This review of the Voltage SecureMail Desktop email encryption solution, courtesy of Information Security, will help security consultants and value-added resellers (VARs) learn the basics of a simple, secure, Identity Based Encryption (IBE)
Voltage SecureMail Desktop
Price: Zero Download Messenger is $12,000; individual clients are $25
For all the effort businesses put into password-protecting data resources and computing infrastructures, maintaining the integrity or verifying the authenticity of incoming and outgoing email is often neglected because of cost and complexity.
The Voltage SecureMail platform is an email encryption solution that aims to make secure ad hoc business communication as easy as traditional, nonencrypted messaging. It eschews the complexities of key and certificate management in favor of a far simpler, user-transparent scheme called Identity Based Encryption (IBE).
IBE cryptography enables users to choose an identity -- usually their own email address -- as the basis for secured business communications. This method supports message encryption without requiring the distribution of keys between sender and receiver. IBE is easy to implement and manage, without the administrative overhead imposed by certificates and revocation lists.
We tested the latest version of SecureMail Desktop with client software and Zero Download Messenger components. (Voltage also offers SecureMail Gateway, with policy-based encryption/decryption and integration with antivirus/antispam products and Active Directory.)
The SecureMail Desktop agent integrates directly with a sender's email client, such as Microsoft Outlook or Lotus Notes. The Zero Download Messenger system allows recipients of encrypted email to receive and reply without needing to download any software.
Installation required no user configuration and took just a few minutes. In Outlook, a Voltage signature-information icon was added to the main toolbar, and a "send secure" button was added to the "compose new email" screen. The regular send button remains fully active, allowing the message originator to choose whether to encrypt.
The Voltage Identity Manager (VIM) client registers with a Voltage server the email addresses that the user chooses for exchanging encrypted messages. Adding an identity couldn't be simpler. After the user enters the target email address into a dialog box, VIM connects to a Voltage server and launches a browser window into which the user types his name and password. Upon submission, a single-use link is emailed back to the user. Clicking on it completes enrollment.
Clicking "send secure" is the only action needed to encrypt an outgoing message.
When someone who does not have the Voltage client installed receives a secured email, opening it displays the HTML Zero Download Messenger (ZDM) screen. ZDM prompts the recipient to open an attachment, select his email address and register it on the Voltage server, a one-time process, before the actual message is displayed.
The process works as intended, allowing messages to be opened only by recipients authenticated by Voltage. Nevertheless, first-time recipients, unless forewarned by the sender, may regard the ZDM screen as merely another piece of spam, quickly dispatching it to the recycle bin. ZDM's generic notice that "You have been sent a secure message" is inadequate.
A continuing email thread can be made secure at any time by clicking "send secure" instead of "send," and it remains secure as responses are added.
Voltage key management capabilities directly map to the PCI standard, among the most granular. Its standards-based 128-, 256-, and 512-bit encryption algorithms are FIPS certified.
Encryption often requires a budget-busting investment and IT expertise that medium-sized businesses may not have. The Voltage SecureMail Desktop is an elegant cryptographic solution, easily installed and transparent in use.
Testing methodology: Our test environment emulated a small, serverless business that employs a peer network, uses Outlook and relies on a third-party provider for POP3 email services. Email messages were sent to outside business associates with no prior notification.
This review originally appeared in Information Security.
This was first published in December 2006.