Network World
CipherTrust tops encryption field

By Travis Berkley , Network World , 08/15/2005
Encrypting e-mail is easier than you might think. We discovered this during a Clear Choice Test of six products that not only bolt onto your current e-mail system but also provide new features once you become encryption-savvy.

We cast a wide net among encryption vendors, and six accepted our invitation (CipherTrust IronMail, Entrust Entelligence, PGP Universal Series 500, PostX Secure E-mail, Tumbleweed MailGate and ZipLip Secure Messaging Suite). Voltage Security, Sigaba, Authentica and Zix declined. CenturionSoft's CenturionMail was tested, but the desktop encryption system didn't fit our test bed and methodology (see story).

CipherTrust's IronMail wins the Clear Choice Award for solid performance, administration and policy enforcement. While the other five products tested are right on CipherTrust's heels, IronMail offers the best all-around package. However, the other products offer strong features and might be a better fit for your environment.

Getting off the ground

For the most part, it isn't the cost of encrypting e-mail that keeps companies from deploying it; it's the complexity of managing encryption keys and certificates. Managing encryption at the desktop has often been difficult. The products we tested let you manage encryption at the gateway (policy-based gateway e-mail encryption). More important, they make encryption transparent to end users.

While we used Exchange Server 2003, these products can be used with any e-mail system that speaks SMTP. Outgoing e-mail is routed to the gateway server for processing. For inbound mail, the gateway processes the message first, decrypting it if needed, then forwards the result to the existing e-mail system.

Including others

The next big question is what to do when e-mail recipients aren't using encryption. Fortunately, the vendors have addressed this problem with a Web-based interface that external recipients can use to retrieve encrypted e-mail. If the system cannot find a key to encrypt an outgoing message, the message is moved to a Web site on the sender's network. The system then sends a clear-text notification to the original recipient, directing them to the Web site. When external users connect to the Web site for the first time, they are asked to create a password to log on. Once that is done, users can log on and read the e-mail. The Web interface is served over an SSL browser connection.

Each product tested lets you control the content of the Web repository differently. Some let you delete messages automatically as they age and expire. PGP also lets you create a quota for message stores, which then bounces messages once the quota is reached. This is done because you are essentially hosting the e-mail for external recipients, and the sender should have some control over the resources committed to this effort.

All of the products we tested let you brand the Web site to some degree to look like your other corporate Web pages. The amount of branding varied greatly. On the less flexible end, PGP lets you load a logo and create a custom banner message. At the other extreme, CipherTrust allows complete branding of multiple Web interfaces. This is done to accommodate a company's branches or departments. The other products fell somewhere between these two extremes, offering flexibility in branding the Web interface to match a corporate image.

ZipLip and PostX offered an additional way to deliver encrypted e-mail to external users who have no encryption of their own. E-mails can be sent as a JavaScript attachment, referred to as a secure envelope. Before the first secure envelope can be delivered, the external recipient must connect to the Web site and create a password. Once the password is registered and accepted, the recipient can receive secure envelope messages. When one of these messages arrives, the recipient opens the JavaScript attachment, which asks for the password and, if it is correct, displays the message. If you look at the source code of the attachment, you can see that the message is stored in an encrypted form.

This method serves two purposes: It lets the message be stored on the recipient's mail system instead of your own, and it lets the recipient read the message while offline. However, the approach does rely on a browser with good JavaScript support. Both systems worked well with Internet Explorer and Mozilla Firefox, but we had mixed results with the Konqueror and Safari browsers (see "How we did it"). Each product gave the recipient an explanation if the browser couldn't execute the JavaScript.

Encrypt or not encrypt?

Figuring out what e-mail should be encrypted is best accomplished through policies. A policy is a set of rules that can be applied to each message, which then triggers an action.

Compared with the other products, PGP offered much less in this area. All of the PGP policies were based on e-mail addresses. We could group users together, create policies for specific domains and do some rudimentary subject-line scanning, but that was it. Actions included choosing the type of encryption to use or whether to send the message at all.

The other products could do these things, but offered additional features in how they scanned message content. ZipLip and CipherTrust let us build dictionaries of words and phrases to scan for, and would trigger an action if these words were found in the subject line or message body. Entrust, PostX and Tumbleweed also let you type in regular expressions, a way of describing what the data might look like rather than describing it exactly. For example, you might want to search for nine-digit numbers, which might or might not have dashes after the third and fifth digits (if you are looking for Social Security numbers). CipherTrust, Entrust and Tumbleweed are much stronger in this area than the others tested.

Compliance features are built into the products for companies governed by legislation such as the Sarbanes-Oxley Act or the Health Insurance Portability and Accountability Act. These products have prebuilt lexicons that can be applied for these situations. The systems also have extra actions that deal with compliance requirements. These include copying a message to a compliance officer, logging the message or blocking it altogether.
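A policy evaluator of the kind described in this section, as an added example. It is not any of the tested products' policy engines; the rule layout, the action names, the lexicon terms, the way the nine-digit Social Security number pattern is written and the sample messages are all this example's assumptions. It goes slightly beyond the text in showing how the actions of several matching rules are combined.

```javascript
// Added example, not any vendor's policy engine: a content-scanning policy
// evaluator. Rule layout, action names, lexicon terms and messages are assumptions.

// Nine digits, optionally dashed after the third and fifth digits, bounded by
// non-word characters so a longer digit run (an order number) does not match.
const SSN_PATTERN = /\b\d{3}-?\d{2}-?\d{4}\b/;

// Lexicon terms become one whole-word, case-insensitive alternation;
// whitespace inside a phrase matches any run of whitespace.
function lexiconRegex(terms) {
  const escaped = terms.map(t =>
    t.replace(/[.*+?^${}()|[\]\\]/g, '\\$&').replace(/\s+/g, '\\s+'));
  return new RegExp('\\b(?:' + escaped.join('|') + ')\\b', 'i');
}

const POLICY = [
  { name: 'ssn', scope: ['subject', 'body'], pattern: SSN_PATTERN,
    actions: ['encrypt', 'log'] },
  { name: 'phi', scope: ['subject', 'body'],
    lexicon: ['diagnosis', 'patient record', 'medical record'],
    actions: ['encrypt', 'copy_compliance'] },
  { name: 'export-control', scope: ['body'], lexicon: ['itar'],
    actions: ['block'] },
  { name: 'partner-domain', scope: ['recipient'], pattern: /@partner\.example$/,
    actions: ['encrypt'] },
];

// Every matching rule contributes its actions. A block beats everything else,
// because a blocked message must not leave the gateway in any form.
function evaluate(message, policy = POLICY) {
  const matched = [];
  const actions = new Set();
  for (const rule of policy) {
    const re = rule.pattern || lexiconRegex(rule.lexicon);
    if (rule.scope.some(field => re.test(message[field] || ''))) {
      matched.push(rule.name);
      rule.actions.forEach(a => actions.add(a));
    }
  }
  let disposition = 'deliver_clear';
  if (actions.has('block')) disposition = 'block';
  else if (actions.has('encrypt')) disposition = 'encrypt';
  return { disposition, matched, actions: [...actions].sort() };
}
```

The word boundaries on the SSN pattern are the part worth testing with real traffic: without them a pattern like this fires on every eleven-digit order or account number, and a policy that encrypts half of all outbound mail is one that administrators switch off.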
