The secure messaging market is hampered by too many standards and deployment options, according to new research by Burton Group.
The lack of a universal framework impedes interoperability and makes it difficult for an enterprise to deploy secure messaging for communications with partners and clients outside of the organization, said Randall Gamby, analyst at the Midvale, Utah-based research and consulting firm.
As a result, most organizations are deploying systems that enable email content encryption and confidentiality on a limited basis – for example, a single department – instead of enterprise-wide, he said.
"What we're finding is if there's a 10,000-person organization, you probably have 100 people doing secure messaging," he said. "I call it a glass ceiling because of this interoperability issue."
There are several different standards for secure messaging: S/MIME, SSL and its successor TLS (Transport Layer Security), OpenPGP, and Identity-Based Encryption (IBE). "Each vendor in this market decides which standards they're going to support and they don't support all four," Gamby said.
On the decryption side, there are multiple methods for key management, such as message keys and per-recipient keys. Then, there are seven deployment options, including an external website access "pull" method for retrieving messages, an external client interface "push" system, encrypted PDF messages, and a hosted site.
"If you have trusted partners, then maybe you can do something on the infrastructure side [for secure messaging], but if it's millions of clients, how do you handle everything under the sun?" Gamby said.
Companies have told Burton Group that they would like secure messaging incorporated into their corporate messaging solution. IBM has indicated strong interest in the market, Gamby said, and is beginning to explore secure messaging to non-Lotus Notes/Domino environments. Also, Microsoft teamed with Voltage Security on the software giant's hosted Exchange encryption service.
The market for secure messaging is fragmented, with no one vendor commanding a substantial share, Gamby said. Vendors offer solutions in three basic categories: integrated software plug-ins, email gateway appliances or software, and software-as-a-service (SaaS).
Gamby said there doesn't appear to be much hope, at least in the foreseeable future, for a universal framework for interoperable secure messaging. But e-discovery demands and regulatory requirements are increasing interest in secure messaging, he said, adding, "The regulations will start to drive this a little harder."
John Dasher, director of product management at PGP Corp., an email and data encryption company based in Menlo Park, Calif., said Gamby raises important questions for customers, but added that just as standards allow people with different email systems to communicate, they allow for secure messaging. "If you're using standards-based products, you're pretty much in the clear," he said.