Secure Messaging

Learning Center

Back to top

Search Results

Cloud Deployment & Microsoft Outlook

Ideal for SMBs and departments within larger organizations, this deployment is up and running within minutes. It requires no changes to your basic email and no complex server configurations for a true Cloud deployment. A ‘branded’ Secure Messaging portal is created for each customer, with AES 256 bit ‘at-rest’ encryption ensuring there’s no cross-contamination of data on the multi-tenanted Cloud environment.

Employees ‘opt-in’ to communicate securely with internal and external users. An optional plug-in for Microsoft Outlook® (2003 – 2013), Desktop Agents for Windows® and Mac®, Mobile Apps for iOS® and Android®, and a browser extension for Google Chrome® increase the ease of use without requiring expensive deployments. This deployment doesn’t require costly server configuration, your current email infrastructure remains intact and no training is needed to start using it. It is as easy as using the ‘Send Secure’ button in Outlook.

Support for Hosted or On-premise Email (Microsoft Exchange, Microsoft Office365, Google Apps, Zimbra, etc.)

Secure Messaging Architecture Overview

  1. The optional plug-in for Microsoft Outlook® extends the functionality of the system and the patented Delivery Slip without requiring any mail server modifications for both sender and recipient. By default, it stores the secure messages decrypted in the mail server. It’s ideal for indexing, searching, archiving and e-discovery. The user workflow remains practically unchanged.
  2. No changes are required to the user’s the email address, email program or email server. Microsoft Hosted Exchange® & Office365® and Google Apps® are all supported. All data can be stored decrypted in the mail server at the administrator’s preference.
  3. All communications with the browser or Microsoft Outlook® are secured with HTTPS – confidential data is never exposed to unsecure SMTP route. On ‘SEND’, Outlook intercepts the command and re-routes the message and file attachments securely via HTTPS, instead of sending the encrypted message via SMTP. At this stage, the user is authenticated and once the data is transferred securely to Secure Messaging platform, the message content and file attachments are encrypted ‘at rest’ using AES 256bit. No complex keys to rotate.
  4. The Secure Messaging platform Cloud servers are hosted in Worldclass tier-3 datacenters (depending on partner: Microsoft Azure, Peer1, Rackspace, Amazon, in various data jurisdictions). All data in transit is secured with a minimum of 128bit SSL and 256bit AES at rest encryption using Microsoft’s .NET Framework AES algorithm (AesCryptoServiceProvider class), a FIPS 140-2 compliant library. The Secure Messaging platform servers are used as a different ‘route’ (instead of using unsecure SMTP) and do not create a separate mail store – all company data is still available behind the firewall (optional).
  5. A basic email notification is sent through SMTP to notify the recipients of their new secure message. This notification contains no confidential data, no file attachment. If equipped with Outlook, the notification message is sent through the sender’s outbound SMTP with all x-headers intact. Recipients equipped with the same Outlook plug-in never see this notification; instead, the secure message is automatically rendered in Outlook and stored in the mail server.
  6. Recipients of the secure message benefit from the same great features: the Outlook plug-in recognizes the notification message and instantly sends a command to the Secure Messaging platform to authenticate the recipient and decrypts the message and file attachments. This data is then instantly transferred along with the secure message, using the same encrypted HTTPS route, and the message is rendered inside the existing inbox. For email programs that do not include a Secure Messaging platform plug-in, a convenient link is provided within the notification message in the recipient’s existing inbox to access the Secure Webmail that also supports mobile, tablet and visually impaired user access. Users using the Google Chrome® browser can install the extension and render secure messages directly in Outlook Web Access® (OWA), Gmail®, Yahoo Mail® or any other webmail service within the same familiar interface.
  7. Microsoft Exchange® Journaling intercepts outgoing or incoming notification messages, and journals them to a specific archiving address. When sending a secure (encrypted) message, the actual message content is sent encrypted through the Secure Messaging platform. Consequently, Microsoft Exchange® will only journal the message notifications that do not contain confidential data. In order to complete the archiving process, the Secure Messaging platform implements a direct method of decrypting and archiving to ensure that the secure message’s content is archived to the third-party archiving provider (Cloud or On Premise). When a secure message is sent, the Secure Message archiving functionality creates a copy of the secure message as a basic (normal) decrypted email message, with the full message content decrypted in the body in the form of an Enveloped message. The archiving system adds the specified archiving mailbox as an “envelope recipient address”. Then, the system connects to the third-party archiving SMTP server, authenticates via TLS, and sends this copy of the original secure message, but decrypted.

* Did you know? Other ‘park & pull’ products force internal and external users to a web browser to compose and read secure messages. This method creates a separate mail store. Aside from the impractical side effects to the end users, it creates a nightmare from and archiving and e-discovery perspective. To remedy this problem, the Secure Messaging Platform extend the same ‘local store’ capabilities to internal and external guest users, either with the use of the Microsoft Outlook plug-in or Perimeter Gateway.


