Secure Email Service (SES)

Email is potentially very vulnerable to cybercrime. With digital signing and possibly encryption based on S/MIME certificates, this risk can be greatly reduced.

With the Secure Email Service, KeyTalk offers the ideal ‘first line of defence’ and we make implementation and management of S/MIME certificates extremely easy. Whether it is a handful or tens of thousands of users and internal or external contacts: S/MIME certificates can be easily requested, deployed, installed and configured for use.

Good to know:

  • You can install SES on-premise or purchase hosted from KeyTalk as a SaaS solution.
  • KeyTalk SES is a turn-key product, including an S/MIME certificate from GlobalSign or DigiCert. If you choose the hosted version, an HSM (digital safe where keys are stored) is also included.
  • The roll-out can be done quickly (often within a day) and does not require extensive knowledge or time investment.

Easy implementation of S/MIME

If you choose hosted SES, the implementation proceeds as follows:

  1. An admin logs in to the service and enters the necessary data for the onboarding process. This includes company information, domain names to be used and the number of e-mail addresses to be connected to the service.
  2. Based on this data, KeyTalk initiates the vetting of the organisation with CA partner GlobalSign or DigiCert. The CA partner verifies the identity of the requesting organisation and its ownership of the requested domains. KeyTalk takes care of the correct settings in the application.
  3. After these preparations, KeyTalk provides a standard text for an e-mail addressed to all the Service users. We explain how signing e-mails works and what our solution does. The text contains two links. The first refers to the KeyTalk agent, the second ensures that the agent is automatically set up with the organisation-specific settings.
  4. After receiving the e-mail, each user can download the agent and add it to their e-mail address. The app sends a verification email with an automatically generated password. When the password is entered by the agent, the correct certificate is retrieved and installed. KeyTalk configures the e-mail client to use the certificate.

And… done. The user now emails with a digital signature by default, and with encryption if desired. It can be as simple as that.

What does it cost?

KeyTalk SES is competitively priced and can easily be scaled up or down. The basic price per user (with multiple devices) is just over €5 per month for an on-premise installation. The SaaS solution (hosted by KeyTalk) costs just over €6.50 per user per month. These prices apply to up to 250 participants. For bigger organisations, a staggered discount applies. Get in touch for more information.

The prices quoted include all components of the service: KeyTalk SaaS or on-premise, a digital (S/MIME) certificate from GlobalSign or DigiCert and a hosted HSM from Thales (DPoD). The HSM is used for the secure storage of the master key, for the encryption of all private keys associated with the certificates and the important signing keys.

“Email is potentially very vulnerable to data breaches.”

Some technical details

  • Installation: The KeyTalk CKMS, including linking to AD/AAD, is usually realised within a few hours. The CKMS can be hosted in our secure data centres, on-premise as a virtual appliance, or in the cloud.
  • Key Roll-Over: The keys associated with a certificate can be used easily and fully automatically on different devices. The KeyTalk CKMS centrally stores issued certificates and keys, protected by unique AES-256 encryption. This technique is patented worldwide.
  • LDAP address book / key server: The KeyTalk CKMS provides a secure email address book / key server based on LDAP. It holds the public S/MIME details of the organisation’s user population, linked to the AD, so that users automatically know each other's public S/MIME details. The KeyTalk LDAP integrates with all regular e-mail clients and thus offers unique user-friendliness.
  • Free S/MIME certificates for external relations: Users can automatically request a free S/MIME certificate with a validity of one year for external relations when using the plus version of the KeyTalk SES. The client will then receive an e-mail via KeyTalk with simple instructions for automatically requesting and installing the S/MIME certificate. This makes it easy to share sensitive information via e-mail with external contacts too.
  • Integrations: KeyTalk has a large number of integrations with MDM solutions such as Intune and MobileIron, among others. Certificates can, therefore, be installed at the location where the MDM solution expects them to be.
  • Multiple email addresses in one certificate: For end-users with multiple e-mail addresses, all addresses can be included in one S/MIME certificate, each as an RFC 822 entry in the SAN.
  • Management: Administrator access to the KeyTalk CKMS is role-based and, where strong authentication is used, requires certificate-based authentication. This can be an authentication certificate issued and managed by the KeyTalk system, or a certificate on an already rolled-out smart card. All administrator activities and automated processes are logged locally and can be exported to a SIEM system or syslog server.

Would you like to know more?

Do you wish to be provided with a demo, Proof of Concept or a direct technical in-depth consultation with one of our PKI experts? Feel free to contact us, we are happy to think along with you!