A Fresh Approach to Secure Data Exchange:

Transcription

1 June 2009 Egress White Paper A Fresh Approach to Secure Data Exchange: The Architecture of Egress Switch John Goodyear CTO

2 Copyright 2009 Egress Software Technologies Ltd. All rights reserved. The information contained in this document represents the current view of Egress on the issue discussed as of the date of publication. Because Egress must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Egress, and Egress cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for information purposes only. EGRESS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Egress may have patents, patent applications, trademark, copyright or other intellectual property rights covering the subject matter of this document. Except as expressly provided in any written license agreement from Egress, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property. Egress and Switch are either trademarks or registered trademarks of Egress Software Technologies Ltd in the United Kingdom, United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

3 Sharing Information Makes A Business Go We live in the Information Age; information is flowing between individuals and organizations every second of every day. This flow of information is essential to ensure businesses continue to perform and economies continue to grow. Procedures that allow information to flow outside of an organization vary from business to business. Some organizations have implemented formal methods for recurring secure data exchange transactions, but many more are informal. With the proliferation of connectivity and low-cost high-volume storage, individuals have a variety of means to share a lot of information using attachments, CD or DVD, USB, or FTP. Many times these transactions are undertaken with little consideration for the security of the information being exchanged. The important questions to consider when dealing with information exchange are Have users considered the security implications around these informal exchanges? and secondly Do the intended recipients treat the information with the same level of security expected by the information owner? The latter can be especially painful if investments have been made to protect information while it is still under the control of an organization, only to have it exposed through mishandling by third parties. What many organizations do not realize is that they have become dependent on these informal information exchanges; they are an essential factor for the pace and success of their business. These exchanges only become a serious problem when things go wrong and the organization becomes front page news because of a serious data loss incident. A typical reaction to this kind of problem is to implement Port Management or consider Data Loss Prevention (DLP) to lock down the operating environment of the user; DVD Writers are restricted to Reading, USB ports do not allow access to USB Flash drives, and gateways block attachments. What is the price of solving the data leakage problem in this way? Reconsider the premise that We live in the Information Age and it is clear that stopping the flow of information may not be the answer. Challenges with Existing Technology When a user performs a task they will typically follow a path of least resistance to get their job done. Many data security products on the market today add complexity into the daily workflow of the user by giving them extra steps to perform, rather than assisting them with the workflow while making it more secure. When a user starts to share information with this kind of technology they are required to understand many new concepts associated with data security: encryption, key exchange, digital signing. Should the user have to understand these concepts? Isn t this like insisting on an understanding of advanced electronics before watching TV? If users are not given the right tools to get their job done then the technology put in place to secure information exchange may be circumvented. But if the tool put in place actually makes their daily workflow easier, the users may prefer to use the system and be more secure in the process. Desirable Features A security platform designed to perform information exchange should address a number of problems: Ensure the security of the data being exchanged; Egress White Paper A Fresh Approach to Secure Data Exchange 1

