Headlines are flying with stories of incriminating e-mail messages — and
the many court cases that have been launched by "discovered" e-mails.
That makes this a very good time for you to be securing your
corporate communications with new tools.
Perhaps your idea of protecting your e-mail is to exhort your employees
not to say anything in a message that would reveal your company's deepest
secrets. Or perhaps you're already using more sophisticated practices than
this. In either case, there is innovative technology to encrypt and manage your
employees' e-mail in ways your employees otherwise couldn't or wouldn't.
Securing and Encrypting Are Two Different Things
It's not necessary to encrypt every message in order to secure your e-mail
communications. But it is necessary to encrypt certain messages to
certain people in order for you to be sure those messages are secure:
• It's Not a 'Get Out of Jail Free' Card.
Encrypting your company's messages won't protect you from
legal entanglements, such as the e-mails that were introduced as evidence at
Microsoft's antitrust trial or in investment banker Frank P. Quattrone's
recent "time to clean up those files" trial. Someone will always have saved
some readable copy of any e-mail you send. And, in any event, your company may
be required by law or custom to preserve readable copies of all e-mails
that were sent or received in the course of your business.
• It's a Good Measure of Protection Nonetheless.
Encrypting can be very important, whether or not you have anything to hide.
The purpose of encrypting your messages is not to cover up illegal activity or
foil a governmental investigation, but to secure your communications from
anyone who might be eavesdropping (including unauthorized in-house staff).
E-mails are ordinarily formatted and sent across the wire as plain text,
and you might be surprised at how often your co-workers reveal sensitive
corporate plans and even network passwords.
While encryption isn't a perfect barrier against e-mails ever being read by
the "wrong" people, it's definitely called for in situations where
your communications are intended for a small, trusted circle.
The Competition Heats Up
Fortunately, there are innovative developments that are making it a lot easier
to secure your e-mail. Starting with the oldest:
• PGP Corporate Desktop, from PGP Corp., is the long-time standard
in e-mail encryption. After this software has been installed, end users decide
which of their outgoing e-mails should be encrypted. The sender's software encrypts each message using the recipient's
"public key," a code for which only the recipient has a corresponding
decryption key.
• FileAssurity OpenPGP 2.0 is a PGP competitor that's due for
release within the next two weeks from the upstart company ArticSoft (whose
name is a play on "articulated software"). The original 1.0 version was launched only last August. In addition to encrypting e-mails, the new
release will have the ability to create compressed ZIP files as well as a secure .pgp file format
that can be opened by anyone with a free
reader (and the right code), company executives say.
• PGP Universal, also from PGP Corp., has
broader capabilities than either of the other two alternatives.
It automatically encrypts and decrypts e-mails — at the server level,
not the user level — between any set of senders and receivers. The
list of who shall send and who shall receive secure e-mails is determined by
an IT administrator. End users never have to remember to click a button to
secure these e-mails before transmitting them. It's done for them in the
background. PGP Universal has been commercially available only since
mid-September.
Each Product Has Its Boosters and Its Detractors
Steve Mathews, CEO of ArticSoft, said in an interview that FileAssurity is easier
for end users to understand and use than PGP Corporate Desktop. The principle
of FileAssurity, he said, is "users being able to use security as easily as
they might use a courier service [for physical documents]."
FileAssurity has been implemented by a variety of companies from the Union State
Bank of New York to the Michigan Public Health Institute, he said.
Stephan Somogyi, the director of products for PGP Corp., said of his
company's Corporate Desktop programs that, "They are about as easy to use
as current technology permits." End users still need training, he said, adding, "we certainly believe
that the ease-of-use can still be improved."
That's one reason Somogyi's enthusiastic about his company's new PGP Universal
product. The new software, operating at the server level, allows end users
to do their primary jobs, he said. The messages that should and should not be
encrypted become "a choice of the IT administrator or whoever is
the person making the policy for e-mail."
Somogyi also noted that many companies in the U.S. and abroad want to ensure
(or are required by law to ensure) that IT staff can't access and read
internal e-mails that are sent from, say, the legal department to the
personnel department. PGP Universal is designed to protect e-mails even
at this intra-company level, he said.
In response to the need for secure communications without any end
user action, ArticSoft officials say they will soon release a new
product called Central Administrator. This server-level program will
enable admins to set encryption policy without installing any software
on client machines, they said.
Conclusion
You may be a novice or a pro at securing information by encryption. In either
case, I recommend that you continue learning about the subject by reading an
excellent 17-page paper by Ewa Zurawska that's posted at the SANS Institute's
GIAC.org
site.
If your business communicates any confidential information
across the public Internet or your intranet, e-mail encryption is a
solution you should implement sooner rather than later.
Small companies may find that products such as Corporate Desktop and
FileAssurity are all they need to protect the few, highly sensitive documents
they may occasionally transmit. But large enterprises should seriously
consider the automatic and corporate-policy–based security provided by
the technology of PGP Universal.