Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: What Is the Best Email Encryption Gateway For a Small Business?

Posted by Soulskill on from the randomize-all-outbound-communications dept.

Attila Dimedici writes "I am in the process of implementing an Email Encryption Gateway for my company. I checked with my various contacts in the industry and came away with Voltage as the best solution. However, as I have been working with them to implement a solution, I have been sadly disappointed by their lack of professionalism. Every time I think I am one question away from being ready to pull the trigger, I discover something that my contact with them had not mentioned before that has to be ironed out by the various stakeholders on my end. So, my question for Slashdot readers is this: what is your experience with implementing an Email Encryption Gateway for your company and what solution would you recommend?"

9 of 155 comments (clear)

  1. Outlook.com by tretre · · Score: 5, Funny

    Outlook.com offers great features, is fully encrypted and offers everything a small (or larger) business needs. I can truly say how happy I am with their service. It also works great with your existing Microsoft stack.

    1. Re:Outlook.com by RobbieCrash · · Score: 5, Informative

      BES offers a shitload of benefits if you want to use them. Blocking things like the camera or SMS, limiting WiFi connectivity, security configuration, password requirements, etc, on company owned and paid for phones is a requirement for many large enterprises. Additionally, ActiveSync isn't as feature complete with syncing in most cases (Android doesn't do tasks or notes for example), while BES provides complete bi-directional sync between BlackBerrys and Exchange. Remote software management, an always on administrator controlled VPN connection is another benefit.

      We had issues with our Exchange server's gateway and it wasn't able to get to the internet, however the tunnel to our location that had BES was up and it had internet connectivity, so our BBs were receiving email communicating what was going on and who was doing what. Sure we could've done that with personal email or with BBM/GTalk, but this way we didn't need to.

      BES is a pain in the ass when you don't need any of the above and all you're doing is syncing email, calendar and contacts. But those are all critical features in many places.

      --
      Keep on knockin'
      https://robbiecrash.me
    2. Re:Outlook.com by sneakyimp · · Score: 5, Informative

      I disagree that Outlook.com is all that great. If you want your email to be truly secure, you need to encrypt it at the client and, in trying to set this up with one of my clients, I found that a) the documentation on this process using Outlook is very poor, b) one must pay to purchase a Digital Certificate for Outlook, and c) once my client did purchase a Digital Cert from one of the vendors listed on microsoft's website, windows and/or Outlook 2010 could not find this certificate or did not recognize it. A waste of time and money.

      I found it much easier to configure Thunderbird with a self-signed certificate and OpenPGP. The email is encrypted on my computer and decrypted on the client's computer. However, it's probably not feasible to train a bunch of tech-challenged workers to do this themselves and would likely introduce too much of a training/support burden for any sizeable IT shop.

      I realize that M$ may offer some handy tools for IT managers tasked with managing a large organization -- if you are willing to pay for it. I also find it extremely disappointing that client-based email encryption is not more widespread and easy to implement.

  2. PGP by koinu · · Score: 5, Insightful

    Use PGP/GPG for god's sake. Since when do you delegate encryption and integrity to any gateways? You cannot trust ANYONE except yourself when signing private documents. Do you delegate signatures in sensitive and confidential cases to your co-workers?

    1. Re:PGP by Arrogant-Bastard · · Score: 5, Insightful

      Gateways are NOT a "compromise": they are total failure. That say to the world "we care about the appearance of security/privacy/integrity; we just can't trouble ourselves to actually, really, truly, provide those things."

      Speaking as someone who's taught Gladys from accounting how to use mutt and GPG -- several thousand Gladys, actually -- it CAN be done. It requires effort, it requires time, it requires budget: but it can be done. Consider it an investment: is it better to spend these resources on Gladys, our valued employee, or is it better to spend these resources on a vendor?

  3. email encryption gateways by nimbius · · Score: 5, Insightful

    seem like a gimmick. taking steps like ensuring your MTA always delivers using a TLS connection is probably the most interoperable decision, seeing as endpoint encryption requires two mta's to be using the same hardware or software to encrypt/decrypt, assuming its PKI. endpoint encryption raises big questions like at what point does the message become decrypted? where are keys stored? how do you independently verify key integrity or revoke keys that have been compromised? is there a 'barracuda back door?' and can the system be arbitrarily bypassed. These tend to be the kinds of questions that force vendors to seem standoffish or unprofessional because they dont know the answers.

    if you need real crypto, then use an open standard thats auditable and verifiable. assign keys to users, and revoke them when they become compromised or the employee leaves. you might consider configuring your mailserver to reject unencrypted messages, which can be detected using spamassassin or plain regex to ensure compliance. Make sure the stakeholders on your end are well informed as to the SLA and method/type of crypto being employed (TLS tunnel vs actual message or even both.) Encrypted messages have the potential to make collaboration cumbersome if not outright impossible without defeating the crypto at some point, while encrypted gateways can cause problems in the event certificates are checked against an authority for self-signature, or expiration. its also worth nothing once again that just because an email system is encrypted, does not mean you will receive less UBE (spam) or phishing attempts (in fact a compromised key makes these attacks far more effective.) encrypted email by nature also requires you to reveal envelope headers in plaintext, and does not excuse a mail administratior from considering or employing SDF and DKIM signatures.

    disclaimer: ive done email for more than a decade for search engine companies.

