PGP: Encryption Everywhere

PGP Corporation may have the handle on protecting sensitive data everywhere

My November 28 column on disk encryption prompted reader comments that were almost unanimous on the message "caveat erus"—let the owner beware. Whether the data is shadowed from the heavy iron, is siloed in a small group, is meant to travel, or is designed to always stay behind the corporate doors, the "owner" (as in institution/corporation or the manager responsible for the data) has an obligation on the line.

When you follow the free-association thought process about that obligation, using encryption elsewhere makes sense. One of my first motivators to examine encryption was e-mail privacy. That need eventually led me to Pretty Good Encryption (PGP), originally authored by Phil Zimmermann, for my personal use.

Zimmermann later fostered the effort that turned the product into OpenPGP, an international Internet standard. Today PGP remains one of the best public-key infrastructure (PKI) encryption schemes and one of the most popular for both personal and corporate use.

PGP Corporation is the current corporate home of Zimmermann and many of the original developers. Corporate deployment of PGP Corp’s products is strong: they’re used by over 94 percent of the Fortune 100.

One attraction of PGP’s public/private key encryption was the wide accessibility of key servers; minimal effort was required to exchange or verify a message. That’s okay for personal use, but enterprises want to shoulder the identity issues by issuing their own credentials and running their own key servers. PGP’s central key management is very mature and integrates well with directory systems such as Active Directory or LDAP. Leveraging that central administration across multiple uses makes rollout and operation far more efficient in large deployments.

PGP puts most of the encryption burden on the endpoints. E-mail, attachments, and instant messages (the latter done in real time) are encrypted and decrypted on client computers. A strategic success in version 9 (version 9.5 was released late last year) was automating encryption and enforcing it through policies via its Universal Gateway.

You know the story. When sending an encrypted e-mail takes more than one step (i.e., hitting the send button), most users follow the path of least resistance—and least protection—and don’t encrypt. The central administration tools can force encryption for some or all e-mail depending on the originator, the recipient, or characteristics of the e-mail itself, and they provide auditing details. Because the PGP desktop software makes the encryption transparent to the user, compliance becomes automatic.

Automatic Web-based e-mail is another piece of PGP that should pique the interest of groups that exchange privacy-regulated data, such as financial or health information, via e-mail. When an encrypted message is about to cross the network boundary, the PGP e-mail gateway checks for suitable public-key information for the recipient. If none is found, the gateway forwards an e-mail to the recipient with a URL to a Web mail server where the original message can be viewed in an SSL-secured browser.

Another PGP product, PGP Whole Disk Encryption, does the necessary deed on desktops and notebooks. Although it inflicts some performance burden on clients, PGP Disk works on Windows 2000/XP/Vista systems and Macs running OS 10.4, which Microsoft’s BitLocker on Vista does not, and it doesn’t require new hardware such as self-encrypting disk drives. Removable media and individual disk partitions also gain protection, and users don’t suffer double-password startup frustration because PGP Disk supports Windows single sign-on.

For groups of people needing to share sensitive documents, PGP Netshare automatically encrypts files on network shares. Like the Windows Encrypting File System (EFS), the encryption takes place on the client, not the server, and multiple users can be designated to use the file. Unlike EFS (which serves up encryption rights on a per-file basis), PGP Netshare can enforce rights on a per-directory or per-share basis, which makes protecting multiple files in a group far easier to administer.

For pumping data files from the heavy iron or servers for backup, to business partners, or for regulatory archive, either PGP Corp or OpenPGP-compliant tools do the encryption chores from the command line or within batch jobs. PGP encryption is supported on almost all platforms.
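As an added illustration of the gateway's check described above (which recipient keys a message is actually encrypted to) and of the kind of audit detail policy enforcement relies on, here is a small parser of the OpenPGP packet framing; it is example code written for this column, not PGP Corporation's or any OpenPGP tool's own code, and the sample message is constructed.

```python
"""Parse the packet framing of a binary OpenPGP message (RFC 4880 section 4.2)
and list the recipient key IDs it is encrypted to. Constructed sample; not PGP Corp code."""
PKESK, SYM_ENC, SEIPD = 1, 9, 18   # packet tags this audit cares about
ALGO_NAMES = {1: "RSA", 2: "RSA-encrypt-only", 16: "Elgamal", 18: "ECDH"}

def parse_packets(data: bytes) -> list:
    """Split a message into (tag, body) pairs; handles old- and new-format headers."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"byte {i}: bit 7 clear, not a packet header")
        if ctb & 0x40:                     # new format: tag in the low 6 bits
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:                # one-octet body length
                length, i = first, i + 2
            elif first < 224:              # two-octet body length
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:             # five-octet body length
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:                          # 224..254: partial body lengths
                raise ValueError("partial body lengths not supported here")
        else:                              # old format: tag in bits 2-5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        if i + length > len(data):
            raise ValueError("truncated packet body")
        packets.append((tag, data[i:i + length]))
        i += length
    return packets

def recipients(data: bytes) -> list:
    """[(key_id_hex, algorithm)] from each version-3 PKESK; the MPIs are not decoded."""
    out = []
    for tag, body in parse_packets(data):
        if tag == PKESK and body[0] == 3:  # layout: version, key ID[8], algorithm, MPIs
            out.append((body[1:9].hex().upper(), ALGO_NAMES.get(body[9], f"algo {body[9]}")))
    return out

def is_encrypted(data: bytes) -> bool:
    """True if the message carries an encrypted-data packet (tag 9 or tag 18)."""
    return any(tag in (SYM_ENC, SEIPD) for tag, _ in parse_packets(data))

# Constructed sample: PKESK with old-format header, PKESK with new-format header, SEIPD.
SAMPLE = (bytes([0x84, 14]) + b"\x03" + bytes.fromhex("1122334455667788") + b"\x01" + b"\x00\x10\xab\xcd"
          + bytes([0xC1, 14]) + b"\x03" + bytes.fromhex("AABBCCDDEEFF0011") + b"\x12" + b"\x00\x10\x12\x34"
          + bytes([0xD2, 5]) + b"\x01" + b"\xde\xad\xbe\xef")
```

A gateway or audit job can run `recipients()` over an outbound message to confirm it is encrypted to the intended recipient's key and not only to the sender's own.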

PGP offerings, either by the company or third parties, are comprehensive, but caveats apply. There are versions of PGP for almost all desktops, but legacy systems, particularly pre-Windows 2000, do not get automatic operation or compliance enforcement. The same applies to Macs before OS 10.4. Linux/Unix also gets coverage via OpenPGP tools but not via PGP Corporation products.

Of course, this protection comes at a price. For example, the price tag on the Whole Disk Encryption plus Netshare product is about three dollars per month per user at the 1,000-user level. When balanced against the expense of a data loss, which (depending on what costs are tossed into the heap) ranges from tens of thousands of dollars to over $14 million, just one breach or theft pays for this investment. PGP is a name I have long trusted, and PGP Corporation retains my respect. Alas, educational or non-profit institutions that traditionally enjoy some price reductions get no favors from PGP Corp.

PGP has worthy competitors, including another three-letter name famous in encryption: RSA Corporation. All enterprises should take a careful look at where products from PGP and its competitors should be deployed now rather than saying "caveat erus" later.

About the Author

Chris DeVoney is a Seattle-based 30-year veteran of computing who has written numerous technology books and articles. He is currently an IT specialist within the University of Washington.