Since re-emerging from Network Associates as an independent company in June 2002, desktop encryption specialist PGP Corporation has been extremely quiet.
With this week’s launch of a major product suite, PGP Universal 1.0, the world at last gets to see what the best-known brand in encryption has been up to in the backroom all these months.
Promoting PGP Universal as a “philosophical change”, the company’s razor-sharp director of products, Stephan Somogyi, quickly owned up to a number of problems that had dogged past incarnations of PGP, and indeed message encryption products generally.
“We sat down to think ‘why aren’t people using email security’? We are keenly aware of the limitations of desktop products,” he admitted.
Using encryption at desktop level meant that both sender and receiver had to have the program for communication to work, for example. He also suggested that IT departments had tended to use encryption only for groups of users deemed ‘critical’, but this ignored the need to secure all company message traffic.
“If the CEO is talking about redundancies in two weeks then the IT department should not know,” said Somogyi, referring to the futility of securing messages that could nonetheless still be read by IT staff. “Our focus is to secure the data wherever it happens to be. Perimeters tend to be compromised.”
According to Somogyi, PGP’s Universal Server software had been redesigned from the ground up to work in a number of modes. As their names suggest, ‘internal’ and ‘external’ modes could encrypt traffic between internal and external servers, and between internal clients and internal servers. All encryption, decryption, signing and verification was carried out transparently.
Other features included a ‘send’ mode, used to analyse message traffic for policy creation and debugging, secure webmail message handling, support for SMTP, POP3 and IMAP4 proxies, the ability to set domain policies, and server load balancing and failover.
Critically, the product also had a ‘Satellite’ mode, whereby a remote email client that receives an encrypted email but has no local software to decrypt it could transparently request the decryption key from the sending PGP server, he said.
For those who need reminding, PGP (Pretty Good Privacy) started life as a home-brew freeware encryption program thought up by one Phil Zimmermann as long ago as 1991. Two years later Zimmermann found himself in trouble with the US government for violating an export ban on encryption software, a misconceived legal wrangle that was eventually dropped by the authorities in 1996.
The following year, PGP Inc. (as it was then known) was bought out by Network Associates. Despite being perhaps the most famous encryption software product in the world, PGP was rarely heard of after that, until news arrived last year that NAI was prepared to sell the product to a new company, PGP Corporation, a venture-backed entity rebooted with a decent complement of former PGPers.
PGP Corporation then released an updated version of PGP’s desktop and server encryption programs before busying itself developing the products announced this week.
Zimmermann now runs his own independent consultancy but retains a link with PGP by acting as a special advisor.
It bodes well for PGP that all of the new software operates transparently to the user – the user doesn’t have to decide to encrypt a message. That should get over the issue of users not knowing how, or not bothering, to use the program.
The company also claims to have cracked the issue of how organisations can impose message encryption without being overwhelmed with management of encryption keys. Somogyi confidently describes PGP Universal as “self-managing,” which we take to mean that IT staff can spend their time worrying about setting up policies.
None of this will necessarily be especially cheap. A one-year licence for 100 users will set you back roughly £3,000 (pricing does depend on resellers), but this excludes running the product in ‘internal’ mode. The company also touts ‘perpetual’ licences, whereby the customer effectively ‘owns’ the product, but, again, building in upgrades would add to this price. PGP Universal Server is available now.