Modernizing Authentication — What It Takes to Transform Secure Access
Encrypted e-mail has flopped in the enterprise.
More than five years after standards were created and vendors rushed to support them, virtually no one secures e-mail today, despite widespread concerns about prying eyes and corrupted data.
"It's almost like a black plague would have to occur before there would be a grass-roots swing toward using secure e-mail," says Joey Lawrence, a senior consultant for the Privacy Council, a Dallas company that helps companies understand and manage privacy issues. Lawrence says the number of clients that ask about encryption is close to zero. "Even in healthcare, which has the highest need for encrypted communication, there is still rampant unprotected e-mail."
Less than one in a thousand corporate employees sends encrypted e-mail with any regularity, according to Ferris Research.
Some industries, such as defense and financial, require technology to meet privacy and confidentiality mandates. But otherwise, use of encrypted e-mail has hit a virtual dead end.
Ferris Research, which tracks the messaging market, estimates that less than one in a thousand corporate employees sends encrypted e-mail with any regularity. This despite the fact that e-mail, when sent across the Internet, can be compared with a postcard that anyone savvy enough to pull it off the wire can read.
"I still believe encrypted e-mail is something the enterprise wants and will be a stimulus for e-business," says David Ferris, president of Ferris Research. "When it is easy to do, users will do it."
And there's the rub. Current standards do not make it easy. And a handful of products for secure messaging that have popped up in the past few years, from companies such as HushMail, Zixit, Sigaba and TumbleWeed, only lessen the burden. And secure e-mail gateways, from companies such as TFS Technologies, Viasec and TumbleWeed, still require complex infrastructure for both sender and receiver.
But perhaps the biggest limiting factor is that end users don't seem to have much concern for e-mail beyond hitting the send button.
"Users seem to trust the Internet like they trust a telephone conversation," says Dave Bailey, e-commerce and messaging architect for Imerys, a global leader in minerals processing. Bailey remembers a failed project a few years back to use encrypted mail.
"It worked on some occasions and not on others." He says the problem is that to be effective nearly every other company needs to do it and "that's when it gets complex."
Others note that even when companies make secure e-mail technology available to end users, the technology gets little use.
"We have basic encryption internally on our Lotus Notes system and it's an option available to every user - but almost no one uses it," says John Shaull, senior tech analyst and Notes administrator for Chicago Bridge and Iron, which manufactures storage tanks and water towers. He says there's no concern about encryption because most e-mail contains only general conversation.
A management headache
But there also is an administrative issue in that encrypted e-mail makes it more difficult to move users as they transfer through the company. "If the user has encrypted mail, we have to transfer the entire user account instead of just creating a new one and linking it to the old account. If the mail is encrypted the new account won't have access to that mail. It creates more problems than value."
Shaull instead uses corporate policy to control the content of e-mail, such as message size, and appropriate language and attachments. And he enforces the policies with technology called MailSweeper from Baltimore Technologies, which compares e-mail against set policies.
"It's wise to create internal policies for usage of the Web, e-mail and instant messaging," says Robert Mahowald, an analyst with IDC. "Those policies are better protection than encryption in the long run."
And creating those policies is easier than building an infrastructure for encrypted e-mail. The standard for encrypted mail, the Secure/Multipurpose Internet Mail Extensions (S/MIME) was created in 1995 and completed in July 1999. It requires the use of certificates and keys as part of a public-key infrastructure (PKI), which is complex and costly to build. Gartner estimates that deploying PKI software in-house typically costs $150 to $180 per user for 5,000 to 25,000 users.
"The industry thought [secure mail] would become as ubiquitous as MIME given the large amount of vendor support," says Paul Hoffman, director of the Internet Mail Consortium and a Network World columnist, recalling the days when the fuse was lit on encrypted mail. The hype was that the widespread adoption of S/MIME would make privacy, data integrity and authentication common features of e-mail.
"All the pieces fit into place except user education and easy-to-use tools for trust management," he says.
Trust is a major issue.
"We have a key management and certificate authority installed but we don't use it much," says Teri Harrison, messaging manager for Baker & Hostetler, a law firm with 10 offices across the U.S. "The problem is the recipients don't trust our certificate authority." Harrison says she has found other ways to build trust, including using common VeriSign certificates, bypassing the Internet with direct e-mail connections to clients, using a VPN for some communications, and even establishing some PGP accounts for use with one client.
But she admits it's a lot of administrative work for little return.
"Actually, we have very few cases that require signed and encrypted e-mail," she says.
But others do have that need and must go through the same trouble as Harrison.
Marv Makie, IT security manager at United Defense LP in Arlington, Va., says his firm has frequent communications with the Navy, which requires secure messaging. And since the Navy is using Network Associates' Corporate PGP, United Defense has to use it to share sensitive information with the Navy.
"It forced me to purchase the PGP corporate package," Makie says. "All of our laptops now have PGP for mail and file encryption."
Those without such a requirement don't want to go through that kind of trouble.
"It's a point application that not everyone needs, so companies don't want to pay for it," says James Kobielus, an analyst with The Burton Group and a Network World columnist.
Plus, Kobielus says, there is another more powerful factor.
"There is already a basic level of trust. Until users hear about eavesdropping, they'll trust the current system even with sensitive traffic."
Network World Senior Writer Ellen Messmer contributed to this report.