EXPERT RESPONSE
Since it's not clear what your needs are, it's hard for me to determine whether email encryption will help. If you tend to send private data or intellectual property to trading partners frequently, then investing in a gateway-based encryption capability is a good idea. Some other potential use cases include customer service reps that communicate with customers via email or chat. You may have regulatory filings that are sent to various governmental agencies electronically. All of these situations could be a good fit for a policy-based email encryption gateway.
The big advantage of an encryption gateway approach is that the responsibility of knowing which messages to encrypt is taken out of the hands of the user. Even the best user-training program won't cure all ills; we're talking about educating humans, who make mistakes. Given the brand damage and liability at stake if private data is breached, I recommend adding another layer of security to your data -- i.e. some sort of automated check -- to keep the users honest.
Gateways figure out what messages need to be protected based on a variety of attributes. Policy triggers can include sender, recipient, subject lines, body content, attachments and lots of other data points. Once a message is deemed to require protection, there are lots of options to encrypt the data as well. A number of email security gateways can transparently send the message to an email encryption engine (PGP, Voltage, Tumbleweed, etc.) for processing. Messages can also be securely stored on a staging server, which securely stores the message and presents it to the recipient through an authenticated webmail-like interface.
On the downside, a workflow needs to be established for how to deal with false positives, false negatives and policy violations. Since email (the messages that would be encrypted, anyway) is pretty sensitive, you probably don't want a message quarantined or diverted that has valuable information.
Another potential downside is the ongoing challenge of key management, especially in an inter-enterprise situation. For as long as email encryption technology has been around, these issues continue to plague its adoption.
For more information:
Learn which public keys are used for email encryption.
In this SearchSecurity.com Q&A, security expert Ed Skoudis examines if email forwarding can be prevented.
|
