The big advantage of an encryption gateway approach is that the responsibility of knowing which messages to encrypt...
is taken out of the hands of the user. Even the best user-training program won't cure all ills; we're talking about educating humans, who make mistakes. Given the brand damage and liability at stake if private data is breached, I recommend adding another layer of security to your data -- i.e. some sort of automated check -- to keep the users honest.
Gateways figure out what messages need to be protected based on a variety of attributes. Policy triggers can include sender, recipient, subject lines, body content, attachments and lots of other data points. Once a message is deemed to require protection, there are lots of options to encrypt the data as well. A number of email security gateways can transparently send the message to an email encryption engine (PGP, Voltage, Tumbleweed, etc.) for processing. Messages can also be securely stored on a staging server, which securely stores the message and presents it to the recipient through an authenticated webmail-like interface.
On the downside, a workflow needs to be established for how to deal with false positives, false negatives and policy violations. Since email (the messages that would be encrypted, anyway) is pretty sensitive, you probably don't want a message quarantined or diverted that has valuable information.
Another potential downside is the ongoing challenge of key management, especially in an inter-enterprise situation. For as long as email encryption technology has been around, these issues continue to plague its adoption.
For more information:
Dig Deeper on Data security strategies and governance
Related Q&A from Mike Rothman
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ...continue reading
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.