Safe Passage
E-mail security service providers protect your sensitive messages from being read by electronic eavesdroppers.
By Heather Harreld
Network World, 08/28/00
When the CEO of the giant 7-Eleven
convenience store chain recently began using e-mail for high-level,
strategic business negotiations with external parties, he was
worried about security. His IT staff was directed to find a way to
protect the mail from hijackers as it leaves the safe confines of
the LAN to travel the treacherous frontier of the Internet.
Instead of investing in costly encryption hardware or software
to scramble e-mail, officials at 7-Eleven tapped an e-mail security
service provider to protect corporate e-mail from falling into the
wrong hands. The company is using ZixMail.com's ZixIT service, which
lets 7-Eleven employees involved in sensitive business communications
with the outside world encrypt and digitally sign e-mail to anyone
with an e-mail address in one click.
7-Eleven is among a burgeoning group of companies turning to specialized
service providers to secure business negotiation details, legal
documents, product blueprints and campaign proposals that are transmitted
via e-mail over the Internet. Corporations are drawn to such services
because they provide user-friendly security without the hassles
and hefty costs associated with complicated public-key infrastructure
(PKI) alternatives.
Choosing ZixIT was a "no-brainer" because it requires
relatively little ongoing maintenance work or related costs, says
Robert Gray, 7-Eleven's IS director in Dallas. While the company
uses hardware and software encryption to secure other applications,
such as financial transactions, the technology was cost-prohibitive
and support-intensive for e-mail security, he says. No secure e-mail
product vendor could match ZixMail's price model of $1 per month per
e-mail account, he adds. Key executives are now using the service,
and the company plans to introduce ZixIT to 500 users by year-end.
Ultimately 2,000 of 7-Eleven's approximately 65,000 employees will
have access to the service.
ZixIT also automatically compresses files so they fall under
the size limit imposed by 7-Eleven's firewall, and it scans e-mail
and attachments for viruses.
"That's the magic bullet right there," says Todd Cohen, IS
security manager at 7-Eleven. "With encrypted mail, it could slide
right by the server unprotected. To have automatic virus scanning is
a big plus for me."
ZixMail and other e-mail security service providers,
including CertifiedMail.com, Hush Communications, Safe-mail and
ZipLip.com, are maneuvering for a niche in the exploding e-mail
market. Most services are quickly evolving to interoperate with
popular e-mail programs. Typically, all users need to do is download
the service provider's software without making any changes to their
e-mail addresses or computers. To send an encrypted message, a user
clicks a button and the scrambled message is on its way.
In addition, several e-mail outsourcers, such as Commtouch,
Critical Path and Mail.com, include security in their offerings.
Worldwide, the number of e-mail boxes will grow from 570
million at the end of 1999 to one billion by 2001, says Messaging
Online, an e-mail newsletter. In the U.S., the number of e-mail
boxes grew 73% in 1999 to 333 million.
Despite this massive growth and the availability of
encryption for the past decade, less than 1% of corporate e-mail is
encrypted, and the secure e-mail outsourcing niche totals $30
million a year, says Ferris Research in San Francisco. That is a
minute portion of the overall e-mail outsourcing market, which
Gartner Group in Stamford, Conn., expects to grow to $2.5 billion by
next year, with 40% of firms outsourcing some of their messaging.
In part, widespread adoption of e-mail security has been
hampered by the currently available hardware and software. Most
popular e-mail packages offer built-in security for internal use
within a company. To safeguard external communications, users could
tap encryption software such as Pretty Good Privacy (PGP). However,
PGP isn't a good option for corporate e-mail security because it
doesn't scale well, says David Ferris, research director at Ferris
Research.
Another option would be to invest in a gateway, but these
products often limit secure messaging to specific business partners
and cannot verify the sender's identity within a company.
PKI, a popular technology for verifying a sender's identity
while encrypting the contents of an e-mail message, requires
companies to deploy complex digital certificate technology that is
difficult to manage. Moreover, PKI products can be expensive, with
average product costs of $25,000 per 10,000 users. For now, there's
no PKI standard that allows widespread interoperability between PKIs
from various companies.
Finally, e-mail security has often been bypassed for
higher-visibility security technology such as firewalls and
intrusion-detection software designed to protect sensitive data from
hackers.
"It's still primarily thought of as an internal support
application," says Dennis Gaughan, senior analyst at AMR Research in
Boston. "So why would I need to secure it? It's important, but it
hasn't been raised to a higher level within an organization. Until
you have a problem or an exposure, it's hard to justify. It's very
much a reactive technology rather than a proactive technology."
While certain fields, such as law, advertising and
manufacturing, have been spurred to secure e-mail, massive adoption
of e-mail security will only evolve slowly as more companies are
burned by corporate espionage or other events stemming from
unprotected e-mail, Gaughan says. Last year, an Internet bookseller
pleaded guilty to illegally intercepting e-mail from Amazon.com for
commercial gain. Publicity over such security incidents is likely to
spur the market.
Confidential correspondence
Many of the nation's law firms haven't needed to be prodded
to secure their e-mail. In one month alone this year, ZixMail
garnered six large law firm customers. The company is counting on
the law firms' clients, trading partners and other contacts signing
up for the service to grow this initial customer base, says Doug
Kramp, CEO of ZixMail.
"E-mail is like sending a postcard on the Internet," Kramp
says. "It can be read in transmission. It can be read when I receive
it by the technicians at my company."
According to ZixMail research, 98% of corporate e-mail users
want to secure some portion of their e-mail. Despite this demand,
awareness of e-mail security products is low, he says.
ZixMail markets the simplicity of its system compared with
internally operated PKI products. PKI involves the use of two keys:
one that is publicly available to everyone, and one that is kept
secret by the user. Because public keys are sometimes difficult to
find, ZixMail stores its customers' public keys on its Web site,
making them accessible to anyone who wants to send a ZixMail user a
message. Private keys used to encrypt outgoing messages and decrypt
incoming messages are stored on the user's desktop.
Each ZixMail user creates a secret signature phrase, such as
"I love L.A." When sending e-mail, the user enters the signature
phrase and the private key digitally encrypts and signs the outgoing
message. To receive the message, the recipient enters the signature
phrase to decrypt it with a private key.
Before last August, the ZixMail service required both the
sender and recipient to use the ZixMail software. However,
recipients can now view a message for free via a secure connection
from the ZixMail Web page. The service is compatible with Microsoft
Exchange, Lotus Notes and other e-mail programs.
Applica, Inc., a small appliances manufacturer, employs
ZixMail to encrypt final product blueprints and other sensitive
information sent between company headquarters in Miami Lakes, Fla.,
and a branch office in Shelton, Conn. The company is also testing
ZixMail, which is approved for export, for use at a manufacturing
plant in China.
Mark Wilkinson, Applica's IS manager, says while securing
e-mail does not provide a high-visibility payback, it does provide
peace of mind that sensitive e-mail will be protected against
unauthorized access, especially from corporate spies.
"Here's something where you don't know you have a problem,"
he says. "It's not crashing your hard drive. It's not taking over
your Web sites. It concerns me that right now somebody could have
sophisticated devices looking at your mail over the Internet. This
gave us the end-to-end, desktop-to-desktop security which I think is
vital."
Because the company is rapidly growing, it could not afford
to invest the time, money or resources needed to deploy an internal
system to secure mail, he says.
ZixMail also provides a time stamp to ensure that messages
are not back-dated or forward-dated. In addition, it provides a
certified receipt that the e-mail has been delivered. This
certified-receipt feature was the primary draw for Haynes and Boone,
a technology-business law firm with 400 attorneys in Dallas. The
receipt feature lets attorneys use the ZixIT service instead of an
overnight delivery service, says David McCombs, a partner with the
firm.
"You could think of it as an electronic FedEx because we know
the person received the e-mail," McCombs says. "We have been able to
use it for our own records to cover ourselves. With FedEx, you're
talking about $20, [and] you can accomplish the same thing with a
few clicks."
CertifiedMail.com also offers an e-mail security service that
protects e-mail in what company co-founder Bob Janacek calls an
"e-armored car." After a sender composes a message and hits a button
for it to be sent via CertifiedMail, the data is written into an XML
file. The message and all of its components are encrypted and
forwarded to CertifiedMail's servers, where it is stored until the
recipient accesses it via a Web browser. CertifiedMail.com's secure
e-mail service is free for personal use and costs $99 per year for
businesses. As its name implies, CertifiedMail also provides notice
to the sender that the mail has been delivered, and it alerts the
sender when the mail has been opened.
"A hacker monitoring a router would see the message go
through, but it would be encrypted," he says. "You don't have to
coordinate it with the recipients, the recipients don't have to
download special software. You have proof that the document is
authentic, and you have proof that the message has been opened."
Allan Cowen, principal of Datamex Technologies, a
Mississauga, Ontario, IT security company, says CertifiedMail.com's
service lets his company forge stronger customer relationships
because it ensures proposals, quotations and other customer-sensitive
information are not exposed to potential security
vulnerabilities over the 'Net.
"Having the ability to secure, track and get legal
verification of receipt when sending important and sensitive
documents has given us a more professional approach as we conduct
business and correspond with our clients," he says. "Knowing that
our e-mails have been delivered securely and read by the recipient
eliminates the uncertainty of its delivery and need to make that all
too often 'Did you receive my e-mail?' call."
Because the service is Web-based, traveling staff and remote
workers can log into their CertifiedMail accounts via a browser or
trigger a secure e-mail directly from their Microsoft Outlook or
Lotus Notes client, he says.
Shreddable e-mail
ZipLip.com in Mountain View, Calif., offers users of its free
secure e-mail service various options for securing mail. ZipLip
keeps e-mail messages, encrypts them and puts them on a secure
server. Recipients receive a message with instructions to go to the
Web site to pick up the message. Or, senders can use a password to
decrypt an e-mail to secure a message. The user and the sender can
agree upon a password ahead of time via a phone call or separate
e-mail, or the sender can send a hint to the recipient. The response
to the hint (such as "the name of the restaurant where we last met")
will decrypt the message.
"This allows someone to send securely to a particular
destination without having to worry about a network administrator
reading it," says Kon Leong, ZipLip CEO and president. "It's not
that easy to guess a restaurant name. To hack at 100,000 restaurants
that can be spelled 20 different ways is tedious."
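The hint-and-answer scheme described above, as an added example that is not ZipLip's code or part of the original article: a key is derived from the normalized answer with salted PBKDF2, and the guess space quoted above is expressed in bits. The function names, the salt and nonce sizes, the iteration count and the HMAC-based keystream (a standard-library stand-in for an authenticated cipher) are assumptions.

```python
import hashlib, hmac, math, os, unicodedata

ITERATIONS = 200_000  # assumed PBKDF2 work factor, not a ZipLip parameter

def normalize(answer):
    # Fold case, accents, spacing and punctuation so variant spellings match.
    text = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum()).encode()

def derive_keys(answer, salt):
    # Slow, salted derivation: every guess costs ITERATIONS hash evaluations.
    key = hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS, dklen=64)
    return key[:32], key[32:]  # (encryption key, MAC key)

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(message, answer):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(answer, salt)
    ct = _xor_stream(enc_key, nonce, message)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(box, answer):
    enc_key, mac_key = derive_keys(answer, box["salt"])
    expected = hmac.new(mac_key, box["salt"] + box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        return None  # wrong answer or modified message
    return _xor_stream(enc_key, box["nonce"], box["ct"])

def guess_space_bits(names, spellings):
    # Size of the answer space quoted in the article, in bits.
    return math.log2(names * spellings)

def work_bits(names, spellings, iterations=ITERATIONS):
    # Worst-case search cost in hash evaluations, in bits.
    return math.log2(names * spellings * iterations)

if __name__ == "__main__":
    box = seal(b"Q3 proposal attached", "Chez  Rene's")  # constructed sample
    print(unseal(box, "chez renes"), unseal(box, "Chez Marie"))
    print(round(guess_space_bits(100_000, 20), 1), round(work_bits(100_000, 20), 1))
```

Normalization makes the recipient's spelling forgiving, which also means spelling variants stop adding to the guess space. The iteration count raises the cost of each guess but does not enlarge the space itself.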
What's more, ZipLip provides the electronic equivalent of the
office paper shredder by letting customers decide how long ZipLip
should retain a copy of e-mail. Some customers choose to have all
e-mails shredded, while others choose to retain all e-mails, Leong
says. ZipLip has received several court orders requesting users'
e-mail.
"It's keeping e-mail along the nature of a phone call - once
you've said it, it's gone," he says. "It also is a very neat answer
to a court order, 'We don't have it' because they can also order you
to decrypt it."
Implementation advice
Because secure e-mail services are quick and easy to
implement compared with some PKI rollouts, which can take up to a
year, outsourcing is a compelling option for the short term, Ferris
Research's Ferris says.
However, services that are working well now for small pilot
groups may not scale well when companies decide to offer them to a
large number of users, he says.
Corporations need to look at future e-commerce-related
scenarios and evaluate how secure e-mail will fit there, says Frank
Prince, senior analyst of e-business infrastructure at Forrester
Research.
For example, if a firm plans on communicating with a large
group of trading partners using fairly simple transactions, an
external service would make sense because users could just set up an
account.
However, if a small group of users has a specialized set of
requirements, a company may prefer to purchase in-house technology
for specific applications, he says.
Certain companies may be better suited for secure e-mail than
others, he says. For example, a company that does not get paid until
a client receives a specific document could speed up payment
delivery by opting for secure e-mail as opposed to overnight
delivery services or snail mail.
"The idea of knowing that a document arrived in the right place at
the right time and the recipient cannot deny that he got it - those
are the key factors," Prince says.