Zix wins 5-vendor email encryption shootout

Inky’s email clients support Android 4.0, iOS 8, Mac OS X 10.8 and Windows 7, and up. This means that you can’t use its encryption features with Outlook or webmailers. Once you install the client, you set up a special username and password to access your emails. There is a nice feature, which provides feedback on how secure your password and about how long it will take to crack it (whether this is accurate or not, still a nice reminder to set something complex). The Inky client supports using multiple email accounts for one user too.

While the email client includes a calendar, it doesn’t have a separate contact manager, and will pull contacts from the linked email account that it is sitting on top of. Inky will extract contacts from your sent folder and order them by frequency of emailing and then try to autocomplete the contact as you type it in. This isn’t as convenient as having full access to your contacts and being able to edit this information on the fly, such as to add phone numbers and other data to the contact record as you would an ordinary Outlook or Gmail contact.

The Inky client is pretty much bare-bones. There is a separate settings screen where you can add S/MIME digital signing, customize the text sent to indicate an encrypted message, set it as your default mail client, and other features.

One plus is the ability to quickly search your mailbox, and I found the search feature to be easier to use than the typical Gmail mobile client. All data is stored encrypted on the client on your local hard drive. There is a long list of configuration settings on each client, including showing a warning if you forget to attach a file, only send encrypted mail to other Inky users, customize the text when you send a message to a non-Inky user, and set Inky as your default email client.

David Strom

A recently added feature is being able to send email to a non-Inky user. Like the other products reviewed here, the recipient gets a message with a URL that requests you first authenticate, and then sends another message to your recipient’s email inbox that you can click on to view the contents. This is the only way to enter its webmailer to view and respond to an encrypted message. These links expire within 60 minutes, according to the default policies. This time period can be changed if you contact Inky support. A future version of Inky will have a menu to set the expiration period on your own. Message attachment size can be controlled within the settings sheets, the default is 32GB.

While I was testing Inky, several times it reported that my Google IMAP connection was slow. One of the settings will show you instantaneous bandwidth usage, both up and downlinks. While this is nice to know, I wasn’t sure what to do with the information. Inky also stores this in a log file to document the issue.

Pricing is based on a freemium model. Inky is free for individuals using Gmail, Outlook.com and iCloud. Otherwise, it is $5 per month per user, with corporate discounts available. There is a premium level with additional charges for MDM features and on-premises deployments. There are free trials too. They have several customers with more than 20,000 end users.

Symantec Email Security.cloud with Advanced Policy-Based Encryption option

Symantec is the current keeper of two important legacy encryption technologies: PGP and the email filtering service MessageLabs, both of which it purchased a while ago and have been kept around as separate product lines. The PGP flame is kept alive with their on-premises product, called Symantec Encryption Server that runs its own Linux-like OS. However, it hasn’t kept up with the times, and we can understand why its inventor (Zimmerman) has moved away from it. We looked briefly at this but decided to test the current incarnation of MessageLabs technology, called Symantec Email Security.cloud. This is intended for smaller businesses and has much better configuration and setup and DLP-like policies.

David Strom

Email Security.cloud makes use of S/MIME but is much more than email encryption: it offers a full anti-malware email spam filtering and protection suite. But we will just focus on the encryption features. To get the most out of these, you will want to spend the extra money and purchase Symantec’s Policy Based Encryption Advanced (PBE-A) option. This incorporates technology that Symantec acquired from Echoworx, and functions similar to the other cloud-based tools in our review. All of the management features are accessed via a very capable web portal that has a complex series of menus that will take some careful study.

With this option, you can exchange encrypted messages and PDFs with users running Microsoft Office 365, Google Apps, and on premises or hosted Microsoft Exchange. For Outlook users, you install a plug-in. There are actually two plug-in versions: basic and advanced. The advanced version works with PBE-A, the basic version supports the basic Email Security.cloud feature set.

The Advanced plug-ins have more features for Windows Outlook users, and there at least is a plug-in for Mac Outlook users. For example, from the Outlook toolbar, you can set up a variety of passphrases (something mutually shared, for example), encrypt just the attachment, set an expiration period for your message, and provide both pickup confirmation and encryption confirmation.

David Strom

The Symantec cloud services don’t have any mobile apps. To read your messages on your phones or tablets you’ll need to make use of the web client portal. These are also used when you send a message to an external user for the first time. To access it, you will see a link in your encrypted message where you can register, decrypt and view the contents of your messages. This is similar to what the others offer.

The only difference is that Symantec can authenticate you with one of your social media accounts (such as Google+ or Facebook), although for additional privacy you can set up a new account with a separate password. As with other web portals, you can reply to the message, but can’t compose an encrypted email to a new recipient. When a recipient collects their message (or if they are reaching the end of the period before a message expires), the sender gets notified.

PBE-A has a default maximum message size of 50MB, but you can increase this in the Services/Mail Platform menu. If you are using G-Suite or the other Google email services, you need to first determine if Google’s attachment limits will take precedence.

PBE-A has a long list of default mail processing policies and a very granular policy creation and definition process. There are numerous policy templates included, and they have obvious keywords included so you can differentiate those that filter based on Social Security numbers or other data. All of this is well documented in the Admin Guide.

