Slashdot Mirror


Ask Slashdot: What Is the Best Email Encryption Gateway For a Small Business?

Attila Dimedici writes "I am in the process of implementing an Email Encryption Gateway for my company. I checked with my various contacts in the industry and came away with Voltage as the best solution. However, as I have been working with them to implement a solution, I have been sadly disappointed by their lack of professionalism. Every time I think I am one question away from being ready to pull the trigger, I discover something that my contact with them had not mentioned before that has to be ironed out by the various stakeholders on my end. So, my question for Slashdot readers is this: what is your experience with implementing an Email Encryption Gateway for your company and what solution would you recommend?"

2 of 155 comments

  1. Email Encryption by SecurityPro · Score: 4, Interesting

    I would recommend Zix http://www.zixcorp.com/ or ProofPoint http://www.proofpoint.com/. Both are very good solutions and both have given me no issues with implementation. We sell both and have quite a few satisfied customers with both products. No one is perfect but these are our best vendors.

  2. Re:gmail by Anonymous Coward · Score: 5, Interesting

    I love the idea of those places running things in house, but in my experience, specifically with law firms, they do not even when they are big enough for it to make a huge difference. They are also some of the most technologically misinformed and lazy people I have met. I've got three really good examples of this.

    First example is Dropbox and other services like it. A local attorney was in for a big surprise when Dropbox complied with a subpoena and turned over all documents they had that the attorney and his client had uploaded to their Dropbox accounts. The court had a special master review them for confidential information and turned over a ton of documents and data. Suffice it to say, they "lost" the divorce case when the information included pictures of a second home (complete with GPS coordinates), multiple cars and other hidden assets.

    The second is that many solos and small firms (about 40% of practicing attorneys) use the email service provided by the state bar association. The email service does not have SSL or TLS support. Webmail, POP3, IMAP, SMTP, LDAP and the rest are all unencrypted. When I asked the tech guy at the association about why it was unencrypted, he pointed me to the board minutes, where at every meeting, they refused to approve a certificate because, as one put it, "it was a waste of money." During an experiment conducted at a legal education program (which I'll detail below), they came up with quite the large amount of information.

    The third is the experiment I mentioned. At a legal education program, they partnered with a security group and they set up a device to log all the attempts to connect to wireless networks as well as real access points. The access points were protected by WPA2, but the password was given with the materials. It then had a screen presented with a TOS and privacy policy that they had to agree to before being granted access. The TOS gave all this away and included a button to click so we could see how many people actually read them (the people who clicked saw a stat page, which included a bar graph so you could see it over time). The access point was set up to log all the traffic (which ended up being gigabytes of data, they said, due to all the videos people watched) as the traffic came in. They then analyzed it for key words and statistics. A team of attorneys and people from the ethics committee cleared all the info that was presented in the speech about safety and being careful online. They talked about all the video, and news people checked, and then it slowly got more personal. They started referencing people's email, a snippet of a person's VoIP session and a document uploaded to some service. They then talked about safety steps like TLS, TrueCrypt and being careful and that you need to check that you are connecting to who you think you are as well as other things. The best part was right at the end, the speaker said "Jody wants you to remember to pick up a pizza on the way home," and about 25 people all went for their phones to see if they were talking about them. Incidentally, after the presentation, encrypting the bar association's email was added to their 5-year plan for year 5(!), but I guess it is better than nothing.

    Last thing I will note is the mixed advice. For example, the latest, or maybe previous issue, of the ABA magazine had an article detailing the dangers of the cloud, especially Dropbox as it is unencrypted, they keep your files after you delete them, and you can get them anywhere. Less than 20 pages later was an article that declared Dropbox a "MUST HAVE" app for any attorney for the exact same reasons that the previous said were dangerous.