Universal secure messaging will need outsourcers to gain ubiquity

We rely so heavily on e-mail that it’s a bit of a shock to realize how insecure today’s messaging systems are. Few users have ever digitally signed or encrypted an e-mail, and few have received such messages. A signature lets the recipient check who sent a message and that it arrived unaltered; encryption keeps the contents from anyone but the intended recipient. Without them, how can we be sure the messages we send aren’t being read or modified in transit by unauthorized parties?

You’d think companies would be rushing to implement secure messaging systems for business-to-business applications, considering the stakes involved in these transactions. Messaging is rapidly becoming the predominant application-to-application communications approach for business-to-business transactions, judging by the increased interest in message-oriented middleware and XML-based message formats such as those specified under the BizTalk Framework and the Simple Object Access Protocol.

But secure messaging hasn’t yet penetrated the new world of business-to-business e-commerce to any great extent. Even for internal communications, few firms have taken advantage of the Secure Multipurpose Internet Mail Extensions (S/MIME) features supported in their e-mail systems, such as Lotus Domino, Microsoft Exchange and Novell GroupWise. That’s because S/MIME-based e-mail requires more than just a standards-based messaging infrastructure. S/MIME signs and encrypts with X.509 certificates, so every user needs a certificate issued by a certificate authority that the recipient’s mail client already trusts. That means firms must implement something that, so far, few have considered worth the trouble, time and expense: a public-key infrastructure (PKI).

For years, we’ve been hearing that most firms will some day establish PKIs for secure e-mail and other applications. But that day is taking an awfully long time getting here. Setting up an internal PKI can be a costly, time-consuming project. When you bring business-to-business communications into the picture, the technical challenges grow in complexity: each trading partner’s mail clients must trust the other’s certificate authority, and certificates must be distributed and revoked across organizational boundaries. So it’s no surprise that, in the face of these many obstacles, only businesses and exchanges with truly mission-critical security requirements have attempted to deploy traditional internal PKIs and S/MIME-based mail systems.
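To make concrete why S/MIME stands or falls on a PKI, here is an added example in Go, written for this page and not code from the column or from any vendor it names. It builds a toy PKI with the standard library’s crypto/x509: a hypothetical root CA, “Example Corp Mail CA”, issues a certificate to a constructed user, alice@example.com, who signs a constructed message. A recipient holding the root accepts it; a recipient without the root rejects the very same message; a tampered body fails the signature check. The flat SignedMessage struct stands in for the CMS/PKCS#7 wrapping that real S/MIME uses; the names, addresses and message text are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedMessage is a flat stand-in for an S/MIME signed part (real S/MIME wraps
// the same three items in CMS/PKCS#7): body, signature, signer's certificate.
type SignedMessage struct {
	Body      []byte
	Signature []byte            // ASN.1 ECDSA signature over SHA-256(Body)
	Cert      *x509.Certificate // carried inline, as an S/MIME message does
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// IssueRoot creates the self-signed CA certificate that anchors the toy PKI.
func IssueRoot(name string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key)
}

// IssueMailCert has the CA issue an end-entity certificate for an e-mail address.
func IssueMailCert(email string, pub *ecdsa.PublicKey, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return issue(tmpl, ca, pub, caKey)
}

// Sign is the sending client's side: hash the body, sign the hash, attach the certificate.
func Sign(body []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) SignedMessage {
	h := sha256.Sum256(body)
	return SignedMessage{Body: body, Signature: must(ecdsa.SignASN1(rand.Reader, key, h[:])), Cert: cert}
}

// Verify is the recipient's side. Both checks are required: the signature must match
// the body under the inline certificate's key, AND that certificate must chain to a
// root in the recipient's own trust store. Without the chain check, anyone can mint a
// certificate naming the sender's address and sign as them.
func Verify(m SignedMessage, trusted *x509.CertPool) error {
	pub, ok := m.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported signer key type %T", m.Cert.PublicKey)
	}
	h := sha256.Sum256(m.Body)
	if !ecdsa.VerifyASN1(pub, h[:], m.Signature) {
		return fmt.Errorf("signature does not match message body")
	}
	_, err := m.Cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err // x509.UnknownAuthorityError when no path to a trusted root exists
}

// Demo runs the three cases the column's argument turns on; each result is whether the recipient accepts.
func Demo() (partnerWithRoot, partnerWithoutRoot, tampered bool) {
	caKey, aliceKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := IssueRoot("Example Corp Mail CA", caKey) // hypothetical CA name
	aliceCert := IssueMailCert("alice@example.com", &aliceKey.PublicKey, root, caKey)
	msg := Sign([]byte("Ship 500 units to warehouse B."), aliceKey, aliceCert) // constructed message
	withRoot := x509.NewCertPool()
	withRoot.AddCert(root)
	partnerWithRoot = Verify(msg, withRoot) == nil
	// A partner outside Example Corp's PKI holds no such root: the same valid message
	// is rejected. This is the business-to-business gap the column describes.
	partnerWithoutRoot = Verify(msg, x509.NewCertPool()) == nil
	// Modified in transit: the signature no longer matches the body.
	forged := msg
	forged.Body = []byte("Ship 5000 units to warehouse B.")
	tampered = Verify(forged, withRoot) == nil
	return
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

Run it with go run; it prints true false false. The second result is the business-to-business problem in miniature: the signature is valid and the certificate is valid, yet the partner still cannot verify the message until the two organizations share a trust anchor, cross-certify, or rely on a third party both already trust, which is the gap the outsourcers discussed below set out to fill.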

If we’re ever going to have a universal secure messaging infrastructure, something will have to give. Companies will need better tools or stronger incentives to speed deployment of interoperable PKIs and PKI-based secure messaging systems. Or they will have to obtain secure messaging services from outsourcers.

The outsourcing approach seems to be gaining ground in the marketplace. In the past two years, many application service providers (ASPs) have begun to provide Web-based secure messaging services on a subscription basis. Trusted content-delivery ASPs such as Certia, CertifiedMail.com, PostX and Private Express support secure messaging services that can be accessed in many ways, such as via browsers, mail clients equipped with ASP-provided plug-ins or ASP-provided stand-alone secure mail clients.

Secure messaging is a good fit with the subscription-based ASP model. Users can access many of these services without needing to involve corporate IT staff or make significant modifications to their e-mail client or server software. These services can quickly establish common secure business-to-business messaging environments where one or more trading partners lacks an internal PKI or PKI-enabled secure messaging system.

This sounds like a great deal, so why aren’t companies flocking to these ASPs for their secure messaging needs? One reason is the novelty of this approach. Few corporate mail administrators realize these ASPs provide a legitimate alternative to in-house S/MIME e-mail.

Even when companies are aware of these services, they may remain reluctant to use the outsourcers. Businesses must think long and hard before handing such a sensitive application over to a third party, especially to a recent start-up that may not be around in a year’s time. How trustworthy are these would-be trusted third parties? There are dozens of such ASPs on the market, many with unproven technical approaches and shaky business models.

One of the biggest obstacles these ASPs face is customer confusion. No two service providers, it seems, implement the same technical approach or the same set of secure messaging services and features. There are no standards governing how these ASPs’ plug-ins interface to subscribers’ mail clients and browsers. Increasingly, users will need access to multiple ASPs to securely exchange content with different external parties. Different ASPs’ dedicated plug-ins will undoubtedly conflict with each other on the desktop, a situation that could give service providers a black eye in the marketplace.

In spite of the many open issues, it’s clear that these outsourcers will pick up much of the slack in the business-to-business secure messaging market. Given the underdeveloped state of internal PKIs, many companies are not ready to support end-to-end secure messaging on their own.

Kobielus is an analyst with The Burton Group, an IT advisory service that provides technology analysis for network planners. He can be reached at (703) 924-6224 or jkobielus@tbg.com.