Ask Slashdot: What Is the Best Email Encryption Gateway For a Small Business?

Attila Dimedici writes "I am in the process of implementing an Email Encryption Gateway for my company. I checked with my various contacts in the industry and came away with Voltage as the best solution. However, as I have been working with them to implement a solution, I have been sadly disappointed by their lack of professionalism. Every time I think I am one question away from being ready to pull the trigger, I discover something that my contact with them had not mentioned before that has to be ironed out by the various stakeholders on my end. So, my question for Slashdot readers is this: what is your experience with implementing an Email Encryption Gateway for your company and what solution would you recommend?"

Outlook.com

[tretre]

Outlook.com offers great features, is fully encrypted and offers everything a small (or larger) business needs. I can truly say how happy I am with their service. It also works great with your existing Microsoft stack.

Re:Outlook.com

[RobbieCrash]

BES offers a shitload of benefits if you want to use them. Blocking things like the camera or SMS, limiting WiFi connectivity, security configuration, password requirements, etc, on company owned and paid for phones is a requirement for many large enterprises. Additionally, ActiveSync isn't as feature complete with syncing in most cases (Android doesn't do tasks or notes for example), while BES provides complete bi-directional sync between BlackBerrys and Exchange. Remote software management, an always on administrator controlled VPN connection is another benefit.

We had issues with our Exchange server's gateway and it wasn't able to get to the internet, however the tunnel to our location that had BES was up and it had internet connectivity, so our BBs were receiving email communicating what was going on and who was doing what. Sure we could've done that with personal email or with BBM/GTalk, but this way we didn't need to.

BES is a pain in the ass when you don't need any of the above and all you're doing is syncing email, calendar and contacts. But those are all critical features in many places.

Re:Outlook.com

[sneakyimp]

I disagree that Outlook.com is all that great. If you want your email to be truly secure, you need to encrypt it at the client and, in trying to set this up with one of my clients, I found that a) the documentation on this process using Outlook is very poor, b) one must pay to purchase a Digital Certificate for Outlook, and c) once my client did purchase a Digital Cert from one of the vendors listed on microsoft's website, windows and/or Outlook 2010 could not find this certificate or did not recognize it. A waste of time and money.

I found it much easier to configure Thunderbird with a self-signed certificate and OpenPGP. The email is encrypted on my computer and decrypted on the client's computer. However, it's probably not feasible to train a bunch of tech-challenged workers to do this themselves and would likely introduce too much of a training/support burden for any sizeable IT shop.

I realize that M$ may offer some handy tools for IT managers tasked with managing a large organization -- if you are willing to pay for it. I also find it extremely disappointing that client-based email encryption is not more widespread and easy to implement.

Re:Outlook.com

[Flavianoep]

Are you serious? (hint: "Poe's Law")

Re:Outlook.com

[cultiv8]

I second this, and highly recommend sharepoint for all you collaboration and intranet purposes as well. As a developer, I can truly say how happy I am when I need to work on a Sharepoint site. Sharepoint even integrates with Outlook! Amazing integration with your existing Microsoft stack!

Re:Outlook.com

[v1]

I disagree that Outlook.com is all that great. If you want your email to be truly secure, you need to encrypt it at the client

THIS. Once it gets off your LAN, there are SO many ways for you to get tapped into. Not counting the illegal ways, look at all the options the govt has and is well known to use, often ignoring or pencil-whipping judicial oversight. They can subpoena your ISP, whoever is doing your email encryption, whoever is providing them with their SSL keys, or their ISP.

If you are serious about protecting your privacy, make darn sure your data is secured before it leaves your property. At least then, if they want to snoop, you're a lot more likely to at least know it's happening. And that will keep out most of your threats, short of spear-phishing, stray bait flash drives left in your parking lot, and internal threats. (malicious employees)

In the short term, get everyone an email certificate, and USE them to sign and encrypt outgoing email. (any decent email client will support signing and encryption) That data could still be subpoenaed from the group you get them from though. You can roll your own if you want to also, but you won't be easily able to revoke if need be.

Re:Outlook.com

[mysidia]

BES is a pain in the ass when you don't need any of the above and all you're doing is syncing email, calendar and contacts. But those are all critical features in many places.

About that... my complaint about BES is that it's this Java application, that requires this huge install of SQL server just to function, you wind up needing a server with 4GB of RAM, to provide 20 users with mail synchronization.

