Tip

A review of Voltage Security's Voltage SecureMail Desktop

This review of the Voltage SecureMail Desktop email encryption solution, courtesy of Information Security, will help security consultants and value-added resellers (VARs) learn the basics of a simple, secure, Identity Based Encryption (IBE) messaging system.

Voltage SecureMail Desktop
Voltage Security

Price: Zero Download Messenger is $12,000; individual clients are $25

For all the effort businesses put into password-protecting data resources and computing infrastructures, maintaining the integrity or verifying the authenticity of incoming and outgoing email is often neglected because of cost and complexity.

The Voltage SecureMail platform is an email encryption solution that aims to make secure ad hoc business communication as easy as traditional, nonencrypted messaging. It eschews the complexities of key and certificate management in favor of a far simpler, user-transparent scheme called Identity Based Encryption (IBE).

IBE cryptography enables users to choose an identity -- usually their own email address -- as the basis for secured business communications. This method supports message encryption without requiring the distribution of keys between sender and receiver. IBE is easy to implement and manage, without the administrative overhead imposed by certificates and revocation lists.
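To make the idea concrete, here is an added example (not from the original review, and not Voltage's code or algorithm) using Cocks' quadratic-residue IBE scheme, chosen because it fits in a short script: the sender encrypts with nothing but the recipient's email address and a public modulus, and the key server derives the matching private key on request. The primes, function names and sample addresses are constructed for illustration, and the parameters are far too small for real use.

```python
import hashlib, itertools, secrets
# Added illustration: Cocks IBE, not the product's algorithm; all names here are assumptions.
# Constructed toy parameters: two Mersenne primes, both 3 mod 4. Far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q  # public system parameter; P and Q stay with the key server

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n > 0
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def public_value(identity):
    """Anyone can derive this from the email address and N alone."""
    for ctr in itertools.count():
        a = int.from_bytes(hashlib.sha256(f"{ctr}:{identity}".encode()).digest(), "big") % N
        if jacobi(a, N) == 1:
            return a

def extract_private_key(identity):
    """Key-server side: needs P and Q. Returns r with r*r = +a or -a (mod N)."""
    return pow(public_value(identity), (N + 5 - P - Q) // 8, N)

def _random_with_symbol(sign):
    while True:
        t = secrets.randbelow(N - 1) + 1
        if jacobi(t, N) == sign:
            return t

def encrypt(identity, data):
    """Sender side: uses only the recipient's address and N, one bit at a time."""
    a, out = public_value(identity), []
    for bit in "".join(f"{byte:08b}" for byte in data):
        sign = 1 if bit == "1" else -1
        t1, t2 = _random_with_symbol(sign), _random_with_symbol(sign)
        out.append(((t1 + a * pow(t1, -1, N)) % N, (t2 - a * pow(t2, -1, N)) % N))
    return out

def decrypt(identity, r, ciphertext):
    # Use the first component if r*r = a, the second if r*r = -a (mod N).
    which = 0 if (r * r - public_value(identity)) % N == 0 else 1
    bits = "".join("1" if jacobi(pair[which] + 2 * r, N) == 1 else "0" for pair in ciphertext)
    return int(bits or "0", 2).to_bytes(len(ciphertext) // 8, "big")
```

Note that `extract_private_key` works for any address: the key server can decrypt every user's mail, so an IBE deployment is only as strong as the server's protection of its master secret and the way it authenticates users before releasing keys.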

We tested the latest version of SecureMail Desktop with client software and Zero Download Messenger components. (Voltage also offers SecureMail Gateway, with policy-based encryption/decryption and integration with antivirus/antispam products and Active Directory.)

Installation/Usage: A

The SecureMail Desktop agent integrates directly with a sender's email client, such as Microsoft Outlook or Lotus Notes. The Zero Download Messenger system allows recipients of encrypted email to receive and reply without needing to download any software.

Installation required no user configuration and took just a few minutes. In Outlook, a Voltage signature-information icon was added to the main toolbar, and a "send secure" button was added to the "compose new email" screen. The regular send button remains fully active, allowing the message originator to choose whether to encrypt.

The Voltage Identity Manager (VIM) client registers with a Voltage server the email addresses the user chooses for encrypted messaging. Adding an identity couldn't be simpler. After the user enters the target email address into a dialog box, VIM connects to a Voltage server and launches a browser window into which the user types his name and password. Upon submission, a single-use link is emailed back to the user. Clicking on it completes enrollment.

Clicking "send secure" is the only action needed to encrypt an outgoing message.

Effectiveness: B

When someone who does not have the Voltage client installed receives a secured email, opening it displays the HTML Zero Download Messenger (ZDM) screen. ZDM prompts the recipient to open an attachment, select his email address and register it on the Voltage server, a one-time process, before the actual message is displayed.

The process works as intended, allowing messages to be opened only by recipients authenticated by Voltage. Nevertheless, first-time recipients, unless forewarned by the sender, may regard the ZDM screen as merely another piece of spam, quickly dispatching it to the recycle bin. ZDM's generic notice that "You have been sent a secure message" is inadequate.

A continuing email thread can be made secure at any time by clicking "send secure" instead of "send," and it remains secure as responses are added.

Voltage key management capabilities directly map to the PCI standard, among the most granular. Its standards-based 128-, 256-, and 512-bit encryption algorithms are FIPS certified.

Verdict

Encryption often requires a budget-busting investment and IT expertise that medium-sized businesses may not have. The Voltage SecureMail Desktop is an elegant cryptographic solution, easily installed and transparent in use.

Testing methodology: Our test environment emulated a small, serverless business that employs a peer network, uses Outlook and relies on a third-party provider for POP3 email services. Email messages were sent to outside business associates with no prior notification.

This review originally appeared in Information Security.


This was first published in December 2006
