Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
Valentine's Day Patch Tuesday: Microsoft to issue 9 patches, 4 critical
Mobile World Congress sneak peek: Quad-core smartphones, Ice Cream Sandwich & more
Microsoft details 'Windows on ARM' program
March debut of 'iPad 3' a sure bet, says analyst
FBI unbolts Steve Jobs 1991 investigation file
Cisco boosted profit, sales in Q2 while cutting costs
Macs take on the enterprise
Four crazy tech ideas from Google's Solve for X project
Obama 2012 campaign playlist revealed courtesy of Spotify
Oracle buying Taleo for US$1.9 billion in direct hit at SAP
Amazon attacks Apple: You get 3 Kindle products for price of iPad 2
Pre-rendered pages highlight latest Google Chrome release
Microsoft exec: Lync-Skype integration a 'compelling opportunity'
The future of hypervisors
/

Keeping e-mail secure: No easy chore

Related linksToday's breaking news
Send to a friendFeedback

By Mike Rothman
Network World, 02/28/00

Considering the sensitivity of information sent via e-mail, securing that correspondence is naturally a high-level concern.

Let's say you're an e-mail administrator, and you show up at work and get the fateful call. Your CEO had a nightmare about e-mail being used in an antitrust case, or documents being hijacked by a competitor. As a result, the firm's head of IT mandates that you secure all internal and external e-mail.

Unencrypted messages can be hijacked in transit and read or altered. If the mail is not digitally signed, you can't be sure where it came from.

There are many options for securing e-mail, all with a few strengths and probably more weaknesses.

Let's take care of the easy decisions. Secure/Multipurpose Internet Mail Extensions (S/MIME) should be the message encryption and digital signature format because it's the accepted standard and is built into leading e-mail clients such as Microsoft Outlook 98/2000 and Lotus Notes R5. Yet a standard such as S/MIME only takes you so far. Each vendor has implemented its own interpretation of S/MIME, which makes interoperability problematic. This drawback is exacerbated by the emergence of S/MIME Version 3 in the newest e-mail clients, which again could create interoperability issues.

The path of least resistance is to get an e-mail security gateway, which is analogous to a firewall for e-mail. Every message going in or out passes through the gateway, allowing security policies to be enforced (where and when messages can be sent), virus checking to be performed, and messages to be signed and encrypted. One drawback of the gateway approach is that it doesn't provide user-based security. For example, the gateway encrypts outbound messages so recipients can verify they came from your company, but recipients can't prove from whom they came.

Client-based methods use your private key to sign messages (proving it came from you), which is a more granular level of security, but they have weaknesses as well. First, they need to be configured on each desktop, which includes issuing a digital certificate to each user (for encryption and digital signature), and ensuring that a proper security profile is configured within the e-mail client. This requires a fair amount of user training and help desk assistance. Of course, if the profile is wrong - for example, specifying the wrong certificate or turning off encryption - the messages are not secure. And there is no way for an administrator to centrally control the profiles.

There are also a number of Web-based secure mail services that keep all messages within their environment at all times to ensure security. You use a secure site on the Internet to compose a message. Once you hit "Send," the site encrypts and stores the message on its site, and sends the recipient an e-mail notification that a secure message is waiting. The recipient links to the site, provides a shared secret for authentication, and accesses the message via Secure Sockets Layer. Unfortunately, this method does not work with existing enterprise e-mail systems.

The stickiest issue is building a directory of digital certificates. This directory holds the certificates needed to encrypt messages to a recipient. Internally, building the directory may not be a big deal because all certificates for a company can be published in a central Lightweight Directory Access Protocol server, but externally this causes many problems. You will need to establish an agreement with a recipient's organization to ensure access to the right digital certificates. This process, however, creates more user training issues and adds complexity to e-mail communications.

Although there is technology available for secure e-mail, widespread deployment is still problematic. However, as more companies and regular e-mail users see the need to secure their messages, the use of digital certificates will one day become a transparent part of your everyday activities.

Upclose: E-mail security options

Rothman is executive vice president of SHYM Technology, a security company. He can be reached at mrothman@shym.com.

Related Links

E-mail security products to launch at RSA show
Network World, 01/17/00

Secure mail: Whom do you trust?
Network World, 01/10/2000

Tech Update archive

 
NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.