Buyer's Guide to Secure Email
Securing your email is a textbook process: understand the risks, analyse your
requirements, research the solutions, and make your choice.
The risks
Insecure email can
• allow confidential, sensitive or valuable information to get into the hands of the wrong people (competitors, blackmailers, etcetera)
• carry malware (viruses, worms, spyware) into your network to infect your systems
• carry malware (viruses, worms, spyware) out of your network to infect other systems
• deliver junk mail to your staff in such large numbers that it can reduce the efficiency of your network, clog up your servers, and waste the time of your employees
• potentially make you legally liable for any illegal content generated by members of staff and circulated within or outside of your network
For each of these risks we need to apply a monetary value: how much will it cost us if
the risk is realised? If there is no cost, then there is no risk. If there is a catastrophic
risk, then we need to take immediate steps to eliminate or reduce that risk.
Analyse your requirements
Only when you fully understand the risks can you analyse your email security
requirements - and eliminate any associated risks. This is straightforward risk
assessment. The purpose is to decide whether you should
• avoid the risk
This choice is easy - if you wish to avoid all risk associated with the use of email, you simply avoid using email.
• accept the risk
This choice implies that any potential loss from the risk is likely to be less than the cost of preventing the risk.
• transfer the risk
This choice is useful when you can transfer the risk elsewhere. A liability transfer clause in a contract document is a good example: the contractor seeks to transfer any liability risk to the contractee. Where the risk can be quantified in a monetary value, the usual method of transferring the risk is to use insurance: the risk is transferred to the insurer (who may subsequently seek to transfer some of this risk to other insurers through the process known as re-insurance). This is only a valid choice when the cost of the insurance is significantly lower than the cost of the loss caused by the risk. In reality, insurance companies tend to insist that you accept some of the risk yourself (the 'excess'), and that you take some steps to further mitigate any potential loss (for example, through the use of specific security software, or a particular wording in the company security policy).
• mitigate the risk
This choice involves making the likelihood of loss from the risk less than it would otherwise be, and taking steps to ensure that any loss that does happen is minimal. This is the area that is usually meant by 'computer security' - it is the use of security software, security training, and security policies to protect your assets as far as possible from all known risks. 'Good' security is not necessarily the maximum possible security; it is the best possible security commensurate with the value of potential loss. If the cost of mitigation is more than the value of any loss, then that is bad security.
©2006 ITSecurity.com, all rights reserved.
Once we know the risks involved, and have quantified the effect of any potential loss
through that risk, we can decide which of the four choices to apply. There are no hard
and fast rules. Cause, cost and effect will be different for different companies. So
what to do to obtain the right level of email security will depend on what you are
likely to lose and what you can afford to spend.
Secure email solutions
So far in this process, we have looked at the risks posed by email, and the choices we
have to tackle those risks. We now need to look at some of the solutions on the
market. First of all, there are products that will help you develop a solid security
policy for use within the company and by your employees; and there are other
products that will help with security awareness training. Neither of these can be called
secure email products - nevertheless you must have both in place before any secure
email products you also install can be used to their maximum effect. Misuse by staff
can completely nullify the effect of security software; so you need to take other steps
to ensure there is no misuse.
Loss of confidential information
You can only be sure that this will not happen if you encrypt your emails. This way,
even if someone intercepts the emails, he or she simply cannot understand the
content. Encryption involves garbling the content to such an extent that it is
completely unintelligible to anyone trying to read it. Encrypted text can only be
decrypted with the use of a special code known as the key. There are plenty of
excellent products that can do this encryption and decryption: the difficulty is in
managing the keys. For example - just one of the problems - let us say you wish to
send an encrypted message to a new contact. That means you will also need to send
that person the key. How do you do that in a secure manner? If the key falls into the
hands of an attacker, the attacker will be able to decrypt any and all messages he
manages to intercept. You could, of course, encrypt the key and send it to your
contact - but then you'll need some method of also sending a key to decrypt the
encrypted key for the original message. And this is just for one person. Multiply this
by the many contacts you need to email, and you'll see the problem.
There is an excellent tried and tested solution: public key encryption. For this you
need specialist software that provides the full public key infrastructure (PKI) that
manages the keys. It is very secure - but it can also be very expensive. This is
potentially a good solution for large companies with large budgets and a need for very
secure email.
There is an alternative free solution - the original free PGP (Pretty Good Privacy)
software developed by Phil Zimmermann. This is free and provides encryption security
comparable to that of PKI; but frankly it is not easy to implement and manage. This
would be a good solution for a company with a high degree of computer savvy. There
are also commercial versions of PGP that reduce the difficulty and complexity - but at
a cost.
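To make the key-distribution argument above concrete, here is an added teaching example (not code from the guide, PGP, or any product it lists) of the hybrid scheme that both PKI and PGP products use: the recipient publishes a public key, and the sender wraps a fresh per-message key under it, so no secret ever has to be carried to the contact over a separate secure channel. The example assumes nothing beyond the Python standard library; textbook RSA and a SHA-256 counter keystream stand in for the padded RSA and AES that real products use, purely to keep the example dependency-free.

```python
# Added teaching example: hybrid public-key email encryption.
# Not the guide's or any vendor's code. Textbook RSA (no padding) and a
# SHA-256 keystream are used only so the example runs with no dependencies;
# real PGP/PKI software uses padded RSA or elliptic curves plus AES.
import hashlib
import hmac
import os
import random

_SYS_RNG = random.SystemRandom()  # OS entropy, not the default PRNG


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):  # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _SYS_RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: n is composite
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the expected size."""
    while True:
        candidate = _SYS_RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). The public half can be published to everyone."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


def _subkeys(message_key: bytes):
    """Derive separate encryption and MAC keys from the per-message key."""
    return (hashlib.sha256(b"enc" + message_key).digest(),
            hashlib.sha256(b"mac" + message_key).digest())


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric part: XOR with a SHA-256 counter keystream (stand-in for AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_for(public_key, plaintext: bytes):
    """Sender side: needs only the recipient's *public* key, nothing pre-shared."""
    n, e = public_key
    message_key = os.urandom(32)  # fresh random key, used for this message only
    wrapped_key = pow(int.from_bytes(message_key, "big"), e, n)  # RSA key wrap
    enc_key, mac_key = _subkeys(message_key)
    ciphertext = _keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()  # tamper check
    return wrapped_key, ciphertext, tag


def decrypt_with(private_key, wrapped_key: int, ciphertext: bytes, tag: bytes) -> bytes:
    """Recipient side: unwrap with the private key, verify the tag, then decrypt."""
    n, d = private_key
    key_int = pow(wrapped_key, d, n)
    if key_int >> 256:  # a wrong private key yields garbage that does not fit
        raise ValueError("unwrap failed: wrong private key")
    enc_key, mac_key = _subkeys(key_int.to_bytes(32, "big"))
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong private key")
    return _keystream_xor(enc_key, ciphertext)


if __name__ == "__main__":
    recipient_public, recipient_private = generate_keypair()
    wrapped, body, mac = encrypt_for(recipient_public, b"Q3 forecast attached")
    print(decrypt_with(recipient_private, wrapped, body, mac))
```

The point to take from it is the one the guide makes: the sender needs no secret at all, only the recipient's published key, and each message gets its own throwaway key, so intercepting one message's key reveals nothing about the others. What the example does not solve is the part the guide says is hard: knowing that the public key you downloaded really belongs to your contact, which is exactly what a PKI (certificates) or the PGP web of trust exists to manage.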
Individuals looking for encrypted emails are unlikely to be able either to afford, or
simply to manage, either of these solutions. So individuals with only average computer
literacy will need to look elsewhere. One thing I would counsel here is that you
simply avoid any of the low cost secure email solutions that tell you, when you ask
them, 'we use a proprietary encryption algorithm so that we know it's secure.' The
only encryption algorithm worth using is one that is open to peer scrutiny: something
like (but not limited to) AES, RSA, IDEA, 3DES, Blowfish, RC4...
The solution for individuals with a need for only occasionally encrypted emails
would be to use one of the many web-based secure email offerings.
Infection by malware
Emails can carry attachments; and attachments can carry viruses, worms, Trojans,
spyware and more. The easiest way to avoid infection by email-borne malware is
never to open an attachment that you are not convinced is safe. But we all make
mistakes - so don't rely on this. The solution here is to use anti-malware software:
anti-virus, anti-spyware, and (for the individual) a personal firewall. But be sure to
choose products that check both incoming and outgoing emails - that way you will
avoid infection, and avoid infecting others.
Larger companies can achieve the same effect by the use of one of the new UTM
(unified threat management) products. This will probably be a device that sits at the
perimeter between the internal network and the external internet, providing a firewall
and anti-virus (and quite probably other technologies as well), in a single product.
Avoiding junk email
The sheer volume of junk email (spam) is staggering. Webmail providers such as
Hotmail, Google and Yahoo, and the ISPs themselves, are getting better at screening
out junk mail. And there are many commercial and some free products that will do
the same for you. But the problem with spam filters is that they might just interpret a very
important message as spam - and dump it. More likely they will filter it out
and put it into a spam folder - but that means that you must remember to check your
spam folder on a regular basis - and most of us occasionally forget to do that. So the
ultimate choice here is: how important is it that you don't miss any incoming emails?
The more important this is, the more spam you'll have to live with.
Illegal content
There is an increasing likelihood that you can be held responsible for the content of
emails on your equipment. And of course, if you are an individual using a private
computer, then you simply are responsible for the content. The only real solution here
is some form of content filtering. It checks the content of email as it passes, looking
for dubious content - usually obscene words or phrases that indicate a confidential
document. This may be affordable for larger companies; but is unlikely to be a
reasonable solution for individual users. In the latter case, the only viable approach is
good old-fashioned vigilance.
Conclusion
And there you have it. Understand the risks that are created by insecure email; decide
whether to avoid, accept, transfer, or mitigate those risks; and only then look for the
products that will fulfil your choice. You could start by checking through the
following...
• Aladdin: Mail Security; eSafe Mail protects all incoming and outgoing SMTP and POP3 traffic
• BlackSpider: BlackSpider Security Services; on-demand and modular security services protect against email and web based threats
• Borderware: MXtreme; a comprehensive email security, privacy and compliance solution that enables organizations to prevent inbound threats, control outbound content and centrally manage an email infrastructure
• CertifiedMail.com Inc: Managed Security Service; secure email in minutes without the need for in-house software or hardware
• CertifiedMail.com Inc: Secure Email API; provides everything you'll need to rapidly integrate secure email into your desktop, server and portal applications
• CertifiedMail.com Inc: Secure Email Software; for integrating secure email and large file transfer into your existing infrastructure
• CipherTrust: CipherTrust Edge; an additional layer of security at the network perimeter to protect against spam, viruses and zombies before they reach the enterprise network
• CipherTrust: CipherTrust Hosted IronMail; provides all the benefits of IronMail for those enterprises that prefer to outsource the management of e-mail security
• CipherTrust: CipherTrust IronMail; inbound threat protection against spam, viruses, phishing, zombies, and intrusions
• Comodo: Digital Email Certificates for businesses; personal digital certificates
• Comodo: EPKI Manager; an outsourced, managed PKI
• Counterpane: Email and Web Scanning; provides email continuity and attack protection, and protects against malicious web content
• Cryoserver: Cryoserver; forensic archiving and compliance solution for email, instant messaging and other electronic records
• Email Systems Ltd: Email Protection (managed service); provides defense against all email threats including viruses, spam, malware, denial of service attacks and directory harvesting
• Entrust: Anti-phishing; identity theft protection for users
• Entrust: Content Filtering; solves spam, virus, regulatory compliance, and harassment and phishing issues
• Entrust: Email Compliance; corporate policy compliance, IT policy compliance and government regulatory compliance
• Entrust: Email Encryption; corporate email security for Microsoft Outlook, Lotus Notes and BlackBerry
• Entrust: Secure Email Gateway; protects your electronic boundary
• Entrust: Secure Web Mail; makes it possible to protect email going outside of your organization
• Essential Security Software: Taceo; an email and document security software solution
• Firetrust: MailWasher Pro; anti-spam software
• GFI: MailArchiver; email archiving of internal and external email
• GFI: MailEssentials; anti-spam for Exchange, anti-phishing and email management
• GFI: MailSecurity; email anti-virus, content policies, exploit detection and anti-trojan
• Gpg4win: Gpg4win; includes GnuPG (a free software re-make of PGP’s personal encryption suite), and more
• Hushmail: Hushmail Business; send and receive secure email for your own domain; customize webmail with your own brand and colors
• Hushmail: Hushmail Free! exchange secure email with any email address; includes spam filtering & virus scanning
• Hushmail: Hushmail Premium; send and receive email from your desktop; receive encrypted email from your website
• IBM: E-mail security management; IBM managed security services can provide a variety of e-mail security options
• IronPort: Email Security; email security appliances to protect the email systems of enterprises of all sizes
• LuxSci: Email Hosting Services; email hosting, secure WebMail and spam filtering for corporates, business, and individuals
• Message Partners: MPP Email Archival; provides email archival that is straightforward, simple, scalable and fully searchable
• Message Partners: MPP Email Virus Protection; protection from email borne viruses, spyware, trojans, worms and malware
• Message Partners: MPP Filtering Content in Email; powerful tools to control and filter content in email headers, bodies and attachments
• Message Partners: MPP Policy Engine; a scalable way to create per-domain, per-group or per-direction configurations
• MessageLabs: Email Recover; fully managed archiving service guarantees secure storage of corporate email
• MessageLabs: Email Control; content control, image filtering and advanced email management services
• MessageLabs: Email Protect; multi-layered anti-spam, anti-virus and anti-phishing email services
• MessageLabs: Email Secure; fully managed guaranteed boundary-to-boundary email encryption services
• Mirapoint: ComplianceVault; passively and discreetly copies all messages sent or received, indexes them and places them into a permanent archive
• Mirapoint: Message Server – SMB Bundle; appliance offering rich mail, calendaring, group scheduling and address book, coupled with integrated anti-virus and anti-spam
• Mirapoint: Message Server; access email via WebMail from any desktop that has a browser, or via any standards based email client including Outlook
• Mirapoint: RazorGate - MailHurdle Edition; blocks up to 80% of threats at the network edge
• Mirapoint: RazorGate; appliance with multi-layered protection from spam, virus and hacker attacks
• MX Logic: Email Defense Service; managed email defense service
• PC-Encrypt Inc: A-Lock; secures the email you type
• PGP Corporation: Series 100; gateway-based email encryption that’s easy to deploy and transparent to users
• PGP Corporation: Series 200; centrally managed PGP Desktop encryption for end-to-end protection of email, files, disks, and IM
• PGP Corporation: Series 500; integrated gateway and PGP Desktop end-to-end encryption for email, files, disk, and IM
• Postini: Email Security & Management; email security and management for the enterprise
• Postini: Integrated Message Management; suite of managed services for all types of enterprise messaging
• Postini: Message Encryption; policy-based, practical solutions for email encryption
• Proofpoint: Proofpoint Messaging Security Gateway; combines MTA with perimeter security, anti-spam, anti-virus, secure messaging and outbound content security
• Qualcomm: Eudora; popular email client for Windows and Mac
• Sendmail: Mailstream Envelope Encryption; an easy to deploy and use secure email solution that delivers encrypted email messages to any email inbox regardless of the computer platform or email client
• Sendmail: Mailstream Flow Control; protects against DOS, DDOS, and Directory Harvest Attacks (DHA) on enterprise messaging, groupware and directory infrastructures
• Sendmail: Mailstream Gatekeeper; integrated email gateway solution providing email firewall protection against session-level and content-level security threats, and ensuring compliance and centralized policy enforcement for all inbound and outbound email traffic
• Sendmail: Mailstream Governor; integrated email governance solution providing centralized policy management and quarantine capabilities
• Sendmail: Mailstream Guardian; email perimeter gateway solution that stops unwanted email before it enters the network
• Sendmail: Mailstream Manager; provides centralized policy management and comprehensive content scanning of inbound, outbound, and internal email
• Sendmail: Mailstream Switch MTA; secure, scalable, and reliable routing for email networks of all sizes and complexity
• Sendmail: Sentrion Gatekeeper; protects email networks from spam, viruses and phishing attacks
• Sendmail: Sentrion Guardian; an appliance that provides routing and traffic control capabilities that protect against email dark traffic attacks like denial-of-service or directory harvesting
• SoftScan: SoftScan hosted solution; an advantage of using a hosted solution is that potentially dangerous virus and spam mails are routed to external servers for quarantine, and never enter your system
• Sophos: The ES4000 Email Security Appliance; an appliance providing high-availability security for enterprise email networks
• Trend Micro: Hosted email security services; removes spam, viruses and other Internet threats before they can enter your gateway
• Tumbleweed: MailGate; provides centralized control - inbound and outbound emails require common management, threat protection, content filtering, and reporting
• Verisign: Digital IDs for Secure Email; instead of risking disclosure of your private emails, safeguard them with a Digital ID
• Vircom: ModusGate Appliance; an email assurance gateway designed to fit seamlessly with existing Microsoft Exchange or other email servers
• Vircom: ModusGate; a comprehensive secure email gateway
• Vircom: ModusMail; anti-spam mail server, integral email internet virus protection, and email assurance
• Voltage: Voltage Policy-Based Secure Messaging; enables enterprises to automatically and dynamically apply encryption and enterprise privacy management policies
• Voltage: Voltage SecureMail Gateway Server; allows enterprises to enforce rules to ensure compliance with regulations such as GLB, HIPAA, and SOX
• ZixCorp: ZixDirect; delivers messages directly to the inbox without requiring client software
• ZixCorp: ZixMail; a quick-click solution that enables users to send and receive encrypted emails
• ZixCorp: ZixPort; a secure Web portal that enables encrypted emails to be sent and received through a branded Web site
• ZixCorp: ZixVPM; a server-based solution that ensures customer privacy and regulatory compliance through policy-based email encryption
For more information about email security and all aspects of IT Security, visit
ITSecurity.com.