Large companies adopt encryption methods
Encryption software has the potential to become an essential part of many corporations' e-mail strategy. In the past, Macintosh-based encryption tools were aimed at protecting individual hard drives, but new products also make it possible to protect data while its traveling from one hard drive to another.
Dee DiPietro, president of Advanced HR Inc. of Saratoga, Calif., is developing a report about stock-option benchmarks for start ups, companies that plan to go public within the next three years. When completed, the report will reveal compensation in stock options and salaries, allowing participants to compare their compensation packages with those of similar companies.
To collect the raw compensation data, DiPietro sends each member a survey in a Microsoft Excel spreadsheet. She also supplies a copy of Private File, a cross-platform encryption product from Aladdin Systems Inc. of Watsonville, Calif.
Although providing free software to survey participants may seem exorbitant, DiPietro said she believes its the only reasonable way to reassure participants that sensitive data will remain confidential via e-mail.
In spite of encryption software's recent popularity, however, the encryption software market doesn't seem to be going anywhere. "The market for encryption products has been stalled because most products were geared toward individuals," said Victor Wheatman, vice president of the Gartner Group in San Jose, Calif. "Server-based encryption products will need a much broader user of encryption in corporations."
Keys to encryption
Private File from Aladdin and PGP Business Security Suite from Pretty Good Privacy Inc. of San Mateo, Calif., represent two different encryption methods. Private File uses symmetric encryption, in which sender and recipient share the same key, or password. The PGP Business Security Suite uses the asymmetric, or two-key, approach. In this method, each user has two keys: a public key, which can be published, and a related private key, which is kept secure. When someone wants to send an encrypted message, he or she looks up the recipient's public key and uses it to encrypt the document. The recipient then uses his or her private key to decrypt the document.
The advantage of the asymmetric approach, according to security consultant Andrea Liles of Portland, Ore., is that it solves the problem of transferring and storing the keys safely. Companies that are concerned with the security of their e-mail systems are reluctant to use that medium to transmit passwords.
Changing values
PGP Business Security Suite will change the way corporations work, said Liles, who believes the product is the first to combine the asymmetric method, 128-bit encryption and cross-platform clients. She said she's developing systems using PGP for three large corporations, which for the first time will let all its employees, including those in sensitive areas, use e-mail.
PGP Business Security Suite has three components: PGP for Business Security with Mac, Windows and Unix client software; PGP Certificate server, which manages the public key infrastructure; and, just released, PGP Policy Management Agent for SMTP, which automatically enforces encryption policies.
PGP Policy Management Agent can check all outgoing e-mail messages to make sure they are encrypted. Or it can be configured to apply different rules to different Internet Protocol addresses. So, for example, the legal department may be required to encrypt all messages, but the marketing department can send unencrypted messages.
PGP Business Security Suite "represents a different view of encryption," said Carl Howe, director of network strategies at Forrester Research in Cambridge, Mass. Until recently, encryption was left to individuals. Companies that were concerned about sending sensitive material over the Internet simply used other means, such as couriers.
PGP Policy Management Agent can give companies confidence to use e-mail by assuring managers that their security rules will be adhered to.
The Gartner Group's Wheatman pointed out that PGP Policy Management Agent allows corporations for the fist time to centralize control over encryption: "For encryption to be accepted, IT had to gain control. This isn't Big Brother; this is necessary to comply with liability laws and SEC regulations."