Review: E-mail Encryption Made Easy
You probably know by now that any e-mail that isn't encrypted traverses the Internet in clear text that can easily be viewed with little skill and just some patience. So what are you doing to protect your company's sensitive e-mail?
The right way is to encrypt e-mail messages in their entire path from sender to receiver. You also need to digitally sign them, to ensure that no one else has tampered with them in transit.
The problem is that, not long ago, encryption products had two big drawbacks. First, they required a lot of effort devoted towards key management tasks to make sure that everyone's encryption keys were properly exchanged and properly maintained. Public/private key encryption meant that you exchanged the public keys in order to read each other's messages, and in the past this exchange was cumbersome at best. Also, when someone left a corporation, that person's key had to be expired so that they would no longer have access to their e-mail stream.
Second, the products were designed to work between two people who were using a matched set of the same tools. If you sent an encrypted e-mail to some random correspondent who was likely not using any encryption, they couldn't read the message and needed to install the same tool you used to decrypt it.
Today, however, there are a number of low-cost, easy-to-use packages that have gotten around these problems in some clever ways. For this review, I looked at three solutions: Hush Communications' Hushmail for Business, Voltage Security Inc.'s Voltage Secure Network, and Connected Gateway and PGP Corp.'s Universal Server.
To test these three products, I created a situation in which a small company had already set up Outlook clients and Microsoft Exchange servers to handle its e-mail and wanted to add a layer of encryption on top of that with as little effort as possible. I assumed the company wanted to be able to send and receive encrypted e-mails to a wide variety of correspondents, and didn't want to install a lot of software on each desktop.
Hush Communications has been around a long time in the encryption world. Its basic business account, which is the least expensive of the three solutions reviewed here, starts at $24 a year per user. (There is also a free personal version that has most of the features found in the business product, with the exception of having your own domain names to send and receive the encrypted e-mails.)
Hush is a completely hosted service: there is nothing to install on the client end, and you just have to set up an e-mail domain on their servers. This can be a plus or a minus depending on your biases toward having your own server on premises. All you need to do is to specify the MX mail account records to point to their mail server for your domain. It lacks the automatic registration for external users that the other vendors offer and the administrative features are spare, but that means that for small companies looking to get started quickly with encryption, Hush is worth taking a closer look.
You have two options for your e-mail client: use Hush's Web client or download an Outlook plug-in. While the plug-in is nice -- it will work with Exchange as well -- there is a bug in Microsoft Outlook 2002 that causes problems with forwarded and replied messages. (Outlook 2007 works fine.) The message that goes out will either appear to the recipient to be blank, or the recipient will see encrypted data, but the data will not decrypt. To resolve this issue, you need to install Microsoft Office XP Service Pack 2 along with the Office 2002 update.
Another issue with the plug-in is that you have to be connected to the Internet to use it, meaning that you can't compose offline encrypted messages. If you have a lot of frequent travelers who want to compose their e-mails when away from a broadband connection, this could be an issue.
If you use the Hush Web client, you can choose to encrypt your message or send it unencrypted, and to digitally sign your message as well.
If you choose to encrypt a message to a user that the Hush key server doesn't know about, you will be offered a question-and-answer dialog that will be presented to the user when they first get an encrypted message. If they answer the question correctly, the message will be decrypted and presented to the recipient.
Hush has also spent some time understanding the issues with running Java. For an extra layer of security, Hush can use Java to encrypt your messages before the data leaves your PC. This means that none of your e-mail traffic is stored in plain text anywhere, so if someone were to use a disk recovery utility, they still couldn't read your e-mail.
One of the nice features about the business client is the ability to include secure forms that will encrypt communications from the general public at no additional charge if Hush hosts the forms, or $4 per month if you want to host the form on your own Web site.
Hush's main advantage is cost and speed of implementation (given that there is really nothing to install). It will exchange encrypted e-mail with PGP desktop users once the appropriate keys are exchanged.