The big advantage of an encryption gateway approach is that the responsibility of knowing which messages to encrypt is taken out of the hands of the user. Even the best user-training program won't cure all ills; we're talking about educating humans, who make mistakes. Given the brand damage and liability at stake if private data is breached, I recommend adding another layer of security to your data -- i.e. some sort of automated check -- to keep the users honest.
Gateways figure out what messages need to be protected based on a variety of attributes. Policy triggers can include sender, recipient, subject lines, body content, attachments and lots of other data points. Once a message is deemed to require protection, there are lots of options to encrypt the data as well. A number of email security gateways can transparently send the message to an email encryption engine (PGP, Voltage, Tumbleweed, etc.) for processing. Messages can also be securely stored on a staging server, which securely stores the message and presents it to the recipient through an authenticated webmail-like interface.
On the downside, a workflow needs to be established for how to deal with false positives, false negatives and policy violations. Since email (the messages that would be encrypted, anyway) is pretty sensitive, you probably don't want a message quarantined or diverted that has valuable information.
Another potential downside is the ongoing challenge of key management, especially in an inter-enterprise situation. For as long as email encryption technology has been around, these issues continue to plague its adoption.
For more information:
This was first published in June 2007