Industry standard for sending encrypted emails to customers?

baydude

Senior member
Sep 13, 2011
This is more of an enterprise security topic but I'm sure there are many information security professionals that also post here. If my company has a Public Key Infrastructure and distributes keys through our own CA server, how do we send encrypted emails to customers outside our domain? I'm assuming there will be trust relationships involved between our company's CA server and the vendor's? If there are other email encryption options that are more ideal and more of an industry standard, I'd like to know too. PGP? SSL? I'm not a security guru who implements these types of solutions for my company (obviously)... but it's just been on my mind and I was wondering... how do I send this stuff outside to people encrypted??

seepy83

Platinum Member
Nov 12, 2003
The company I work for and all of our business partners that I'm aware of use a web/https based solution for secure email. The recipient receives an email notification that they have been sent a secure message, and they click a link in that email which links them to an https site on our secure email webserver. They need to log in and view the message in a browser/webmail type of format. There are a few products that work in that fashion... ZixMail, Axway Secure Messenger, and I believe Cisco IronPort can be used in the same way. I'm sure there are others out there too, but those are the ones I have encountered. My personal opinion is that the nice thing about that type of solution is that the recipient doesn't need to have a specific infrastructure or configuration for it to work... they just need to remember a username and password.

You can go the route of PGP, S/MIME, etc... but that way typically requires additional cooperation and education on the receiving end.

Dravic

Senior member
May 18, 2000
Symantec (ugh..) bought PGP Corporation about 2 years ago and now sells their PGP Universal Server and PGP Desktop client. The Universal Server is nice because it centralizes all your private keys, and can add an additional decryption key to every encryption function for e-discovery and recovery. It can also come with a web messenger portal that allows you to send encrypted email to anyone, and if you don't have their public key uploaded into your key store it will send them an email telling them to pick up their secure data from an SSL-secured website.

PGP Desktop adds two buttons into Outlook for sign and encrypt, very easy for end users. The only caveat: the email plugin can break some Outlook plugins like some VoIP voicemail plugins and some fax plugins.

ZeroRift

Member
Apr 13, 2005
Their root CA only needs to trust your issuing CA. So as long as you're buying a cert from one of the trusted roots, you shouldn't run into trust issues.

The main problem is that most email clients need special configuration to verify the cert via SSL, and most admins don't go through the trouble.

We work with a company that uses a web based solution like seepy83 mentioned as well.

Microsoft's cert reference (you probably know about it, but just in case):
http://technet.microsoft.com/en-us/library/cc700805.aspx
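As an added illustration of the trust point ZeroRift makes (this is example code, not something posted in the thread or shipped by any of the products named above), the script below uses the openssl command line to stand up a throwaway private issuing CA, issue S/MIME certificates for an internal sender and an external recipient, sign and encrypt a message, and then show that the recipient's verification only succeeds once their client trusts the sender's issuing CA. The "Example Corp" CA name, the user names and the email addresses are constructed placeholders; the script leaves its files in a temporary directory so they can be inspected afterwards.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates why a customer's mail
# client must trust your issuing CA before it can verify your S/MIME signatures.
# All names/addresses below are constructed placeholders.
set -e

WORK="$(mktemp -d)"

# Issue a user certificate signed by the private CA.
# Usage: issue_user_cert <name> <email>
issue_user_cert() {
  name="$1"; email="$2"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=$name/emailAddress=$email" 2>/dev/null
  # Extensions a mail client expects on an S/MIME certificate.
  cat > "$WORK/$name.ext" <<EOF
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
EOF
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/$name.crt" -days 30 -extfile "$WORK/$name.ext" 2>/dev/null
}

setup_pki() {
  # The company's own issuing CA (self-signed here purely for the demonstration).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Example Corp Issuing CA" -days 30 2>/dev/null
  issue_user_cert alice alice@example.com    # internal sender
  issue_user_cert bob bob@partner.example    # external recipient
}

# Sender side: sign with Alice's private key, then encrypt to Bob's certificate.
send_message() {
  printf 'Subject: Q3 figures\n\nQuarterly figures attached.\n' > "$WORK/msg.txt"
  openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/signed.eml"
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
    -out "$WORK/encrypted.eml" "$WORK/bob.crt"
}

# Recipient side: decrypt with Bob's private key; the result is the signed message.
receive_message() {
  openssl smime -decrypt -in "$WORK/encrypted.eml" -recip "$WORK/bob.crt" \
    -inkey "$WORK/bob.key" -out "$WORK/decrypted.eml"
}

# Verify Alice's signature. Returns non-zero when no chain to a trusted CA can
# be built. Pass a CA bundle to trust Example Corp's issuing CA; pass nothing
# to use only the default store, which does not contain it.
verify_signature() {
  if [ -n "$1" ]; then
    openssl smime -verify -in "$WORK/decrypted.eml" -CAfile "$1" -out /dev/null 2>/dev/null
  else
    openssl smime -verify -in "$WORK/decrypted.eml" -out /dev/null 2>/dev/null
  fi
}

# Does a file contain the message body in the clear?
plaintext_visible() {
  grep -q "Quarterly figures" "$1"
}

setup_pki
send_message
receive_message
if verify_signature; then
  echo "unexpected: signature verified without trusting the issuing CA"
else
  echo "as expected: verification fails until Example Corp Issuing CA is trusted"
fi
verify_signature "$WORK/ca.crt"
echo "signature verified after trusting Example Corp Issuing CA; files in $WORK"
```

The same failure is what the customer's mail client reports when your issuing CA is not in its trust store, which is why buying user certificates from a CA whose root is already distributed with common clients, or exchanging CA certificates with the partner up front, avoids the trust issue; the encryption step itself only needs the recipient's certificate.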