Secure messaging complications result in limited protection |
 |
By Marcia Savage, Information Security magazine
27 May 2008 | SearchSecurity.com |
|
|
The secure messaging market is hampered by too many standards and deployment options, according to new research by Burton Group.
|
|
|
|
|
What we're finding is if there's a 10,000-person organization, you probably have 100 people doing secure messaging.
Randall Gamby,
analyst, Burton Group
|
|
|
|
|
|
|
|
|
|
The lack of a universal framework impedes interoperability and makes it difficult for an enterprise to deploy secure messaging for communications with partners and clients outside of the organization, said Randall Gamby, analyst at the Midvale, Utah-based research and consulting firm.
As a result, most organizations are deploying systems that enable email content encryption and confidentially on a limited basis – for example, a single department – instead of enterprise-wide, he said.
"What we're finding is if there's a 10,000-person organization, you probably have 100 people doing secure messaging," he said. "I call it a glass ceiling because of this interoperability issue."
There are several different standards for secure messaging: S/MIME, SSL and its successor TLS (Transport Layer Security), OpenPGP, and Identity-Based Encryption (IBE). "Each vendor in this market decides which standards they're going to support and they don't support all four," Gamby said.
On the decryption side, there are multiple methods for key management such as message keys and per recipient keys. Then, there are seven deployment options, including an external website access "pull" method for retrieving messages, an external client interface "push" system, encrypted PDF messages, and a hosted site.
|
| Secure messaging: |
Quiz: Secure instant messaging: A five-question multiple choice quiz to test your understanding of the content presented in the Secure instant messaging lesson of SearchSecurity.com's Messaging Security School.
Podcast: Top 5 quick tips for safer instant messaging: Michael Cobb of Cobweb Applications counts down five quick tips that can secure IM in the enterprise. Cobb discusses account naming rules, acceptable use policy, and instant messaging.
Messaging Security School: What is messaging security? The answer differs for every enterprise. To some, it means keeping malicious code out of end-users' inboxes. To others it's all about wireless devices and mobile malware. Still others know how critical it is to keep tabs on instant messaging use. Yet an effective enterprise messaging security strategy incorporates all these elements and more. |
|
|
|
|
"If you have trusted partners, then maybe you can do something on the infrastructure side [for secure messaging], but if it's millions of clients, how do you handle everything under the sun?" Gamby said.Companies have told Burton Group that they would like secure messaging incorporated into their corporate messaging solution. IBM has indicated strong interest in the market, Gamby said, and is beginning to explore secure messaging to non-Lotus Notes/Domino environments. Also, Microsoft teamed with Voltage Security on the software giant's hosted Exchange encryption service.
The market for secure messaging is fragmented with no one vendor commanding a substantial share, Gamby said. They offer solutions in three basic categories, as integrated software plug-ins, email gateway appliances or software, and software-as-a-service (SaaS).
Gamby said there doesn't appear to be much hope, at least in the foreseeable future, for a universal framework for interoperable secure messaging. But e-discovery demands and regulatory requirements are increasing interest in secure messaging, he said, adding, "The regulations will start to drive this a little harder."
John Dasher, director of product management at PGP Corp., an email and data encryption company based in Menlo Park, Calif., said Gamby raises important questions for customers, but added that just as standards allow people with different email systems to communicate, they allow for secure messaging. "If you're using standards-based products, you're pretty much in the clear," he said.
|
|
|
|
