News

Sendmail and PGP Partner to Meet Compliance-driven Demand for E-mail Encryption

• By John K. Waters
• May 4, 2005

E-mail encryption is now one of the fastest-growing categories in the e-mail security market, concludes a recent study by Osterman Research, and it’s likely to grow by more than 100 percent over the next 12 months. One of the key drivers of this warp-speed growth spurt, the analysts found, is corporate anxiety about regulatory compliance.

“Companies are still concerned about threat protection—about viruses and the rise of spam,” says John Stormer, senior VP for worldwide marketing at Sendmail, which commissioned the study. “But they’re more concerned about things like penalties for non-compliance, lawsuits for harassment and intellectual property leaking out of the network. And they’re increasingly looking at e-mail encryption as a way of protecting themselves.”

As a provider of e-mail security infrastructure for large enterprises, Emeryville, CA-based Sendmail offers its own session-layer encryption. The company’s recently announced partnership with e-mail encryption pioneer PGP Corporation will enable Sendmail to begin soothing the frazzled nerves of compliance-crazed execs with solutions that encrypt message content.

Sendmail has been a cornerstone in the foundation of e-mail security almost from the beginning. Created in 1981 by Eric Allman, Sendmail Open Source quickly became a standard Internet message transfer agent (MTA). Today the Sendmail MTA stores and forwards more e-mail than any other MTA on the Internet. (“Probably every e-mail sent touches a Sendmail server,” Stormer says.)

In 1998, Allman founded Sendmail to commercialize the technology. Today, the company delivers a complete platform for protecting and controlling e-mail from the gateway to the mailbox, including spam and virus protection, perimeter traffic control and sophisticated message processing for compliance.

PGP Corporation also has roots in the free and open-source software movement. PGP (Pretty Good Privacy) is an encryption program originally published in 1991 as freeware by Phil Zimmermann. The PGP algorithms and data formats were eventually standardized, and are now an Internet standards-track specification known as OpenPGP, which is an open standard used by PGP, GNU Privacy Guard (GnuPG), Hushmail, Veridis and others.

Zimmermann founded a commercial operation in 1996 to develop new versions of the program. The Palo Alto, CA-based company today develops, markets and supports products used by more than 30,000 enterprises, businesses and governments worldwide.

Earlier this month, PGP Corporation selected Sendmail as a charter member of its new Total Solution Provider (TSP) Program. The TSP Program was established to enable enterprise e-mail security companies to complement their existing products and services with PGP encryption solutions. The two companies announced an early version of this partnership in February at the annual RSA security conference. “It was such a success that we decided to step up the relationship,” Stormer says.

As a TSP member, Sendmail will be reselling PGP Universal, an encryption server that will be paired with Sendmail’s Mailstream Manager, an e-mail security and policy management solution. Stormer explains how the two will work together: “You set the policies about which messages you want to encrypt and how you want to interact with the encryption server, and Mailstream Manager takes over the control of that policy. It makes calls to the PGP Universal server to orchestrate the encryption/decryption analysis, and puts [the message] back into the mail stream, either encrypted or un-encrypted. Essentially, you are creating a clean room for content scanning analysis and policy implementation, re-encrypting it and delivering it to a specific recipient.”

Companies should keep in mind that an e-mail encryption strategy is something of a two-edged sword, Stormer warns. Encrypted messages can hide content from the bad guys, but they can also hide viruses from the network and inappropriate employee activity from the company.

“You don’t have the visibility into that communication that you have with an unencrypted message,” Stormer says. “The inability to impose corporate policies—say, for compliance or content protection—on that message can actually create another security hole.”