4 Reduce the complexity associated with establishing identities and relationships; Maximize re-use of existing methods of transportation for secure data; Integrate into the user s existing workflow; Ensure the security of the data once it has left the owners physical control; Maintain control and audit of the data lifecycle outside of the perimeter. Secure Data Exchange Innovation To ensure that information remains secure no matter what journey it undertakes, we need to think about how users exchange information in a different way. By inspecting workflows and patterns of information sharing as a baseline, Egress has created a sharing solution with security built in instead of the old school approach of building security and forcing it into the workflow. Egress Switch is designed to meet a fundamental requirement to allow a data owner to stay in control of the information, no matter where that information may go, who the recipient is, or the method used to get it to its destination. With the end user workflow as the starting point, adoption of this technology is expected to proceed at a more rapid pace because it is a natural fit. By encapsulating the security details inside the sharing process, users of any knowledge level can exchange information securely. Users and Requirements In order to ensure that a secure data exchange solution meets the needs of the widest possible audience it s important to consider the users of such a solution and the typical use-case scenarios the product will encounter on a day-to-day basis. Users break down into the three broad demographics shown below. Consumer A user who has been empowered to install an application onto their own personal computer to achieve a specific goal. These users work without any supporting infrastructure. Prosumer An individual who uses a personal computer for work, but is still outside of a formal infrastructure. Typically this would be independent contractors or self-employed business users. Organizations Users will typically have less choice over the tools that are deployed to their workstation. These users work within a formalized infrastructure such as businesses or governments. Each of these user types could potentially interact with one of the other types. Consumers and Prosumers have a need to communicate with Businesses and vice versa. Any software solution used needs to be simple enough for a single user to pick up and install but flexible enough for an enterprise to deploy to thousands of seats. From a single user installation to a large scale deployment, the solution needs to be able to deliver on the problems described below. Security Some users understand and even demand encryption and authentication because they understand the implications of not using it. Other users don t understand it but should be using it. Usability The solution removes the pain points of user interaction and integration into the daily workflow, possibly even enhancing the work flow experience. 2 Egress White Paper A Fresh Approach to Secure Data Exchange

5 Data Exchange complexities exchanging data especially over the Internet and with large file sizes can be a challenge. Ensuring that large transfers resume when interrupted or use of more antiquated protocols such as FTP often raises the bar too high for average users. Ensuring that these key factors are delivered to the users will be essential for acceptance, thereby creating a safer sharing environment. Architecture The context of information sharing drives the overall architecture for Egress Switch. Figure 1 Information Sharing Context At the top level, the architecture has been broken into a client-server model for two key reasons: Local enforcement of security policies at the endpoint requires a client; Round the clock access to parameters about shared information requires a server in the cloud. During the process of designing the Egress Server Infrastructure (ESI) the concept of flexibility was essential to meet planned and anticipated use cases. By designing a server infrastructure that includes flexibility as a key concept, a whole range of possibilities became available. ESI is built upon Microsoft Windows Server and is currently deployed to Windows 2003 and 2008 servers. The Windows Communications Framework (WCF) is a keystone of the infrastructure. The concept of flexibility first became a factor when business requirements led to a hosted software service (SaaS) model for Egress Switch. The current economic climate means that cost implications of a new solution are considered more rigorously, and SaaS delivery ensures the cost of ownership is managed and spread out. Beyond the benefits of cost there are practical advantages to using a hosted service. When dealing with issues of information exchange, the need to manage identities becomes a challenge - if information is being exchanged outside of your perimeter you have to have knowledge of external users. A hosted solution makes the management of trust relationships much simpler. Another key element of the Egress Switch architecture is the notion that once information has been secured by its owner, there is no need to move that secured information through the ESI. This approach allows minimal change to existing user workflows. If a user is familiar with sending information as an attachment to an , they can continue to use that data exchange mechanism. If they are more comfortable with sending large data sets on CD or DVD, this mechanism can be used. Egress White Paper A Fresh Approach to Secure Data Exchange 3

6 Figure 2 - High level Architecture and Typical Transaction Flow A basic understanding of the architecture becomes clear by tracing a typical transaction flow through the various components. 1) An Information Owner has information to share, and signs in to Switch. The Switch client used by the Information Owner will authenticate that user locally or to the ESI. 2) The Information Owner creates a secure package, an encrypted file which contains the information being shared plus information about file and folder hierarchies. The client creates a unique package ID and an encryption key at this time. 3) The Information Owner assigns intended recipients and sets security parameters defining how their information can be used, e.g. an embargo date, date before which the secure package cannot be opened. 4) The Information Owner s Switch client uses a secure connection to transmit information about the new secure package, intended recipients and security settings to the ESI. The package ID is registered on the server and all associated information is encrypted prior to being stored. The encrypted package content does not move to the server. 5) The Information Owner sends the secure package to the intended recipients through familiar and convenient methods such as an attachment or burning to a CD which might be sent through regular mail. 6) When the Information Recipient receives the secure package, the recipient signs in to their Switch client which authenticates the user locally or to the ESI. 7) The Information Recipient s client receives information from the server that a new secure package, intended for that recipient, is available. The package ID and related security settings are transmitted over a secure connection to the client, including a key for the package. 8) The Information Recipient can now access the information according to the parameters that the owner set. The recipient s Switch client enforces those policies on behalf of the Information Owner. 9) The Information Recipient s client uses a secure connection to transmit audit information. This is a record of the recipient s activity with the secure package, which is encrypted and stored by the ESI. 10) By request from the Information Owner, the owner s client will receive audit information about any packages they share over a secure connection. 4 Egress White Paper A Fresh Approach to Secure Data Exchange

