The number of file sharing and instant messaging platforms keeps on growing, but despite this, email remains the leading form of collaboration for most enterprises. Within organizations, instant messaging solutions such as Skype for Business have slightly reduced the number of emails exchanged between users, but when it comes to communication between organizations, email is still the predominant collaboration platform.
In a world where most cyber-attackers now use email as an attack vector, email security has never been as important as it is today. Almost every day there is a new case of someone or some organization falling victim to an email scam and suffering some sort of loss, usually of private data or money, sometimes both. Failure to protect an email infrastructure and properly educate users can easily and quickly cause enormous damage to an organization.
In this product review, I am analyzing HPE SecureMail Cloud Standard Edition (HPE being Hewlett Packard Enterprise), an end-to-end email encryption solution available for desktop, web and mobile, and which is already used by millions of users worldwide.
Although the focus of this review will be how SecureMail integrates with Exchange Online (Microsoft Office 365), it also applies to other messaging platforms, such as on-premises Exchange deployments, or G Suite (formerly Google Apps) for example.
Why email encryption? And how?
The introduction says it all: email is now the preferred channel for launching advanced targeted attacks. According to Forrester Research, end-to-end email encryption is now essential: “Data, while in transit or at rest, needs to stay protected. Select an encryption solution that provides full lifecycle data protection, regardless if accessed internally, externally, or through a mobile device.”
But it is not just about cyber-attacks. Many organizations require encryption to meet their own specific needs, such as compliance with privacy legislation (HIPAA, GDPR, etc.) or the protection of PII, intellectual property and identity data, just to name a few.
Office 365 is one of the most popular productivity platforms worldwide. And the reason why is simple: it is a highly capable bundle of email, calendaring, scheduling, task management, desktop productivity, telephony, real-time communications, and other collaboration tools and services. The fact that most organizations can easily sign up to Office 365 and start using all its offerings almost immediately makes it an attractive solution, especially when compared to how much it would cost to deploy and maintain the same solutions on-premises.
Cloud-based systems like Office 365 provide a wealth of resources to organizations large and small, but they also come with important challenges, especially in terms of security and handling of sensitive data. Organizations should ask several questions regarding their deployment:
- Are built-in security and encryption capabilities enough?
- Should all emails and files be encrypted before they reach the cloud?
- Is there a need for better usability?
- Is there a need for more flexible implementation options?
- Do we need our own encryption keys?
Office 365 delivers multiple encryption options to help organizations meet their business needs for email security:
- Office Message Encryption (OME), covered in the Office 365 Message Encryption article by Neil Hobson;
- Secure/Multipurpose Internet Mail Extensions (S/MIME), covered in my Email Security with Digital Certificates article;
- Information Rights Management (IRM).
All these methods suit different scenarios and meet specific requirements, and all have their pros and cons. HPE SecureMail is very similar to OME in that it lets users send encrypted emails to people inside or outside the organization, regardless of the destination address (Gmail, Yahoo! Mail, Outlook.com, and so on) and regardless of whether the recipient uses the same encryption solution.
To view an encrypted message, a recipient is directed to a website where the message is decrypted and presented to the user, or using Outlook if the recipient is a SecureMail user. Recipients can also send encrypted replies using the same website without the need for SecureMail or an Office 365 subscription. We will see how this is done in the Using SecureMail section later in this review.
Benefits of HPE SecureMail
On paper, HPE SecureMail seems to be a natural fit for any messaging platform, enhancing its security, privacy, and usability capabilities:
- It enables end-to-end data protection, full privacy, and confidentiality. Only our organization has access to the decrypted data - not Microsoft, or Google, or even HPE;
- It adds multiple usability features that make encryption easy to use. In addition, it provides a full-featured solution to protect collaboration in the cloud and on-premises;
- It provides a simple user experience for desktop, mobile and web;
- It offers flexible deployment options: in the cloud (which this review is covering), on-premises, or a hybrid model;
- It uses standards-based Identity-Based Encryption (explained later in this review), meaning there are no per-user keys or certificates for administrators to provision, distribute or store.
Although all important, the first reason mentioned above is key. Recently, a United States federal appeals court ruled that Microsoft cannot be forced to turn over customer emails stored on servers outside the US, handing a victory to privacy advocates. On the other hand, a US judge has ordered Google to comply with search warrants seeking customer emails stored outside the US, diverging from the federal appeals court decision in the Microsoft case.
What this tells us is that every case is different and no one can be certain when Microsoft or Google will be forced to hand over customer data to law enforcement agencies; we also seem to be moving towards a world where an organization’s privacy rights are governed by its own country’s laws and interpreted by its own government.
But both these cases involve a US company and data stored in a different country. What about, for example, a US company with all its data within the US? In that case, Microsoft or Google would have no choice other than to hand over customer data to the authorities.
As just stated, HPE SecureMail provides organizations with end-to-end encryption of all emails and files, from their point of origin (whatever device they originate from) and throughout their lifecycle. This gives the organization complete control over privacy (even with respect to Microsoft or Google) because emails are encrypted before they reach the provider’s servers.
Digital certificates also provide end-to-end encryption. However, in very generic terms, for Alice to send Bob an encrypted email, Bob would have to be using a digital certificate and Alice would have to have Bob’s public key prior to sending him an email. In short, key exchange is not straightforward and users are limited to sending encrypted emails to recipients that use digital certificates. With SecureMail this is not the case. Organizations can deploy SecureMail to allow their users to send encrypted emails to any recipient, without having to worry about key management and distribution.
HPE claims SecureMail to be the most widely deployed email encryption solution in the world, with more than 75 million users worldwide across thousands of enterprise and midsize businesses. These customers cover financial, health care, insurance, and other highly regulated industries. It also claims that SecureMail is used by 2 of the top 3 US Banks, 2 of the top 4 European Banks, and 2 of the top 4 Health Insurers. Pretty impressive.
Requirements and Installation
HPE SecureMail is flexible in its deployment options as it comes in several versions to accommodate the varied needs of customers:
- HPE SecureMail On-Premises is usually deployed by major corporations and companies that want to retain the management of their keys and encryption solution;
- HPE SecureMail cloud version is usually preferred by smaller corporations or those that do not want to manage keys themselves;
- Hybrid deployments have been preferred by some customers to enable some aspects of the solution to be on-premises (for example, the key server) and others to be based in the cloud. Customers can also migrate from one deployment to another.
In this review, we will be testing the cloud version, using v22.214.171.1249 of its client application.
HPE SecureMail was formerly known as Voltage SecureMail before the acquisition of Voltage Security by Hewlett Packard. This is why you will still see references to Voltage when using this service as well as within this review.
Being an enterprise-grade solution, SecureMail has its own administrative console that allows administrators to manage their licenses and activate users for example. In this review, I will focus on SecureMail from an end-user’s perspective.
HPE provides a 14-day free trial of SecureMail Cloud here. Signing-up for the trial is straightforward and, in no time, we can download the software that will allow us to encrypt emails and files. Below is the version tested in this review, as well as all the supported platforms and operating systems:
Once we download the software, the installation is simple and straightforward:
All we have to do is accept the license agreement:
Choose the location where we want to install SecureMail (or Voltage Encryption for that matter):
And we are ready to go:
Once complete, we should reboot the PC even though it is not mentioned. Once that is done and we start Outlook we are presented with a wizard that will help us configure SecureMail:
Again, this is very straightforward and all we must do is enter our email address:
Once that is done we are redirected to a website to complete the configuration:
Here we choose our password (notice the notification saying that we will be asked for this password periodically for security purposes):
After which we are notified that we will receive an email in order to confirm our email address (as is standard nowadays):
The email I received didn’t render properly in my Outlook 2016 or OWA but it basically contained a link to verify my email address:
Once we verify our email address, we are done. Simple as that!
SecureMail client software adds a simple Send Secure button to send encrypted email from most devices:
- Desktop – the desktop plug-in adds an encryption button to Outlook and all Office apps (as we will also see);
- Web – the web interface enables customers and recipients to view secure emails on any device. Simple HTML message, easy sign-on, full Mac support;
- Mobile – the mobile app is compatible with most mobile operating systems and provides a native user experience for smartphones and tablets.
The first time we launch Outlook after having configured SecureMail completely, its add-in gets loaded. Looking at Windows’ Event Viewer, we can see it loaded very quickly, not causing any significant delay to Outlook’s startup process:
In Outlook we are presented with a new Voltage tab where we can get access to the help file, support and Encryption Manager:
The two main tabs in Encryption Manager are Identities, where we can manage our Voltage identities, including adding additional ones if we use more than one email address:
The other useful tab is SafeList. Here we can create and maintain a list of recipients to whom we automatically send secure messages. If the Enable Safe Secure Recipients List Check is enabled, the SafeList check is performed locally to match the SafeList entries with the recipients of the email message before sending the secure message. This helps prevent leaking of confidential information to unauthorized users:
The Support tab provides information about Voltage Encryption Client installation that can be useful when troubleshooting. It also allows us to set logging levels, generate diagnostic information to a file, and reset our Voltage Encryption Client (which we might have to do if an administrator makes a change to the configuration of the Voltage Encryption Client, for example):
Sending Secure Emails
Using SecureMail to protect our emails is easy. It adds a Send Secure button to our Outlook toolbar:
We can continue to create new emails and reply to emails the same way we always have. When we want to send a secure email, we click on the Send Secure button to encrypt our message and send it securely. That’s it!
Receiving Secure Emails with SecureMail Installed
If the recipient has SecureMail installed, he can use Outlook to open the secure message in the same way he opens any other email message as the message will be automatically decrypted and presented to him (even in the Reading Pane):
As it can be seen in the screenshot above, SecureMail encrypts email to protect the data, and digitally signs the email to show it came from an authentic email account.
If we look at the email headers, there is some information added by SecureMail:
Administrators can control whether secure messages their own users receive are stored in encrypted or decrypted form in Outlook by default. Messages can be stored in encrypted form, decrypted each time they are opened, and automatically re-encrypted when they are closed. Alternatively, messages can be automatically decrypted when they are first read and then stored decrypted in the mailbox.
Receiving Secure Emails without SecureMail Installed
Now let’s assume this recipient does not have Outlook or SecureMail installed. He will login to Gmail and will see the following message in his Inbox:
All the recipient needs to do is open the message_zdm.html attachment and then click on the Read Message button to access the secure email:
The encrypted body of the original message, as well as any attachments to the original email, are contained in this message_zdm.html attachment. By opening the HTML attachment and authenticating, recipients will be able to access the secure email and its attachments. Note that “open the HTML attachment and sign in” is also exactly what a credential-phishing email asks its victim to do, so organizations rolling out SecureMail should tell their external recipients in advance what a genuine SecureMail notification looks like.
After opening the message, the recipient is either prompted to authenticate himself by an email sent to the email address that he selected, or asked for a username and password if he has previously registered. In this case, because it is the first time using SecureMail, the recipient is asked to authenticate:
If he had previously registered, all he would have to do is sign-in:
Once the recipient authenticates, the secure email is decrypted:
The decrypted secure email is presented in the web browser over HTTPS (TLS). The digital signature identifies the sender of the email and protects the recipient against spoofing. Any message with an invalid signature will show an alert.
Replying to Secure Emails
Replying to or forwarding secure emails using Outlook is trivial when SecureMail is installed. When using the website, users can click on the Reply or Reply to All buttons to compose a reply to the sender:
Once the user finishes composing the email, he clicks Send Secure and the reply is automatically secured. Users can also upload attachments to be sent securely to recipients.
Let’s now have a quick look at SecureMail’s mobile app. For this test I will be using the iOS edition, v2.2.4, last updated in January 2016:
Thankfully this app supports Touch ID, which is great:
Once we install and open the app, we are told that it works by using our traditional mail app, and then opening the secure attachment we already looked at in the SecureMail mobile app:
To do this, we open the secure email we received:
We press and hold the attachment, and select Copy to Voltage Mail:
The secure email is then displayed within the app. Embedded images are available as attachments, and users can easily reply or forward the email:
It is also possible to compose new emails and send them securely using the mobile app by clicking on Compose:
The recipient will then receive the email securely just like before:
Sharing files between organizations has been an everyday part of doing business for decades. As privacy becomes more and more vital for businesses all around the globe, file-sharing processes present an ever-growing business risk, especially under standards and regulations such as PCI or HIPAA.
When installing HPE SecureMail, SecureFile is also included, which provides persistent data-level protection for sensitive and confidential data inside files and documents.
HPE SecureFile lets us encrypt and decrypt any type of file, using the Voltage SecureFile shortcut menu:
Encrypt – using this button we can encrypt a file so that only we can decrypt it. No other users can decrypt and gain access to this file. The original file is securely deleted from the disk, the encrypted file is saved in the same folder as the original file (with a .vsf extension), and the original icon is replaced by the Voltage icon:
Encrypt and email... – this option is used to encrypt and securely share files containing sensitive information with individuals and groups that we choose. The encrypted file is then automatically attached to a new message in our default email application. As before, the encrypted file is saved with a Voltage icon in the same folder and the original file is securely deleted.
Encrypt and set access list... – we can always decrypt files that we encrypt using our own identity. We can also encrypt files so that they can be decrypted by a set of individuals and groups that we specify (as long as they have SecureFile installed). Using the Encrypted File Access List dialog, we can add email addresses of one or more users who are permitted to decrypt the encrypted file. Our default identity is automatically included in the list (with a *) so that we can decrypt the file ourselves. Once more, the encrypted file is saved with a Voltage icon in the same folder and the original file is securely deleted.
Important: we can only share files encrypted using SecureFile with users who also have SecureFile installed. If we want to share an encrypted file with a recipient who might not have SecureFile installed, we must use SecureMail, which encrypts all attachments as part of the messages sent securely.
SecureFile enables easy encryption of supported Microsoft Office documents (with .docx, .pptx, and .xlsx extensions) by using the Voltage Encryption ribbon button:
When we press this button, the Add users and encrypt window comes up. We then type or select an email address in the Email entry box and select Owner, Editor or Viewer depending on the access rights we want for the selected user. Once done, we click on Encrypt and save the changes to encrypt the file. If we do not save the changes or accidentally exit the application before saving, the document remains unencrypted.
We can view or edit SecureFile encrypted files that have been encrypted with or to our email identity. We can use the option from the context menu by right-clicking on the file, or we can double-click on the encrypted file to open it in the associated application:
For some file types, such as .txt and .htm files, we must save the decrypted file before opening or editing it. For files with .docx, .xlsx, and .pptx extensions, we can double-click on the encrypted file to open it in the associated application for editing.
Other Features of HPE SecureMail
HPE SecureMail has other good features such as:
- Good Dynamics add-on. HPE SecureMail for the Good Dynamics secure mobile app platform simplifies regulation compliance, user experience, and management for enterprises leveraging the BlackBerry Enterprise Mobility Suite (formerly known as Good Secure EMM Suite);
- Integration APIs. HPE SecureMail Application Edition uses a RESTful API to protect email from different applications and websites that generate, store, and use email.
But the three features I want to give some more attention to are the following ones:
- HPE SecureMail Archive Connector;
- HPE SecureMail eDiscovery Accelerator;
- Identity-Based Encryption.
Security audit regulations often require organizations to produce email correspondence upon request. To comply with these requests, organizations must be able to provide decrypted versions of encrypted messages. This is the purpose of the first two features mentioned above.
HPE SecureMail can also sit in-line with archive systems that collect data for legal archive and hold purposes. There are two options to consider here: allowing data to go into the archive encrypted and accessing it afterwards using the eDiscovery tool (noted below), or decrypting data just prior to collection using the Gateway connected in-line to the archive, which allows easy indexing and full-text searches of decrypted email within the archive. Essential eDiscovery processes like collection, processing, review, and analysis can then be conducted on decrypted messages, while keeping a high security level.
HPE SecureMail eDiscovery Accelerator allows policy-controlled decryption of secure emails. It is a web-based application that enables eDiscovery auditors or administrators to manage Outlook PST files that contain archived copies of secure messages. Administrators can then decrypt messages in those files in order to make them available for eDiscovery applications. This is possible by SecureMail eDiscovery Accelerator working together with the SecureMail Server, which is responsible for centrally managing keys and allowing access to those keys only by users who have been authenticated. eDiscovery Accelerator is installed on a Windows server, and is responsible for requesting keys from the SecureMail Server for the decryption of encrypted messages in PST files.
HPE Identity-Based Encryption
As mentioned in the beginning of this product review, using digital certificates to encrypt emails works great, but this public key system has the inherent problem of public key distribution (remember that for Alice to send Bob an encrypted email, Bob would have to be using a digital certificate and Alice would have to have Bob’s public key prior to sending him an email). In 1984, Adi Shamir, a cryptographer and co-inventor of the RSA algorithm, proposed a new type of public key algorithm: mathematically generating the receiver’s public key from his/her identity, then having a trusted third party deliver the private key to the user after verification of the user's identity. This type of public-key cryptography is known as Identity-Based Encryption (IBE). Shamir’s paper gave a construction for identity-based signatures but left encryption as an open problem; the first practical IBE schemes appeared in 2001 (Boneh and Franklin’s pairing-based scheme, which Voltage went on to commercialize and standardize as RFC 5091, and Cocks’ scheme based on quadratic residuosity).
Using IBE greatly simplifies key management because Alice does not need to contact the key server to get an encryption key for each recipient, or obtain Bob’s public key beforehand. All she needs are the domain’s public parameters, fetched once, and Bob’s identity (his email address), from which the encryption key is mathematically derived. Bob must only contact the key server once to authenticate and get the corresponding decryption key. The key server constructs that decryption key mathematically from its master secret, eliminating the need for a per-user key database at the key server and making key recovery extremely straightforward.
Private keys need to be generated only once, upon initial receipt of an encrypted message. All subsequent communications corresponding to the same public key can be decrypted using the same private key, even if the user is offline. Also, because the public key is generated using only Bob’s email address, Bob does not need to have downloaded any software before Alice can send him a secure message.
By eliminating the need for certificates, HPE IBE removes the drawbacks of PKI: certificate lookup, lifecycle management, certificate revocation lists, and cross-certification issues. The trade-off is that the key server can derive every user’s private key from its master secret, so whoever operates it (HPE in the cloud edition, the customer in the on-premises or hybrid deployments described earlier) is in a position to decrypt any message; this is also what makes the archive and eDiscovery decryption described above possible. The claim that “not even HPE” can read the data therefore depends on where the key server is deployed, and protecting that master secret is the single most important operational task in an IBE deployment.
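To make the key flow concrete, here is an added, self-contained example that is not HPE’s or Voltage’s code. HPE SecureMail uses the pairing-based Boneh–Franklin scheme (RFC 5091); this example instead implements Cocks’ quadratic-residuosity IBE, which needs only Python’s built-in integer arithmetic, because it shows the same three roles: the key server publishes a modulus N and keeps the factors as its master secret, the sender derives the recipient’s public key from nothing but the email address, and the key server derives the matching private key on demand. The email addresses, message and the small Mersenne primes are constructed for the demo (a real deployment would use roughly 1024-bit primes each); the function names are this example’s own.

```python
"""Toy Identity-Based Encryption (Cocks, 2001) showing the IBE key flow.
Constructed example for illustration; not HPE SecureMail code."""
import hashlib
import math
import secrets

# Key-server master secret: two primes congruent to 3 mod 4.  Mersenne
# primes are used so the demo needs no primality test (demo size only).
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q                      # the only public parameter the sender needs


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, computed via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def public_key(email: str, n: int = N) -> int:
    """Derive the recipient's public key from the identity alone: hash the
    address with a counter until the value has Jacobi symbol +1 mod n."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{email.lower()}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if a > 1 and math.gcd(a, n) == 1 and jacobi(a, n) == 1:
            return a
        counter += 1


def extract_private_key(email: str) -> tuple:
    """Key-server side: derive (a, r) from the master secret (P, Q).
    No per-user state is stored, so the server can recreate any user's
    key at any time: the escrow property discussed in the text."""
    a = public_key(email)
    r = pow(a, (N + 5 - P - Q) // 8, N)   # r*r == a or r*r == -a (mod N)
    return a, r


def _random_unit(symbol: int) -> int:
    """Random t in Z_N* whose Jacobi symbol equals `symbol` (+1 or -1)."""
    while True:
        t = secrets.randbelow(N - 2) + 2
        if math.gcd(t, N) == 1 and jacobi(t, N) == symbol:
            return t


def encrypt(email: str, plaintext: bytes) -> list:
    """Sender side: needs only N and the recipient's address.  Each bit is
    encoded as the Jacobi symbol of a random t; two elements are sent per
    bit because the sender cannot know whether r*r equals a or -a."""
    a = public_key(email)
    out = []
    for byte in plaintext:
        for i in range(7, -1, -1):
            symbol = 1 if (byte >> i) & 1 else -1
            t1, t2 = _random_unit(symbol), _random_unit(symbol)
            s1 = (t1 + a * pow(t1, -1, N)) % N
            s2 = (t2 - a * pow(t2, -1, N)) % N
            out.append((s1, s2))
    return out


def decrypt(private_key: tuple, ciphertext: list) -> bytes:
    """Recipient side: s + 2r == (t + r)^2 / t (mod N), whose Jacobi symbol
    equals that of t, which recovers the bit."""
    a, r = private_key
    use_first = (r * r) % N == a          # otherwise r*r == -a: use s2
    bits = []
    for s1, s2 in ciphertext:
        s = s1 if use_first else s2
        bits.append(1 if jacobi((s + 2 * r) % N, N) == 1 else 0)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


if __name__ == "__main__":
    msg = b"Send Secure"
    ct = encrypt("bob@example.com", msg)                 # Alice: N + Bob's address
    bob_key = extract_private_key("bob@example.com")     # Bob: one authenticated fetch
    print(decrypt(bob_key, ct) == msg)                   # True
    eve_key = extract_private_key("eve@example.com")     # another identity's key
    print(decrypt(eve_key, ct) != msg)                   # True: wrong key yields noise
```

Note that nothing in `encrypt` touches P or Q, and nothing in `extract_private_key` looks anything up: that is the whole point of IBE, and also why whoever holds (P, Q) can decrypt for every identity in the domain.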
HPE SecureMail (and SecureFile), is without a doubt a great solution that meets the security requirements of many businesses worldwide. The way it implements Identity-Based Encryption plus the fact it is so easy to use, makes it ideal for many, many organizations.
The only question is: doesn’t Office 365 Office Message Encryption (OME) do the exact same thing without any additional cost?
OME does have some advantages, such as being included in some Office 365 plans (E3 and above, for example); admins can configure transport rules to automatically apply encryption (or decryption) to emails that meet certain criteria; and it has a better web client.
On the other hand, HPE SecureMail works with other messaging platforms, not just Office 365, so it is suitable for organizations running solely Exchange on-premises or using G Suite, for example. Another important advantage is that Microsoft (or Google) is not able to decrypt any emails encrypted with SecureMail. Finally, SecureMail recipients do not need to use the website to view encrypted emails if they have SecureMail installed and use Outlook, which is an advantage over OME.
These, in my opinion, are the main selling points of HPE SecureMail.
MSExchange.org Rating 4.7/5