One of the nice features is being able to maintain separate keyword lists for each policy, so for example you could share all your medical-related keywords for various HIPAA policies. You can apply a policy for particular message parts or even filter by attachment properties too, as well as filter based on inbound or outbound message traffic. And you can group recipients for special treatment. Like a typical firewall rule collection, policy rules are applied from the top down, so you can set up some very sophisticated situations, depending on how you order your policies.

One big drawback of PBE-A is that changes to the policies happen automatically, but don’t take effect for about 30 minutes. So this could slow down your testing of any policy. One small drawback of PBE-A is that its messages are set to expire in 30 days. You can’t change this option, and neither can the Symantec support folks.

For pricing, you first need to purchase the email Safeguard bundle, which costs $2.41 per user per month. Then you need to add the PBE-A bundle will set you back another $3.50 per user per month.

Virtru Pro: Set it and forget it

The Virtru product was one of the more impressive products in 2015 and it has gotten better since then. It offers an interesting twist on the trade-offs of ease of use and functionality, thanks to its nice balance of plug-ins and mobile apps. The net result is that it supports encryption operations across a variety of email circumstances.

If you use Windows Outlook 2010, 2013 or 2016 versions, you can encrypt messages on any SMTP-based email server with a “send secure” button that gets added to the Outlook toolbar. If you make use of Google’s webmail, you can run either the Chrome or Firefox browser extension on any Windows, Mac or Linux computer. And there are mobile apps that support iOS and Android phones.

Since we looked at it in 2015, it has eliminated support for Yahoo and Outlook.com mailers and doesn’t support Mac Mail clients. This is because as Virtru enhances its product, these older clients can’t keep up with its newest features.

Once you add the plug-in to your email client or browser, you have a simple toggle switch to send an encrypted message. That is pretty much the only decision a user has to make. Email administrators can set policies for what messages are automatically encrypted, which override the user’s choice.

Virtru expanded its attachment limit from 25 MB to 150 MB since our last look in 2015 for its browser clients. For Outlook, it follows whatever the Exchange sysadmin has set for this value.

There is a web-based management portal that works with your Google and Office 365 installations. The portal is similar to what we saw two years ago but has been significantly expanded in terms of features and its UI has been cleaned up somewhat. There are various menus for adding users from your domain to be able to employ Virtru, a series of automatic protection and other mail processing rules to force encryption for specific circumstances, such as including a Social Security number or other personal information.

You can also set mail expiration rules as well as forwarding rules. Its rules aren’t as comprehensive as Zix but still offers a lot of options, and unlike Zix everything is collected under a single dashboard location.

David Strom

Another feature added recently is the ability to generate message read receipts, along with the ability for users to search their encrypted message store that also includes text in the subject lines and attachments. This search option, along with the ability for mail administrators to make searches of Google’s Vault, are also found on the web portal pages. Administrators can also revoke sent messages, set expiration dates or disable forwarding on any encrypted message or attached file in the domain.

Last year, they announced a SDK to allow software vendors to incorporate their features into their platforms, and the first instance of this was AODocs. Finally, another new feature is being able to use hardware-backed encryption so that administrators can decide where to locate their encryption keys. This feature works with a variety of installations, including hosted on premises, in a private cloud, or on public clouds such as Amazon’s Encryption Key Management service and uses Safenet/Luna’s hardware modules. This means that cloud providers can never see customer encryption keys or be able to decrypt underlying content, and an enterprise can locate its keys in a particular geography to meet local compliance regulations.

Virtru has a free version, and a pro version that will cost $5 a user per month, with a discount for annual purchases. Both are available for 14-day free trials. The free version just does encryption without the additional features, such as message expiration, DLP rules and domain administration that are found in the paid Pro version. Virtru is one of the few email encryption vendors that has very transparent pricing, with a page on their website that spells everything out. I wish more vendors were like them. They have several customers with more than 20,000 end users.

Zix Gateway: Frictionless encryption

Zix has been in the email encryption business for more than a decade, and its product shows. It is an interesting one to review because of how much it does under the covers, making the encryption happen in spite of what any end user is trying to do. This is one reason why they have so many large installations, and could be a reason why the software is so popular. Messages are sent and received without any specific user action, the encryption just happens. This makes Zix one of the most transparent and frictionless encryption products around.

Zix sells two products: the gateway that we tested, and an end-to-end encryption client that either works standalone or works with a Windows-only Outlook plugin to encrypt messages on the desktop before sending. The two systems don’t interoperate. The gateway supports both Office 365 and Google cloud-based mailers. It can make use of OAuth to authenticate a user to both systems.

Getting the Zix Gateway installed will take a matter of hours, which can be reduced with personal support if you want it: it is included as part of the purchase price. Once set up, your employees might never know that their messages have been encrypted and decrypted, it basically operates under the covers and uses a variety of different techniques, depending on who is getting a message and how sensitive the contents. Unlike other products, such as Voltage that have added a “send secure” button, all mail is sent encrypted, if that is how you have set up your policies.