7 11) At the Information Owner s convenience, audit information can be viewed locally to see who, when, and how their shared information is being handled. Since security policies are not stored with the secure package, changes can be made at any time and updated at the ESI. This gives added control to the Information Owner to make decisions about revoking access if, for example, the secure package never reaches the intended recipient. Cloud Service To create a viable cloud service of the type that ESI needs to provide, considerations had to be made for availability and security requirements. Since Egress Switch is offered as a SaaS, these characteristics are of particular importance. Availability With the highly modular design of ESI, multiple instances of each sub-system can be deployed. By deploying instances across multiple physical nodes, two goals can be achieved; increased load capacity and additional redundancy. This flexible infrastructure also enables ESI to be distributed geographically to ensure optimal local response times for Switch users. To efficiently implement the cloud service, Egress chose to manage servers and storage with proven and reliable service providers. Additionally, due to the fact that ESI is built on a federated security model, multiple physical servers can complete client requests at any time in cases of high load or failover. For a service provider to qualify, they must meet rigorous service level requirements established by Egress. These include: 100% availability of network infrastructure; 24x7 reboot or power cycle guarantee; 15 minute response to escalated incidents; 1 hour hardware replacement from time of diagnosis; 24x7 emergency support. As the user base of Egress Switch expands in numbers and geographic spread, the network of hosted locations scale to match demand around the world. Security As a security service, the design of ESI has been hardened for suspected vulnerabilities. Many vectors have been closed with industry best practices. For example, best practice coding standards have been followed to prevent attacks such as SQL Injections. By using parameter enforcement and sanitization, the system has passed our internal suite of penetration testing. Additionally, security best practices are used throughout the ESI implementation and operation to safeguard the system including: All ESI communication is secured by SSL; Account passwords are secured using PBKDF1; All data stored in the SQL server is encrypted to AES 256 bit; All user identities are stored in an ADAM database leveraging Microsoft s trusted security infrastructure; Servers are hosted behind managed and monitored Cisco firewalls for industry standard DoS protection. Egress White Paper A Fresh Approach to Secure Data Exchange 5

8 ESI Modules The modular design of ESI can be represented by the following seven primary subsystems. These can be replicated to multiple physical nodes and geographical locations to deliver scalability, redundancy and optimal response times. Figure 3 Egress Server Architecture Components Connection Point The connection point is the external interface to the Egress Switch network. This web service is secured using SSL and provides the communication interface for the Switch client software. It is used by the Self Service Portal as well as direct traffic to and from Egress Switch clients. Self Service Portal This web-based interface allows Switch users to use a web browser for the following functions: 1. Enroll for a Switch account; 2. Manage their Switch account settings including password; 3. Pay for Switch services such as pay-as-you-go credits or monthly subscriptions; 4. Manage security and access policies for secure packages. In addition to the secure communication presented by SSL at the Connection Point, the Self Service Portal has incorporated a non-repudiation mechanism that provides confirmation on initial account creation. Beyond single user accounts, business accounts are supported where an individual acts as account manager and invites other accounts to join the business account. This is designed to offer a single billing process for each joint account. It also allows the account manager to control policy and manage data exchanges for the managed accounts. Bulk enrollment is possible by presenting a list of users in CSV format to create Switch identities, and allowing users to set their password on first system access. User Management By providing User Management in the cloud, Egress Switch has advanced beyond many of the earlier Rights Management solutions that require the Information Owner s organization to manage user accounts for any recipients outside their organization. Using Switch, each individual user or business account manager is responsible for their own identity management such that effort is distributed across the entire user base. User Management is handled by ESI as a cloud service. An address is required as the user identity. During the account creation process, an is sent to the supplied address as confirmation that the 6 Egress White Paper A Fresh Approach to Secure Data Exchange

