipient's default browser. Access and decryption are password- or certificate-protected. The recipient must be enrolled in the service to open the attachment, but it requires no software on the recipient's desktop.
Privacy Networks Inc. of Fort Collins, Colo., offers e-mail security and management in its Internet Communications Security Suite.
"We are tying together the entire flow in securing computer communications, inbound and outbound," chief executive officer Todd Massey said.
ICSS has four components:
- Validation, which uses antivirus, heuristics and statistical analysis to block unwanted e-mail
- Mobility, which can redirect selected mail to a mobile device
- Encryption on the gateway
- Vault, for record retention.
The goal is corporate-level control of all traffic, not just e-mail, Massey said.
"The technology can be deployed on voice over IP," he said.
NFR Security Inc. of Rockville, Md., wants to focus on VOIP.
"We're an intrusion prevention company, and we're going to release a protection package for VOIP," CEO Andre Yee said. "There are very few exploits targeted at VOIP now, but there is a need for ensuring attacks don't occur."
Because there have been few VOIP attacks, NFR Sentivist uses a technique called confidence indexing to calibrate the level of confidence that incoming traffic is valid. To start with, confidence will focus on VOIP protocol compliance, Yee said. The customer will set the confidence threshold to determine the level of security and protection against false positives.
Sentivist is now available, but so far there have been few buyers.
"We are seeing a great amount of interest," Yee said. "It's still early."
It probably is too early for the federal market, he said. Although there is a lot of government interest in VOIP, there has been little implementation so far.
William Jackson is a Maryland-based freelance writer.