Why isn't PGP bigger? Why isn't it everywhere already?

Good questions indeed that you totally fail to answer. You think IBE is impractical? Well, I'd say you demonstrate your lack of knowledge of the real TCO and complexity of keeping a PGP system up and running in a large IT environment.
We're using Trend's email encryption now for over 3 months and the deployment has been seamless and users haven't complained about it.


I have no desire to get into an argument, just a point of view, but I have plenty of experience of both, John.

Let me guess, you have client software at both ends, and don't communicate with unknown 3rd parties? Like I said, too many mandatory requirements.

PGP is much more widespread than IBE, given that it is a standard. It isn't everywhere already for the same reason that IBE isn't everywhere - not a lot of people have needed email encryption up until now.

If you read my previous article, you'll see that I said not a lot of people need email encryption at all, it's not supposed to be a secure method of communication, and trying to secure it is a mug's game.

But, since you are, does it make sense to have multiple products to fulfil all the encryption needs in your organisation? IBE for email, another for disk encryption, another for DLP, another for endpoint, or one that fits all?

IBE is flawed, it is the easiest to implement but the weakest on security. I'd be interested to know exactly where this implementation is.

Thanks for reading the blog.


Talk about a skewed perspective... did Rob not go through any of the complexities of PKI or the fact that it requires pre-existing cryptographic relationships? PGP is not more widely adopted because it is complex and costly. IBE reduces complexity and increases universal reach tremendously more than PGP or any PKI-based technology!


Surely a more skewed perspective would come from the Global Product Manager of Trend Micro, Mark Bloom, rather than an independent consultant?

You decide.


I enjoyed reading your post, but I would like to respectfully disagree with some of your conclusions. I was formerly (approx. 2 years ago) an architect for a rather large, global, financial services company. As a point of reference, we had about 15k users in about 70 locations in over a dozen countries.

I had been down the ‘secure email’ path multiple times over the course of my career and at the time that compliance/ corporate/ customer/ etc. pressures pushed our organization to do something about email encryption, I had a handful of pocket implementations already in play including Zix, PGP, Tumbleweed, and a couple others.

When faced with the task of designing a corporate email encryption solution, I honestly dragged my feet… largely because the pocket implementations were such a distraction to manage, and I did not want to get in the business of managing any of these solutions on a large scale. Additionally, users are like electricity: they will follow the path of least resistance, and consumers of our encrypted email were not very forgiving. These points coupled together meant mind-numbing help desk procedures, painful mail recipient calls, and explanations to the business as to why I was making their life more complicated in my future. I agree with you, email is the standard for file transfers in the corporate world; however, adding layers of security without demonstrated associated value is why people seem to have a distaste for security architects… in other words, they want to do what they are already doing, but they want it secure. Easier said than done.

Added to the mix of requirements was one from the legal department… they took the stance of: email is a liability; if it is on our systems, we are responsible for it. To them, the security and privacy aspects of mail being sent across the internet were a small price to pay for not having sent email on our systems. Read: anything that used a ‘link back’ in an SSL session to mail on our systems was not going to fly.

So not only have I been wrestling with secure email technologies for years, but I am pretty familiar with the business aspects as well. All of that said, enter Voltage. I recalled reading about IBE over the years; however, I did not have any practical experience with it until I ran across Voltage. I cannot speak for TrendMicro’s implementation of IBE; but I can say from a Voltage perspective, it was a little bit of time thinking through the logic of the problem that I was trying to solve and, I kid you not, 30 min of actual technical configuration. That was it. Now, could [PGP, Zix, Tumbleweed, etc.] have been configured in 30 min if I had my problem scoped? Maybe… but the real upside was the long-term management of the Voltage implementation.

I was officially out of the key management business with Voltage. I did not have to worry about some employee’s brother-in-law that knows everything about computers jacking with something and blowing away a key ring.


I have to admit that I don't have practical experience of Voltage, it is Trend that has let me down in the past.

With regards to what you are saying about "pocket implementations" - I would recommend looking at PGP again now, it has changed beyond recognition from what it was 2 years ago, and is now a fully fledged enterprise solution.

As with all good security, it is seamless to the users, but requires some knowledge to install, unlike Trend, which is visible to the users but fairly simple to drop in if all the other requirements are in place.

I guess it depends on what you have in your environment. PGP is fairly simple to install anywhere if it's implemented by someone who knows what they're doing, and everyone can use it. IBE is simple to install if the environment is set up correctly and not everyone will be able to use it securely.

The CTO of Identum mailed me earlier to say that IBE is better for widespread multiparty communication of low grade sensitivity material while PGP is better suited for smaller groups of more sensitive information. I like security and usability, I didn't find IBE usable, so the fact that it is less secure makes me lean towards PGP, which I found very easy to install and use for both personal and corporate mail.