9 correct user has enrolled an address that they control. This sequence fulfils a non-repudiation requirement. Internally, user management is implemented with Active Directory Application Mode (ADAM). It is operating in the same mode as an Active Directory server and holds the database of registered users and organizations. The Organization Unit (OU) capabilities of this directory service allows for segregation of users into groups (for example a business account) who might have a different set of policies from other users. Anticipating self-hosted instances of ESI in the future, use of AD will provide easier integration with existing ADs at large organizations. Package Management A relational database is used to keep track of secure packages by a unique package ID. The package ID is generated at the time the secure package is created. It is used to relate security and access policies to any package, to map key management to recipients, and to tag audit information to a specific package. Information stored about each package is limited to package and security parameters, the contents of the package (shared information) does not pass through or get stored on the server. Billing and Support The Billing and Customer support system manages user account levels of pay-as-you-go credits or subscriptions (either monthly or annual). Billing activity is routed through a third party credit card processing service with no credit card information held in ESI storage. The support aspects of this module are used by the Egress support organization to diagnose and correct any malfunctions with the Switch client, communication paths, or the ESI. This system communicates with components of the Switch client for diagnostic purposes. Audit Switch is designed to ensure that individuals can always maintain visibility of their shared information. Actions performed against a Switch data package from the point of creation to recipient access are audited into the Switch infrastructure. The encrypted audit trail is visible from the Information Owners desktop using the Switch client or from the web Self Service Portal. Users can review any Switch package created from their account, including policy changes plus anonymous and authorized access attempts against the package. For every access attempt ESI records the time and IP address allowing an information owner to gain an understanding of where their data has gone. An audit of the package content is also recorded at the time of package creation which allows an owner to review the package contents (file names and folder structures only) at any time. If, for example, a recipient makes an access request to view a package, the owner will be able to review the package file and folder content first. The owner can only review the data in the package if they have kept a copy since the package itself is not stored on the ESI. This feature is particularly important when a user operates as part of a business account, as the account manager may need to maintain visibility of activity on the account. Database Microsoft SQL server is used to store all Egress Switch data including registered secure packages, security policies, authorizations and audit information. All information is encrypted prior to storage. Communication Channel Additional functionality is available through the ESI to direct anonymous communication between a recipient and the Information Owner. A use case exists where a secure package becomes available to a recipient who is not authorized for access. This case may be the result of accidental or malicious activity. Egress White Paper A Fresh Approach to Secure Data Exchange 7

10 In this instance, it is desirable to allow the recipient to request access without divulging any identity information about the owner. Anonymity can block social engineering attacks. Figure 4 Transaction Flow for Access Request The communication channel is implemented as an access request presented to an unauthorized recipient. When processed, the ESI logs an audit event and notifies the Information Owner both as a pending request to their Switch Client, and by which can receive prompt action from the owner. At the owner s discretion, access can be granted or declined. Any resulting changes of access will be handled through the system as a normal access policy change and logged as an audit event. By creating a secure package with no recipient assigned, the Information Owner can force positive receipt confirmation from any Information Recipient that gets the package. Client Architecture The Egress Switch Client is designed as a compact set of components that sets or enforces security policies on shared information. The Client has two forms: Full-featured Switch Client that can create, read and manage secure packages; Lightweight Switch Browser that can read secure packages. The modular architecture of the client software allows flexibility in the same way as the ESI. As an example of this flexibility, the Switch Browser is simply a subset of the Switch Client components built as a single executable so no administrative privileges are required for installation. 8 Egress White Paper A Fresh Approach to Secure Data Exchange

