Basic e-mail encryption between two users isn't terribly difficult to implement. Free add-ons to the more popular e-mail clients provide for easy encryption and decryption of messages. It's exponentially more difficult, however, to deploy encryption to hundreds or thousands of clients, which typically involves supplying the software to recipients at the other end of every encrypted connection, coordinating the exchanges of keys, and training users on client-side encryption software.
Voltage Security's SecureMail 2.0 Appliance makes e-mail encryption dramatically easier to implement. A policy-based e-mail encryption gateway, SecureMail can automatically encrypt messages based on the sender's identity, the destination domain, keywords in the subject line, or other factors. In addition, there is no need for administrators to manage keys, or for a recipient to download software to decrypt the mail -- he or she simply clicks on a link in the e-mail. The link takes the recipient to the appliance, where he or she enters log-in information to decrypt the message.
To provide automatic decryption of messages for users in other domains, you must place the SecureMail appliance in the DMZ or outside the firewall, or make a number of holes in the firewall for the various protocols used. The appliance uses four IP addresses in the DMZ, one each for incoming mail, outgoing mail, the key server, and the policy server.
If you want to encrypt messages to other users within the domain, you must run SecureMail Desktop, which integrates with Microsoft Outlook. Otherwise, Desktop is not necessary. Using the plug-in enables the admin to set up the system such that messages are always encrypted, whether en route from the client to the server or from the server to the destination.
Initial configuration is done through an SSH tunnel until you install an SSL certificate; after that you can log in over SSL to complete the configuration. Because most appliances are set up by a Voltage systems engineer before shipment, they will often come with an SSL certificate pre-installed.
Some other installation issues may make you want to get that engineer on the phone. For instance, some features, such as the PGP encryption and decryption functions, can be enabled or disabled only at the CLI. And building rules to specify when messages are encrypted requires editing text in an XML file, rather than using a GUI.
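To make the policy-gateway idea above concrete (rules keyed on sender identity, destination domain and subject keywords, kept in an XML rule file), here is an added Python example; it is not part of the original review and not Voltage's code. The XML schema, its element names and the first-matching-rule semantics are assumptions made for illustration, not the appliance's actual format.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed rule set in a hypothetical schema (not Voltage's real rule file).
RULES_XML = """
<policy default="plain">
  <rule action="encrypt" name="finance-senders">
    <sender>finance@example.com</sender>
  </rule>
  <rule action="encrypt" name="partner-domain">
    <recipient-domain>partner.example</recipient-domain>
  </rule>
  <rule action="encrypt" name="confidential-subject">
    <subject-keyword>confidential</subject-keyword>
  </rule>
</policy>
"""
@dataclass
class Message:
    sender: str
    recipients: list
    subject: str

def load_rules(xml_text):
    # Returns (default_action, ordered rule list); rule order is the priority.
    root = ET.fromstring(xml_text)
    rules = [{
        "name": r.get("name"),
        "action": r.get("action"),
        "senders": {e.text.lower() for e in r.findall("sender")},
        "domains": {e.text.lower() for e in r.findall("recipient-domain")},
        "keywords": [e.text.lower() for e in r.findall("subject-keyword")],
    } for r in root.findall("rule")]
    return root.get("default", "plain"), rules

def rule_matches(rule, msg):
    # Any one criterion is enough; the domain check uses envelope recipients.
    rcpt_domains = {r.rsplit("@", 1)[-1].lower() for r in msg.recipients}
    subject = msg.subject.lower()
    return (msg.sender.lower() in rule["senders"]
            or bool(rcpt_domains & rule["domains"])
            or any(k in subject for k in rule["keywords"]))

def decide(policy, msg):
    # First matching rule wins; otherwise the policy default applies.
    default, rules = policy
    for rule in rules:
        if rule_matches(rule, msg):
            return rule["action"], rule["name"]
    return default, None

POLICY = load_rules(RULES_XML)
```

Running `decide(POLICY, msg)` on an outbound message tells the gateway whether it should be encrypted and which rule fired, which is also what you would log for policy auditing.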
In addition to Voltage's own encryption scheme, the appliance can encrypt and decrypt messages using S/MIME and PGP standards. If users already have certificates, those can be imported, or you can create an S/MIME domain certificate. PGP keys for internal and external users must be imported one at a time.
The server gets authentication information for local users from the Exchange or Active Directory server, or through POP3 authentication. You must set up a connector for each Exchange or AD domain, but this process is simple and straightforward.
When sending e-mail to users at other companies, you can use the ZDM (Zero Download Messenger) server, which allows anyone who receives an encrypted e-mail to connect to a SecureMail Web server to decrypt and reply to it. For users who converse regularly, you can provide the client software, which is a 3MB download.
Although setup of the appliance is not the simplest thing I've ever done, it is not the worst by a long shot, and the potential gain in reducing user support calls and ensuring that security policies are enforced without impacting users is huge. If your security policy calls for encrypting e-mail between internal users or between your company and partners, you should investigate the Voltage SecureMail Appliance. It could produce huge savings in support costs over individual encryption clients.