E-mail security services vendor Postini is launching a new service today
that it expects will process more than 30 million encrypted messages per day.
Postini Auto-Encryption, a feature of the company’s Perimeter Manager Enterprise
Edition service, is an implementation of Transport Layer Security (TLS).
Non-customers sending e-mail to Postini customers can use TLS as their encryption
standard and will not have to worry about exchanging PKI keys or certificates, because
Postini claims to be able to work with them all. TLS is already built into most
modern mail servers and gateways. Postini’s service will allow the
encrypted e-mail to be sent through its system for policy-based message management.
Andrew Lochart, Postini’s director of product marketing, described TLS as
“Regular e-mail is sent in the clear; some people describe it as being like
postcards, because anybody can read it along the way if they choose to and
there can be issues with hackers or rogue employees eavesdropping on messages,”
Lochart explained to internetnews.com.
According to Lochart, existing encryption technologies have been viewed as
too complicated to use and have held back adoption. New regulations like HIPAA
and Sarbanes-Oxley, among others, are pushing the need for greater e-mail security
and management so that companies can no longer ignore e-mail encryption.
“The language of these regulations all deals with things like taking reasonable
measures to ensure the privacy of personally identifiable customer data,” Lochart
said. “That’s really forcing these companies into message encryption.”
Like other message encryption technologies, TLS is based on PKI,
though it differs in that encryption keys are not needed for every single user.
Only one certificate is needed for the mail gateway that will suffice for all
users. Lochart explained that the Postini solution can also accept self-signed
certificates so it doesn’t have to cost a business anything to get a certificate.
Message encryption can be done through desktop encryption
technologies like PGP, for example, though Lochart argues that unless
an IT department can filter e-mail, they can’t guarantee policy or regulatory
“With a technology like PGP, if you leave the keys in the hands of the end
users you’ve put the IT department in a position where they cannot open up messages
and examine them,” Lochart said. “For the last five or six years, we’ve all been
focused on spam and viruses and content policy and all these good reasons why IT
needs to take a look.”
TLS does not treat encryption the way desktop encryption messaging solutions do,
according to Lochart.
“TLS basically shoves encryption down the protocol stack, and it essentially becomes
part of TCP/IP and that’s really beautiful because you can leave end users out of
the equation and everything just happens more transparently and simply,” Lochart said.