11 Figure 5 Egress Switch Client Architecture Components Switch Client The client is an installed application made available as a single installer EXE or MSI. Once installed the Switch client allows a user to create and manage Switch packages. The Switch client can also open secure packages that have been sent to the user. Consistent with the architecture of Egress Switch, consideration has been given to user workflows as a way to simplify information sharing while adding protection and control. To meet this need, an integration API has been exposed to simplify the process of integration into various user application such as . Additionally, the concept of configurable data exchange mechanisms is built into the creation process to streamline multi-step sharing procedures to a single button operation. The client presents three components to the user: 1) Tray icon which provides easy links, account management settings, and other applications; 2) The Package Creator allows creation of secure packages, communicates package information to the ESI, and presents a variety of Data Exchange Mechanisms (DEMs) to streamline data sharing; 3) The Package Library which allows management of package security policies, inspection of package usage and audit information. All three of these components leverage Switch Services for functions such as authentication, encryption/ decryption, and communication to the ESI. Switch Browser The Switch browser is a no installation option which has minimal system dependencies delivered as single executable designed to make it incredibly easy to open Switch packages. This lightweight browser uses a subset of the Switch Services to maintain a small disk and memory footprint. The Switch browser can be placed onto a CD/DVD or USB storage device and transported to the recipient along with the secure package. The Browser can be easily downloaded from the Egress website. This option does not require the user to have administrator privileges. Both Switch clients communicate with the Egress Server Infrastructure using standard HTTP requests which are secured using SSL. This ensures the Switch clients can safely transverse most modern firewalls, proxies and routers with no intervention from the user or system administrator. Egress White Paper A Fresh Approach to Secure Data Exchange 9

12 Switch Client API The Switch Client API is a set of integration functions that can be used to tie package creation into other user applications that might have a need to create or open secure packages. In the current version of Egress Switch, this API set has been used for integration with Microsoft Windows Explorer for right-click package creation and with Microsoft Outlook to provide an add-in that creates a secure package from any attachments in an . The convenience factors have been well received by users because the sharing process has been simplified in spite of added security. Anticipating future needs, the Switch Client API will make it possible to integrate with other user applications, for example a document management tool could invoke Switch as part of its export process and ensure that the documents are secured for delivery. Data Exchange Mechanisms A key objective of Switch is to simplify the data sharing process. One effective means of doing this is through automation of a multi-step user procedure to a single step. This concept, called a Data Exchange Mechanism (DEM), is presented to the user during package creation. Using this concept provides flexibility and streamlines the operation of Switch. Consider the example of writing information to optical media such as a CD or DVD, which are widely used for low cost, high volume information exchange. Normally the user will have to use one or two tools to author and burn their content, more if the content is secured with encryption. With the DEM for optical media supplied with Switch, the user has one tool and one operation. An Information Owner will drag and drop selected files into the Package Creator, and on selection of the CD/DVD DEM, the content is encrypted, the package is registered with the ESI, and the media is written in a single operation. This same concept is available for attachments when the Outlook add-in described above is not used. An Information Owner will drag and drop files into the Package Creator, and on selection of the DEM, the contents are encrypted, the package is registered with the ESI, and attached to a new addressed to the package recipients in a single operation. Future expansion of DEMs for FTP and web file transfers is anticipated as well as configuration options for multi-user accounts. With this capability, DEMs can be defined and pushed to specific users as a means of controlling approved data exchange methods. Switch Encryption The Switch Client creates a secure package containing information to be shared. When creating a package, the Package Creator first generates a 128-bit package ID and an AES-256 encryption key. AES- 192, AES-128 or other algorithms may be used for package encryption keys if configured in policy as shorter key lengths may be useful for future offline access and offline key recovery scenarios. Package content is encrypted with the package key in Cipher Block Chaining (CBC) mode, and the package ID is stored in the package header. The Switch Client establishes an SSL-protected connection to the ESI, and proceeds only if the server s certificate is trusted. The client uploads the package ID, package key, and any security policies to the server. The ESI encrypts the received data before it is stored in the Database to ensure it cannot be compromised. Compression of encrypted data is incorporated into the package creation process. Industry standard algorithms are adaptively selected based on content type and compression factors. When an Information Recipient is assigned to a package, the owner is granting that recipient access to the encryption key. To decrypt a package for a recipient, the Switch Client first retrieves the package ID from the unencrypted package header. The client connects to the server via SSL, providing the recipients Switch identity, password and the package ID. The ESI validates the client identity and checks any security policies or restrictions related to the package, Information Owner, or the owner s organization. If these checks indicate the recipient is authorized to view the secure package, the package key is retrieved from 10 Egress White Paper A Fresh Approach to Secure Data Exchange

