Beyond PGP: A New Method for Securing Email

The most common method of securing e-mail is the old stand-by: PGP. Anyone can use PGP to ensure that messages are secure and only being read by those who were intended to read them.

PGP has its disadvantages; the most obvious is ease of use, especially for large environments. This isn’t necessarily a user-friendly option and is an add-on that users have to install onto existing e-mail programs. And because of its decentralized nature, there is still the inherent risk of imposters claiming to be someone else.

An additional disadvantage becomes apparent when messages need to be sent to multiple people. Because of the nature of PGP and using public keys to encrypt, again we run into another snag. For individuals working with more than a handful of recipients, it is a time-consuming and user-unfriendly option.

Lastly, what if I’m on the road and don’t have my laptop with me? I have to have some method of transporting my private key around and I need to be able to have a machine with PGP installed along with all the public keys of those I communicate with along with me. This isn’t always viable, even in this day and age of mobile computing. Where are my keys?

So, the idea of secure e-mail went through another variation. What if we agreed on a password and that password would be what encrypted the e-mail? Nice concept. Very easy. But, how do we get the password agreed upon and send it? Well, that’s what PKI is for and thus begins the road down to public certificates and such. And I might have multiple recipients. Again, not user friendly. Maybe Web-based?

What about using a web-based solution? Everyone has a browser, right? And we could use SSL to ensure that the messages are sent securely. That’s the answer. Isn’t it? Well, we do run into the issue of space. The reality is the message is still stored, somewhere. And that might cause problems.

In addition, we now have a central point of failure. If the server goes, so does all my important data. Of course there are backups but that might take time to recover from and it may not have my important file.

Our biggest stumbling block with secure e-mail is the transmission of the key. What if there was a way to securely provide a key that would allow someone to read an encrypted message? Well, that’s where Sigaba comes in.

Named after the encryption machine from World War II, Sigaba brought securing messaging to a user-friendly yet safe environment. Their primary product is the Sigaba Secure E-mail environment.

Rather than replacing existing e-mail options, this server (or rather gateway) sits in front of the e-mail server and provides mechanism by which the e-mail is encrypted. A keyserver issues out keys to recipients and/or senders to encrypt/decrypt e-mail with. An authentication server rounds out the environment by allowing for authentication through a variety of methods.

The interesting thing is that the keyserver never sees any of the e-mails. It only sees the keys issued and used. This issuing of keys, based on public key certificates, adds the ease of use as well as the security that one needs to ensure that integrity are met.

Add to this the flexibility to create policies that fit the need of the company specifically and it becomes a very powerful. With Sigaba I can specify that all e-mails going out of my LAN must be encrypted while LAN messages are not. I can specify that all the CEO’s messages are encrypted as are those between the finance department and the bank.

This kind of granular control ensures that to the user, the encryption is done transparently. I can even give a user the option to encrypt even if the policy doesn’t require it.

The encryption can be performed a variety of ways. I can use gateway-to-gateway for intracompany setups or between partners. I can also use gateway-to-recipient for when I deal with users outside of my normal operations. And I can make it easier for them to interact with me by simply installing a plug-in for their e-mail program (most major e-mail programs are supported including the Outlook family, Eudora, Groupware, Lotus Notes, Hotmail and Yahoo mail).

Further, to control who knows what I know, I can limit who can see the message by who will be allowed to use the key. If a message-forwarding attempt is made, the new “unintended” recipient will be unable to open the message since they were not on the list of intended recipients.

This will allow for more control over what information is leaving a company. And given that the 2003 CSI/FBI Computer and Network Security Survey indicates that about $70 million was lost due to theft of proprietary information, this kind of option is one that will appeal to keepers of the bottom line.

The most appealing aspect of the product was that rather than replacing an existing and well-known e-mail server, this simply adds to the e-mail environment. And it can be used on a variety of platforms (Linux, Solaris, Windows), which allows for flexibility and little in the way of additional training. In fact, it can be setup in a short period of time (about half a day) and be up and running quickly and transparently.

And without having to re-inventing the wheel, Sigaba partnered with Trend Micro for anti-virus checking of messages and Proofpoint for filtering out spam. The gateway server can filter messages for inappropriate language if need be. This allows administrators to employ appropriate e-mail policies for company image and quality assurance. Pricing is competitive with other secure e-mail offerings.

What a refreshing concept to have secure, user-friendly communication. Especially for larger environments where communication has long ago evolved beyond simple grunts, indecipherable or not.

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.