28 December 2015

How to Select Email Encryption Software? 4 Practical Questions to Answer Before Making a Choice.



Every day, we field phone calls, live chats and (unencrypted) email messages from people who are in search of information about email encryption.  The caller will usually begin their Q&A with a very general statement such as, "I need to encrypt emails. Tell me how to do it."

Because Encryptomatic LLC has been helping people encrypt sensitive emails for more than a decade, this is where I usually pause the conversation to get more information.  By the time I get to speak to the caller, they have already been overwhelmed with arcane terms, even more arcane encryption technologies, government regulations that threaten terrible consequences, prices that range from hundreds of thousands of dollars to free open source software, and they are confused.

Before I frustrate them any further, I ask them four questions that will help me determine whether or not any of our products are a fit.

1. Which email client, if any, do you or your organization work with?

Start with your email client and work backwards.  If you represent a company with 1,000 desktops, and everyone is a seasoned Microsoft Outlook user, then you really want to find a solution that works well with Outlook. Likewise, if you use Thunderbird, or Gmail, that's where you should begin your search.

2. What regulations bind you?

Understanding the requirements of your industry is crucial.  Don't take shortcuts. It will serve you well to make a knowledge investment here.  Convince your boss to send you to that industry security conference so that you can obtain this expertise for your organization. Beware of any sales people who tell you that they are already "compliant," and that you can just trust their self-certified software.  While you can certainly take their advice (or my advice for that matter), what your organization needs is an in-house expert who has some exposure to the industry regs that bind you. Also be aware of compliance and archiving requirements for your industry.

3. Who will be receiving your encrypted messages?

Don't forget that sending encrypted emails is only half of what is required.  You can send secure emails all day long, but it won't help if the recipient cannot receive your messages.  Understand who is the intended recpient, and how much work are they willing to do to open your messages.  Do they share your motivation to encrypt email messages?  It is different to ask someone who is tech saavy to install encryption software versus someone who is a casual customer. Make sure that your important intiative to protect email communications doesn't fail at the point of reception.

4. Who are you willing to deal with?

Selecting email encryption software for your organization is a big commitment in training, implementation and processes. It means partnering with your supplier to protect crucial communications.  Don't choose the wrong company to work with. Encryption software will need regular updates. You will have questions and need answers, so make sure they answer the phone and respond to emails.

Open source software is great for the right companies,  especially those with a developer on staff who understands encryption and can fix bugs along the way. If that's not your company, then working with a software publisher that issues updates and can respond to your customization requests will be important.

Which Email Encryption Solution is Best?

If there was a single answer to that questions, your job would be easy.  You could just go into the market and find the best price and voila! Problem solved.

As you no doubt have discovered, there are many different approaches to email encryption. Lets break a few of them out.

OpenPGP
Pretty Good Privacy, or PGP has been around since the 1990's and is still generally considered to be both the most secure method of email encryption, as well as the most difficulty. In this case, high security equals high difficulty.  PGP is supported by both large corporation entities such as Symantec as well as a core of dedicated open source encryption enthusiasts with a passion for privacy.   Each person has a public key that they share with the world, and a private that they keep safe and secret.  Anyone can encrypt an email for you using your public key, then you use your private key to unlock that message. The math is complicated, but it works very well.  Just remember: share you public key, and protect your private key.

Encryptomatic Open PGP add-in for Outlook, shown in Outlook 2016 toolbar.
OpenPGP Add-in for MS Outlook


Encryptomatic LLC has contributed to OpenPGP with an add-in designed specifically for Microsoft Outlook users.  We wanted to make it accessible, so Encryptomatic OpenPGP for Outlook is free for personal use, journalists, activists and non-profit organizations, and affordable for everyone else. You can learn more and try it free.



Symmetric Key Solutions
There are lots of email encryption solutions that rely on the sender and receiver knowing the same key.  These are generally quite easy to use, but less secure and the key (or password) must be shared privately between the sender and receiver, and this sharing creates a vulnerability.

Symmetric key email encryption has its place. It's easy for recipients.  Encryptomatic LLC has designed a couple of symmetric key email encryption add-ins for Outlook.

MessageLock is useful when both recipients have Outlook and MessageLock. The process of sending and receiving secure messages can be made seamless, automatic and invisible.

Screen image of MessageLock add-in for Outlook.
MessageLock email encryption for Outlook


For cross platform compatibility and ease of use, our PDF Postman solution is hard to beat. PDF Postman encrypted emails and files and places them within an encrypted PDF envelope, which means that any recipient who knows the password and has a device with a PDF reader can open the message.

Image showing PDF Postman message in Gmail inbox.
PDF Postman for Outlook


Email Encryption as a Service
Many companies have discovered that they need something between end-to-end OpenPGP and simple password encryption. That is where a mediated solution might be the best fit.  Encryptomatic LLC operates Lockbin.com, which implements encrypted messaging as a service that enables sending and receiving to anyone.  The recipient does not need special software. A simple and non-invasive signup process for a free Lockbin account is all that is asked of the recipient. Management of public and private keys happens behind the scenes, even while the Lockbin acocunt holder maintains full control over their public/private key pair.

While there are many other service providers in this space, Lockbin differentiates itself through its longevity and through a product set that includes online access via Lockbin.com, an Android app on Google Play, a Java app and an convenient add-in for Microsoft Outlook.

The downside to using email encryption as a service is that it is never trustless. The service provider could, if required by law, capture the credentials and supply them to the demanding authority.


In conclusion...
We hope this has been useful. Feel free to contact Encrptomatic's support and sales people. We will be happy to discuss your requirements, and recommend the best product for your needs as we understand them, even if it is not our own product.  Life is too short for unhappy customers, and so if you are not a good fit for our products, we will tell you so.

If you found this article helpful, please tell us below or feel free to share.