13 the database and sent to the client through an SSL-secured connection. The client can then decrypt the content of the secure package and present it to the recipient. In situations where the recipient is offline and cannot contact the ESI, previously accessed packages can be viewed with the Switch Client. The Switch Browser does not allow offline access. To support this operation, the ESI creates a 256-bit shared secret, for each Egress Switch user. As part of the connection protocol to the ESI, the Switch Client requests an encrypted form of this shared secret where the encryption key is derived from the user identity and password. The Switch Client can store package encryption keys and associated security policies locally according to policy, in an encrypted form using the encrypted shared secret. If the recipient attempts to access a secure package but no connection to the server can be made, the recipient identity and password can be used to gain access to the cached keys and policy information. In this way, only packages that have been accessed once through an ESI connection can be accessed offline, and even then, only with the recipient s credentials. Switch in Restrictive Environments Egress Switch is built using industry standard encryption; it operates with accepted key lengths and key management schemes. To ensure data is secured in accordance with defined operating and handling procedures Egress Switch will encrypt information using FIPS-140 certified cryptographic modules if the hosting computer is running Microsoft Windows operating system (Windows XP and newer) and placed into FIPS mode of operation. Future versions of the Switch client are expected to incorporate a FIPS-certified cryptographic module from a third party such as OpenSSL or RSA. Ultimately, Egress will complete a NIST certification with selfauthored implementations of cryptographic algorithms. Switch in Operation Adding secure data exchange technology into established user workflows and practices can potentially be disruptive. To avoid user downtime or unwanted help desk calls, Switch is designed to support every common sharing operation in as few steps as possible. While other methods of sharing are possible, the following examples highlight user work flows and best practices to keep information secure when sharing it. with Attachment Once the Information Owner has registered as a Switch user and downloaded the Switch Client, they are ready to complete one of the most common data sharing operations. With the Microsoft Outlook Add-in installed, securing attachments is essentially transparent to the user. 1) The Information owner signs in to Switch and opens MS Outlook. 2) The owner creates a new and selects the files to be attached. 3) When the is composed, the owner clicks send which activates Switch. 4) Switch creates a secure package with all attached files, adds the recipients as authorized recipients of the secure package, and allows the to be processed by the server. 5) At any time, the owner can use the Switch Package Library to inspect the package security settings, audit information, or change recipients and security parameters. Egress White Paper A Fresh Approach to Secure Data Exchange 11

