Problem: Email Encryption Vendor Selection

Does anyone have any recommendations for a reputable vendor of a hosted or behind-the-firewall email encryption solution? If so, could you give me a brief summary of your experience and some information on the end-user experience (e.g. easy to use, intuitive?)

Much Appreciated!!


Solution: Email Encryption Vendor Selection

I admit I find the question a bit vague too.

Here is the comment I made to a similar question a few days ago, focused on sending secure email:
First step is to see what the receiving companies can handle – the choices really boil down to:

1) TLS encryption (encrypted channel from your server to theirs)

This is pretty commonly supported, requires *no* configuration at the Outlook client (all done by the server) and is built into Exchange 2003 (I am not sure that 2003 can *insist* on TLS though, while 2007 can). For this, you set up a second SMTP route for JUST the specific mail domains involved, and make sure that connector uses TLS. This requires a digital certificate at the recipient's mail server.

2) S/MIME encryption

This is built into Outlook, and requires a digital certificate very similar to the ones used for webservers (and renewable periodically). Unlike webservers, the recipient (not the sender) must buy or create the key, and get that to the sender by some method. Once in the Microsoft keystore on the sender's machine, the sender can encrypt the entire message (including the attachments) by hitting an encrypt button that appears on the compose mail dialogue box. There is a more complex system called PGP (or OpenPGP, or GPG) that requires installing software to use, and works similarly.

3) proprietary web-based systems

There are a few solutions out there (Cisco's IronPort PXE is considered one of the better ones) that use a web "oracle" service to provide key management and decryption. Those are effective, and not recipient-led (which is the weakness of most encryption systems), but are quite expensive.

As I say, ask your recipients what they can support – most of the heavy lifting and key management has to be done by them anyhow, and once *you* have their public key, you can push it out to whatever machines need it.
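The answer's first step for option 1 is finding out whether a partner's mail servers support TLS. Here is an added Python example (not from the original thread) that parses an SMTP EHLO reply for the STARTTLS extension and, with network access, probes a live MX host with certificate verification enabled; the EHLO replies and the `mail.partner.example` host name are constructed sample values.

```python
"""Check whether a partner's inbound mail server advertises STARTTLS."""
import smtplib
import ssl

# Constructed sample EHLO replies, in the bytes form smtplib.ehlo() returns:
# first line is the server greeting, one extension per following line.
SAMPLE_EHLO_WITH_TLS = b"mail.partner.example\nSIZE 52428800\nSTARTTLS\n8BITMIME"
SAMPLE_EHLO_NO_TLS = b"mail.legacy.example\nSIZE 10485760\n8BITMIME"


def parse_ehlo(ehlo_message: bytes) -> dict:
    """Return {EXTENSION: parameters} from an EHLO reply, greeting line dropped."""
    extensions = {}
    for line in ehlo_message.decode("ascii", "replace").splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            extensions[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return extensions


def tls_route_allowed(domain: str, ehlo_message: bytes, tls_required: set) -> bool:
    """Model the 'separate connector that insists on TLS' for listed domains:
    mail to a TLS-required domain may only go out if STARTTLS is offered."""
    if domain.lower() not in tls_required:
        return True
    return "STARTTLS" in parse_ehlo(ehlo_message)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check (needs network, not run offline): EHLO the server and, if
    STARTTLS is offered, negotiate it with hostname and chain verification on."""
    result = {"host": host, "starttls": False, "tls_ok": False, "error": None}
    context = ssl.create_default_context()  # verifies cert and hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, message = smtp.ehlo()
            result["starttls"] = "STARTTLS" in parse_ehlo(message)
            if result["starttls"]:
                smtp.starttls(context=context)  # raises if verification fails
                result["tls_ok"] = True
                result["cipher"] = smtp.sock.cipher()[0]
    except OSError as exc:  # smtplib.SMTPException is an OSError subclass
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print(tls_route_allowed("partner.example", SAMPLE_EHLO_WITH_TLS, {"partner.example"}))
```

A server that offers STARTTLS only proves the channel can be encrypted; whether the recipient's connector actually enforces it on their side is something to confirm with them, as the answer says.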