PGP encryption, as industry old-timers know, started out as “Pretty Good Privacy,” invented by Phil Zimmermann in 1991, and has since been sold on to various corporate owners, ending up in the hands of Symantec in 2010. While it is a widely used vintage brand, does PGP public-key encryption still meet today’s enterprise demands, given the rise of cloud computing and mobile?
Enterprise managers are somewhat mixed on that, though PGP, now over two decades old, is so well known that Symantec, which dropped the PGP moniker in favor of “Symantec Encryption,” still reminds everyone it’s “powered by PGP technology.” In addition, there’s OpenPGP, the IETF standard (RFC 4880) that Phil Zimmermann championed, which companies can implement without licensing.
Symantec declines to say exactly how many customers it has in the PGP realm, but it points out that it has invested in developing what it inherited with PGP. For example, Symantec offers client software for both Apple iOS and Google Android devices as part of its Desktop Email Encryption. Symantec says its email encryption encrypts mail directly on the end user’s machine; the result, according to Symantec, is that encrypted mail is delivered directly to the user’s device, and the user replies with the Symantec Mail Encryptor App.
But despite this kind of PGP-related development work, one sticking point is managing the public keys and digital certificates needed for end-to-end encryption and decryption, especially when files must be shared securely between two separate companies acting as business partners.
“It’s too problematic,” says Yuval Illuz, associate vice president and head of global infrastructure and IT operations at network equipment company ECI Telecom about digital certificate management among business partners. “It’s not something you need today. You change suppliers all too often.”
Illuz said his company has migrated off the PGP-based Symantec Encryption e-mail and file sharing software that the firm once used for secure communications with business partners. Instead, ECI adopted a different type of exchange, the RSAccess product from Safe-T, in which two nodes are set up on either side of a firewall to support requests for sensitive data from suppliers, business partners and customers. It can also create directories for the cloud-based Dropbox service. Everything is encrypted, but retrieving information depends on strong passwords rather than certificates, he says.
But ECI is sticking with Symantec Encryption for some things, particularly for in-house use. “The laptop encryption for PGP, we are still using it,” he says, expressing confidence about the security and manageability involved in it.
Since acquiring PGP, Symantec has released secure file-sharing with Dropbox in what it calls its File Share Encryption integration with Dropbox. Symantec says it works by simply checking a box in the management server so anything sent to Dropbox is automatically encrypted with the appropriate keys.
Not everyone, however, feels the need to migrate away from managing certificates with business partners.
“We have a lot of business partners,” says Dylan Taft, systems engineer at Rochester General Hospital, who says he relies on managing separate PGP-based encryption keys for secure file sharing. “PGP is not an issue.”
The hospital uses the Ipswitch MOVEit File Transfer System, which supports the OpenPGP format, and what’s called MOVEit Central from Ipswitch for the exchange of business-to-business documents. “PGP works at the application layer,” says Taft, explaining that the hospital can encrypt with its PGP key and the recipient can decrypt with theirs. “The data we send is large files, and it’s not a problem.”
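To make the application-layer exchange Taft describes concrete, here is an added example (not code from the article, Ipswitch or Symantec): a standard-library Python script that walks the packet structure of an OpenPGP (RFC 4880) message without decrypting it, lists the key IDs the file is encrypted to, and checks them against the partner keys you intended. That is the check that catches a file still being encrypted to a supplier key that should have been retired, the situation Illuz’s remark about changing suppliers points at. The sample message, its key IDs and its session-key fields are constructed by hand for illustration.

```python
"""Walk an OpenPGP (RFC 4880) message's packets without decrypting it, to see
which key IDs a file is encrypted to (the view `gpg --list-packets` gives).

Added example, not code from the article or from any product it mentions;
standard library only. SAMPLE_MESSAGE is constructed by hand: fake key IDs,
fake session-key MPIs, no real ciphertext."""

PKESK = 1                             # packet tag: Public-Key Encrypted Session Key
WILDCARD_KEY_ID = "0000000000000000"  # hidden recipient (gpg --throw-keyids)


def _take(data, pos, length):
    """Return (chunk, new_pos); refuse to silently accept a truncated file."""
    chunk = data[pos:pos + length]
    if len(chunk) != length:
        raise ValueError(f"truncated packet body at offset {pos}")
    return chunk, pos + length


def _new_format_length(data, pos):
    """Decode a new-format length field -> (length, new_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    # 224..254: partial body length (a power of two); more chunks follow,
    # each introduced by another length octet and no packet tag.
    return 1 << (first & 0x1F), pos + 1, True


def parse_packets(data):
    """Split a binary OpenPGP message into [(tag, body), ...].

    Handles old- and new-format headers and new-format partial body lengths,
    which gpg emits when streaming large files through a pipe."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte 0x{ctb:02x} at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new format: tag in the low six bits
            tag, body, partial = ctb & 0x3F, bytearray(), True
            while partial:
                length, pos, partial = _new_format_length(data, pos)
                chunk, pos = _take(data, pos, length)
                body += chunk
            body = bytes(body)
        else:  # old format: tag in bits 5..2, length type in bits 1..0
            tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
            if length_type == 3:  # indeterminate: body runs to end of input
                length = len(data) - pos
            else:
                size = (1, 2, 4)[length_type]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
            body, pos = _take(data, pos, length)
        packets.append((tag, body))
    return packets


def encrypted_to_key_ids(data):
    """Key IDs (16 upper-case hex digits) from every PKESK packet, in order."""
    key_ids = []
    for tag, body in parse_packets(data):
        if tag != PKESK:
            continue
        # PKESK v3 layout: version(1) | key ID(8) | public-key algorithm(1) | MPIs
        if len(body) < 10 or body[0] != 3:
            raise ValueError("unsupported PKESK packet version")
        key_ids.append(body[1:9].hex().upper())
    return key_ids


def check_recipients(data, expected_key_ids):
    """Compare the message's recipients with the key IDs you meant to use.

    Returns (ok, unexpected, missing). A wildcard ID is flagged as unexpected
    unless you list WILDCARD_KEY_ID yourself: it means a recipient you cannot name."""
    found = set(encrypted_to_key_ids(data))
    expected = {k.upper() for k in expected_key_ids}
    return found == expected, sorted(found - expected), sorted(expected - found)


# Constructed sample: two PKESK packets (one new-format header, one old-format)
# and a SEIPD packet whose body arrives as a 512-byte partial chunk plus a tail.
SAMPLE_MESSAGE = (
    b"\xc1\x0e\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01\x00\x10\xab\xcd"
    + b"\x84\x0e\x03" + bytes.fromhex("FEDCBA9876543210") + b"\x01\x00\x10\x12\x34"
    + b"\xd2\xe9\x01" + bytes(511) + b"\x04\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    print([tag for tag, _ in parse_packets(SAMPLE_MESSAGE)])   # [1, 1, 18]
    print(encrypted_to_key_ids(SAMPLE_MESSAGE))
    # Only the first key belongs to the current supplier: the second is flagged.
    print(check_recipients(SAMPLE_MESSAGE, ["0123456789abcdef"]))
```

Run it against a real file by passing `open("report.pgp", "rb").read()`; ASCII-armored `.asc` files must be de-armored first, which this script does not do. The IDs it prints are the long key IDs gpg shows with `--keyid-format long` (the last 16 hex digits of a v4 fingerprint), so they can be compared directly with the fingerprint a partner has published.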
Some Symantec Encryption users have complained about needing to renew VeriSign certificates each year in order to decrypt old e-mail that has been held encrypted for an extended period. VeriSign was also acquired by Symantec, and like PGP, VeriSign is a vintage brand now officially referred to as Symantec “powered by VeriSign.”
Asked if this is a general practice at Symantec in terms of certificate renewal associated with Symantec Encryption (PGP) products, Symantec responded, “No, the need for certificate renewals is based on the user using VeriSign certificates vs. self-signed certificates created with the Symantec Encryption Management Server.”
Symantec points out, “Symantec Gateway Email Encryption and Symantec Desktop Email Encryption both allow certificates to be used to store keys. The certificates are self-signed certificates, created and signed by Symantec Encryption Management Server.”
Symantec points out that using a self-signed certificate, rather than one issued under a trusted root, would eliminate the need to pay to renew the certificate. The trade-off is that a self-signed certificate is only as trustworthy as the channel it was distributed over, which the management server provides in-house but external partners do not share. And whichever kind is used, reading archived mail years later depends on the corresponding private keys still being retained and recoverable: certificate expiry governs whether a client will trust a key, not whether the ciphertext can still be decrypted with it.
Symantec keeps one of the old PGP traditions alive by making the source code publicly available for peer review.
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org