14 The only additional step to sending (creating the secure package) is done automatically. The further task of monitoring the package is a new level of control previously not available. For the recipient of this , the process is equally straight-forward. The recipient receives their and double clicks the attachment. The secure package is opened and ready to be used assuming the recipient has a Switch account and the free Switch Browser software. For unregistered recipients, simple instructions explaining how to set up Switch are appended to the outgoing . CD/DVD sent by Regular Mail There are situations where an Information Owner needs to be certain that their sensitive information has reached an intended recipient. In these cases, there can be no risk that the information has been lost, mishandled, or fallen into the wrong hands. Using the real-time control features of Egress Switch makes it possible to be certain that only the intended recipient can access shared information. 1) The Information Owner signs into Switch and opens the Switch Package Creator. 2) The owner drags in a folder containing a large data set to be shared. 3) The owner assigns no recipients thereby forcing any recipient to contact the owner for access. 4) The owner selects Create Package and selects the Egress Switch CD/DVD Data Exchange Mechanism, and they are prompted to insert blank optical media. 5) With no further steps and no additional authoring software, the secure package is written to the media. 6) The owner places the media in a mailer addressed to the recipient and sends it through regular mail. In this workflow, there are actually fewer steps than usually required as the data encryption and CD/DVD authoring is done automatically. The owner simply selects their files and burns them. For the recipient of this CD, the process is straight-forward. The recipient receives the CD, inserts into their PC and are prompted to sign into Switch or register for a Switch ID. The Switch browser is included on the CD and will auto-run so that the recipient can gain access to the information. Since the owner has not specified a recipient, the recipient makes an access request through Switch that notifies the owner to grant access. At this point the owner is assured that the recipient has received the information. File Uploaded to FTP Server Many systems have limitations on the size of an including attachments. These limits are usually set by a service provider or the IT staff. When an Information Owner needs to share files beyond this limit, an FTP site is a common alternative. Using Egress Switch to secure the shared information means it can no longer be compromised by relaxed security practices of FTP sites that may use a common folder for many users. Access can be easily compromised, and the jumble of files that build up over time make it even more likely for sensitive information to fall into the wrong hands. Secure FTP sites offer little additional security as the primary difference from FTP is the use of SSL on communications lines; no further protection or control over shared information is provided. 1) The Information Owner signs into Switch and opens the Switch Package Creator. 2) The owner drags the large files to be shared. 3) The owner assigns a recipient, who was previously notified by that the file will be available on the FTP site. 12 Egress White Paper A Fresh Approach to Secure Data Exchange

15 4) Next, the owner selects Create Package and selects Egress Switch file package from the Data Exchange Mechanisms. Finally they are prompted for a location to save the file. 5) The owner saves the file to the desktop so it is ready for upload. 6) The owner opens their FTP client and transfers the file to the FTP site. In this workflow, the Information Owner has the additional step of creating a secure package before uploading the information to the FTP site. With this protection, the file is encrypted during upload, while stored on the site and during download even if Secure FTP is used. Further, all control over the file to assign or change recipients and security policies means there is no risk that the information is compromised during the transfer or while stored in intermediate locations. As noted above, there are new Data Exchange Mechanisms planned for future releases that will streamline this process further by automatically uploading the secure package once it is created. Conclusions To ensure that information is always under the control of the owner after it has been shared is not a trivial task. Egress Switch does exactly this with the added benefit of simplifying the process of sharing for end users of various skill levels. The focus throughout the design and development process has been to protect shared information by applying security policies to data entities, not to the container of the data. This is in sharp contrast to many of the legacy encryption products available today such as full disk encryption. At the same time, key design objectives have included: Strong Security use of best-of-breed technologies for encryption of data in motion and data at rest; Simplifying User Experience designed to match sharing workflows; Scale from individual users to large organizations Software as a Service model, available over the web for single users or multi-user accounts. Egress Switch presents an innovative new way to remove risk from data exchange and keep businesses flowing. This represents an ideal solution to inject security into today s informal information exchange while avoiding disruption to the user workflow. By using Egress Switch to secure data exchange, individuals and organizations can have confidence that the information which they consider valuable will not be mishandled by third parties who may have valid reasons to hold or operate on that data. Egress White Paper A Fresh Approach to Secure Data Exchange 13