Email encryption has come a long way since the mere mention of "PKI" was enough to drain the blood from an administrator's face. Simplified and/or offloaded key and certificate management make many of the products and services on the market easy to swallow at a time when regulatory compliance and fear of sensitive data leakage are prompting many organizations to take a fresh look.
Encryption has become an essential component of every major email security vendor's offerings, generally through partnerships or acquisitions. Trend Micro Inc., which chose the latter route when it bought U.K.-based Identum Ltd. in February, announced its Email Encryption Gateway today. The product, which will be available Dec. 1, sits beside Trend's InterScan Messaging Suite as a VMware Inc. virtual appliance.
"As industry best practice, organizations are going to realize they better do something about protecting the content of email," said Michael Osterman, principal of Osterman Research Inc. "I think a lot of them will invest in it; part of it is that email encryption is really not all that hard to do -- it's fairly easy to implement."
Easing or removing the burden of key management is critical to opening up the encryption market. Trend addresses the issue by managing keys in the cloud, enabling identity-based encryption: that is, sending an encrypted email to any legitimate address without requiring pre-enrollment. Trend leverages its own certificate authority to take the burden off the company.
"When we ask customers what they want, what's nirvana when it comes to email encryption, they talk about the ability to control their secure messages just like any other email," said Todd Thiemann, Trend's senior director of data management.
Regulatory compliance, particularly for HIPAA, is sparking most of the interest in email encryption. While the regulations are nothing new, companies are starting to see tighter scrutiny. Although HIPAA's guidelines for protecting patient information are broad, Thiemann said, "the interpretation for them is evolving," as auditors and healthcare organizations have more experience with them. "They need to make sure patient information going out of the hospital is encrypted."
In addition, Osterman thinks the business climate following the implosion in the financial services sectors will lead to tighter regulatory enforcement.
"I think we'll see more legal scrutiny, regulatory scrutiny on a wide number of levels as a result of the bailout and so forth, and I think encryption is going to be one of those things that people are starting to look at," he said. "We've had encryption as a compliance issue for a long time, but I think it's going to be much more of a top of mind issue for a lot of people."
What haven't been on the books for a long time are new personal data protection laws in Nevada and Massachusetts. The Nevada law, which went into effect Oct. 1, requires that transmission of personally identifiable information over public networks be encrypted. The Massachusetts law, which takes effect Jan. 1, is more far-reaching, requiring encryption not only in transmission, but also on laptops and removable storage devices. While myriad state breach disclosure laws have accelerated adoption of encryption, these new statutes -- and those likely to follow -- should push more organizations to encrypt.
Nonetheless, email encryption is still a developing market. Pure-play vendors like PGP Corp., Voltage Security Inc., ZixCorp, Entrust Inc. and DataMotion Inc. figure heavily on their own or through partnerships with email security companies. In addition to Trend Micro, IronPort, which is part of Cisco Systems, added encryption from its acquisition of PostX, and Secure Computing, which was recently acquired by McAfee, offers encryption as part of its IronMail email security package.
Gartner estimated the market at $120 million in 2006, predicting steady annual growth of 10% to 15%. Osterman's own survey of 205 North American and European companies (commissioned by messaging security company CertifiedMail) showed that nearly half lacked the ability to encrypt email at the desktop, and only 13% had policy-based email encryption.
Automated encryption based on policy is a critical piece of most of the products available, taking the decision out of the users' hands. That assures compliance and makes the process transparent to the user, who might otherwise not know if encryption is appropriate, forget or simply not bother. Email Encryption Gateway can enforce policy from InterScan Messaging Suite or from third-party email security products.
Trend's Email Encryption Gateway completes the Identum integration, which began with a client-only solution for small organizations in July, followed by a hosted service in September. The Gateway is sold on a subscription model, at $60 per user. The service is $18 per user. Thiemann said the early introduction of the service reflects the emphasis Trend places on the growing Software as a Service (SaaS) market.
That's underscored by consolidation of the hosted email security market, as the three biggest players have been acquired, starting with Microsoft's purchase of FrontBridge Technologies in 2005, Google's acquisition of Postini last year and Symantec's purchase of MessageLabs in October.
Email encryption services take a particularly knotty and expensive security function off IT managers' plates. In addition, they allow companies to roll email encryption out in stages, by group, depending on priority and budget.
"A lot of IT people, particularly those that have been in the business 10 years or more, still have sort of a bad taste in their mouth about the original PKI infrastructure, and the lack of scalability and the cost and having to manage keys," said Osterman. "A hosted service offloads that headache; there's no capital expense, no key management; just turn it on. That's going to be a very appealing scenario for a lot of people."