Secure Email Middleman Pattern

Description

This pattern depicts an alternative method for NIH and external users to exchange secure emails that are received and read by external users when PKI-based S/MIME is not practical or currently operational.

The Secure Email Middleman Solution provides NIH users and external users with the capability to send a secure email communication and/or attachment that is received and read by a recipient who is inside or outside the NIH infrastructure. The pattern facilitates the identification and adoption of non-PKI-based technologies and solutions that secure email communications before transmission across a network and receipt at recipient locations. It is not intended to replace current PKI-based S/MIME technology, but rather to provide an alternative approach when PKI-based S/MIME is not practical or currently operational.

The Secure Email Middleman Solution identifies a logical and functional amalgamation of various secure email architectures. The pattern relates two flows, defined as (1) NIH user message origination and receipt by an external user, and (2) external user message origination and receipt by an NIH user. Outbound and inbound virus, spam and policy checks occur at the middleman server location, although this does not limit additional capabilities at the NIH or External User boundary.

Diagram

[Diagram: Secure Email Middleman Pattern]

Benefits

  • Enables secure communications with external users where PKI-based S/MIME is not practical or currently operational
  • Provides common standards to be employed across the NIH while accounting for various external user configurations
  • Provides capabilities for NIH personnel to send a secure email communication and/or attachment that is received and read by a recipient who resides inside or outside the NIH infrastructure
  • Provides capabilities for outside personnel (i.e., partners and non-affiliates) to send a secure email communication and/or attachment that is received and read by a recipient who is inside the NIH infrastructure
  • Provides scalability benefits for NIH and external users
  • Minimizes usability impact on NIH and external users
  • Minimizes cost impact to NIH and external users
  • Provides for browser-based and plug-in solutions
  • Provides vendor support for both NIH and external users
  • Maximizes support to internal and external end users
  • Minimizes effort and burden on both internal and external users
  • Provides flexibility to co-exist with current government PKI-based S/MIME solutions and requirements
  • Provides flexibility to adopt future government standards and requirements regarding information security
  • Provides the NIH with capabilities to manage NIH users
  • Provides effective policy enforcement, authentication and identity management via a third party for hosted solutions
  • Provides for auditing capabilities by establishing trust credentials between senders and recipients
  • Provides NIH with the ability to continue server-level security activities that address external attacks originating via email (e.g., spam, viruses, spoofing)

Limitations

  • Does not explicitly identify gateway email server requirements inherent to current industry secure email solutions
  • Does not elaborate on secure email initiation or reply-only capabilities at the external user’s desktop (i.e., whether the external user can compose a new message or is restricted to reply-only capabilities based on communication from an NIH user)
  • Is susceptible to early technological obsolescence because secure email technology solutions will continue to evolve during NIH adoption timeframes and will require ongoing monitoring against the pattern

Time Table

This architecture definition was approved on: December 1, 2005

The next review is scheduled in: TBD