Make E-mail Encryption EffortlessBy David Strom | Posted 2009-12-08 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
The business case for e-mail encryption is compelling: Enterprises need to protect corporate and customer data, and the latest encryption products are easier to manage, implement and use.
E-mail encryption certainly isn’t new, but as more companies come under fire for leaking customer identities or privileged information, encryption is increasingly essential for doing business—and possibly for staying in business. The business case for encryption is even more compelling because the latest products are easier to manage, implement and use in daily e-mail activities. Here are four issues involved in getting encryption deployed across the enterprise.
1. Don’t assume that all your users know that ordinary e-mail isn’t private. Encrypting e-mail ensures that information is not “sent out in the wild and stolen,” says Brad Blake, IT director for the Boston Medical Center. “I am amazed at people’s lack of awareness at how e-mail works,” he says. “Our senior clinicians, in particular, have some trouble, and part of patient care is to secure their records and identities.”
Karl Anderson, the network security manager at the Ann Arbor, Mich., headquarters for Domino’s Pizza, agrees. “A lot of our users still think sending an e-mail is the equivalent of sending a letter in a sealed envelope,” he says. “They don’t realize that anyone can read it, just like a postcard. They don’t know there are many points along the path across the Internet where their messages can be easily viewed.”
Part of the challenge is finding a solution that will work widely for all messages sent and received. “It is not acceptable to need multiple-vendor technologies or different secure messaging solutions when we have to interoperate with our business partners,” says Ken Patterson, chief information security officer at Harvard Pilgrim Health Care in Wellesley, Mass.
The nonprofit health care organization evaluated eight suppliers before picking PGP’s Universal Encryption Solution for their 2,000 staff members using Lotus Notes. “For me, the issue is, you are sending sensitive information to an ISP, where that e-mail is going to sit on their server, and you don’t know how well it is secured,” says Patterson. “That is a much bigger risk than being intercepted in transit across the Internet.”
2. Know the right time to add encryption. Sometimes, you can deploy encryption as part of an e-mail upgrade or migration, or when you are adding features, such as data-leak protection.
For example, Domino’s was using Novell’s GroupWise for about 1,000 users and realized that encryption was necessary to protect the communications involving the employment information that’s transmitted between its stores and its outside benefit providers. The restaurant chain began deploying Proofpoint and Voltage’s encryption products while still on GroupWise because it planned to work with both GroupWise and Microsoft Exchange/Outlook when the company upgraded later, Anderson explains.
Domino’s new system, set up to automatically encrypt any message that contains a credit card or Social Security number, was easily implemented, according to Anderson. “We hardly ever look at the Voltage administration console because it is so effortless,” he says. “One time we had a problem with an expiring certificate that needed to be renewed, but that was about it.”