Consider Adding an Encryption Module
By David Strom | Posted 2009-12-08
The business case for e-mail encryption is compelling: Enterprises need to protect corporate and customer data, and the latest encryption products are easier to manage, implement and use.
3. Consider adding an encryption module as part of your existing messaging infrastructure. This was the case with Lovitt & Touche, which needed a way to deliver protected health information to its clients via e-mail. The Tucson, Ariz.-based benefits insurance company examined a variety of encryption solutions, but they didn’t meet its needs. One “was a lot of trouble to set up and required multiple calls to their support center,” says IT Manager Ian Crawford. Another system was too expensive, he adds.
Since Lovitt & Touche was already using a Sophos appliance for e-mail filtering, it was simple to add that vendor’s encryption module to provide security for the firm’s 250 users on a Microsoft Exchange/Outlook network, Crawford says.
With the encryption module, “The creation of rules and general setup was straightforward,” Crawford says. “To send a secure e-mail, all a user has to do is set the message option to ‘confidential’ or use a keyword in the body of the message, and the recipient will receive a password-protected PDF with attachments.” The only requirement for e-mail recipients is that they have Adobe Acrobat Reader 7.0 on their computers.
The University of Tennessee Medical Center in Knoxville also added an encryption module from the vendor that provides its messaging technology. The medical center had been using a more cumbersome encryption system before it purchased Mimecast’s appliance in March 2009, recalls Jerry Hook, the hospital’s server team manager.
With the former system, “We had to use a special phrase inside our messages that would trigger the encryption process, but users would forget to include it or they would put the phrase in their e-mail signatures so that every e-mail went out encrypted,” Hook explains. “We wanted something that would be able to catch the most sensitive information automatically.
“We use Mimecast for our spam and virus protection, as well as e-mail archiving and encryption. It was a lot of work to get everything integrated, but now we don’t have any major issues, and [the vendor’s] support staff is worth the money we paid for them.” The medical center sends out about 2 percent of its messages encrypted.
Adopting a similar strategy of sticking with a current messaging vendor for its encryption, the Colorado State Supreme Court in Denver has been using AppRiver’s CipherPost service since April. “It really solved quite a few problems for us,” says Brett Corporon, a systems architect for the court. “Most of the alternative methods for encrypted e-mail are more complex than our users are willing to deal with. With CipherPost, we can exchange messages with anyone across the Internet because recipients don’t have to have the same encryption infrastructure. And everything is kept secure and safe.”
AppRiver’s Voltage service also provides encryption for the BlackBerrys the court has deployed. “It’s pretty seamless, and it takes just one simple step to get e-mails encrypted,” Corporon notes.
4. Take advantage of pilot programs or staged rollouts to test how intrusive the system will be. The Boston Medical Center’s IT department began a pilot project with Voltage’s SecureMail by using the “read only” mode of the system to see the volume of e-mail that would be subject to encryption rules. The hospital has been using the product for more than two years to protect more than 10,000 mailboxes.
“We have implemented solutions at our mail gateways to automatically encrypt messages that contain specific keywords that could be used to identify someone,” Blake says. “What makes this simpler than most is that users can continue to work as they have in the past, and when they receive an encrypted message, they can either view it in their Outlook preview pane or click on a Web link to see the response.”
One of the attractions of this system is that the hospital’s IT staff can control the level of security thresholds on a per-domain basis. “We have several partners with different e-mail domains, and we can automatically encrypt messages to them with one policy, while using another policy for our users who are e-mailing general sites such as Yahoo,” Blake says.
Another benefit of Voltage is its integration with Exchange. “It requires minimal overhead to support,” he says.
Merit Resources, an employment outsourcing firm that began using Proofpoint’s encryption solution for 60 employees at its Des Moines, Iowa, headquarters, is implementing the technology in phases. “We haven’t rolled it out to all of our clients yet, because it’s harder for some of them to understand the value of encryption and why they have to do it,” says Jeff Caracci, vice president of IT and facilities management.
However, Caracci emphasizes this system’s ease of use. “A recipient gets an e-mail with an embedded Web link that they click on to read the message,” he explains. “There are no key management headaches, and if someone forgets their password to decrypt the message, they can automatically change it on their next login attempt, as long as they remember their password reset question.”
Merit uses the module that automatically encrypts messages containing sensitive information, such as Social Security numbers or employee data. “Because we are essentially a remote human resources office for our clients, we send and receive a lot of confidential information via e-mail, and that always needs to be protected,” Caracci says.
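The gateway behavior described in steps 3 and 4 (content-triggered encryption, a different policy per recipient domain, and an audit-only pilot that the article calls "read only" mode), as an added example that is not from the article or from any vendor named in it. The domains, keyword list, rule names and sample messages are constructed assumptions; the signature stripping addresses the trigger-phrase-in-signature problem Hook describes.

```python
import re
from collections import Counter

# Constructed policy table: recipient domain -> rules that force encryption.
# Domains and rule names are illustrative assumptions, not any product's syntax.
POLICIES = {
    "partner.example": {"ssn", "keyword"},  # stricter policy for a partner domain
    "*": {"ssn"},                           # default for general Internet recipients
}
KEYWORDS = re.compile(r"\b(patient|diagnosis|member id)\b", re.I)
# SSN as AAA-GG-SSSS, skipping never-issued values (000/666/9xx area, 00 group, 0000 serial)
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SIG_DELIM = "\n-- \n"  # conventional e-mail signature separator

def body_without_signature(body):
    """Drop the signature so boilerplate there cannot trigger a rule on every message."""
    return body.split(SIG_DELIM, 1)[0]

def matched_rules(body):
    """Names of the content rules that fire on the message body."""
    text = body_without_signature(body)
    found = {"ssn": SSN.search(text), "keyword": KEYWORDS.search(text)}
    return {name for name, match in found.items() if match}

def decide(recipient, body, enforce=False):
    """Return (action, rules). In audit mode nothing is encrypted; the hit is only recorded."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    active = POLICIES.get(domain, POLICIES["*"])
    rules = matched_rules(body) & active
    if not rules:
        return "deliver", rules
    return ("encrypt" if enforce else "would-encrypt"), rules

def pilot_report(messages):
    """Audit-mode pass over (recipient, body) pairs: how much mail the rules would encrypt."""
    actions = Counter(decide(rcpt, body)[0] for rcpt, body in messages)
    total = sum(actions.values())
    hits = actions["would-encrypt"]
    return hits, total, (hits / total if total else 0.0)

# Constructed sample traffic for the pilot
SAMPLE = [
    ("hr@partner.example", "Patient follow-up attached."),
    ("someone@webmail.example", "Patient follow-up attached."),
    ("someone@webmail.example", "Employee SSN 123-45-6789 for enrollment."),
    ("hr@partner.example", "Lunch Friday?\n-- \nJane, Patient Services"),
]
```

Running `pilot_report(SAMPLE)` before switching `enforce` on gives the share of outbound mail the rules would encrypt, which is the number a pilot uses to tune keywords and per-domain policies.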