    --
    Good people go to bed earlier.
  4. Not really the best practice by Bruce+Perens · · Score: 5, Informative

    Rather than an encryption gateway, having your email client handle encryption avoids the problem of man-in-the-middle attacks between the gateway and the client.

    I don't have much reason to encrypt, but Thunderbird has my certificate installed and does my digital signing. This is not unusual for a modern email client.

    --
    Bruce Perens.
  5. Re:gmail by Anonymous Coward · · Score: 5, Interesting

    I love the idea of those places running things in house, but in my experience, specifically with law firms, they do not even when they are big enough for it to make a huge difference. They are also some of the most technologically misinformed and lazy people I have met. I've got three really good examples of this.

    First example is Dropbox and other services like it. A local attorney was in a big surprise when Dropbox complied with a subpoena and turned over all documents they had that the attorney and his client had uploaded to their dropbox accounts. The court had a special master review them for confidential information and turned over a ton of documents and data. Suffice it to say, they "lost" the divorce case when the information included pictures of a second home (complete with GPS coordinates), multiple cars and other hidden assets.

    The second is that many solos and small firms (about 40% of practicing attorneys) use the email service provided by the state bar association. The email service that does not have SSL or TLS support. Webmail, pop3, IMAP, SMTP, LDAP and the rest are all unencrypted. When I asked the tech guy at the association about why it was unencrypted, he pointed me to the board minutes, where at every meeting, they refused to approve a certificate because, as one put it, "it was a waste of money." During an experiment conducted at a legal education program (which I'll detail below), they came up with quite the large amount of information.

    The third is the experiment I mentioned. At a legal education program, they partnered with a security group and they set up a device to log all the attempts to connect to wireless networks as well as real access points. The access points were protected by WPA2, but the password was given with the materials. It then had a screen presented with a TOS and privacy policy that they had to agree to before being granted access. The TOS gave all this away and included a button to click so we could see how many people actually read them (the people who clicked saw a stat page, which included a bar graph so you could see it over time). The access point was setup to log all the traffic (which ended up being gigabytes of data, they said, due to all the videos people watched) as the traffic came in. They then analyzed it for key words and statistics. A team of attorneys and people from the ethics committee cleared all the info that was presented in the speech about safety and being careful online. They talked about all the video, and news people checked, and then it slowly got more personal. They started referencing people's email, a snippet of a person's VOIP session and a document uploaded to some service. They then talked about safety steps like TLS, truecrypt and being careful and that you need to check that you are connecting to who you think you are as well as other things. The best part was right at the end, the speaker said "Jody wants you to remember to pick of a pizza on the way home," and about 25 people all went for their phones to see if they were talking about them. Incidentally, after the presentation, encrypting the bar association's email was added to their 5-year plan for year 5(!), but I guess it is better than nothing.

    Last thing I will note is the mixed advice. For example, the latest, or maybe previous issue, of the ABA magazine had an article detailing the dangers of the cloud, especially dropbox as it is unencrypted, they keep your files after you delete them, and you can get them anywhere. Less than 20 pages later was an article that declared dropbox a "MUST HAVE" app for any attorney for the exact same reasons that the previous said were dangerous.

  6. Then I can't (won't) read email from you. by Ungrounded+Lightning · · Score: 5, Informative

    Cisco IronPort. We use it and rely on it heavily for secure emails regarding pii for our pension fund.

    Then I can't (won't) read any email you send me.

    To read Cisco IronPort mail you must install software from Cisco.

    To install the software from Cisco you must sign an EULA - which makes a BIG POINT of being a binding contract.

    The EULA has anti-reverse-engineering terms that, were I to sign them, would (IMHO) make me unemployable in the computer security field.

    Therefore I will not install the software.

    Therefore I cannot decrypt "secure" email you send me.

    Therefore I will not do business with your company.

    Do you REALLY want to FORCE your clients to CONTRACT WITH A THIRD PARTY and SIGN AWAY THEIR RIGHTS in order to exchange important email with you?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way