One young company hoping to provide e-mail security and digital signature solutions through outsourcing is Dallas-based ZixMail.com. The ZixIt Corp. subsidiary is headed by David P. Cook, founder of the Blockbuster Entertainment Corporation, the parent of the popular video chain.
ZixMail provides users of any e-mail client with a way to send time-stamped, tamper-free messages that can only be read by the intended recipient or recipients.
To utilize ZixMail, a Notes user would compose an e-mail message, add attachments if needed, and then encrypt the message using a private key, or signature phrase.
"When you enter that [private key] in, we're going to send a hash of the message up to our World Wide Web server," said ZixMail.com, Inc. CEO Douglas Kramp. "A hash is a digital representation of the message, not the message itself."
The hash is time stamped and matched with the recipient's public key. The public key certifies the recipient's identity as a ZixMail user and that he or she is able to securely receive the message.
After the hash is reunited with the mail message and sent to the recipient, only that recipient can view the message by using a unique key signature phrase. The recipient gets a brief message in his or her in box with word that a secure message is waiting. The recipient clicks on the provided Web link, types his or her private key in the secure browser-based interface, and is then able to read the message.
Plusses and minuses
Ease of use is at the top of the list of ZixMail advantages, however one drawback is that a fully integrated Notes version of ZixMail will not be released until the end of the year.
Roy Schuster, a spokesperson with Lante Corporation in Dallas, said his e-commerce consulting firm sends digitally signed ZixMail messages with Lotus Notes despite the lack of integration.
"It's only a minor inconvenience. Once you get used to using it, certainly everybody would agree it's not something you use for every message you send. It's not something you would use just to e-mail your wife and ask what you're doing tonight," said Schuster.
The outsourcing benefits resemble those gained by using any application service provider (ASP). Sparing a company's precious IT resources is often reason enough.
"Companies really back off when they think about the work to install a secure system and manage public keys," said Kramp. "If a company doesn't have certification authority, then they have to rely on the other company they're communicating with. Then it just breaks down."
However, there are concerns that come with outsourcing any type of security solution.
"If I wasn't very aware of exactly how it works and how secure it is, I would certainly have a lot of questions," Schuster said.
"Frankly, from what I've seen, there's certainly there's no worries on our part that there's any sort of breach of security. We know the management top to bottom and we have total comfort," he said.
Building a business
Kramp claims his company can provide a public key for every e-mail address in the world. Today ZixMail is releasing its SecureDelivery.com portal site, which will enable non-ZixMail users to receive ZixMail messages by automatically distributing free public keys to message recipients.
While ZixMail will eventually cost $1 per month per e-mail address, right now it's free.
"It's a land-grab situation for marketshare right now," Kramp said. "We feel like we have a widespread solution, and we want to leverage the market. We want that spread to happen as quickly as possible."
ZixMail users rely on the outsourcing capabilities of the company's $50-million data center.
"It's a real investment," said Kramp, "In the security business, the magic is not in the encryption, it's in the automated management of public keys."
Since ZixMail is based on personal keys, it can become more difficult for companies to monitor employee e-mails. That may be a benefit for employees, but companies are ultimately responsible for maintaining a suitable work environment. Losing some of the ability to monitor e-mail may cost a company in the long run.
Naturally, there is a loophole. Companies can request what's called a keymaster. That person, typically an IT director will get a copy of all the private keys issued for a company's e-mail domain.
That way, Kramp said, a company still maintains controlled access to its employees electronic communications.
"That [designated keymaster] isn't going to spend their time cruising though people's e-mail messages for sport. You've got tech support people now who have full ability to go in and look at other people's email anytime whenever they want. This puts a whole sequence of authority on the viewing of e-mail," Kramp said.
Tomorrow, SearchDomino profiles CertifiedMail.com, an in house solution to securing e-mail.