secure mail

Posted on 2013-06-04
Medium Priority
Last Modified: 2013-06-06
We are looking into secure email solutions for sending sensitive/restricted information via email to external recipients. Our email platform is Exchange 2010, with Outlook 2010 on the computers. What I don't understand is: if one of our internal employees wants to send email to an external recipient in another organisation via whichever secure mail solution we decide on, do they (the recipient) also need to invest in some compatible secure email software, or not really? Please keep answers low-tech and management-friendly. I can't see that going down well with recipients ("we can only send you secure email if you invest in a $$$ software package on your side also").

There also seem to be many solutions for secure email, ranging from free products to quite expensive products. Are the more expensive solutions "more secure", or if not, why the difference in price? If it is because they are more secure, can you elaborate on what exactly is more secure, and the risks associated with the free/cheap options? I can't understand why anyone would pay for a solution if there is a free alternative, so please enlighten me (again in management-friendly, low-tech terms) as to why the paid options are often more desired.

If you wish to recommend some products and the pros and cons of the various options, that would be great...
Question by:pma111
LVL 44

Assisted Solution

Amit earned 400 total points
ID: 39220208
You can look at software like Voltage.

Free ones I haven't tried, so I cannot comment.
LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 400 total points
ID: 39220284
Email was not designed with security in mind. It also has the limitation of being a send-and-forget technology. A technology like www.sharefile.com allows a secure transfer of files of any size, and you get manageability of the file, i.e. who has access, when it was accessed; you can delete the file, and so forth.

Disclaimer: I don't use this product but know many lawyers that do use it for secure discovery material transmission.

If one encrypts a file then the recipient must have the applicable software to decrypt the file. Another way is to have the file/message sent to a secure webmail page, but this requires both parties to have an account, and this does not integrate very well with current email technology. As I mentioned before, email was not designed with security in mind, but for the free transfer of information from one party to another.
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 400 total points
ID: 39220639
The most common way I have seen this implemented is to use a service that takes the message, wraps it up on a web page, and then the recipient gets an email saying there is a message for them. They then visit the special link, where the contents of the email are displayed.

The main solution I have seen here is Microsoft's solution Forefront Hosted Encryption.
Technical details here:


That is about your only option.
You can sign emails, but that will only prove they haven't been tampered with.
You could look at something like PGP, but that will require key exchange in many cases.


LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 400 total points
ID: 39221183
The common saying is "If it is easy, it isn't secure."  Yes, both ends have to have compatible encryption software.
LVL 33

Accepted Solution

Dave Howe earned 400 total points
ID: 39221738
OK, there are two different ways to do this (and lots of subsections).

First, the email crypto world is divided into two fields:
preshared-key solutions (where the recipient must first set up and deliver to you a key to be used for encryption), and
oracle-based solutions (where the user must log into a device or portal, and then either stored mail is delivered over HTTPS, or encrypted mail is decrypted using a passed key obtained from the service).

For the first, there are two major encryption schemes to consider.
The first is the easiest: S/MIME (called by Microsoft a "digital ID"). This is the same system used for securing HTTPS web servers, and consists of a private key (used to digitally sign outgoing messages or decrypt incoming messages) and a public certificate (used to verify digital signatures and encrypt outbound mails). All digitally signed messages include this certificate, so the fastest key distribution technique is to send a digitally signed message to all potential correspondents.
The downside is key management. Each cert expires (typically after 1 year, but you can configure this), and unless you want to manually verify certificates every time you update, you need to buy them from a commercial CA, and that isn't cheap.
Upside? Everything you need (other than your personal key and cert) is already built into your email client. Outlook+Exchange users can also have their certs generated and pushed to them automatically via autosubscription (this requires the Exchange server to be configured to do so, and for there to be an Enterprise CA set up on a Windows server to fulfil these requests).
For test or smaller-scale solutions, you can generate the required key/cert pair manually using the free xca package.

The other competing solution is called OpenPGP (note, that is the standard, not the name of the software). This is typically NOT built into an email client; instead you will need to configure plugins or desktop software at both ends to support the system. Typical packages are "Pretty Good Privacy" and "GNU Privacy Guard", the former commercial, the latter less polished but free/open source. OpenPGP is functionally similar to S/MIME, so I won't go into further detail, other than to note that it doesn't use X.509 certificates but its own key format, based on adding "trust" signatures to keys, so that you can decide if a key is valid based on whether those willing to assert its validity by signing it are people whose keys you already have.

Moving on then, the other major subcategory is oracle-based crypto.

There are four big players in this market.

First and oldest is Cisco: their CRES (https://res.cisco.com/websafe/about) solution was an early runner (albeit under a different ownership; they bought the original company, called IronPort). For this, you need an IronPort email security appliance (not cheap!) with the encryption subscription service, and you flag messages (with configurable rules; most sites use the "confidential" flag from Outlook and/or the presence of [encrypt] in the subject line) that need to be encrypted. Recipients are presented with an attachment that renders (in JavaScript) a pretty envelope that allows them to select which recipient they are, and links (in the background) to the CRES site. New users are required to sign up, but that's one signup for each user for the whole of CRES (user accounts are not specific to the sender). The same messages can be used to reply securely, again via CRES.

Second oldest is ZixMail (http://www.zixcorp.com/email-encryption/zixmail/), similar to CRES, but using a software solution (although there are on-premise server solutions).

Third oldest is PGP Universal Gateway (http://www.symantec.com/en/uk/gateway-email-encryption). This is very much an afterthought from PGP Inc, as they originally wanted to concentrate on their OpenPGP-based offerings, but it works similarly, other than the fact that the server is an on-premise appliance and signups are therefore per-site. It offers much more control than off-premise, though. (Note: there have been occasions where access to "secure" email has been granted by CRES to law enforcement in the USA, due to the fact that the encryption keys are stored by them, not the user; PGP Inc is unable to comply with such "requests", which is of course only a factor if you don't want the American government reading your email :)

Newest is Microsoft's Exchange Hosted Encryption (http://technet.microsoft.com/en-us/library/exchange-hosted-email-encryption-service-subscription-in-fope.aspx), part of their FOPE (http://office.microsoft.com/en-us/exchange/microsoft-exchange-online-protection-email-filter-and-anti-spam-protection-email-security-email-spam-FX103763969.aspx) offering and only available to FOPE customers. This is similar to CRES (again) and is similarly a solution where the company controls the encryption keys.
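The S/MIME exchange the accepted answer describes, worked through with the openssl command line as an added example (not code from the thread, from xca, or from any of the products named): Alice generates a key pair and a self-signed certificate (standing in for the CA-issued or xca-generated one), signs a message, Bob verifies it and pulls Alice's certificate out of the signature, then uses that certificate to encrypt a reply only Alice's private key can open. The last step shows that a signature only proves integrity: a modified body fails verification. The names, addresses, file names and message text are constructed for the demo; it assumes only an openssl binary (1.1.1 or later for -addext).

```shell
#!/bin/sh
# Added example, not from the thread. Walks the S/MIME model with the openssl CLI:
# private key signs/decrypts, public certificate verifies/encrypts, and the
# signed message itself carries the certificate (the "send a signed message
# to everyone" key distribution trick). A self-signed certificate stands in
# for a CA-issued one; names, addresses and message text are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an RSA key pair plus a self-signed certificate marked for e-mail use.
make_identity() {   # $1 = short name, $2 = e-mail address (constructed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1/emailAddress=$2" \
        -addext "extendedKeyUsage=emailProtection" >/dev/null 2>&1
}

# Alice signs: her private key signs, her certificate rides along in the signature.
sign_message() {    # $1 = plaintext file, $2 = signed output file
    openssl smime -sign -in "$1" -out "$2" \
        -signer "$WORK/alice.crt" -inkey "$WORK/alice.key"
}

# Bob verifies. He trusts Alice's cert directly (-CAfile) because it is
# self-signed; with a commercial CA he would point -CAfile at that CA's bundle.
verify_message() {  # $1 = signed file, $2 = recovered plaintext file
    openssl smime -verify -in "$1" -out "$2" -CAfile "$WORK/alice.crt" 2>/dev/null
}

# Key distribution the cheap way: extract Alice's certificate from her signature.
extract_signer_cert() {  # $1 = signed file, $2 = output certificate file
    openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -out "$2"
}

# Bob encrypts to the certificate he just extracted; only Alice's key opens it.
encrypt_reply() {   # $1 = plaintext, $2 = ciphertext, $3 = recipient cert
    openssl smime -encrypt -aes256 -in "$1" -out "$2" "$3"
}

decrypt_reply() {   # $1 = ciphertext, $2 = plaintext out
    openssl smime -decrypt -in "$1" -out "$2" \
        -inkey "$WORK/alice.key" -recip "$WORK/alice.crt"
}

run_demo() {
    make_identity alice alice@example.com
    printf 'Transfer amount: 100 USD\n' > "$WORK/msg.txt"
    sign_message "$WORK/msg.txt" "$WORK/msg.signed"
    verify_message "$WORK/msg.signed" "$WORK/msg.verified"
    extract_signer_cert "$WORK/msg.signed" "$WORK/alice_from_sig.crt"
    printf 'Reply from Bob: got your message, Alice.\n' > "$WORK/reply.txt"
    encrypt_reply "$WORK/reply.txt" "$WORK/reply.enc" "$WORK/alice_from_sig.crt"
    decrypt_reply "$WORK/reply.enc" "$WORK/reply.dec"
    cat "$WORK/reply.dec"
}

# Signing proves integrity only: a tampered clear-text body must fail verification.
tamper_detected() {
    sed 's/amount: 100/amount: 900/' "$WORK/msg.signed" > "$WORK/msg.tampered"
    if verify_message "$WORK/msg.tampered" "$WORK/msg.tampered.out"; then
        return 1
    fi
    return 0
}

run_demo
tamper_detected && echo "tampered copy rejected"
```

Run it as a script; all files land in a temporary directory that is removed on exit. The -days value is the expiry the answer warns about: every renewal means re-sending a signed message (or re-buying from the CA) so correspondents pick up the new certificate, and an expired certificate makes verification fail even though the signature itself is intact.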

Author Comment

ID: 39222123
Thanks all, most helpful.
