E-mail security: The PKI way
by Mike Rothman

Public key infrastructure ends e-mail’s similarity to postcards.

E-mail has emerged as the first truly widespread Internet application. In addition to its obvious consumer appeal, e-mail has become an indispensable tool for most businesses, as well.

Many organizations use e-mail every day to send sensitive information, such as company documents, data and goals to team members. Unfortunately, not many have taken measures to secure their e-mail, creating a potentially damaging situation.

E-mail is like a postcard: you do not write anything too personal on one, because anyone who handles it can read it. The same goes for e-mail—never send a message that you would not want the world to see. Should enterprises then send sensitive e-mail without some measure of security? In practice, there really is no choice.

We are addicted to e-mail because it makes our lives more efficient. We will take the risks and send the messages with hopes that we will not end up having to do damage control if something goes awry. It does not have to be this way, however.

Digital certificates provide the technology to validate the identity of the sender, encrypt the message and ensure the message was neither spoofed nor altered in transit. A certificate lets a user digitally sign a message, which both validates the sender's identity and lets the recipient detect any alteration of the message. The underlying technology for digital certificates—called public key infrastructure (PKI)—has been around for almost 20 years.

By using PKI, messages cease to be like postcards, as they are encrypted and digitally signed when sent. That way, recipients can verify that the correct person sent the message and that it was not altered during transit. Additionally, because the message is encrypted, even if it is intercepted the “bad folks” cannot decipher it.

Since PKI and digital certificates are robust and mature, why is all e-mail not secured using these technologies? The reality is that, even though the leading e-mail clients already support the technology, they do not make digital certificates particularly easy to use. Users need to do a significant amount of configuration to make the technology work, and administrators cannot centrally configure the security policies. Thus, an enterprise deployment must be managed on a user-by-user basis, which greatly increases support costs and makes secure e-mail cost-prohibitive.

Additionally, interoperability problems have plagued the industry, even though Secure/Multipurpose Internet Mail Extensions (S/MIME) is a widely accepted standard for encrypting and digitally signing messages. Thus, unless organizations have standardized on a specific version of a specific e-mail product, there will likely be problems decrypting messages.
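The sign-then-encrypt flow described in the two paragraphs on digital certificates, carried out with the S/MIME tooling in OpenSSL, as an added example that is not part of the column: it checks that the ciphertext hides the message from an interceptor, that the recipient can decrypt and verify it, and that an altered copy fails signature verification. The `openssl` binary on PATH, the constructed message and the throwaway self-signed certificate for alice@example.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the column: S/MIME sign, encrypt, decrypt and verify
# with OpenSSL. Assumes `openssl` is installed. The message and the self-signed
# certificate for "alice@example.com" are constructed placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed sample message: the "postcard" we do not want read in transit.
printf 'Bonus pool is 10,000 per team. Do not forward.\n' > msg.txt

# Throwaway self-signed certificate and key standing in for a user's PKI credential.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=alice@example.com' \
    -keyout key.pem -out cert.pem 2>/dev/null

# Sender side: sign with the private key (identity + integrity), then encrypt
# to the recipient's certificate (confidentiality). Both outputs are S/MIME.
sign_and_encrypt() {
    openssl smime -sign -in msg.txt -signer cert.pem -inkey key.pem -out signed.eml
    openssl smime -encrypt -aes256 -in signed.eml -out encrypted.eml cert.pem
}

# Prints 1 when the body text is absent from what an interceptor would see.
ciphertext_hides_body() {
    if grep -q 'Bonus pool' encrypted.eml; then echo 0; else echo 1; fi
}

# Recipient side: decrypt with the private key, then verify the signature
# against a trust store (here the self-signed cert itself). Prints 1 on success.
decrypt_and_verify() {
    openssl smime -decrypt -in encrypted.eml -recip cert.pem -inkey key.pem -out decrypted.eml
    if openssl smime -verify -in decrypted.eml -CAfile cert.pem -out verified.txt 2>/dev/null \
       && grep -q 'Bonus pool is 10,000' verified.txt; then echo 1; else echo 0; fi
}

# Alteration in transit: change one number in the signed text; verification must fail.
tampered_verify_fails() {
    sed 's/10,000/90,000/' signed.eml > tampered.eml
    if openssl smime -verify -in tampered.eml -CAfile cert.pem -out /dev/null 2>/dev/null
    then echo 0; else echo 1; fi
}

sign_and_encrypt
echo "ciphertext hides body:   $(ciphertext_hides_body)"
echo "decrypt+verify succeeds: $(decrypt_and_verify)"
echo "tampered copy rejected:  $(tampered_verify_fails)"
```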

Finally, the lack of a global directory service to serve as a repository for digital certificates (which are needed to encrypt messages) forces users to know where to search for the certificates; because a search path cannot be defined centrally, it too must be managed on a user-by-user basis.

What is needed is a transparent e-mail security solution that snaps into the leading e-mail packages, takes configuration out of the hands of the users and enables security administrators to enforce a secure e-mail policy. The e-mail security product must also have built-in intelligence to search a variety of directories along a centrally defined search path for the digital certificates of e-mail recipients (which is what allows messages to be encrypted).

To net it out, PKI is the right answer for secure e-mail, and both the PKI vendors and third parties are working to solve the problems constraining widespread adoption of secure e-mail. As more companies and regular e-mail users see the need to secure their messages, the use of PKI will explode. Soon, this critical technology will become a transparent part of an enterprise’s everyday activities.

Rothman is executive vice president of SHYM Technology, Needham, MA.