Standards battles slow encrypted email use

Without universal standards, email encryption remains flawed, and leaves corporations open to attack.

Email may be the killer app of the online world, but it also represents the Achilles heel of corporate networks. Email-delivered viruses have been crippling servers for years, with no letup in sight.

A year-end report by tech security company Trend Micro, for instance, says virus attacks cost corporations $55 billion worldwide in 2003, up from $30 billion in 2002 and $18 billion in 2001.

The best way to plug the security holes in corporate email systems, say experts, is two-way encrypted mail. Senders are easily tracked – a no-no for those trying to dodge the law. But the lack of universal standards has hampered the technology’s functionality and slowed its adoption.

The Internet Engineering Task Force (IETF), the group that oversees the communication standards, has developed an encryption method called Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on technology by RSA Security and backed by Microsoft, America Online, and Research in Motion.

A competing technology called Pretty Good Privacy (PGP), or OpenPGP, is widely used. Companies like Qualcomm and Network Associates have incorporated OpenPGP into their products, favoring its small size and customization abilities.

S/MIME and PGP are built on different technology but can be designed to work together, says Network Associates. Most of the time, however, they do not.

Although Microsoft is the 800-pound gorilla pushing S/MIME, few use it for external email, according to Marc Luescher, an analyst with Ferris Research. Blame it on the kinks and hassles of managing encryption authentication, as well as inadequate directory support and delegation snags.

Encrypted email is not without its flaws. There is no guarantee, for instance, that an encrypted email can be read by the recipient. An executive may not be able to forward email to a home account and read it, or move back and forth from a desktop to a laptop. Lack of delegation ability means a secretary or other assistant may not have access to an email.

In a Ferris survey, fewer than 10 percent of large companies (5,000 employees or more) are installing system-wide email encryption. That falls to less than 1 percent for the smaller companies of 500 to 5,000 employees. “Even when an organization is piloting or adopting secure external messaging, it’s unlikely to be used by more than 5 percent of users,” he says. It doesn’t take much to do the math: the other 95 percent remain vulnerable to attack.

