Item: Webroot Advanced Email Encryption powered by Zix
Rating: 10
Author: Trace Ridpath - CISSP, ITILv3, CHP, CHSS

Use Cases and Deployment Scope

We use ZixPort as the outbound email gateway for 17 executive branch state agencies to secure outbound messages that contain sensitive information. We also host an external customer facing portal for external senders to send secure messages into staff that work at these executive branch agencies.

Pros and Cons

Automated content scanning and application of lexicon libraries. Keyword and individual account and group rule application is quick and easy.
Quick response to any technical issues or questions.
Easy to access and use public facing secure message portal for external senders to send encrypted messages to intra-domain recipients.

More flexibility to customize lexicon libraries at individual business units without having to apply that customization across all customers. We have some agencies that don't send HIPAA data for example but they do send healthcare terms related to Public Health aggregated data and it's difficult to apply customized exclusions or rules in Zix's current state.
Scaling across large, complex organizations is difficult with Zix because of the one size fits all approach that Zix takes. We are an IT service organization that serves 17 executive branch state agencies each with unique business requirements. As currently designed, we would need to have 17 different instances of Zix to accomplish the level of customization that each agency would like to have so it's a balancing act in serving the greatest number of customers with "One Size Fits All" service and realizing that no one is completely happy with the service provided due to the platform constraints.

Return on Investment

We've saved potentially millions of dollars in compliance fines by using Zix. The amount of HIPAA information that gets sent by email is staggering and prior to deploying Zix we were unprotected. The level of assurance and auditing trail is awesome and provides incredible value.
While many email users were at first inconvenienced they've come to appreciate the protection they received from the service because people often make mistakes when sending emails about the sensitivity of the information they are sharing they feel they have a safety net with Zix that is keeping them out of harm's way.

Alternatives Considered

None

Effectiveness of the product and cost were the two most important considerations. Almost as important for us was the fact that it's a Zix hosted service so we don't have to maintain in-house expertise. It just works for the most part and very little effort is required on our part to ensure it's an effective service we provide to our customers.

Likelihood to Recommend

Zix's strengths lie in the automatic application the lexicon libraries that no other vendor has been able to replicate thus far. I believe this is due to their corporate focus in securing email communications as opposed to being a security company that provides a variety of services including email security. Scanned PDFs are a chink in the armor for Zix as well as their competitors. Forms that people fill out in handwriting that contain HIPAA, PII, e-PHI, SSA data are not caught because they have not been OCR'd. We receive a ton of this type of correspondence that goes through Zix and it's not recognized and not auto-encrypted. Zix could be a market leader hands down if they integrated OCR technology and the application of a second scan post OCR so that these messages could get the same lexicon library rule application as other components of the messages.

Usability

The user is not required to take any action or make a decision to encrypt or not, the system does that for them and with the level of tuning and tweaking with Zix we've got complete confidence in the reliability and credibility of the system.

Zix product review by a security person deep in the trenches.

Overall Satisfaction with Zix Email Encryption (ZixEncrypt)