Products to ensure e-mail security

September 21, 2001

WITH THE RISE of e-business, companies face an ever-increasing need to transmit confidential and sensitive information via e-mail, but tools to provide encryption have unfortunately been complex in implementation and use, inhibiting their take-up.

But help is at hand from security vendors such as ZixIt, Tumbleweed Communications, and PrivateExpress, which are providing the tools necessary for customers to deliver and receive encryption-wrapped e-mail complete with certified receipt and browser-based authorization mechanisms. This will fulfill a pressing need, according to many.

"From a technocrat to a business applications guy, [a user] wants all the security in the world behind the [e-mail delivery] icon, but he doesn't want to go through a lot of pain to use it," says Tom Nicewarner, CIO of Houston-based gas behemoth Conoco.

Nicewarner says that sensitive material sent over the Internet must be proactively safeguarded. Due to the sheer number of e-mails sent out on a daily basis, incorporating ease of use into that function is paramount.

To answer this need, Conoco has deployed ZixMail from ZixIt to a large proportion of its 19,000 employees worldwide, many of whom share kiosks on oil refineries, and is conducting a pilot with ZixMail in Europe to confirm encrypted online trades and transactions.

ZixMail sends e-mail to subscribers and nonsubscribers through a 1,024-bit encrypted desktop client or via an SSL (Secure Sockets Layer) Web browser connection. It's compatible with e-mail systems including Outlook, Lotus Notes, AOL, Yahoo Mail, and MSN Hotmail, according to Ted Hull-Ryde, vice president of product strategy at Dallas-based ZixIt.

This week ZixIt will introduce its mass-volume e-mail automation ZixBlast and policy-oriented ZixVPM (Virtual Private Mail) solutions, both of which build on the ZixMail product. Hull-Ryde says ZixBlast scales ZixMail from a single sender-to-sender model to bulk or batch proportions, for instance, to distribute and track digitally signed and encrypted e-mail bank statements or financial notifications.

ZixVPM moves ZixMail from the desktop to the server arena, allowing administrators to set e-mail policy definitions and remove the burden of implementing and managing PKI (public key infrastructure) technology, Hull-Ryde adds.

Taking a different approach is PrivateExpress, with its E-mail Gateway service, a hosted e-mail application that operates using a two-factor authentication method. Users of the service are issued x.509 digital certificates and public and private keys through security vendor Entrust, and neither the user's password nor their issued PKI keys are stored online. Each document is encrypted with a 168-bit Triple DES symmetric key, whereas passwords bear a 1,024-bit RSA key of the recipient. Messages are delivered through a pair of VPN tunnels between the sender's -- and recipient's -- location and the PrivateExpress Operations Center.

Richard Ormand, president and CEO of the San Mateo, Calif.-based company, says the PrivateExpress E-mail Gateway service, which is primarily designed for large-scale e-mail dispersal, also offers policy management, virus scanning, and content filtering. Other PrivateExpress user messaging options feature an API solution, a desktop encryption service, a government procurement offering, and secure Web access via any Windows browser, Ormand says.

The gateway works with leading e-mail systems including Outlook, AOL, Yahoo Mail, and Hotmail, and can be integrated directly into an existing network infrastructure for central management. In late August, PrivateExpress E-mail Gateway compatibility was upgraded to include GroupWise, Lotus Notes, and SendMail e-mail systems.

Other vendors are taking e-mail security one step further by combining encryption technologies with another pressing security need: protection against e-mail-borne viruses.

As part of its Messaging Management System, Tumbleweed Communications grants users control over the full plate of incoming and outgoing e-mail traffic through its Tumbleweed Secure Public Network (SPN) and Tumbleweed Secure Redirect products.

Tumbleweed SPN incorporates set policy definitions toward e-mail that is given access to travel over the secure network. The e-mail is then stapled with S/MIME encryption to create a protected channel between a company and its business partners, say officials of the Redwood City, Calif.-based vendor. In turn, Tumbleweed Secure Redirect is designed to secures messages to e-mail recipients outside of the protected "hub." Alongside its encryption capabilities, Tumbleweed offers content filtering, virus scanning, access control, spam detection, and digital signature policy functions.

CipherTrust's new IronMail security appliance is said to safeguard e-mail within and outside the enterprise. The product, which sits between the firewall and mail server, requires that no software be installed on the e-mail client of choice, and protects messages using SSL encryption, says Lawrence Hughes, CTO and co-founder of CipherTrust in Alpharetta, Ga. Also offering virus scanning and content filtering, IronMail works with e-mail servers Microsoft Exchange, Lotus Notes, Sendmail, Groupwise, Netscape Messenger, and Eudora e-mail clients.