I once co-wrote a book on enterprise email where I likened email encryption to a "sucking chest wound." That was in 1997, when you had to do all the encryption key management on your own, a daunting task to say the least.
While things have improved considerably since then, encrypting messages is not as simple as it could be, and requires careful study if you want to have truly private communications that can't be viewed by your competitors -- or your government.
In the past, recipients of encrypted emails had to share the same system as the sender, and many email clients were difficult to configure. Today, many products have a "zero knowledge encryption" feature, which means you can send an encrypted message to someone who isn't on your chosen encryption service. Just provide them with a passphrase to decrypt the message and to compose a reply to you, or in some cases they can read the message simply by authenticating themselves. After this first exchange, your recipient can send and receive encrypted messages with you quite easily.
Apart from zero knowledge encryption, modern products make sending and receiving messages easier, with advances like an Outlook or browser plug-in that gives you nearly one-button encryption. And all of the products reviewed have better control over the message traffic, such as setting expiration dates, or being able to revoke unread messages or prevent them from being forwarded once your recipient has read them. These are all good signs that encryption has finally come of age.
But there is one remaining problem: the ways we use email have also evolved and become more complex. Some of us alternate between desktop and mobile clients, or use webmail as our mail client. Some people prefer Outlook and many organizations depend on Microsoft Exchange, while there are dozens of SaaS-based hosted email providers, such as Google Apps and Office 365. That means any encryption solution has to cover different use cases and endpoint clients. And there is still a lot of end-user apathy toward encrypting messages, even after the Snowden saga and other object lessons in keeping messages secure.
To analyze the current state of the art, we examined seven products, and found that they fall into three functional categories.
First are hosted email services that make use of end-to-end encryption of their message traffic. Typically, you use the hosted provider's webmail client to have a secure connection to send and receive email. If you are already using a hosted email service, you would need to replace that provider with one of these services. We looked at Hushmail and ProtonMail in this category. Hushmail has been around for more than a decade, while ProtonMail is relatively new and still in an extended beta. This category is appealing for smaller networks or places that see an immediate need for encryption and want to get started quickly.