Ask Slashdot: What Is the Best Email Encryption Gateway For a Small Business?
Attila Dimedici writes "I am in the process of implementing an Email Encryption Gateway for my company. I checked with my various contacts in the industry and came away with Voltage as the best solution. However, as I have been working with them to implement a solution, I have been sadly disappointed by their lack of professionalism. Every time I think I am one question away from being ready to pull the trigger, I discover something that my contact with them had not mentioned before that has to be ironed out by the various stakeholders on my end. So, my question for Slashdot readers is this: what is your experience with implementing an Email Encryption Gateway for your company and what solution would you recommend?"
Outlook.com offers great features, is fully encrypted and offers everything a small (or larger) business needs. I can truly say how happy I am with their service. It also works great with your existing Microsoft stack.
I'd ask for a different account rep. I've used Voltage for about 10 employees to great results. I've never encountered this professionalism problem you report.
Be very, very careful what you put into that head, because you will never, ever get it out. -Thomas Cardinal Wolsey
Gmail supports encryption and you can use feature-rich email clients like MS Outlook with it. Do you really need to have a mail server in-house anymore these days?
The one that you (or someone you trust) can effectively manage.
I'm in my right mind and I have the answer to everything!
Cisco IronPort. We use it and rely on it heavily for secure emails regarding PII for our pension fund.
It's a small company but has absolutely stellar encryption and archiving products and good service. http://www.proofpoint.com/products/privacy/email-encryption.php
I'm really easy to get along with once you people learn to worship me.
Use PGP/GPG for god's sake. Since when do you delegate encryption and integrity to any gateways? You cannot trust ANYONE except yourself when signing private documents. Do you delegate signatures in sensitive and confidential cases to your co-workers?
I use and like Entrust Entelligence PKI solution. Signed and/or encrypted email, used by most US gov. agencies for easier interoperability.
I use it as well and it works great.
They seem like a gimmick. Taking steps like ensuring your MTA always delivers using a TLS connection is probably the most interoperable decision, seeing as endpoint encryption requires two MTAs to be using the same hardware or software to encrypt/decrypt, assuming it's PKI. Endpoint encryption raises big questions like: at what point does the message become decrypted? Where are keys stored? How do you independently verify key integrity or revoke keys that have been compromised? Is there a 'Barracuda back door'? And can the system be arbitrarily bypassed? These tend to be the kinds of questions that force vendors to seem standoffish or unprofessional because they don't know the answers.
If you need real crypto, then use an open standard that's auditable and verifiable. Assign keys to users, and revoke them when they become compromised or the employee leaves. You might consider configuring your mail server to reject unencrypted messages, which can be detected using SpamAssassin or plain regex to ensure compliance. Make sure the stakeholders on your end are well informed as to the SLA and method/type of crypto being employed (TLS tunnel vs. actual message, or even both). Encrypted messages have the potential to make collaboration cumbersome if not outright impossible without defeating the crypto at some point, while encrypted gateways can cause problems in the event certificates are checked against an authority for self-signature or expiration. It's also worth noting once again that just because an email system is encrypted does not mean you will receive less UBE (spam) or fewer phishing attempts (in fact a compromised key makes these attacks far more effective). Encrypted email by nature also requires you to reveal envelope headers in plaintext, and does not excuse a mail administrator from considering or employing SPF and DKIM signatures.
Disclaimer: I've done email for more than a decade for search engine companies.
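The compliance check the post above describes (have the mail server reject outbound messages that are not encrypted, detected by a content filter or plain regex) is easy to get subtly wrong, so here it is as an added example. This is not code from the commenter or from any vendor in the thread; it uses only the Python standard library, the sample messages are constructed for the demonstration, and the ciphertext in them is placeholder text. It also shows the point about headers: the Subject is readable whichever body encryption is used.

```python
"""Policy check for an outbound relay: is this message actually encrypted?

Added example for this thread, not code from any commenter or vendor. It uses
only the Python standard library and recognises the three forms an encrypted
message normally takes: PGP/MIME (RFC 3156), inline PGP armour in a text part,
and S/MIME enveloped data (RFC 8551). The sample messages at the bottom are
constructed for the demonstration; the ciphertext in them is placeholder text.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Inline (non-MIME) PGP: the armour header must start a line of a text part.
PGP_ARMOR = re.compile(r"^-----BEGIN PGP MESSAGE-----\s*$", re.MULTILINE)

# S/MIME containers; older Outlook versions still emit the x- form.
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def encryption_kind(msg: Message) -> Optional[str]:
    """Return 'pgp-mime', 'smime' or 'pgp-inline' for an encrypted body, else None.

    Signed-but-not-encrypted mail deliberately returns None: a signature gives
    origin and integrity, not confidentiality, so it must not satisfy the policy.
    Only the top-level container is checked for the MIME forms, so a cleartext
    body with one encrypted attachment does not count as an encrypted message.
    """
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "pgp-mime"
    if ctype in SMIME_TYPES and msg.get_param("smime-type") == "enveloped-data":
        return "smime"
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        body = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        if PGP_ARMOR.search(body):
            return "pgp-inline"
    return None


def policy_decision(raw_message: str) -> dict:
    """Relay only encrypted bodies; reject everything else.

    The Subject is returned on purpose: header and envelope data travel in the
    clear no matter which body encryption is used.
    """
    msg = message_from_string(raw_message)
    kind = encryption_kind(msg)
    return {"action": "relay" if kind else "reject",
            "kind": kind,
            "visible_subject": msg["Subject"]}


# --- constructed samples (ciphertext bodies are placeholders, not real output) ---
PGP_MIME = """\
From: alice@example.com
To: bob@example.net
Subject: Q3 pension statement
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0placeholderCiphertext
-----END PGP MESSAGE-----
--b1--
"""

PGP_INLINE = """\
From: alice@example.com
To: bob@example.net
Subject: Q3 pension statement
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----

hQEMA0placeholderCiphertext
-----END PGP MESSAGE-----
"""

SMIME_ENVELOPED = """\
From: alice@example.com
To: bob@example.net
Subject: Q3 pension statement
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxplaceholder
"""

SMIME_SIGNED_ONLY = """\
From: alice@example.com
To: bob@example.net
Subject: Q3 pension statement
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExplaceholder
"""

PLAINTEXT = """\
From: alice@example.com
To: bob@example.net
Subject: Q3 pension statement
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Attached is the statement; PGP is mentioned here but nothing is encrypted.
"""

if __name__ == "__main__":
    for name, sample in [("pgp-mime", PGP_MIME), ("pgp-inline", PGP_INLINE),
                         ("smime", SMIME_ENVELOPED), ("signed-only", SMIME_SIGNED_ONLY),
                         ("plaintext", PLAINTEXT)]:
        print(name, policy_decision(sample))
```

Wire `policy_decision` into whatever content-filter hook your MTA offers; the important design choices are the strict top-level check and treating signed-only S/MIME as plaintext, both of which a naive "grep for BEGIN PGP" rule misses.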
Good people go to bed earlier.
I've worked for companies who have used this in the past and it has worked quite well.
Rather than an encryption gateway, having your email client handle encryption avoids the problem of man-in-the-middle attacks between the gateway and the client.
I don't have much reason to encrypt, but Thunderbird has my certificate installed and does my digital signing. This is not unusual for a modern email client.
Bruce Perens.
I would recommend Zix http://www.zixcorp.com/ or ProofPoint http://www.proofpoint.com/ Both are very good solutions and both have given me no issues with implementation. We sell both and have quite a few satisfied customers with both products. No one is perfect but these are our best vendors.
I worked at a small 25-bed hospital; we implemented the Sophos email appliance. It was fantastic; the basic setup was incredibly easy to do. When you send an encrypted email out, the recipient gets an email asking them to register; they create a password and are then mailed a PDF protected with the password they set. That same password will encrypt all of the PDFs they receive until they don't receive one for a period of time that you choose, at which point they create a new password. An Outlook add-in is available that will allow you to quickly and easily stamp an email to be encrypted. It also functioned as our spam/virus filter and was fantastic at it. We never set up or configured the scanning of outbound emails to force encryption, although that was an option. Loved it, 5/5, wish we had it at my current place of employment. After I put it in place and configured it, I almost never touched it again.
But then again, which one is the typo?
There are two types of people in the world: Those who crave closure
Most SMTP servers can communicate over SSL or TLS with each other these days, and if you set it up correctly (e.g. Postfix), it will do so and fall back on non-encrypted methods.
For message encryption, you're better off giving each person a personal SSL certificate (setting up a PKI should've been done for other purposes already), and all of the clients I know of support SSL encryption.
Custom electronics and digital signage for your business: www.evcircuits.com
To ease the GPG pain*: Enigmail does a great job, but it's only half the battle. How you are going to reconfigure every recipient's client without causing sheer panic is going to be interesting. Please report back when you do.
[*] - http://www.enigmail.net/home/index.php
Join the Slashcott! Feb 10 thru Feb 17!
Voltage is a slimeball company though. They typically sell to really big institutions for many times the original quoted costs once you figure in all the 'appliances', upgrades, support contracts, implementation engineers and contractors and then their product usually doesn't deliver. They're the PWC, PeopleSoft or Gartner of e-mail.
Trusting in someone that could be forced by law to give up your encrypted communications (after all, they have the right to see all your mails), or to modify packaged software to let them in, is risky these days. You maybe could trust in the FBI as a concept, an entity that won't be interested in your trade secrets, but there are people working for them, and people and corporations giving orders to them directly or indirectly, that have no problem abusing the power they have.
Open source, widely tested encryption and secure channels are your best options.
I've dabbled with a variety of solutions, but it really depends on what it is you are trying to secure, between whom, and where.
GPG/PGP has been around a while, but it usually requires some third-party software/plugins. It seems a little clunky to me, as most email clients already have S/MIME support built in, which brings me to...
S/MIME requires you get a cert through a third party (Thawte used to provide free email certs). By just sending a signed email to somebody they will then have your public key.
If you are talking about securing email between two email relays, then you can just configure the relays to enforce TLS.
If you are talking about securing the link between clients and email sending/receiving, you can just configure the mail server (if it isn't already) to only accept connections on pop3s/imaps/smtps/etc.
Other ideas include setting up encrypted tunnels between relays (like how ssh can do port forwarding), etc.
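Two posts above make the transport point: an MTA configured to "fall back on non-encrypted methods" will quietly do so, and relay-to-relay TLS has to be enforced rather than assumed. The check a practitioner wants is evidence of which hops actually negotiated TLS. The following is an added example, not code from any commenter or vendor in this thread; it uses only the Python standard library, the sample message is constructed, and the hostnames, IP addresses and queue IDs in it are placeholders.

```python
"""Audit the Received: trail of a delivered message for hops that ran in the clear.

Added example for this thread, not code from any commenter or vendor; standard
library only. A Received: line whose 'with' protocol is ESMTPS or ESMTPSA
(RFC 3848) records a hop that negotiated TLS; Postfix additionally notes the
version and cipher when smtpd_tls_received_header = yes. Only the lines added by
servers you operate are trustworthy, since everything earlier in the trail was
supplied by the sender. The sample message is constructed with placeholder hosts.
"""
import re
from email import message_from_string
from typing import Dict, List

FROM_HOST = re.compile(r"^from\s+(?P<host>[^\s(]+)", re.IGNORECASE)
# Match only SMTP/LMTP protocol names after 'with', so the "with cipher ..."
# inside a Postfix TLS note is not mistaken for the protocol clause.
WITH_PROTO = re.compile(r"\bwith\s+(?P<proto>(?:E|UTF8)?[LS]MTPS?A?)\b", re.IGNORECASE)
# Protocol names that imply TLS: ...MTPS (STARTTLS) and ...MTPSA (TLS + auth).
TLS_PROTO = re.compile(r"(?:E|UTF8)?[LS]MTPSA?")
TLS_NOTE = re.compile(
    r"\(using\s+(?P<version>TLSv?[0-9.]+)\s+with\s+cipher\s+(?P<cipher>[A-Za-z0-9_-]+)",
    re.IGNORECASE,
)


def audit_received(raw_message: str) -> List[Dict]:
    """One record per hop, newest first (Received: lines are prepended on delivery)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m_from = FROM_HOST.search(flat)
        m_with = WITH_PROTO.search(flat)
        m_tls = TLS_NOTE.search(flat)
        proto = m_with.group("proto").upper() if m_with else ""
        hops.append({
            "from": m_from.group("host") if m_from else "?",
            "with": proto,
            "tls": bool(TLS_PROTO.fullmatch(proto)) or m_tls is not None,
            "tls_version": m_tls.group("version") if m_tls else None,
            "cipher": m_tls.group("cipher") if m_tls else None,
        })
    return hops


def cleartext_hops(raw_message: str) -> List[str]:
    """Sending hosts whose hop to the next relay was not protected by TLS."""
    return [h["from"] for h in audit_received(raw_message) if not h["tls"]]


# Constructed sample: the partner's edge relay reached our MX over TLS, but the
# internal hop from their desktop to that relay was plain ESMTP.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [192.0.2.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mx.example.net (Postfix) with ESMTPS id 4F2A1C0B7E
    for <bob@example.net>; Mon, 3 Feb 2014 09:14:01 +0000 (UTC)
Received: from desktop.partner.example (unknown [10.0.0.7])
    by mx.partner.example (Postfix) with ESMTP id 1D3F9A21
    for <bob@example.net>; Mon, 3 Feb 2014 09:13:58 +0000 (UTC)
From: alice@partner.example
To: bob@example.net
Subject: Q3 pension statement

Attached is the statement.
"""

if __name__ == "__main__":
    for hop in audit_received(SAMPLE):
        print(hop)
    print("cleartext hops:", cleartext_hops(SAMPLE))
```

Run it over mail your own MX received and you will see exactly the fallback the earlier post warns about. On the sending side, Postfix's `smtp_tls_security_level = may` is that opportunistic, fall-back behaviour; `smtp_tls_security_level = encrypt` (globally or per destination through a TLS policy table) refuses to deliver without TLS. Note that ESMTPS only proves the channel was encrypted, not that the peer's certificate was verified; that needs the `verify` or `secure` levels or a DANE/MTA-STS policy.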
/me goes to decode the above message to find out what he TRULY said...
Your thin skin doesn't make me a troll
Cisco IronPort. We use it and rely on it heavily for secure emails regarding PII for our pension fund.
Then I can't (won't) read any email you send me.
To read Cisco IronPort mail you must install software from Cisco.
To install the software from Cisco you must sign an EULA - which makes a BIG POINT of being a binding contract.
The EULA has anti-reverse-engineering terms that, were I to sign them, would (IMHO) make me unemployable in the computer security field.
Therefore I will not install the software.
Therefore I cannot decrypt "secure" email you send me.
Therefore I will not do business with your company.
Do you REALLY want to FORCE your clients to CONTRACT WITH A THIRD PARTY and SIGN AWAY THEIR RIGHTS in order to exchange important email with you?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
If you are not getting what you need from your contact, please feel free to reach out to me directly.
There are millions of happy users across thousands of enterprises around the world using Voltage SecureMail either on-premise or from the Voltage SecureMail Cloud to secure emails and files end to end. Banks such as Wells Fargo and JPMC use it universally, cloud providers for Exchange including Microsoft use it as a security option for Office 365 cloud offerings, and smaller businesses such as law firms, credit unions and financial agencies also enjoy its simplicity in enabling privacy, even to and from popular smartphones. The cloud version simplifies deployment for SMBs in particular, and deployment can even be hybrid cloud to suit particular needs.
We are very proud of our reputation with our customers, proven by exceptional long-term relationships and repeat business across our data security product set.
I look forward to helping resolve whatever issue caused the concern.
For the record - we license by active user count, not appliances, in respect to the comment on price.
Best regards,
Mark Bower
VP Product Management
contact : info@voltage.com - ask to reach me personally
Djigzo email encryption gateway is open source, you can download a free version from www.djigzo.com. It supports S/MIME, it has a lot of cool features. Used by major corporations all over the world. Just give it a try, it's free.
no, I don't have a sig
I hear they have excellent decrypt... I mean encryption. I'm sure they'd be delighted to handle all your sensitive information for you! Also saves them the trouble and bandwidth of having to reroute your email to them.
You hit the problem on the head. And your description of the problems dealing with Voltage hit the problem I have with them on the head as well.
The truth is that all men having power ought to be mistrusted. James Madison
I'm the CTO at Voltage, and I'm disappointed to hear that the original poster is having a poor experience with us. While I'm not going to claim that Voltage's gateway product is the ideal solution for every small business, we do feel like we do a great job helping businesses of many sizes that handle and exchange sensitive data comply with privacy requirements. There are a lot of security solutions that have been mentioned in this thread, ranging from GPG to SMTP over TLS. All of these solutions have value, depending on the problem that you are trying to solve. Our product focuses on encrypting email messages to end users without needing to enroll those users into a traditional certificate structure, and allowing those users to decrypt those messages with minimal difficulty. Regardless, I'd like to solve the original poster's problem. I'd ask that he contact me at Voltage, and I'll handle any issue he's having at the moment.
Can work through their or standalone web service. They also have just about the best customer service of any company I have ever worked with.
https://www.barracuda.com/products/emailsecurityservice
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
People fuss too much about the security of the passphrase and such things. The effect is that almost nobody uses encryption.
Make a Thunderbird extension that automatically sets up a default configuration that works from the get-go.
In this default configuration the private key could be stored in a local file encrypted with a passphrase that is hardwired into the program.
Totally insecure if there is a virus that targets this arrangement, but still a million times safer than sending everything over the wire in the clear.
Add simple functions to synchronize the security parameters, including the private key(s), on multiple laptops and computers.
Have the extension generate a mail that can be sent to yourself or stored in the drafts folder of your IMAP account, containing the synchronization data.
Upon opening such a mail, or even just upon downloading it, the extension should know what to do and do it.
Add a good user interface to perform key management tasks and to configure all these dangerous things, like turning off some automatic actions, or adding a true user-selected password to the private key file.
Add a feature, active by default, to include in all MIME-encapsulated mails an attachment containing your public key,
and another feature to automatically harvest all public keys that your Thunderbird installations come across. If you send a mail to some party with a known public key, encrypt automatically. If you receive an encrypted mail, decrypt automatically.
If one copy of Thunderbird does not have the private key it needs to decrypt a mail it has received/downloaded, generate a special request mail that other instances of Thunderbird will know to answer if they have the private key requested. Etc.
If such an extension becomes included in the standard distribution, more and more people will begin using it, and then other people will hear about it and request it from their mail application vendors.
There is no substitute for common sense. Especially, no body of rules will do.
www.totemo.ch - somewhat pricey, but very nice handling:
Based upon a ruleset, it can send mails encrypted with PGP or S/MIME (if keys are known), as an encrypted PDF (the sender gets the password for manual transmission), or store the message on a web server and just give a login/password to the recipient.
If no prior key exchange happened, the PDF solution creates a PGP key and an S/MIME cert and sends both public keys with the PDF, so the recipient can choose whatever they want.
When receiving mails with attached PGP/S/MIME public keys/certs, Totemo takes the certs and stores them for future communication in the opposite direction.
I've seen other solutions, but Totemo seems pretty mature and works very well for me with several companies.
- Hubert
The one that satisfies your needs. It's like on /g/ when someone says "What's the best Linux distro" to start a flamewar (it works), or what's the best motorcycle to ride, or what's the best chef's knife to wield in your kitchen.
The answer is always "It depends."
It depends on how much you want to spend and your technical expertise - whether you want to farm it out or DIY. There are arguments for and against both. To ask third parties that aren't intimately knowledgeable of your situation what's the "best" anything for you is silly.
--
BMO
-----BEGIN PGP MESSAGE----- Version: GnuPG v2.0.14 (MingW32) hQIOAy7t6bIA+H1sEAf7BBJ/h/p1oGgPcpLDPChJu99apWYTPGxThrgrFLS1o5N5 Sr8b+fFcTGVByvKGvrfDQTr2vnCJ7ezLyLyBnj2H+C/RdKOqFfp8PWjWpzhVXquW JAA4eLVC5B9eLQKcYFufvtS/Ad0I1SRc/vlDcrtezcZf5ify8SRLKIRxMMuRhunw WktClayAGrhgfofg3wN2B6F6TB3afpPL4HQLqaz7PL8ZrDcwqof0ExJw8kx+Jx2t Q58YBtwnKuN4ynXTxImjpZBncsWsRztIQa53Xt00gy2yhdWHaIdoEtif5u6AhiP8 GVLYvmJNKBUozsyO2HyKuCwh6phaQMlPts8boL3pvAgA5RMWxAmrXDE+D0IlJWks 58NGo4D+/0xvKC3UT6ZscSRKDc6fdt7Eec1eYJ4MW1i+qlP+9JCYVFGa7uANc8St 2wCSAa1FIV4scytAZIbTvpHCyQ51faS1m23WXHkmBg7/AiaKuh+YOvaCzdGueFXc stBWzYVSjiEKp4vAJjD4GDyx3v1flgSwUl2kKFErbRRerKeTxRvfL+c7VCID+vh4 7JTLT0ySAYr3xCDys1W6NLEIdkNBlojh+laQmo8/8tCCLKST0D2KMmI2RKuf+rS4 TOrMceKGZ8WcgGPckhsSnR883hU/iUPU887Mfb3iUfBiKZsBTyeAIwaKSM8O0agX I8ky7LMBuYdTuLoF+wGsNqsudjfxkaTH3mnjdcAdlQPVkPjoDTO9XIljLkQh4cTM BDQ4vu4= =keTX -----END PGP MESSAGE-----
You are welcome!
1) You encrypt with the public key(s) of the recipient(s). Then only they can decrypt the content, using their private key.
2) You sign with your private key. Then anybody can verify your signature using your public key. The content really comes from you as long as your private key wasn't compromised.
Everything I write is lies, read between the lines.
Please, pretty please, kill these gateway "hacks". Just send mail correctly using a standard: http://en.wikipedia.org/wiki/S/MIME
We use Voltage here, the Outlook plug-in is what users see, and it is trouble-free.
But we have 65,000 users. YMMV.
deleting the extra space after periods so i can stay relevant, yeah.
The privacy threat that people are MOST LIKELY TO FACE is the government investigating you as a "person of interest" for various reasons. Once they get your private messages, it's fairly easy to become a target for harassment. Sure, they could always get a search warrant and pressure you to decrypt the information. But hardly any of these "investigations" are backed by enough evidence to justify that tactic. The "invisible hand" prefers to work invisibly. Most email providers will quietly hand over your information to the government without so much as a whimper of protest.
Encryption that won't survive a subpoena of your ISP or email service provider is simply not worth doing. Client-based encryption is tough to set up because your contacts need to do the encryption and decryption on their machines. But it works.