This is almost as many resources as the complete Exchange system requires....

Re:Outlook.com

[St.Creed]

I know your comment is meant to be funny (and it is), but what I really don't get is why everyone is talking about Outlook (argh) and sharepoint (*shudder*), and not about Lotus Domino. I'm also a bit... confused about why Lotus Domino isn't the default choice for anyone even remotely thinking about secure mail.

Lotus had a place for storing certificates since they were invented. In fact, ALL authorization is done using keys. It's been designed to work with them from the ground up. If the admin manages to remove his ID from the database, he's just as thoroughly holed under the waterline as any user. Inside the company everything can remain encrypted and when going out you can use encryption for everyone you have the certificates for, or make it impossible to send unencrypted mail. Using Lotus there is absolutely no barrier to using encryption (only to using the damn client in the first place - the GUI has issues).

Ofcourse, one can also keep on bolting random software on top of other software, like that factory in Bangladesh: at some point, the foundation can't hold the weight anymore and you're done.

Voltage is pretty good

[seanmcelroy]

I'd ask for a different account rep. I've used Voltage for about 10 employees to great results. I've never encountered this professionalism problem you report.

Re:Voltage is pretty good

[Obfuscant]

I'm not sure that I'd rate a failure of the account rep to predict every issue that a "stakeholder" might come up with and tell the purchaser how to deal with it in advance a "lack of professionalism". That sounds a lot like trying to aim at a moving target to me. "Oh, can your product also do X? It has to do X, which I just thought of..."

Re:gmail

[egcagrac0]

Do you really need to have a mail server in-house anymore these days?

That really depends on the confidentiality requirements of your email.

If I were the business was healthcare, a law firm, or an accounting firm... yes, I'd feel a need to run the email in-house.

Proofpoint

[Rinoa]

It's a small company but have absolutely stellar encryption and archiving products and good service. http://www.proofpoint.com/products/privacy/email-encryption.php

PGP

[koinu]

Use PGP/GPG for god's sake. Since when do you delegate encryption and integrity to any gateways? You cannot trust ANYONE except yourself when signing private documents. Do you delegate signatures in sensitive and confidential cases to your co-workers?

Re:PGP

[SpaceCadetTrav]

So who is going to teach Gladys from accounting how to store her contacts' PGP keys and encrypt her email? And are you also going to train everyone she sends email to, as well? Out here in the real world we have to support non-techies and gateways are the most reasonable compromise.

Re:PGP

[HiThere]

What you meantion is a valid problem with the PGP type solution.

Unfortunately, the solution of "let joe do it" opens you up not only to joe, but also to anyone who snoops the unencrypted transmission between Gladys and joe.

In each case you evaluate how much the security matters to you, and to others. The more it matters, the closer to the origin the encryption needs to be done. (You'll have noticed I didn't encrypt this at all.) PGP is pretty good if there's enough importance for you to ensure that it's properly used. If you aren't, then "let joe do it" for, again, varying values of joe. Internal IP is probably more secure than someone outside, but you need to care enough to ensure that they do the job properly. (An easier job then ensuring that every Gladys does her encryption properly, but less easy than delegating it to someone outside.) At every step removed, the security decreases, and the ease increases. Make the trade off that YOU deem appropriate.

Re:PGP

[Arrogant-Bastard]

Gateways are NOT a "compromise": they are total failure. That say to the world "we care about the appearance of security/privacy/integrity; we just can't trouble ourselves to actually, really, truly, provide those things."

Speaking as someone who's taught Gladys from accounting how to use mutt and GPG -- several thousand Gladys, actually -- it CAN be done. It requires effort, it requires time, it requires budget: but it can be done. Consider it an investment: is it better to spend these resources on Gladys, our valued employee, or is it better to spend these resources on a vendor?

Re:PGP

[Bert64]

The IT department provides all staff with a client that is already configured to send and receive PGP email...
The client is configured to automatically encrypt when sending mail to a recipient for which it has a public key, and displays a warning if it doesn't have a key available.
When it receives a public key via email it prompt the user to import it.

It's really not terribly difficult if done right, and users will soon be sending encrypted mail without even realising it.

