Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What are the pros and cons of using an email encryption gateway?

In this SearchSecurity.com Q&A, security management expert Mike Rothman discusses the pros and cons of using an email encryption gateway to prevent data leakage.

My company is considering whether to encrypt confidential emails. Can policy-based encryption meet our needs, and what are the pros and cons?
Since it's not clear what your needs are, it's hard for me to determine whether email encryption will help. If you tend to send private data or intellectual property to trading partners frequently, then investing in a gateway-based encryption capability is a good idea. Some other potential use cases include customer service reps that communicate with customers via email or chat. You may have regulatory filings that are sent to various governmental agencies electronically. All of these situations could be a good fit for a policy-based email encryption gateway.

The big advantage of an encryption gateway approach is that the responsibility of knowing which messages to encrypt...

is taken out of the hands of the user. Even the best user-training program won't cure all ills; we're talking about educating humans, who make mistakes. Given the brand damage and liability at stake if private data is breached, I recommend adding another layer of security to your data -- i.e. some sort of automated check -- to keep the users honest.

Gateways figure out what messages need to be protected based on a variety of attributes. Policy triggers can include sender, recipient, subject lines, body content, attachments and lots of other data points. Once a message is deemed to require protection, there are lots of options to encrypt the data as well. A number of email security gateways can transparently send the message to an email encryption engine (PGP, Voltage, Tumbleweed, etc.) for processing. Messages can also be securely stored on a staging server, which securely stores the message and presents it to the recipient through an authenticated webmail-like interface.

On the downside, a workflow needs to be established for how to deal with false positives, false negatives and policy violations. Since email (the messages that would be encrypted, anyway) is pretty sensitive, you probably don't want a message quarantined or diverted that has valuable information.

Another potential downside is the ongoing challenge of key management, especially in an inter-enterprise situation. For as long as email encryption technology has been around, these issues continue to plague its adoption.

For more information:

  • Learn which public keys are used for email encryption.
  • In this SearchSecurity.com Q&A, security expert Ed Skoudis examines if email forwarding can be prevented.
This was last published in June 2007

Dig Deeper on Data security strategies and governance