PGP's 'bump in the wire' automates email security

PGP's new email-security product encrypts and signs emails without any client or server software

At the Gartner Security Conference in London on Monday, security software company PGP announced a product that allows corporate users to automatically sign and encrypt emails on the fly at the network level, without requiring any client-side software or user intervention.

One of the biggest problems with securing emails and enforcing security policy in a large organisation is that it usually requires users to sign or encrypt their emails manually. According to PGP, users often skip this step through laziness or forgetfulness, so insecure emails are exchanged contrary to the organisation's security policy.

PGP Universal works in two modes, internal and external. Both require a dedicated x86 server loaded with the PGP software, and a "hardened" version of Red Hat Linux 7.3 that allows the server to function as an appliance. To secure internal communications, the box is inserted on the network between the client and the mail server, where it intercepts emails and generates encryption keys as required. To act upon external emails, the appliance sits in the demilitarised zone (DMZ) between the outward-facing email gateway and the open Internet.

Stephan Somogyi, director of products at PGP, told ZDNet UK: "Email flows through the box, it is inspected and policy is applied to it (encrypt, sign or both). The same thing happens when external messages come in -- we decrypt if necessary and verify the signature."

Somogyi said that because the appliance works at the network level, users have no option but to follow company policy. "By sitting on the network, we are a bump in the wire. This allows us to enforce policy independent of the users, which means they can't fiddle with the box," he said.

When the appliance is first introduced to a network, by default it switches to "learn mode", in which the system monitors emails, generates keys and gives the IT manager a detailed account of the number of emails being sent, where they are coming from and going to. This mode assists the administrator in creating and modifying security policy before making the box live. "We recommend running in learn mode for at least a week, because you don't want a situation where you go live, the machine starts working and your lights dim and the machine melts -- that's not good," said Somogyi.

PGP Universal also contains a "lightweight" Web mail system that allows emails to be sent to external contacts that have no encryption products. In this case, the recipient receives a message inviting them to click on a link that logs them onto the secure Web mail system. They are prompted to enter a password -- supplied by the sender, preferably by phone -- that allows them to read and reply to the message.

Additionally, a client-side application called PGP Satellite can be sent to external contacts to generate keys and avoid the Web mail interface. Somogyi said: "Satellite can generate keys and is automatically updated with policy changes. Once running, all emails between the satellite client and the universal gateway will be secure or encrypted, depending on company policy."

PGP Universal is available immediately and, depending on configuration, costs around £3,000 for a one-year subscription for 100 users.