Entrust

[sinij]

I use and like Entrust Entelligence PKI solution. Signed and/or encrypted email, used by most US gov. agencies for easier interoperability.

email encryption gateways

[nimbius]

seem like a gimmick. taking steps like ensuring your MTA always delivers using a TLS connection is probably the most interoperable decision, seeing as endpoint encryption requires two mta's to be using the same hardware or software to encrypt/decrypt, assuming its PKI. endpoint encryption raises big questions like at what point does the message become decrypted? where are keys stored? how do you independently verify key integrity or revoke keys that have been compromised? is there a 'barracuda back door?' and can the system be arbitrarily bypassed. These tend to be the kinds of questions that force vendors to seem standoffish or unprofessional because they dont know the answers.

if you need real crypto, then use an open standard thats auditable and verifiable. assign keys to users, and revoke them when they become compromised or the employee leaves. you might consider configuring your mailserver to reject unencrypted messages, which can be detected using spamassassin or plain regex to ensure compliance. Make sure the stakeholders on your end are well informed as to the SLA and method/type of crypto being employed (TLS tunnel vs actual message or even both.) Encrypted messages have the potential to make collaboration cumbersome if not outright impossible without defeating the crypto at some point, while encrypted gateways can cause problems in the event certificates are checked against an authority for self-signature, or expiration. its also worth nothing once again that just because an email system is encrypted, does not mean you will receive less UBE (spam) or phishing attempts (in fact a compromised key makes these attacks far more effective.) encrypted email by nature also requires you to reveal envelope headers in plaintext, and does not excuse a mail administratior from considering or employing SDF and DKIM signatures.

disclaimer: ive done email for more than a decade for search engine companies.

Not really the best practice

[Bruce+Perens]

Rather than an encryption gateway, having your email client handle encryption avoids the problem of man-in-the-middle attacks between the gateway and the client.

I don't have much reason to encrypt, but Thunderbird has my certificate installed and does my digital signing. This is not unusual for a modern email client.

Email Encryption

[SecurityPro]

I would recommend Zix http://www.zixcorp.com/ or ProofPoint http://www.proofpoint.com/ Both are very good solutions and both have given me no issues with implementation. We sell both and have quite a few satisfied customers with both products. No one is perfect but these are our best vendors.

Re:Zixmail

I setup a ZixGateway appliance and it's worked quite well for encrypting mail. Users can enter a keyword in the subject line and it will encrypt the messages, or if it scans a message and finds something that's in one the lexicons it encrypts it. They were very professional during initial setup and every time I've had to contact support things have gone well with quick responses. Not sure how small of a company you're working for but we're under 100 people and this solution works well for us.

Re:Zixmail

[bill_mcgonigle]

I'm working with one currently. It's postfix under the covers, so you can at least see what it's doing. The app is tomcat. More importantly, many of their business partners use the same solution, so they have an easy, if proprietary way to interconnect.

My e-mail is on the TLS list so it goes through normally, but if I got the "You've got a new message from foo@exmaple.com, go to this website for your message" e-mail instead of a real one, I'd probably just delete it.

I understand why people do this, but the results are too close to phishing and scams for me to participate.

My e-mail systems can all do end-to-end and transport-layer encryption; the gateways are so often so others don't have to bother with a decent setup. And often the others are customers of large ISP's who don't know any better. But the problems aren't technical so much as ease-of-use and integration.

Re:Not Voltage's problem: buyer error.

[guruevi]

Voltage is a slimeball company though. They typically sell to really big institutions for many times the original quoted costs once you figure in all the 'appliances', upgrades, support contracts, implementation engineers and contractors and then their product usually doesn't deliver. They're the PWC, PeopleSoft or Gartner of e-mail.

Re: gmail

[DuckDodgers]

Gmail has hundreds of millions of users, and provides ad revenue for Google. It's not going anywhere. I would also assume Google Plus, Google Search, Google Ad Sense, and Android are fundamental to the future of the company and safe to use. (That's not an endorsement, just a guess that those services will last as long as the company.)

And while Google App Engine is less essential to the company future, and is as vulnerable to the axe as Google Wave and Google Reader, there's an open source implementation of the APIs called "AppScale" which offers a migration path if Google shuts App Engine down.

Re:gmail

I love the idea of those places running things in house, but in my experience, specifically with law firms, they do not even when they are big enough for it to make a huge difference. They are also some of the most technologically misinformed and lazy people I have met. I've got three really good examples of this.

