So, if S/MIME is the most established solution for securing email, why hasn’t it seen broader adoption? Like every technology, S/MIME isn’t perfect. Traditionally, it has been considered too difficult to deploy for most enterprises. The main challenges with S/MIME are:
It’s important to note that these problems stem from the fact that S/MIME certificates and private keys are typically distributed to end users and stored on their devices, rather than managed centrally. If you were instead to generate and store the S/MIME private keys centrally, giving end users only proxied access to the keys they are entitled to use, the solution would be much easier to deploy and maintain.
In such a solution, the S/MIME private keys would be generated and held in an enterprise HSM cluster and never exported from those devices. When end users need to use a key, that is, when they sign an outgoing message or decrypt an incoming one, their email client would invoke a cryptographic service provider (for example a PKCS#11 module or a Windows key storage provider) that authenticates the user and calls into the HSM to perform the operation with the private key; only the digest to be signed or the wrapped content-encryption key crosses into the HSM, and only the signature or the unwrapped key comes back. In this way the keys are always protected, every use is auditable, and provisioning and revocation are managed in one place, while mail flow stays fast because the bulk of the message is still hashed and encrypted on the client. The trade-off is that the HSM service becomes a dependency for reading and signing mail, so its availability and the access control in front of it matter as much as the hardware itself.
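The following Go program, an added example rather than code from the original page or from any product it describes, models the architecture above: a `CentralHSM` type (an assumption standing in for the HSM cluster and its PKCS#11 or vendor API) that generates and holds RSA keys, exposes no method for exporting a private key, authorizes each use against the key's owner, and appends an audit entry per call. The client side hashes the message locally and sends only the digest for signing, and receives back only the unwrapped content-encryption key when decrypting. The key IDs, user names and sample message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuditEntry records one attempted private-key operation, allowed or not.
type AuditEntry struct {
	User, KeyID, Op string
	Allowed         bool
}

// CentralHSM stands in for the enterprise HSM cluster (assumption: a real
// deployment would reach it over PKCS#11 or a vendor API; this in-process type
// only models the trust boundary). Private keys live only inside it, and there
// is deliberately no method that returns a private key.
type CentralHSM struct {
	keys  map[string]*rsa.PrivateKey // keyID -> private key, never exported
	owner map[string]string          // keyID -> user entitled to proxied use
	Audit []AuditEntry
}

func NewCentralHSM() *CentralHSM {
	return &CentralHSM{keys: map[string]*rsa.PrivateKey{}, owner: map[string]string{}}
}

// GenerateKey creates the S/MIME key pair inside the HSM and binds it to a user.
func (h *CentralHSM) GenerateKey(keyID, user string) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	h.keys[keyID] = priv
	h.owner[keyID] = user
	return nil
}

// PublicKey is the only key material that leaves the HSM; in a real deployment
// it would be wrapped in the user's X.509 S/MIME certificate.
func (h *CentralHSM) PublicKey(keyID string) (*rsa.PublicKey, error) {
	priv, ok := h.keys[keyID]
	if !ok {
		return nil, errors.New("unknown key")
	}
	return &priv.PublicKey, nil
}

// authorize checks that the caller owns the key and logs the attempt either way.
func (h *CentralHSM) authorize(user, keyID, op string) (*rsa.PrivateKey, error) {
	priv, ok := h.keys[keyID]
	allowed := ok && h.owner[keyID] == user
	h.Audit = append(h.Audit, AuditEntry{User: user, KeyID: keyID, Op: op, Allowed: allowed})
	if !allowed {
		return nil, fmt.Errorf("%s: user %q not entitled to key %q", op, user, keyID)
	}
	return priv, nil
}

// Sign is what the client's cryptographic service provider calls: the client
// hashes the message locally, so only the 32-byte digest crosses into the HSM.
func (h *CentralHSM) Sign(user, keyID string, digest [32]byte) ([]byte, error) {
	priv, err := h.authorize(user, keyID, "sign")
	if err != nil {
		return nil, err
	}
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Decrypt unwraps a content-encryption key for the mailbox owner; the message
// body itself is then decrypted on the client with that symmetric key.
func (h *CentralHSM) Decrypt(user, keyID string, wrappedKey []byte) ([]byte, error) {
	priv, err := h.authorize(user, keyID, "decrypt")
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
}

// SignMessage is the client-side half: hash locally, ask the HSM for a signature.
func SignMessage(h *CentralHSM, user, keyID string, msg []byte) ([]byte, error) {
	return h.Sign(user, keyID, sha256.Sum256(msg))
}

// VerifyMessage is what any recipient does with the sender's public key.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// WrapKeyFor encrypts a content-encryption key to a recipient's public key,
// which is the sender-side step that needs no HSM access at all.
func WrapKeyFor(pub *rsa.PublicKey, cek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
}

func main() {
	hsm := NewCentralHSM()
	_ = hsm.GenerateKey("alice-smime", "alice")
	msg := []byte("Subject: Q3 numbers\r\n\r\nConstructed sample message body") // constructed input
	sig, _ := SignMessage(hsm, "alice", "alice-smime", msg)
	pub, _ := hsm.PublicKey("alice-smime")
	fmt.Println("signature valid:", VerifyMessage(pub, msg, sig))
	_, err := SignMessage(hsm, "mallory", "alice-smime", msg)
	fmt.Println("mallory denied:", err != nil, "audit entries:", len(hsm.Audit))
}
```

The point to take from the example is structural: the only ways out of `CentralHSM` are `PublicKey`, a signature and an unwrapped symmetric key, and every request, including the denied one from `mallory`, leaves an audit record. A real deployment would additionally authenticate the caller to the provider (the example trusts the `user` string) and would wrap the public key in an X.509 certificate for distribution.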