"The vast majority of our business users are in the health care and finance verticals," says David Wagner, CEO at Zix. If an email contains a patient record, it would automatically go through the encrypted channel. "That provides a very important level of protection for sensitive personal information, which is our primary use case," he says.
No interoperability in sight
A number of standards exist for end-to-end email encryption, but so far, none have reached critical mass with vendors. Take Symantec. It supports both the S/Mime and PHP/Mime encryption, says Symantec's Kriese. That doesn't mean that the system easily interoperates with those of other vendors.
"It does get more challenging when you're talking about partners," she says. "You can have a one-to-one relationship. That can be done. We even provide for the global directory, for people to put their public keys into a repository so others can search for them. But getting keys back and forth is a challenge."
Different platforms use different methods for managing encryption keys, and there are other bookkeeping types of issues that need to be resolved for vendors to interoperate. "Even with the best will in the world, the standards break down, because the vendors implement them slightly differently," says Steve Wilson, VP and principal analyst at Constellation Research Inc.
"People have been talking about getting encryption into email for decades now, and it still hasn't taken off because of the compatibility issue," says Jason Hong, associate professor in the human computer interaction institute at Carnegie Mellon University. Plus, you've got the current installed base working against you. "With email, you have to convince lots of people to upgrade simultaneously," he says. "When email was invented in the 70s, a lot of the encryption techniques weren't known and the CPU powers weren't that great," he says.
Earlier this year, Google open-sourced its own approach to end-to-end email encryption, E2EMail. "By open sourcing the technology, they would make it easily accessible and hopefully create some demand and momentum around their encryption, providing an industry standard for people to adopt," says Charles King, principal analyst at Pund-IT, Inc. At least, that was the idea. "I have not seen any sign of broad adoption of Google encryption," King says.
Even Google itself isn't using it. Three years ago, the company says that it was going to use E2EMail to in a Chrome extension that would seamlessly encrypt and decrypt Gmail messages in the browser, but that hasn't materialized.
Google does encrypt email in transit, and while the emails are saved on its servers, but it needs to be able to read the mail in order to filter our spam and phishing attacks, filter and search the emails, and, of course, mine it for marketing data.
Sign up for Computerworld eNewsletters.