Make E-mail Encryption Effortless

By David Strom  |  Posted 2009-12-08

E-mail encryption certainly isn’t new, but as more companies come under fire for leaking customer identities or privileged information, encryption is increasingly essential for doing business—and possibly for staying in business. The business case for encryption is even more compelling because the latest products are easier to manage, implement and use in daily e-mail activities. Here are four issues involved in getting encryption deployed across the enterprise.

1. Don’t assume that all your users know that ordinary e-mail isn’t private. Encrypting e-mail ensures that information is not “sent out in the wild and stolen,” says Brad Blake, IT director for the Boston Medical Center. “I am amazed at people’s lack of awareness at how e-mail works,” he says. “Our senior clinicians, in particular, have some trouble, and part of patient care is to secure their records and identities.”

Karl Anderson, the network security manager at the Ann Arbor, Mich., headquarters for Domino’s Pizza, agrees. “A lot of our users still think sending an e-mail is the equivalent of sending a letter in a sealed envelope,” he says. “They don’t realize that anyone can read it, just like a postcard. They don’t know there are many points along the path across the Internet where their messages can be easily viewed.”

Part of the challenge is finding a solution that will work widely for all messages sent and received. “It is not acceptable to need multiple-vendor technologies or different secure messaging solutions when we have to interoperate with our business partners,” says Ken Patterson, chief information security officer at Harvard Pilgrim Health Care in Wellesley, Mass.

The nonprofit health care organization evaluated eight suppliers before picking PGP’s Universal Encryption Solution for its 2,000 staff members using Lotus Notes. “For me, the issue is, you are sending sensitive information to an ISP, where that e-mail is going to sit on their server, and you don’t know how well it is secured,” says Patterson. “That is a much bigger risk than being intercepted in transit across the Internet.”

2. Know the right time to add encryption. Sometimes, you can deploy encryption as part of an e-mail upgrade or migration, or when you are adding features, such as data-leak protection.

For example, Domino’s was using Novell’s GroupWise for about 1,000 users and realized that encryption was necessary to protect the communications involving the employment information that’s transmitted between its stores and its outside benefit providers. The restaurant chain began deploying Proofpoint and Voltage’s encryption products while still on GroupWise because it planned to work with both GroupWise and Microsoft Exchange/Outlook when the company upgraded later, Anderson explains.

Domino’s new system, set up to automatically encrypt any message that contains a credit card or Social Security number, was easily implemented, according to Anderson. “We hardly ever look at the Voltage administration console because it is so effortless,” he says. “One time we had a problem with an expiring certificate that needed to be renewed, but that was about it.”

3. Consider adding an encryption module as part of your existing messaging infrastructure. This was the case with Lovitt & Touche, which needed a way to deliver protected health information to its clients via e-mail. The Tucson, Ariz.-based benefits insurance company examined a variety of encryption solutions, but they didn’t meet its needs. One “was a lot of trouble to set up and required multiple calls to their support center,” says IT Manager Ian Crawford. Another system was too expensive, he adds.

Since Lovitt & Touche was already using a Sophos appliance for e-mail filtering, it was simple to add that vendor’s encryption module to provide security for the firm’s 250 users on a Microsoft Exchange/Outlook network, Crawford says.

With the encryption module, “The creation of rules and general setup was straightforward,” Crawford says. “To send a secure e-mail, all a user has to do is set the message option to ‘confidential’ or use a keyword in the body of the message, and the recipient will receive a password-protected PDF with attachments.” The only requirement for e-mail recipients is that they have Adobe Acrobat Reader 7.0 on their computers.

The University of Tennessee Medical Center in Knoxville also added an encryption module from the vendor that provides its messaging technology. The medical center had been using a more cumbersome encryption system before it purchased Mimecast’s appliance in March 2009, recalls Jerry Hook, the hospital’s server team manager.

With the former system, “We had to use a special phrase inside our messages that would trigger the encryption process, but users would forget to include it or they would put the phrase in their e-mail signatures so that every e-mail went out encrypted,” Hook explains. “We wanted something that would be able to catch the most sensitive information automatically.

“We use Mimecast for our spam and virus protection, as well as e-mail archiving and encryption. It was a lot of work to get everything integrated, but now we don’t have any major issues, and [the vendor’s] support staff is worth the money we paid for them.” The medical center sends out about 2 percent of its messages encrypted.

Adopting a similar strategy of sticking with a current messaging vendor for its encryption, the Colorado State Supreme Court in Denver has been using AppRiver’s CipherPost service since April. “It really solved quite a few problems for us,” says Brett Corporon, a systems architect for the court. “Most of the alternative methods for encrypted e-mail are more complex than our users are willing to deal with. With CipherPost, we can exchange messages with anyone across the Internet because recipients don’t have to have the same encryption infrastructure. And everything is kept secure and safe.”

AppRiver’s Voltage service also provides encryption for the BlackBerrys the court has deployed. “It’s pretty seamless, and it takes just one simple step to get e-mails encrypted,” Corporon notes.

4. Take advantage of pilot programs or staged rollouts to test how intrusive the system will be. The Boston Medical Center’s IT department began a pilot project with Voltage’s SecureMail by using the “read only” mode of the system to see the volume of e-mail that would be subject to encryption rules. The hospital has been using the product for more than two years to protect more than 10,000 mailboxes.

“We have implemented solutions at our mail gateways to automatically encrypt messages that contain specific keywords that could be used to identify someone,” Blake says. “What makes this simpler than most is that users can continue to work as they have in the past, and when they receive an encrypted message, they can either view it in their Outlook preview pane or click on a Web link to see the response.”

One of the attractions of this system is that the hospital’s IT staff can control the level of security thresholds on a per-domain basis. “We have several partners with different e-mail domains, and we can automatically encrypt messages to them with one policy, while using another policy for our users who are e-mailing general sites such as Yahoo,” Blake says.
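The gateway behavior described in this article (content triggers such as Social Security and credit card numbers, per-domain policies, and a “read only” pilot that measures volume before anything is enforced) can be sketched as below. This is an added illustration, not code from any vendor named here; the domains, policy names and sample messages are constructed, and the Luhn check is an assumed way to cut false positives on card numbers.

```python
import re
from collections import Counter

DOMAIN_POLICY = {"partner.example": "always"}  # hypothetical partner: encrypt all mail
DEFAULT_POLICY = "content"                     # everyone else: encrypt on content match
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    # Luhn checksum: discards digit runs that are not plausible card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def content_triggers(body):
    # Return the set of sensitive-data types found in the message body.
    hits = {"ssn"} if SSN_RE.search(body) else set()
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(body)):
        hits.add("card")
    return hits

def decide(recipient, body, audit_only=True):
    # Gateway decision for one message; audit_only never changes delivery.
    domain = recipient.rsplit("@", 1)[-1].lower()
    reasons = sorted(content_triggers(body))
    if DOMAIN_POLICY.get(domain, DEFAULT_POLICY) == "always":
        reasons.append("domain-policy")
    would = bool(reasons)
    action = "encrypt" if would and not audit_only else "deliver"
    return {"would_encrypt": would, "action": action, "reasons": reasons}

def pilot_report(messages):
    # Pilot mode: count what the rules would encrypt without enforcing them.
    results = [decide(to, body, audit_only=True) for to, body in messages]
    reasons = Counter(r for res in results for r in res["reasons"])
    return {"total": len(results), "by_reason": dict(reasons),
            "would_encrypt": sum(res["would_encrypt"] for res in results)}

# Constructed sample traffic (not from the article).
SAMPLE = [
    ("hr@benefits.example", "Employee SSN 123-45-6789 is on the form."),
    ("friend@mail.example", "Lunch at noon?"),
    ("ops@partner.example", "Weekly schedule attached."),
    ("billing@mail.example", "Card 4111 1111 1111 1111 exp 01/30"),
    ("vendor@mail.example", "Order ref 4111 1111 1111 1112 shipped."),
]
if __name__ == "__main__": print(pilot_report(SAMPLE))
```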

Another benefit of Voltage is its integration with Exchange. “It requires minimal overhead to support,” he says.

Merit Resources, an employment outsourcing firm that began using Proofpoint’s encryption solution for 60 employees at its Des Moines, Iowa, headquarters, is implementing the technology in phases. “We haven’t rolled it out to all of our clients yet, because it’s harder for some of them to understand the value of encryption and why they have to do it,” says Jeff Caracci, vice president of IT and facilities management.

However, Caracci emphasizes this system’s ease of use. “A recipient gets an e-mail with an embedded Web link that they click on to read the message,” he explains. “There are no key management headaches, and if someone forgets their password to decrypt the message, they can automatically change it on their next login attempt, as long as they remember their password reset question.”

Merit uses the module that automatically encrypts messages containing sensitive information, such as Social Security numbers or employee data. “Because we are essentially a remote human resources office for our clients, we send and receive a lot of confidential information via e-mail, and that always needs to be protected,” Caracci says.