secure mail

We are looking into secure email solutions for sending sensitive/restricted information via email to external recipients. Our email platform is Exchange 2010 and on the computers Outlook 2010. What I don't understand is: if one of our internal employees wants to send email to an external recipient in another organisation via whichever secure mail solution we decide on, do they (the recipient) also need to invest in some compatible secure email software, or not really? Please keep answers low-tech and management friendly. I can't see that going down well with recipients ("we can only send you secure email if you invest in a $$$ software package from your side also").

There also seem to be many solutions for secure email, ranging from free products to quite expensive products. Are the more expensive solutions "more secure", or if not, why the difference in price? If it is because they are more secure, can you elaborate what exactly is more secure, and the risks associated with the free/cheap options? I can't understand why anyone would pay for a solution if there is a free alternative, so please enlighten me (again in management friendly, low-tech terms) why the paid options are often more desired.

If you wish to recommend some products and pros and cons on the various options then that would be great...
Dave Howe (Software and Hardware Engineer) commented:
OK, there are two different ways to do this (and lots of subsections).

First, the email crypto world is divided into two fields:
Pre-shared key solutions (where the recipient must first set up and deliver to you a key to be used for encryption)
Oracle-based solutions (where the user must log into a device or portal and then either stored mail is delivered over HTTPS, or encrypted mail is decrypted using a passed key obtained from the service)

For the first, there are two major encryption schemes to consider.
The first is the easiest: S/MIME (called by Microsoft a "digital ID"). This is the same system used for securing HTTPS web servers, and consists of a private key (used to digitally sign outgoing messages or decrypt incoming messages) and a public certificate (used to verify digital signatures and encrypt outbound mails). All digitally signed messages include this certificate, so the fastest key distribution technique is to send a digitally signed message to all potential correspondents.
Downside is key management. Each cert expires (typically after 1 year, but you can configure this) and, unless you want to manually verify certificates every time you update, you need to buy them from a commercial CA, and that isn't cheap.
Upside? Everything you need (other than your personal key and cert) is already built into your email client. Outlook+Exchange users can also have their certs generated and pushed to them automatically via autosubscription (this requires the Exchange to be configured to do so, and for there to be an Enterprise CA set up on a Windows server to fulfil these requests).
For test or smaller scale solutions, you can generate the required key/cert pair manually using the free xca package.

The other competing solution is called OpenPGP (note, that is the standard, not the name of the software). This is typically NOT built into an email client, but instead you will need to configure plugins or desktop software at both ends to support the system. Typical packages are "Pretty Good Privacy" and "GNU Privacy Guard", the former commercial, the latter less polished but free/open source. OpenPGP is functionally similar to S/MIME, so I won't go into further detail, other than to note that it doesn't use X.509 certificates but its own key format based on adding "trust" signatures to keys, so that you can decide if a key is valid based on those willing to assert validity by signing it, whose keys you already have.

Moving on then, the other major subcategory is oracle-based crypto.

There are four big players in this market.

First and oldest is Cisco. Their CRES solution was an early runner (albeit under a different ownership; they bought the original company, called IronPort). For this, you need an IronPort email security appliance (not cheap!) with the encryption subscription service, and you flag messages (with configurable rules; most sites use the "confidential" flag from Outlook and/or the presence of [encrypt] in the subject line) that need to be encrypted. Recipients are presented with an attachment that renders (in JavaScript) a pretty envelope that allows them to select which recipient they are, and links (in the background) to the CRES site. New users are required to sign up, but that's one signup for each user for the whole of CRES (user accounts are not specific to sender). The same messages can be used to reply securely, again via CRES.

Second oldest is ZixMail, similar to CRES, but using a software solution (although there are on-premise server solutions).

Third oldest is PGP Universal Gateway. This is very much an afterthought from PGPinc, as they originally wanted to concentrate on their OpenPGP based offerings, but it works similarly, other than the fact the server is an on-premise appliance and signups are therefore per-site. It offers much more control than off-premise though (note, there have been occasions where access to "secure" email has been granted by CRES to law enforcement in the USA, due to the fact that the encryption keys are stored by them, not the user; PGPinc is unable to comply with such "requests", which is of course only a factor if you don't want the American government reading your email :)

Newest is Microsoft's Exchange Hosted Encryption (part of their FOPE offering and only available to FOPE customers). This is similar to CRES (again) and is similarly a solution where the company controls the encryption keys.
Amit (IT Architect) commented:
You can look for software like Voltage.

Free ones I haven't tried, so I cannot comment.
David Johnson, CD, MVP (Owner) commented:
Email was not designed with security in mind. It also has the limitation of being a send-and-forget technology. A technology like allows a secure transfer of files of any size, and you get manageability of the file, i.e. who has access, when accessed, you can delete the file and so forth.

Disclaimer: I don't use this product but know many lawyers that do use it for secure discovery material transmission.

If one encrypts a file then the recipient must have the applicable software to unencrypt the file. Another way is to have the file / message sent to a secure webmail page, but this requires both parties to have an account, and this does not integrate very well with current email technology. As I mentioned before, email was not designed with security in mind, but for the free transfer of information from one party to another.

Simon Butler (Sembee) (Consultant) commented:
The most common method I have seen this implemented with is to use a service that takes the message, wraps it up on a web page, and then the recipient gets an email saying there is an email for them. They then visit the special link, where the contents of the email are displayed.

The main solution I have seen here is Microsoft's solution Forefront Hosted Encryption.
Technical details here:

That is about your only option.
You can sign emails, but that will only prove they haven't been tampered with.
You could look at something like PGP, but that will require key exchange in many cases.

Dave Baldwin (Fixer of Problems) commented:
The common saying is "If it is easy, it isn't secure." Yes, both ends have to have compatible encryption software.
pma111 (Author) commented:
Thanks all, most helpful.
Question has a verified solution.