I do not trust email today. Period.

Oh sure, I can encrypt email but that doesn’t mean that I know that the other side will open it. Most of the IT people I deal with on a daily basis don’t even understand the concept of PKI. So the idea that I can help create a trusted email environment seems rather far away.


Today, many systems are vastly more complicated than the simple Windows 95 systems we used over 10 years ago. So imagine how difficult it can be trying to put that trust back at the enterprise level when you have so many people and their PCs involved: customers, business partners, different departments, different geographical locations and even different IT departments.

Before I get into a possible answer for your enterprise, let’s explain two different ways of passing email back and forth securely.

One of the first ways to accomplish this was to use a type of encryption where both sides had the same shared key (password), a.k.a. symmetric encryption. This makes encryption rather simple and straightforward. Because of this, we can have any number of people seeing a specific email, provided they have the password. The challenge, of course, is getting that password out, especially if the parties don’t share the same geographical area.

So a solution to this was to use, in very simplistic terms, two keys - a public one and a private one. The idea of public key infrastructure, or PKI, allowed for easy scalability and secure emails. But the fact that each person using the encryption has to register with a Registration Authority and have the public key on a Certificate Authority server became a challenge. So whom do we trust to perform those registrations and to hold those certificates?

Today there are dozens of companies and the registration process takes both a fair amount of time and a decent chunk of money. And anyone can set up their own CA server if need be (mostly for internal use). Additionally, while certificate revocation lists (CRLs) exist, they are rarely used effectively. This presents a problem when trying to verify the validity of a user or key.

So the question is how can we take the simplicity of shared key and pair it with the ability to authenticate users like a PKI system?

Well, that's where Identity-Based Encryption (IBE) comes into play (you can find a nice intro to IBE here). Basically, it's a form of encryption where a specific string, like an email address, is used to generate the key. This avoids the need for a Certificate Authority, eliminates the need to look up a certificate, and can also ensure good use of a time-based policy.

So, how does it work?

Basically, if I send an email with this article to my editor, I encrypt the email using his email address. There is no key lookup, at least not yet. Now, if he doesn't have a key yet that's fine. The email is still sent in an encrypted format. With IBE, this includes AES, RSA, ECC, etc.

My editor need only go to a Private Key Generator (PKG) to register and get a key. He can then open the email. He still has to be able to identify himself initially to the PKG, which is a shorter process than with an RA server, but once that is done, he's set. He no longer has to get a certificate or anything else.

This system also allows for a scalable environment, as the encryption would be based on each individual email within the corporation. And it is here that Voltage Security comes into play in putting trust back into email.

Voltage focuses on email security specifically, but has also begun to introduce encryption for the laptop and server space. They have also partnered with Microsoft to provide secure hosted services for email, providing regionalized organizations such as AT&T with ways to deal with spam. At present, it is the health care industry that is mostly taking advantage of this kind of encryption system.

Their SecureMail v2 appliance helps enterprises introduce IBE into their large-scale environments. Now, if we were to use IBE as is, we have some limitations to contend with. But SecureMail includes policy-based email encryption, thus ensuring that specific security policies are applied. Additionally, using these policies means that if required, a key can be revoked, thus denying access to encrypted documentation. Keep in mind that this system is designed specifically for business environments and not for consumer usage.

One of the advantages of SecureMail is that it uses a browser environment so that no matter where employees roam, they can access their email securely. It even works with Blackberry products, one of the few secure options out there that do. Wrapped in its simple layout are options for messages and usage auditing - important for dealing with regulations such as HIPAA or SOX - that include reports on emails received, read and sent.

Furthermore, SecureMail ensures that there is little or no need for training since employees only need to be familiar with a browser. But it's not only the end user that will find it straightforward. Administrators too will find it simple to use and manage. It also allows for interoperability with existing secure mail environments such as PGP and S/MIME. Future versions of SecureMail will tie into Active Directory, thus allowing for even more security policy granularity.

And while users need to authenticate against a business portal, you probably don’t want to set one up for business partners since you may not want to establish and manage specific accounts for them. In this case, the process can be done in the form of email answerback to two-factor authentication.

But I think the thing that I like the best about SecureMail is that Voltage is focusing on securing documents and mail itself rather than trying to be a be-all-end-all.

Too many companies let themselves get stretched thin and do too much at once. Voltage has created partnerships with anti-spam, anti-phishing and other developers to work with their content scanning tools and the SecureMail network appliance, which lets the company direct their energies toward a specific goal: reestablishing trust in enterprise email.

A SecureMail starter package starts at approximately $20,000 US.

This article was first published on EnterpriseITPlanet.com.