First example is Dropbox and other services like it. A local attorney was in a big surprise when Dropbox complied with a subpoena and turned over all documents they had that the attorney and his client had uploaded to their dropbox accounts. The court had a special master review them for confidential information and turned over a ton of documents and data. Suffice it to say, they "lost" the divorce case when the information included pictures of a second home (complete with GPS coordinates), multiple cars and other hidden assets.

The second is that many solos and small firms (about 40% of practicing attorneys) use the email service provided by the state bar association. The email service that does not have SSL or TLS support. Webmail, pop3, IMAP, SMTP, LDAP and the rest are all unencrypted. When I asked the tech guy at the association about why it was unencrypted, he pointed me to the board minutes, where at every meeting, they refused to approve a certificate because, as one put it, "it was a waste of money." During an experiment conducted at a legal education program (which I'll detail below), they came up with quite the large amount of information.

The third is the experiment I mentioned. At a legal education program, they partnered with a security group and they set up a device to log all the attempts to connect to wireless networks as well as real access points. The access points were protected by WPA2, but the password was given with the materials. It then had a screen presented with a TOS and privacy policy that they had to agree to before being granted access. The TOS gave all this away and included a button to click so we could see how many people actually read them (the people who clicked saw a stat page, which included a bar graph so you could see it over time). The access point was setup to log all the traffic (which ended up being gigabytes of data, they said, due to all the videos people watched) as the traffic came in. They then analyzed it for key words and statistics. A team of attorneys and people from the ethics committee cleared all the info that was presented in the speech about safety and being careful online. They talked about all the video, and news people checked, and then it slowly got more personal. They started referencing people's email, a snippet of a person's VOIP session and a document uploaded to some service. They then talked about safety steps like TLS, truecrypt and being careful and that you need to check that you are connecting to who you think you are as well as other things. The best part was right at the end, the speaker said "Jody wants you to remember to pick of a pizza on the way home," and about 25 people all went for their phones to see if they were talking about them. Incidentally, after the presentation, encrypting the bar association's email was added to their 5-year plan for year 5(!), but I guess it is better than nothing.

Last thing I will note is the mixed advice. For example, the latest, or maybe previous issue, of the ABA magazine had an article detailing the dangers of the cloud, especially dropbox as it is unencrypted, they keep your files after you delete them, and you can get them anywhere. Less than 20 pages later was an article that declared dropbox a "MUST HAVE" app for any attorney for the exact same reasons that the previous said were dangerous.

Re:Sophos Gateway

[dskoll]

One thing I don't understand about these things: If an adversary can intercept your email, he/she can intercept the email asking for registration and create a password.

Without an out-of-band way to register, I fail to see how these things add security.

Then I can't (won't) read email from you.

[Ungrounded+Lightning]

Cisco IronPort. We use it and rely on it heavily for secure emails regarding pii for our pension fund.

Then I can't (won't) read any email you send me.

To read Cisco IronPort mail you must install software from Cisco.

To install the software from Cisco you must sign an EULA - which makes a BIG POINT of being a binding contract.

The EULA has anti-reverse-engineering terms that, were I to sign them, would (IMHO) make me unemployable in the computer security field.

Therefore I will not install the software.

Therefore I cannot decrypt "secure" email you send me.

Therefore I will not do business with your company.

Do you REALLY want to FORCE your clients to CONTRACT WITH A THIRD PARTY and SIGN AWAY THEIR RIGHTS in order to exchange important email with you?

Re:Then I can't (won't) read email from you.

Complete bunk. What software? We use Ironport, and specifically picked Ironport because it's message based encryption (PostX) didn't require anything more than a web browser and an Internet connection to decrypt messages. If you are talking about the outlook plugin on the sender side to "encrypt" it, that's totally unnecessary - all it does is mark the message (by modifying the subject I believe) so that the Ironport appliance can recognize it and apply encryption. (Rather than using that, we just have people set the "sensitivity" to "confidential" and use that as a trigger to encrypt.) There is no software on the desktop related to Ironport that does actual encryption/decryption there (other than a common non-proprietary web browser).

That said, a couple things are missing in the original post, like "what are your requirements for encryption?". The large majority of financial institutions, for example, are only concerned with protecting the message "in transit" over public networks (i.e. the Internet) - i.e. TLS. The reason being that they feel (right or wrong) that other security measures protect the mail "at rest" on their inhouse servers (very few major financial institutions would trust something like email in the cloud). More importantly, message based encryption prevents auditing, virus scanning, spam filtering, or effective archiving, which is all important to these organizations.

