The best email encryption products: A comprehensive buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
Email encryption software, as the name implies, encrypts email messages and attachments in transit from sender to receiver to protect their contents from unauthorized disclosure. Email encryption software may function automatically, encrypting messages based on content, attachment type or other attributes. Or it may function manually, requiring the user to choose an encryption option for each email message to be protected.
Email encryption software has been around for many years, and there are many different use cases for enterprises. The first generation of products is based on public key infrastructure (PKI), which can be extremely costly to set up and maintain. PKI-based email encryption software also suffers from usability problems, because it requires manual key exchange to send emails, particularly to recipients outside the organization. Users faced with performing these key exchanges often send the wrong keys to each other or encounter recipients who do not have keys, and therefore could not receive emails until they had learned how to generate keys.
The second generation of email encryption products, which is in much wider use today compared to the first generation, is not PKI-based. These generate keys dynamically and handle all or virtually all of the key management behind the scenes. This article primarily covers second-generation email encryption products.
Second-generation products selected for evaluation are Cryptzone Secured eMail, DataMotion SecureMail Desktop and DataMotion SecureMail Gateway, ProofPoint Email Encryption, Trend Micro Email Encryption and Voltage SecureMail (Enterprise Edition). In addition, this article covers one first-generation product, Symantec Desktop Email Encryption.
It can be intimidating to determine which email encryption product is the best fit for an enterprise, especially when vendors start using lingo like "identity-based encryption." To get organizations started in their product-evaluation processes, this article describes how these top products meet the basic criteria for email encryption product evaluation.
Email encryption vendors should have adequate responses to all six of these evaluation criteria. If a vendor is not forthcoming with answers to these fundamental principles of email encryption, organizations should consider evaluating other products where the information is more freely available.
Internal and/or external user support
An email's typical path from sender to recipient includes the following: sender's email client to sender's email server, sender’s email server to recipient’s email server, and recipient’s email server to recipient’s email client. Typically, there are different encryption mechanisms in place for encrypting messages sent to external recipients than there are for internal recipients, because the former requires the use of external email servers versus only internal email servers.
The second generation of email encryption products provides support for both internal and external users, but the nature and level of this support varies considerably among products. For example, Cryptzone Secured eMail only provides manual encryption (encryption specifically requested by the sender) and does not provide automatic encryption (encryption automatically applied by the gateway based on enterprise policies). On the other hand, Trend Micro Email Encryption and Voltage SecureMail (Enterprise Edition) both offer manual and automatic encryption for internal and external users.
One of the most important decisions to make before evaluating products is whether automatic and/or manual encryption is needed for external and/or internal users. Products that offer all of this functionality may be a great fit or may be overkill. Consider both the organization’s current needs and future needs, and also be sure to contemplate how email encryption services might be able to take the place of other enterprise services, such as automated secure file transfers.
Existing email infrastructure integration
Another criterion to consider is whether the email encryption product integrates with an organization’s email infrastructure, both clients and servers. Generally speaking, email server interoperability is merely a concern with first-generation products, such as Symantec Desktop Email Encryption, which only supports Microsoft Exchange and Lotus Domino Server. Second-generation products generally work as appliances or cloud-based services, independent of the organization's email server. An exception is Cryptzone Secured eMail, which is only a client-based product.
Evaluating the supported email clients is tricky, because -- in many cases – it is simply not relevant. If an organization is only going to perform automatic encryption at the server layer, and not manual encryption at the client, then the client support does not matter. But if encryption at the client is a concern, then it is very important to consider which clients are supported.
All vendors support Microsoft Outlook, with Trend Micro Email Encryption and Voltage SecureMail (Enterprise Edition) supporting Microsoft Outlook only. DataMotion SecureMail Desktop supports Microsoft Outlook and Lotus Notes. The widest range of clients is supported by Cryptzone Secured eMail: Microsoft Outlook, Mozilla Thunderbird, Lotus Notes and Apple Mail. (Note: as this article deals specifically with desktop/laptop clients, support for mobile operations and cloud email services such as Google Apps and Microsoft Office 365 is not covered here.)
Be wary of selecting an email encryption product that will necessitate migrating users to a new email client because of the inconvenience and frustration this will inevitably cause.
Strength of cryptography
The cryptographic algorithm currently considered the best practice for encryption is the Advanced Encryption Standard (AES) algorithm. AES uses a minimum of a 128-bit key, but most vendors have been moving to 256-bit keys in their products for greater cryptographic strength. The longer the key, the more resistant the encryption is to brute-force attacks over time.
All of the second-generation products reviewed in this article support AES; the DataMotion products support both AES and Triple Data Encryption Standard (3DES). While 3DES support is included for backwards compatibility, AES is stronger than 3DES, so it is recommended to configure DataMotion products to use AES, not 3DES. Cryptzone Secured eMail, ProofPoint Email Encryption and Trend Micro Email Encryption all publicly state they use 256-bit AES keys.
