damien1234

Looking for e-mail encryption appliance

My organization has about 300 Exchange mailboxes.  I am looking for an appliance which will automatically encrypt outbound e-mails based on policies.  My vision is that the recipient would be sent a link to log in to the appliance via a browser to view the message.  An Outlook plug-in would be nice and a way to encrypt when using OWA would be a requirement.

I've read about the Cisco Ironport box but that's designed for 5000+ users.  We have neither the volume nor the money for that type of a solution.  What other products are out there?  A software-based solution is also a consideration.
ASKER CERTIFIED SOLUTION
fred3rd
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Unfortunately, key security IS something to worry about. The Zix server holds access to all message keys (although not the messages themselves) and a security failure on that server (or lawful access under warrant by a Law Enforcement Agency) could leave all your mail laid bare to parties who really shouldn't have access to that information.

Zix is considered "good enough" to satisfy due diligence for HIPAA audits though, so I doubt in practical terms there is anything to stop you going forward with it as a solution, you will just have to note (in any security audits or reports) that your security is entirely in the hands of a third party - which is fair enough, lots of companies farm out security, firewall admin etc to specialized providers rather than provisioning in-house resource.
damien1234

ASKER

You guys have really helped.  I'm going to dig a little deeper into Zix and see where that leads me.
Damien: I'm glad you were able to get something useful from our contributions.  Tell them I sent you and...well, you may not get a price break, but I might get a trip to Hawaii! :-)

Dave: since the Zix VPM does not store ANY Email itself, I think that this alone would make gaining access to previously sent Email impossible.  Even mail that is queued to be delivered to a non-subscriber is held at the Zix datacenter, where the public key lies.  The user's private key is encrypted and is held on my ZIXWeb portal server.  Likewise, my Email domain's private key is held on my ZIXVPM while the public is elsewhere, and no Email is archived as this is not a feature or within the capacity of the VPM.  Additionally, if you were to review the details of their SAS70 and encryption techniques (these are likely restricted to VAR and Partners), it would probably make you feel a little better about the security.
clawrimore:

Did a review of their system as part of the bidding process for one of our customers. According to the material I was sent (I have no access to the material on their site, that's for subscribers only. I nearly dropped them from the bidding process after that, but one of their sales staff, terrified of being dropped from a really obscene amount of potential profit, sent me a bunch of them) the mail is encrypted to the user, and the user's private key is held on the Zix server (encrypted to their password, once they have one). Each user has only one keypair, no matter how many correspondents they have in the Zixmail system, and the Zixmail central server acts as an oracle - it grants access to the key to the user, based on their login details, and that key is never given to the sender under any circumstances (otherwise you could hack your own Zix server after sending an email to - say - the CEO of another company, and theoretically extract their key to unlock mail you have intercepted).

During the key-in process where a new recipient has not yet set up an account at Zixmail, the mail is encrypted symmetrically and the symmetric key for that one email is held at the sender's appliance; once the recipient has created his new keypair, the public key is sent to the sender, who responds by encrypting the "queued" mail's symmetric key with the new public key and sends that to Zix to allow decryption of the mail by the recipient.

The weakness (common to all oracle-based systems, including the Cisco solution) is that if the Zix server were compromised, a hacker could modify the system to reveal the secret key for users to a third party. It is also assumed (but no mechanism has been revealed, for obvious reasons) that Zixmail's own ability to "recover" lost passphrases and grant lawful access to law enforcement agencies on production of a warrant means they have some way to remove the protection from the secret key when this is needful. A hacker therefore could, if he could compromise that system, gain access to *all* secret keys for all recipients.

This could of course be out of date (been a few years since I reviewed this, and as I say, Zix don't allow access to the applicable information unless you are a customer) but given you can still access historic mail using their servers, I doubt it has changed much.  A possible variant (but one patented by Disappearing Inc, so they would need to licence that patent) is for the sender's appliance to hold all the symmetric keys, regardless of the oracle status of the recipient, and supply them on-demand when the user needs to read a particular message. The downsides there are:

1) if your server is unavailable on the internet, none of your recipients can read their own mail
2) if your server is unrecoverable due to hardware failure, all your recipients lose all their historic mail (backups would fix this of course, but that opens a completely different can of worms)
3) there would need to be some way to grant legal discovery access - although (again) that could be done at the central server, lawyers have a horrible habit of demanding *you* do things when you hold the data, and whatever access route this has would be yet another gate into your security.
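
The key flow described in the post above (queued mail whose symmetric key stays on the sender's appliance until the recipient enrols, then is wrapped to the new public key and handed to the central oracle), as an added example that is not part of the original thread and is not Zix code. All class and function names are hypothetical, and the cipher and RSA arithmetic are stdlib toy stand-ins chosen so the sketch runs offline; the point is which party holds which key at each step.

```python
import hashlib, secrets

# Toy primitives, stdlib only and NOT secure: stand-ins for a real cipher and RSA.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537        # constructed fixed demo keypair
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def stream(key: bytes, data: bytes) -> bytes:
    """Self-inverse toy cipher: XOR data with a SHAKE-256 keystream."""
    pad = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

class Oracle:
    """Central server: holds each private key encrypted to the user's password."""
    def __init__(self):
        self.users, self.wrapped = {}, {}
    def enroll(self, email, password):
        self.users[email] = stream(password.encode(), D.to_bytes(25, "big"))
        return (N, E)                          # public key goes back to senders
    def login(self, email, password):
        # The password and the unlocked private key both pass through this
        # process: this is the trust placed in the oracle.
        return int.from_bytes(stream(password.encode(), self.users[email]), "big")

class SenderAppliance:
    """Holds the per-message symmetric key until the recipient has a keypair."""
    def __init__(self):
        self.pending = {}
    def send(self, msg_id, body: bytes) -> bytes:
        self.pending[msg_id] = secrets.token_bytes(16)
        return stream(self.pending[msg_id], body)
    def release(self, oracle, pubkey):
        n, e = pubkey
        for msg_id, key in list(self.pending.items()):
            oracle.wrapped[msg_id] = pow(int.from_bytes(key, "big"), e, n)
            del self.pending[msg_id]           # appliance no longer holds the key

def read_mail(oracle, email, password, msg_id, ciphertext) -> bytes:
    d = oracle.login(email, password)
    key = pow(oracle.wrapped[msg_id], d, N).to_bytes(16, "big")
    return stream(key, ciphertext)

def demo():
    oracle, appliance = Oracle(), SenderAppliance()
    ct = appliance.send("m1", b"Q3 payroll attached")   # recipient not enrolled yet
    held_by_sender = "m1" in appliance.pending and "m1" not in oracle.wrapped
    pub = oracle.enroll("ceo@example.com", "correct horse")
    appliance.release(oracle, pub)
    plain = read_mail(oracle, "ceo@example.com", "correct horse", "m1", ct)
    return held_by_sender, plain, "m1" in appliance.pending
```

After `release`, everything needed to read the message (wrapped key, password-protected private key, and the login path that unlocks it) sits with the oracle, which is the concentration of risk the post describes.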