In this Cloud deployment, no gateway is required. On ‘SEND’, Outlook intercepts the command and re-routes the message via HTTPS securely instead of sending the encrypted message via SMTP. At this stage, the transmission is encrypted. Once transferred securely to Secure Messaging platform, the message content & file attachments are encrypted ‘at rest’.

Other products work by encrypting the message being sent using local certificates and public/private key pairs. Aside from the impractical problems associated with setting up and maintaining these certificates – particularly for users outside the organization, the more critical issue is that once those secure messages leave the organization’s mail server, they are sent over an unsecured and unreliable SMTP network without any tracking or audit capabilities. Copies of messages can be left on SMTP servers outside the data jurisdiction, that neither the organization nor the recipient control. The messages can also easily get lost in cyberspace and never make it to their final destination.

In a traditional Public Key Infrastructure (PKI)-based solution, each participant of a secure conversation requires a private and public key to encrypt/decrypt content. The deployment and management of such a solution may incur potentially high costs of operations, since for each message that needs to be secured the application needs to know in advance the public keys of all the intended recipients of a secure message. This is true for cases where keys need to be distributed to the clients or also when managed centrally in one server. For small environments this is not a major concern: when an organization reaches hundreds of users, provisioning new users may become unmanageable. However, for those organizations that have already invested in a PKI certificate deployment for non-repudiation purposes, the Secure Messaging platform works in conjunction with PKI and TLS based technologies by allowing encrypted emails to use a better transit system offered with the Secure Messaging platform.

In contrast, the Secure Messaging platform utilizes a closed-loop of secure and redundant servers within the same data jurisdiction for all secure messaging functions including message transport, encrypted database storage, archiving and tracking. When a user sends a secure message, a direct and secure connection is established between the sender’s email program (e.g. Browser or Outlook) and the Secure Messaging platform server. When a notification message is received, the users use their existing email programs to directly and securely connect to the Secure Messaging platform, so they can decrypt and read the secure message, file attachments and associated metadata contained in the patented ‘Delivery Slip’. Information exchanged securely can only be accessed by authenticated users (email address and password, or more is required upon registration). Confidential information in secure messages can only be viewed by the users that they are intended for, and remain within the data jurisdiction where the data is hosted.

Secure messages are stored encrypted using industry standard encryption methods through the use of the patented Interchangeable Cryptographic Engine and can be adapted to the organization’s needs. The default configuration uses AES 256-bit encryption for data-at-rest storage – instead of over the internet on unprotected, public SMTP servers, such as with basic email (even if emails are encrypted). AES 256-bit is the only publicly available cipher certified for official government documents classified as ‘Top Secret’. It eliminates cross-contamination of data with a multi-tenanted Cloud offering and ensures that the organization’s data is not tampered with or edited over time, and is automatically archived indefinitely.

Within the organization, secure messages are stored decrypted by the local email program into the traditional email server repository as with any other basic email messages. This means that all organizational data is stored behind the organization’s firewall and any existing archiving, indexing and e-discovery systems continue to work with secure messages, unlike with other email encryption products. Having a single, secure message repository enables the organization to facilitate email compliance standards. If at any point a user stops using the Secure Messaging platform, these decrypted secure messages will behave as any other basic email message, without the added functionality of the Secure Messaging platform (e.g. Delivery Slip with tracking metadata, etc.). Organizational data is never lost even if an employee leaves the organization.

Microsoft Outlook® to Outlook workflow

The Secure Messaging platform allows a simplified exchange of secure messages using Microsoft Outlook in a true Cloud deployment. The Outlook plug-in is a light weight add-in for Microsoft Office Outlook® 2003, 2007, 2010 and 2013. When a user sends a secure message in Outlook, the plug-in intercepts the secure message and re-routes it via HTTPS to the Secure Messaging platform server, instead of sending them through the usual public SMTP route. The content and file attachments of this secure message is not encrypted by the plug-in. Instead, it relies on the security provided by the encrypted channel established between the plug-in and the Secure Messaging platform server via an HTTPS connection. The content of the outgoing secure message is then replaced with a notification message. This notification message includes a unique encrypted token. The plug-in then allows Outlook to resume its regular workflow delivering the notification message via the standard delivery mechanism (e.g. SMTP protocol using the organization’s own SMTP Smart Host). No confidential information is ever included in these notification messages, only a ‘pointer’ to the secure message is included.

Recipients receiving the notification message follow a similar workflow. If the recipients are already enabled using Outlook, the process is seamless: the plug-in activation recognizes the notification message and sends a command to authenticate the user, and retrieve the secure content and file attachments. The secure message is decrypted at the server side, and returned to Outlook using the same HTTPS encrypted channel. The notification message is automatically rendered with the secure content in Outlook. The patented Delivery Slip is displayed with the meta-data associated to the secure message. For non-Outlook users, a convenient link is provided in the notification message to access the web and mobile enabled Secure Webmail where they can read and reply to secure messages using a standard or mobile browser.