If, on the other hand, you do want end to end encryption, there are solutions like S/MIME and pgp plugins that are installed in your desktop client, which has the client encrypt it before submitting it to your email gateway. This ensures the message is encrypted from you to the recipient, and is protected "at rest", but is also intrusive on the sender and recipient - you typically have to buy or generate a certificate/key for each sender and manage that (i.e. configure their desktop/email client, copy it to each PC they use, deal with expired/compromised keys, etc), often requires software/plugins be installed on the sender and recipients computers, and tends to require an exchange of keys with each recipient you communicate securely with - a nightmare that has pretty much kept things like S/MIME from ever succeeding.

The OP mentioned a gateway product - this kind of presumes that they don't want to do all this per user key management and desktop config. In this case, the sender typically tags the message in some way (prefixing the subject with a keyword, setting sensitivity, etc) so that the gateway identifies it as needing encryption. The gateway then does the encryption (so it's not end-to-end, but sender gateway to recipient endpoint). These often offer "universal" solutions, in that they encrypt it in such a way that the recipient only needs a browser that runs javascript and an Internet connection to decrypt. Some of these solutions are "hosted" in that the message is redirected to a "secure" web server and the message is replaced with a https link to the "encrypted" message, with the concern then being that your mail is stored in the cloud, with all the security concerns and subpoena concerns that has. (There are solutions that allow you to do this with self hosted appliances/software as well - there's almost an unlimited number of approaches to this problem...) FWIW, with Ironport's message based encryption, at most Cisco manages key exchange between sender and recipient, but never sees the actual message, even in encrypted form (another reason we selected it).

BTW, Ironport is excellent (even after being bought by Cisco), but is *not* cheap, so may not realistically apply to a small business.

One final point - securing the mail assumes that both sender and recipient want it secure. The fatal flaw in any email encryption solution is if the recipient doesn't take appropriate care, and forwards it, or copies/pastes the content and resends it without any protection - ultimately, because of this, it's impossible to completely protect anything 100%. (Another reason why in a general purpose solution like this, TLS may be enough...)

Please contact me to fix this

[TerenceSpies]

I'm the CTO at Voltage, and I'm disappointed to hear that the original poster is having a poor experience with us. While I'm not going to claim the Voltage's gateway product is the ideal solution for every small business, we do feel like we do a great job helping businesses of many sizes that handle and exchange sensitive data comply with privacy requirements. There are a lot of security solutions that have been mentioned in this thread, ranging from GPG to SMTP over TLS. All of these solutions have value, depending on the problem that you are trying to solve. Our product focusses on encrypting email messages to end users without needing to enroll those users into a traditional certificate structure, and allowing those users to decrypt those messages with minimal difficulty. Regardless, I'd like to solve the original poster's problem. I'd ask that he contacts me at Voltage, and I'll handle any issue he's having at the moment.

Develop a Thunderbird extension to automate

[Cacadril]

People fuss to much about the security of the passphrase and such things. The effect is that almost nobody uses encryption.

Make a Thunderbird extension that automatically sets up a default configuration that works from the get-go.
In this default configuration the private key could be stored in a local file encrypted with a passphrase that is hardwired into the program.
Totally insecure if there is a virus that targets this arrangement, but still a million times safer than sending everything over the wire in the clear.

Add simple functions to synchronize the security parameters, including the private key(s), on multiple laptops and computers.

Have the extension generate a mail that can be sent to yourself or stored in the drafts folder of your IMAP account, containing the synchronization data.
Upon opening such a mail, or even just upon downloading it, the extension should know what to do and do it.

Add a good user interface to perform key management tasks and to configure all these dangerous things, like turning off some automatic actions, or adding a true user-selected password to the private key file.

Add a feature, active by default, to include in all MIME-encapsulated mails an attachment containing your public key,
and another feature to automatically harvest all public keys that your Thunderbird installations come across. If you send a mail to some party with a known public key, encrypt automatically. If you receive an encrypted mail, decrypt automatically.
If one copy of Thunderbird does not have the private key it needs to decrypt a mail it has received/downloaded, generate a special request mail that other instances of Thunderbird will know to answer if they have the private key requested. Etc.

If such an extension becomes included in the standard distribution, more and more people will begin using it, and then other people will hear about it and request it from their mail application vendors.