Ask Slashdot: What Is the Best Email Encryption Gateway For a Small Business? 155
Attila Dimedici writes "I am in the process of implementing an Email Encryption Gateway for my company. I checked with my various contacts in the industry and came away with Voltage as the best solution. However, as I have been working with them to implement a solution, I have been sadly disappointed by their lack of professionalism. Every time I think I am one question away from being ready to pull the trigger, I discover something that my contact with them had not mentioned before that has to be ironed out by the various stakeholders on my end. So, my question for Slashdot readers is this: what is your experience with implementing an Email Encryption Gateway for your company and what solution would you recommend?"
Email Encryption (Score:4, Interesting)
Re:Outlook.com (Score:3, Interesting)
Re:Not Voltage's problem: buyer error. (Score:4, Interesting)
Voltage is a slimeball company though. They typically sell to really big institutions for many times the original quoted costs once you figure in all the 'appliances', upgrades, support contracts, implementation engineers and contractors and then their product usually doesn't deliver. They're the PWC, PeopleSoft or Gartner of e-mail.
Re: gmail (Score:4, Interesting)
And while Google App Engine is less essential to the company future, and is as vulnerable to the axe as Google Wave and Google Reader, there's an open source implementation of the APIs called "AppScale" which offers a migration path if Google shuts App Engine down.
Re:gmail (Score:5, Interesting)
I love the idea of those places running things in house, but in my experience, specifically with law firms, they do not even when they are big enough for it to make a huge difference. They are also some of the most technologically misinformed and lazy people I have met. I've got three really good examples of this.
First example is Dropbox and other services like it. A local attorney was in a big surprise when Dropbox complied with a subpoena and turned over all documents they had that the attorney and his client had uploaded to their dropbox accounts. The court had a special master review them for confidential information and turned over a ton of documents and data. Suffice it to say, they "lost" the divorce case when the information included pictures of a second home (complete with GPS coordinates), multiple cars and other hidden assets.
The second is that many solos and small firms (about 40% of practicing attorneys) use the email service provided by the state bar association. The email service that does not have SSL or TLS support. Webmail, pop3, IMAP, SMTP, LDAP and the rest are all unencrypted. When I asked the tech guy at the association about why it was unencrypted, he pointed me to the board minutes, where at every meeting, they refused to approve a certificate because, as one put it, "it was a waste of money." During an experiment conducted at a legal education program (which I'll detail below), they came up with quite the large amount of information.
The third is the experiment I mentioned. At a legal education program, they partnered with a security group and they set up a device to log all the attempts to connect to wireless networks as well as real access points. The access points were protected by WPA2, but the password was given with the materials. It then had a screen presented with a TOS and privacy policy that they had to agree to before being granted access. The TOS gave all this away and included a button to click so we could see how many people actually read them (the people who clicked saw a stat page, which included a bar graph so you could see it over time). The access point was setup to log all the traffic (which ended up being gigabytes of data, they said, due to all the videos people watched) as the traffic came in. They then analyzed it for key words and statistics. A team of attorneys and people from the ethics committee cleared all the info that was presented in the speech about safety and being careful online. They talked about all the video, and news people checked, and then it slowly got more personal. They started referencing people's email, a snippet of a person's VOIP session and a document uploaded to some service. They then talked about safety steps like TLS, truecrypt and being careful and that you need to check that you are connecting to who you think you are as well as other things. The best part was right at the end, the speaker said "Jody wants you to remember to pick of a pizza on the way home," and about 25 people all went for their phones to see if they were talking about them. Incidentally, after the presentation, encrypting the bar association's email was added to their 5-year plan for year 5(!), but I guess it is better than nothing.
Last thing I will note is the mixed advice. For example, the latest, or maybe previous issue, of the ABA magazine had an article detailing the dangers of the cloud, especially dropbox as it is unencrypted, they keep your files after you delete them, and you can get them anywhere. Less than 20 pages later was an article that declared dropbox a "MUST HAVE" app for any attorney for the exact same reasons that the previous said were dangerous.
Develop a Thunderbird extension to automate (Score:3, Interesting)
People fuss to much about the security of the passphrase and such things. The effect is that almost nobody uses encryption.
Make a Thunderbird extension that automatically sets up a default configuration that works from the get-go.
In this default configuration the private key could be stored in a local file encrypted with a passphrase that is hardwired into the program.
Totally insecure if there is a virus that targets this arrangement, but still a million times safer than sending everything over the wire in the clear.
Add simple functions to synchronize the security parameters, including the private key(s), on multiple laptops and computers.
Have the extension generate a mail that can be sent to yourself or stored in the drafts folder of your IMAP account, containing the synchronization data.
Upon opening such a mail, or even just upon downloading it, the extension should know what to do and do it.
Add a good user interface to perform key management tasks and to configure all these dangerous things, like turning off some automatic actions, or adding a true user-selected password to the private key file.
Add a feature, active by default, to include in all MIME-encapsulated mails an attachment containing your public key,
and another feature to automatically harvest all public keys that your Thunderbird installations come across. If you send a mail to some party with a known public key, encrypt automatically. If you receive an encrypted mail, decrypt automatically.
If one copy of Thunderbird does not have the private key it needs to decrypt a mail it has received/downloaded, generate a special request mail that other instances of Thunderbird will know to answer if they have the private key requested. Etc.
If such an extension becomes included in the standard distribution, more and more people will begin using it, and then other people will hear about it and request it from their mail application vendors.
Re:Outlook.com (Score:4, Interesting)
BES is a pain in the ass when you don't need any of the above and all you're doing is syncing email, calendar and contacts. But those are all critical features in many places.
About that... my complaint about BES is that it's this Java application, that requires this huge install of SQL server just to function, you wind up needing a server with 4GB of RAM, to provide 20 users with mail synchronization.
This is almost as many resources as the complete Exchange system requires....