STAMFORD, Conn. – Management oversight as well as a good understanding of the stage of development of the available technology before and after deploying it, are keys to secure electronic messaging such as e-mails. That's the essence of a research report from Gartner Inc. that examines issues credit unions may want to consider when choosing e-mail delivery options. The report by Gartner analysts Vic Wheatman and Arabella Hallawell say that most e-mail is safe because of the sheer volume of such electronic communications. "Most e-mail is protected by a form of steganography – sensitive messages are buried among literally billions of other messages," they said in their report. "That is called `security by obscurity.' " However, the analysts note, " Threats exist from identity thieves, blackmailers and the idle curious. "It is necessary to understand what secure messaging is and how it can be implemented, and when encrypted messages are required vs. optional, to effectively implement secure messaging solutions." While anti-virus, anti-spam, backup storage and secure file transfers provide protection, new regulations that call for encrypting financial e-documents are pushing up against "inconsistency among encryption options and vexing implementation issues that have inhibited widespread deployment," the analysts say. Solving those issues may become more crucial for credit unions as more move toward the use of e-signatures to close loans and other transactions. Currently, most enterprises that need to routinely secure messages do it in "staging-server" approaches that involve posting the message to a secure Web site with secure-sockets layer (SSL) protection, following that up with an e-mail to the recipient. That offers password and ID authentication protection for the sensitive documents. There also now are emerging ways to encrypt the message itself, as well, and storage costs and other considerations are driving health-care and financial industry participants to evaluate "push" e-mail encryption that can take place on the desktop computer, instead of the server. Fears of lost management oversight on the desktop-to-desktop encryption may be slowing down deployment, however, making server-based options more attractive to some. Other issues to consider, the analysts say, include how such things as routine changes from standard browser functions will affect end users and help desks, and they recommend avoiding that if possible when considering encrypted e-mail solutions. "The deployment, management and support of user- or enterprise-specific encryption and signing keys is critical, including where they will be stored and how they will be accessed, maintained and updated," the analysts say. "Thus the cryptographic key management functions of secure e-mail projects require careful consideration," they say. Hallawell and Wheatman also recommend testing "to identify and work around performance bottlenecks if necessary." Here are four points that Hallawell and Wheatman consider the "bottom line" in security considerations while planning and deploying electronic communications: * Enterprise e-mail encryption is immature, and the vendors, technology and business implementations remain in a nascent stage of development. * Tread carefully and closely define your business or regulatory requirements before embarking on implementation. * The market is moving toward a preference for server-side approaches for securely sending routine, but sensitive, messages to customers, partners and consumers. * Explore implementation issues such as architecture, management oversight and vendor size, to plan for adequate development timelines and service delivery. -

[email protected]