Encrypted, Secured and Battle-Tested: Lessons From a Decade in Encryption Trenches
Part 1 of 2: The data in motion edition
- Regulatory compliance and data concerns make encryption a must-have for organizations handling sensitive information.
- Gateway Email Encryption secures messages in transit, while Desktop Email Encryption locks them down at every stage.
- Seemingly small structuring or management choices can lead to major security headaches if overlooked.
I’ve been supporting Broadcom’s Encryption portfolio for over a decade and have the scars to prove it. From wins to missteps, I’ve seen it all while helping businesses safeguard their assets. It’s about time I shared my thoughts about the solution portfolio, how our customers use them and some common mistakes I see being made.
Encryption as we know it started gaining traction in the early ’90s, when Phil Zimmermann wrote the PGP (Pretty Good Privacy) data encryption system. What began as an independent encryption tool turned into PGP Inc. in 1996, which later became the PGP Corporation. In 2010, Symantec acquired the company (and me a year later) and by 2019, Symantec’s Enterprise Security division had joined Broadcom’s ranks. That’s the long and winding road that brought us to what the encryption portfolio is today.
Why the Symantec Encryption Portfolio matters
The Symantec encryption portfolio offers flexible and comprehensive coverage for data at rest, in use or in motion. In this first blog, we’ll focus on data in motion, particularly email encryption.
An age-old concern for organizations is whether their users take necessary precautions to protect sensitive information when sending it through email. But for many, encryption is a legal requirement. Organizations needing to comply with regulations like Continuous Diagnostics and Mitigation (CDM), Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and the EU General Data Protection Regulation (GDPR) must implement an auditable encryption solution to protect the privacy of customer data. That’s why so many financial, legal and healthcare organizations rely heavily on the Symantec Encryption portfolio to keep their communications secure.
To address these needs, our portfolio offers two targeted protections: Gateway Email Encryption and Desktop Email Encryption. Let’s break them down.
Gateway Email Encryption
One of our most popular solutions, Gateway Email Encryption is a completely server-based solution—meaning there’s nothing to install on the desktop. I can already hear the sighs of relief.
This solution encrypts and decrypts emails using PGP keys or S/MIME certificates. However, since 95% of recipients don’t have a key or certificate, relying solely on this method wouldn’t be practical. That’s why Gateway Email Encryption offers additional options: it can convert messages into password-protected PDFs or store them securely in web portal mailboxes, allowing recipients to access and reply to messages effortlessly. Plus, the portal and notification messages can be fully customized with your branding—an essential feature for most businesses.
For added reliability, servers can be clustered to ensure high availability and disaster recovery.
Common deployment mistakes—and how to avoid them
While Gateway Email Encryption is a powerful tool, we often see a few common missteps in deployment:
- Overcomplicating the cluster. Clustering is great for failover and disaster recovery, but more servers don’t always mean better performance. Some assume that if two servers are good, four must be better—but that’s not true. Each additional cluster member increases long-term overhead, requiring extra time for upgrades and maintenance. When planning your deployment, focus on redundancy and reliability rather than excessive clustering.
- Underestimating disk space for user mailboxes. Insufficient disk allocation can lead to running out of storage, forcing you to purge messages sooner than desired or impose smaller mailbox quotas. Conversely, some customers retain messages longer than necessary, leading to storage issues. The default three-month retention period is generally the right balance.
- Overlooking the PDF option. Some customers opt for user mailboxes without considering the password-protected PDF alternative. From a recipient’s perspective, a PDF is far more convenient than logging into a web portal to retrieve messages. In addition, PDF Email Protection does allow recipients to reply through the Web Email Protection portal. A thoughtful deployment balances both options for an optimal user experience.
Understanding Gateway’s limitations
While Gateway Email Encryption offers robust security for data in transit, it does not provide end-to-end encryption or encryption at rest. When a user sends an email via the Gateway, it remains unencrypted in their Sent Items and may pass through multiple intermediate servers before reaching the Gateway. Each hop introduces a potential security risk, so organizations should consider additional security measures where necessary. We’ll talk more about how to encrypt files at rest in the next blog.
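One way to make the two points above tangible (which wrapper a message actually left in, and how many relays handled it before the gateway) is to audit the message headers themselves. The script below is an added example, not Broadcom or Symantec code: it uses Python's standard email parser to classify a message as PGP/MIME, S/MIME enveloped data, inline PGP or plaintext, and counts the Received: hops stamped before the gateway's own entry, which under a gateway-only model are the hops that saw the message in the clear. The hostnames, addresses and ciphertext bodies are constructed placeholders; the gateway hostname is an assumed parameter.

```python
"""Audit outbound mail for the encryption form it actually left in.

Added example, not Broadcom/Symantec code. Parses an RFC 5322 message,
classifies its top-level MIME wrapper, and counts the relays that handled
it before the gateway host did. All sample data below is constructed.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional


def encryption_kind(msg: Message) -> str:
    """Return which encryption wrapper (if any) the top-level MIME type signals."""
    ctype = msg.get_content_type()
    # RFC 3156 PGP/MIME: multipart/encrypted carrying the pgp-encrypted protocol
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "pgp-mime"
    # RFC 8551 S/MIME: pkcs7-mime body whose smime-type is enveloped-data
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime") and msg.get_param("smime-type") == "enveloped-data":
        return "smime"
    # Inline (non-MIME) PGP: ASCII armor at the start of a text body
    if ctype == "text/plain":
        body = msg.get_payload(decode=True) or b""
        if body.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----"):
            return "pgp-inline"
    return "plaintext"


def received_hops(msg: Message) -> List[str]:
    """Received: headers in header order, i.e. the most recent relay first."""
    return [str(h) for h in msg.get_all("Received", [])]


def hops_before_gateway(msg: Message, gateway_host: str) -> Optional[int]:
    """Count relays that stamped the message before the gateway did.

    Each relay prepends its own Received: header ("from X by Y"), so entries
    listed after the gateway's "by <gateway>" line belong to earlier hops.
    Returns None when the gateway host never stamped the message at all.
    """
    hops = received_hops(msg)
    stamp = re.compile(r"\bby\s+" + re.escape(gateway_host) + r"\b")
    for index, header in enumerate(hops):
        if stamp.search(header):
            return len(hops) - index - 1
    return None


def audit(raw: str, gateway_host: str = "gateway.example.test") -> dict:
    """Parse a raw message and summarise how it was protected and routed."""
    msg = message_from_string(raw)
    return {
        "kind": encryption_kind(msg),
        "hops": len(received_hops(msg)),
        "hops_before_gateway": hops_before_gateway(msg, gateway_host),
    }


# Constructed sample: encrypted by the gateway after one internal relay saw it in the clear.
PGP_MIME = """\
Received: from gateway.example.test (192.0.2.10) by mx.partner.test; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.internal.test (10.0.0.5) by gateway.example.test; Mon, 1 Jan 2024 10:00:02 +0000
Received: from alice-pc.internal.test (10.0.1.20) by relay.internal.test; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.test
To: bob@partner.test
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
cGxhY2Vob2xkZXI=
-----END PGP MESSAGE-----
--b1--
"""

# Constructed sample: S/MIME enveloped data, gateway was the first relay to stamp it.
SMIME = """\
Received: from relay.internal.test (10.0.0.5) by gateway.example.test; Mon, 1 Jan 2024 10:05:02 +0000
From: alice@example.test
To: carol@partner.test
Subject: contract
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
"""

# Constructed sample: plaintext that never passed through the gateway.
PLAINTEXT = """\
Received: from alice-pc.internal.test (10.0.1.20) by relay.internal.test; Mon, 1 Jan 2024 10:10:01 +0000
From: alice@example.test
To: dave@partner.test
Subject: lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("pgp-mime", PGP_MIME), ("smime", SMIME), ("plaintext", PLAINTEXT)):
        print(name, audit(raw))
```

Run over a mailbox export or a gateway's message log, a `hops_before_gateway` value greater than zero flags mail that traversed internal relays in the clear before encryption, and `None` flags mail that bypassed the gateway entirely; both are the cases where Desktop Email Encryption's end-to-end coverage closes the gap.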
Desktop Email Encryption
All our desktop solutions are now part of the PGP® Encryption Suite, bundled together for a more streamlined experience. Unlike Gateway Email Encryption, Desktop Email Encryption must be installed on the desktop because it provides end-to-end and at-rest encryption—keeping messages secure at every stage.
Here’s how it works: The desktop client registers with the PGP Server, which applies the appropriate encryption policy. Typically, the server syncs with Active Directory, validating the user upon first registration and assigning them to a policy group based on their AD security group membership.
While Gateway Email Encryption does the job (and more) for many organizations, this level of encryption is essential for a select group of users who handle highly confidential messages where unauthorized access is not an option. This includes executives, legal teams and those working with highly sensitive data that needs to be encrypted at every stage.
Final thoughts
So, there you have it—a whistle-stop tour through two solutions in our encryption portfolio. In Part 2, we’ll focus on data at rest encryption, covering how to secure stored data across endpoints, file servers and databases. Stay tuned.
Need a visual run-through of the Symantec Encryption Portfolio? Watch this quick video.