RealTime IT News

Postini Extends E-Mail Boundaries

E-mail security services vendor Postini is launching a new service today that it expects will process more than 30 million encrypted messages per day.

Postini Auto-Encryption, a feature of the company's Perimeter Manager Enterprise Edition service, is an implementation of Transport Layer Security (TLS) .

Non-customers sending e-mail to Postini customers can use TLS as their encryption standard and will not have to worry about exchanging PKI keys or certificates, because Postini claims to be able to work with them all. TLS is already built into most modern mail servers and gateways. Postini's service will allow the encrypted e-mail to be sent through its system for policy-based message management and filtering.

Andrew Lochart, Postini's director of product marketing, described TLS as basically SSL for e-mail.

"Regular e-mail is sent in the clear; some people describe it as being like postcards, because anybody can read it along the way if they choose to and there can be issues with hackers or rogue employees eavesdropping on messages," Lochart explained to internetnews.com.

According to Lochart, existing encryption technologies have been viewed as too complicated to use and have held back adoption. New regulations like HIPAA and Sarbanes-Oxley among others are pushing the need for greater e-mail security and management so that companies can no longer ignore e-mail encryption.

"The language of these regulations all deals with things like taking reasonable measures to ensure the privacy of personally identifiable customer data," Lochart said. "That's really forcing these companies into message encryption."

Like other message encryption technologies, TLS is based on PKI , though it differs in that encryption keys are not needed for every single user. Only one certificate is needed for the mail gateway that will suffice for all users. Lochart explained that the Postini solution can also accept self-signed certificates so it doesn't have to cost a business anything to get a certificate.

Message encryption can be done through desktop encryption technologies like PGP for example. Though Lockhart argues that unless an IT department can filter e-mail, they can't guarantee policy or regulatory compliance.

"With a technology like PGP, if you leave the keys in the hands of the end users you've put the IT department in a position where they cannot open up messages and examine them," Lochart said. "For the last five or six years, we've all been focused on spam and viruses and content policy and all these good reasons why IT needs to take a look."

TLS does not treat encryption like other desktop encryption messaging solutions, according to Lochart. "TLS basically shoves encryption down the protocol stack, and it essentially becomes part of TCP/IP and that's really beautiful because you can leave end users out of the equation and everything just happens more transparently and simply," Lochart said.