The other vendors, meanwhile, do not specify a key length. This information should be made publicly available, however, as it limits potential customers' ability to properly compare these vendors' products with others for this criterion. Although 128-bit keys may be acceptable in the short term, 256-bit keys are preferable today and a necessity in the future.
The first-generation product, Symantec Desktop Email Encryption, is based on the OpenPGP and Secure/Multipurpose Internet Mail Extensions (S/MIME) protocols. These protocols are based on well-respected international standards, so they may be cryptographically sound, but their usability suffers in comparison to second-generation products.
First and foremost, it is critically important that any email security product be able to encrypt email file attachments. Failure to do so should be a showstopper when it comes to product evaluation. All the products covered in this article support encryption of file attachments.
Various second-generation products provide additional file security options besides file attachment encryption. One is to support large file attachments, larger than the email systems themselves can normally support; this is possible because the recipient is receiving a link to a Web-based interface for retrieving the attachment, instead of directly receiving the attachment itself. Some products support large file transfers natively: DataMotion SecureMail Gateway supports 100 MB file transfers natively, while Cryptzone Secured eMail supports 200 megabyte file transfers natively. Both DataMotion and Voltage SecureMail (Enterprise Edition) offer add-on products enabling them to handle even larger file transfers. If an organization needs to securely transfer large files, particularly to external recipients, doing so through email encryption software is worth considering.
Another file security option offered through some second-generation products is the ability to have encryption "stick" with a file after the file has been downloaded and is no longer part of an email message. While none of the products natively offer this ability, Cryptzone Secured eMail, DataMotion SecureMail Gateway and Voltage SecureMail (Enterprise Edition) sell add-ons that do. Again, if an organization has a need for encryption to "stick" to its files, this may be a feature worth seeking out.
Mobile device support
With so much of today's work occurring on mobile devices -- smartphones and tablets -- it is critical for users of manual encryption to have access to the technology from these devices. Fortunately, all of the second-generation products offer a Web-based interface accessible through any mobile device Web browser and/or offer apps for the most common mobile platforms (iOS, Android, Blackberry, etc.). It is recommended that during the evaluation process, an organization test these mobile interfaces to ensure they function properly and are sufficiently usable for their mobile environment.
Policy- and identity-based encryption
Policy-based encryption simply means email encryption decisions are made automatically based on enterprise policies, such as encrypting all emails containing credit card numbers or encrypting all emails sent by human resources. Today’s second-generation email encryption products use policy-based encryption. Any product that accepts enterprise policies for encryption is, by definition, using policy-based encryption. This is to be expected with all second-generation products.
Any product that accepts enterprise policies for encryption is, by definition, using policy-based encryption. This is to be expected with all second-generation products.
Identity-based encryption is the automatic generation of keys based on a characteristic of the recipient, typically the recipient's email address. Some products, notably Trend Micro Email Encryption and Voltage SecureMail (Enterprise Edition), support international standards for identity-based encryption. Other products do not state how they handle keys, other than that they generate and manage keys dynamically behind the scenes.
Frankly, this level of detail may be too deep in the weeds to be analyzed as part of an evaluation. Organizations should not consider it a deal breaker if the product they are evaluating does not have formal identity-based encryption support.
What should be of interest instead, however, is whether recipients have to register, provide a password or give other credentials in order to decrypt an email. This is more common with identity-based encryption products, such as Trend Micro Email Encryption, because they need a way to get a private key to the recipient, but most second-generation products offer options for authenticating recipients, otherwise anyone who intercepted the email destined for the recipient might be able to simply follow the hyperlink in the email and gain access to the encrypted resources.
There are a wide variety of second-generation email encryption products available to safeguard email messages and attachments as they are carried across networks. These products perform all key management in the background, so they all provide highly usable email security products that strongly encrypt sensitive data, protecting it from observation while in transit between sender and recipient.
There are significant differences, however, in how smoothly these products can be integrated into any particular environment. For instance, which email clients they support if manual encryption is desired.
Any of the second-generation email encryption products profiled in this article would be a good choice for enterprise deployment, with the Trend Micro Email Encryption and Voltage SecureMail (Enterprise Edition) products being particularly strong, flexible candidates. That being said, the criteria presented here give a basis for differentiating products from each other to help ensure an organization gets a product that does everything that is needed for its particular environment.
Email encryption products can also take the place of existing workarounds -- such as manual secure file transfer methods -- so organizations should carefully consider how these products benefit their environment, not just in the present, but in the future as well.
Learn more about the two primary types of encryption available today
Discover which email encryption products are ready for international use