The big advantage of an encryption gateway approach is that the responsibility of knowing which messages to encrypt...
is taken out of the hands of the user. Even the best user-training program won't cure all ills; we're talking about educating humans, who make mistakes. Given the brand damage and liability at stake if private data is breached, I recommend adding another layer of security to your data -- i.e. some sort of automated check -- to keep the users honest.
Gateways figure out what messages need to be protected based on a variety of attributes. Policy triggers can include sender, recipient, subject lines, body content, attachments and lots of other data points. Once a message is deemed to require protection, there are lots of options to encrypt the data as well. A number of email security gateways can transparently send the message to an email encryption engine (PGP, Voltage, Tumbleweed, etc.) for processing. Messages can also be securely stored on a staging server, which securely stores the message and presents it to the recipient through an authenticated webmail-like interface.
On the downside, a workflow needs to be established for how to deal with false positives, false negatives and policy violations. Since email (the messages that would be encrypted, anyway) is pretty sensitive, you probably don't want a message quarantined or diverted that has valuable information.
Another potential downside is the ongoing challenge of key management, especially in an inter-enterprise situation. For as long as email encryption technology has been around, these issues continue to plague its adoption.
For more information:
Dig Deeper on Data security strategies and governance
Related Q&A from Mike Rothman
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them ... Continue Reading
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading