SECURITY SOLUTIONS TECHNOLOGY REPORT
Secured Enterprise eprivacy Suite
JANUARY 2007

Secured Headquarters, Drakegatan 7, Gothenburg, Sweden Tel: Fax:
Secured Incorporated, 565 Carriage Drive NE, Atlanta, Georgia Tel: +1 (212) Fax: +1 (212)
secured .com

CONTENTS

Introduction
Test Objectives and Test Network
Security Test Methodology
Checkmark Certification for Security
The Product
Test Report
Test Results
West Coast Labs Conclusion
Security Features Buyers Guide

West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel : , Fax :

INTRODUCTION

With email usage at an all-time high, and an increasing need to comply with the myriad of industry and government regulations, organizations are facing a series of significant security challenges. Legislation frequently requires that any breach of data privacy, including any email-based breach, be publicly disclosed. Previous disclosures by organizations have resulted in a subsequent loss of corporate reputation, combined with litigation aimed at both the company and individuals, as well as regulatory penalties and fines.

However, recent statutes and regulations including Sarbanes-Oxley, HIPAA, GLB, and the Data Protection Act (UK) are not the only drivers that companies should take into account when considering adopting security technologies and practices. The need to communicate securely, while protecting sensitive or confidential business data, is also a concern in its own right. Organizations increasingly need to both protect and ensure the integrity of their intellectual property, the financial and personal data relating to both customers and employees, and their own internal and private communications in general.

While different approaches exist, the central and essential features in any best-of-breed solution should certainly include the ability to robustly encrypt and decrypt not only the text of an email but also its entire contents, or the ability to send and receive email via an equally secure mechanism. With these features in mind, this technology report evaluates each solution under test to ensure that any message can be sent and received in an end-to-end encrypted state, then decrypted and read in plain text by the intended recipient.

West Coast Labs have carefully designed all tests to match real-world conditions and scenarios as closely as possible, ensuring that all results are not only meaningful but are also technically relevant to potential buyers.

To summarize the methodology, numerous network traffic analyzers were configured to capture all relevant activity on the test network. Any appropriate client software was installed on the test machines and any necessary key exchanges performed between users of accounts set up on those machines. West Coast Labs then produced a number of different emails, which were then sent both to internal LAN-based recipients and to external internet-based recipients. All emails were sent in both unencrypted and encrypted forms. The two sets of unencrypted and encrypted data were then compared by examining the output from the network traffic analyzers to ensure that encryption had taken place and that there were no obvious data patterns present.

Having confidence in the encryption and decryption abilities of an email security solution is essential, yet it is only one consideration when making a purchasing decision. Typically, ease-of-use and deployment, the methods of encryption, the methods and related security of any key exchanges, appropriate reporting and auditing features, and the general administration tasks all play an important part in the decision-making process.

TEST OBJECTIVES & TEST NETWORK

West Coast Labs defined and configured a real-world enterprise-class network environment in order to perform a series of rigorous validation tests that assess the following core objectives:

- Test the ability of each product to encrypt / decrypt potentially sensitive email-based data.
- Evaluate the features, high-level protocols and general functionality of each product - from both end-user and administrator perspectives.
- Capture metric-based data to assess general ease-of-use and product installation complexity, emphasising the positive points of each product - from both end-user and administrator perspectives.

The test network was deployed as appropriate to the configuration requirements of each product. Network applications may include - but were not limited to - the following components:

- RAID-enabled Server (with an appropriate operating system installed, for example, a Windows server, or a UNIX / Linux based distribution).
- DHCP server.
- DNS server.
- IIS/NNTP/IAS server.
- Exchange Server 2000 / Lotus Domino Server.
- Microsoft Outlook Client.
- Lotus Notes Client.
- Cisco Router / Firewall (configured as an Internet gateway).

SECURITY TEST METHODOLOGY

INDEPENDENT SECURITY TESTS / ENCRYPTION VALIDATION

The following methodology was used to test that messages can be successfully encrypted by the sender and successfully decrypted by the recipient:

- A network traffic analyser was configured with the appropriate capture filter set to record all relevant activity within the test network.
- A set number of different messages were created, containing a pre-defined number of words and characters in both the subject line and the message body.
- An internal LAN-based recipient and an external Internet / WAN-based recipient were chosen at random from available addresses and issued with any appropriate client software and / or security keys.
- The previously defined messages were sent unencrypted to the randomly chosen internal LAN-based recipient and external Internet / WAN-based recipient; this was used as the comparison baseline.
- The previously defined messages were sent encrypted to the randomly chosen internal LAN-based recipient and external Internet / WAN-based recipient.
- The two sets of unencrypted and encrypted data were compared by examining the text output from the network traffic analyser captures.

In addition to the above test criteria, West Coast Labs will also evaluate the overall functionality of the solutions under test including ease of use, management and administration.
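
The capture comparison described in the methodology summary and in the validation steps above can be scripted. The following Python is an added example, not West Coast Labs' tooling or part of the original report: it checks a captured payload for the baseline message's known words and for obvious data patterns, including the case where a body is only base64 transfer-encoded rather than encrypted. The marker strings, sample payloads, 16-byte block size and 7.0 bits-per-byte threshold are assumptions chosen for illustration.

```python
import base64, hashlib, math, re
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (close to 8 for random-looking data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def repeated_blocks(data: bytes, size: int = 16) -> int:
    """Number of duplicate aligned blocks: one kind of obvious data pattern."""
    blocks = [data[i:i + size] for i in range(0, len(data) - size + 1, size)]
    return len(blocks) - len(set(blocks))

def views(payload: bytes) -> list:
    """The payload as captured, plus its base64 runs decoded and joined, because a
    transfer-encoded body looks unreadable in a capture without being encrypted."""
    runs = re.findall(rb"[A-Za-z0-9+/]{24,}", payload)
    decoded = b"".join(base64.b64decode(r[:len(r) // 4 * 4]) for r in runs)
    return [payload, decoded] if decoded else [payload]

def assess(payload: bytes, markers: list) -> dict:
    """Compare one captured payload against the baseline message's known words."""
    vs = views(payload)
    leaked = [m for m in markers if any(m.encode() in v for v in vs)]
    densest = max(vs, key=entropy)  # judge patterns on the most decoded view
    result = {"leaked": leaked, "entropy": round(entropy(densest), 2),
              "repeats": repeated_blocks(densest)}
    result["encrypted"] = (not leaked and result["entropy"] >= 7.0
                           and result["repeats"] == 0)
    return result

# Constructed sample data (not taken from the report's captures).
MARKERS = ["WCL-SUBJECT-7731", "WCL-BODY-ALPHA", "WCL-BODY-OMEGA"]
BASELINE = (b"Subject: WCL-SUBJECT-7731\r\n\r\nWCL-BODY-ALPHA quarterly payroll "
            b"figures for the finance team follow. WCL-BODY-OMEGA\r\n")
HEADER = b"Content-Transfer-Encoding: base64\r\n\r\n"
ENCODED_ONLY = HEADER + base64.b64encode(BASELINE)
# Stand-in for ciphertext: a SHA-256 counter keystream, used only so the sample
# is deterministic. It is not the product's AES-256 output.
STAND_IN = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(48))
ENCRYPTED = HEADER + base64.b64encode(STAND_IN)

if __name__ == "__main__":
    for name, cap in [("baseline", BASELINE), ("base64 only", ENCODED_ONLY),
                      ("encrypted", ENCRYPTED)]:
        print(name, assess(cap, MARKERS))
```

A pass on these checks shows only that the known words are absent and that the payload looks random; it says nothing about the strength of the cipher or of the key exchange.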

CHECKMARK CERTIFICATION

Participating solutions will be eligible for the Checkmark Security certification, subject to the successful completion of the testing and satisfying the following specific functionality and performance criteria:

- Each and every time an end-user and / or administrator chooses to send an encrypted email, that email will be verified as being 100% encrypted and unreadable in plain text.
- Each and every time an end-user and / or administrator chooses to send an unencrypted email, that email will be verified as being 100% unencrypted and readable in plain text.
- When a solution makes use of keys, the ability will exist to more securely exchange such keys via a separate channel and will not be limited to an email key exchange.
- The solution will provide a centralized administration interface and appropriate reporting / auditing capabilities.

THE PRODUCT

SECURED ENTERPRISE EPRIVACY SUITE

Secured products are based on a concept new to the encryption world: the Simple Encryption Platform. SEP provides the highest levels of security, along with ease of use, making the act of securing data while at rest, or in transit, a very simple process.

SECURED DESCRIBES THE PRODUCT'S BUSINESS BENEFITS AS

Encryption is now in use throughout enterprises, securing business transactions across networks, maintaining the confidentiality of communications or protecting client data stored on servers or desktops. Companies have been forced to piece together these encryption solutions, the majority of the time relying on different vendors for endpoint security, gateway email, disk encryption and file encryption. This method created issues with system disruptions, high overall cost and made it difficult and expensive to achieve the data security that companies required for regulatory compliance. Secured has created an approach that offers operability, scalability and simple management of assets.

SECURED DESCRIBES THE PRODUCT'S TECHNICAL BENEFITS AS

Companies can deploy the Secured platform that allows them to integrate new encryption applications quickly and easily, profiting from the benefits of a unified management console and resulting in high ROI over time. A platform strategy allows additional Secured products to leverage this common platform allowing deployment to be more cost-effective, thereby reducing operational costs and freeing IT resources to focus on additional projects.

TEST REPORT

INTRODUCTION

The Simple Encryption Platform (SEP) by Secured is a unique set of modular, enterprise-grade software components. These components are designed to redefine, simplify, and reduce the cost of the more traditional PKI-based approach that is commonly utilized within contemporary encryption systems - whilst maintaining maximum security.

SEP offers ease-of-use for both end-users and system administrators alike, with robust encryption, flexible deployment options, and a powerful policy engine all combining to successfully ensure that organizations meet or exceed compliance, regulatory, and corporate security demands. SEP actively supports compliance with a number of regulatory and legal initiatives, including SOX, GLBA, HIPAA, and the EU Data Protection Directive.

DEPLOYMENT

SEP is easily deployed within existing infrastructure, being compatible with all major SMTP servers, as well as Lotus Notes and Microsoft Outlook clients. A Java applet is also available, allowing end-users to securely receive a secured email using nothing more than a Java-enabled web browser. End-user training requirements are kept to a minimum, with organizations benefiting from a fresh and uncomplicated approach to secure key exchanges, user-transparent encryption, centralized user and policy management, and a comprehensive help system.

West Coast Labs quickly and easily deployed SEP within an existing network infrastructure, installing the Enterprise Server and Admin Tool components on a Microsoft Windows Server 2003 operating system, whilst using Microsoft SQL Server 2005 as one of the data stores. The SEP eprivacy client software was installed on a number of client machines running Microsoft Windows XP Professional and Microsoft Outlook The system may also be deployed on different hardware and software including some lower specification options such as the free SQL Server Express Edition.
This makes the solution cost-effective to set up in smaller business environments, or to use in testing and evaluation networks. The ease of deployment of SEP means that the existing Microsoft skillsets of many system administrators can be used and any periods of training are kept to a minimum.

SEP may also integrate with LDAP-based directories, allowing any existing users and any associated data to be quickly and simply imported into the database of the solution. This feature is particularly useful in larger organizations where it can help to significantly reduce the time and complexity associated with company-wide deployments. SEP effectively becomes a slave data source and is continually synchronized with the master data source, allowing any changes to the master to take immediate effect in SEP.

ADMINISTRATION

Once SEP is installed, it proves to be a simple task to remotely manage users, policies, licensing, SQL database options, and secure user groups, using only the intuitive built-in Admin Tool. All system logs and audit trail data can also be viewed via the Admin Tool and the interface also has the ability to remotely push out organization-wide policies and updates. This may be to the entire user base, or depending on requirements, simply to a single user or secure group, where a group could conceivably be used to represent a single department within an organization.

The functionality of Groups is particularly useful for allowing different levels of security to be enforced for specific departments or sets of users depending upon requirements. For example, legal, HR, and finance departments may need tighter security controls than certain other departments within an organization as they are dealing with potentially sensitive company and employee data. The flexible nature of policy management and deployment within SEP is combined with powerful rule options that are designed as risk-reducing safeguards to help protect an organization's privacy and intellectual property.

END-USER EXPERIENCE

It is straightforward, fast, and intuitive to send and receive both encrypted and unencrypted emails from the standard Microsoft Outlook client once the solution is installed. The key feature of SEP from an end-user perspective is certainly the inherent simplicity of use. To send and receive secure emails is as simple as writing an email and optionally attaching files, as normal, then clicking the 'Send Secured' button on the same screen.

Upon first use for external emails, the user is prompted to create a Shared Secret - made up from random text, a phrase, or numbers - and then prompted to communicate that Shared Secret with the intended recipient, preferably via a separate offline method, such as telephone, fax, or SMS.
The Shared Secret need only be communicated once between sender and recipient and from that point on, all communications - between both sender and recipient - may be carried out over a secure channel, in an easy and controlled manner. These users are not required to communicate the Shared Secret again as the secure tunnel has been permanently initiated between these parties. It is also worth noting that in addition to the core functionality of encryption, SEP also provides a convenient and simple mechanism for encrypting potentially sensitive data found in files and folders on hard drives or removable storage media, such as USB devices. This feature can be implemented either as a standalone application or in conjunction with a SEP enterprise server. As with the SEP system, this functionality was designed to ensure that the complexities of the encryption process are fully transparent from an end-user perspective.

TEST RESULTS

Throughout the comprehensive test process, West Coast Labs verified - via the use of network analyzers and capture tools, followed by rigorous manual analysis - that all email routed through SEP that required secure transport was one hundred percent encrypted and could only be successfully decrypted by the intended recipients.

All secure emails were encrypted desktop-to-desktop - without the need for any third-party, expensive digital certificates - ensuring that potentially malicious eavesdroppers have no window of opportunity to intercept the data in transit. All SEP encryption is carried out using the robust and industry-proven AES256 algorithm.

Checkmark certification has been awarded in the category of security, based on SEP exceeding the demanding criterion required to pass the related tests and achieve the standard.

WEST COAST LABS CONCLUSION

The Enterprise eprivacy Suite from Secured is a powerful, tried and tested solution that combines ease-of-use and cost effectiveness with proven, user-transparent encryption, to deliver a fresh approach to security. With an effective central policy management engine, organizations can be confident that their compliance, regulatory, and corporate security needs will be met or exceeded.

Having successfully completed all the required testing, West Coast Labs can confirm that the Enterprise eprivacy Suite from Secured is certified to the appropriate Checkmark certification standard.

West Coast Labs Disclaimer

While West Coast Labs is dedicated to ensuring the highest standard of security product testing in the industry, it is not always possible within the scope of any given test to completely and exhaustively validate every variation of the security capabilities and/or functionality of any particular product tested and/or guarantee that any particular product tested is fit for any given purpose. Therefore, the test results published within any given report should not be taken and accepted in isolation. Potential customers interested in deploying any particular product tested by West Coast Labs are recommended to seek further confirmation that said product will meet their individual requirements, technical infrastructure and specific security considerations. All test results represent a snapshot of security capability at one point in time and are not a guarantee of future product effectiveness and security capability. When West Coast Labs provide test results for any particular product tested, said results are most relevant at the time of testing and within the context of the specific scope of testing and relative to the specific test hardware, software, equipment, infrastructure, configurations and tools utilized during that specific test process.
West Coast Labs is unable to directly endorse or certify the overall worthiness and reliability of any particular product tested for any given situation or deployment.

SECURITY FEATURES BUYERS GUIDE

NEW FEATURES IN VERSION 3 ENTERPRISE eprivacy SUITE AS STATED BY SECURED

- Lotus Notes Client Application
- AD Import
- New GUI
- Server Synchronization
- Wrapmail Edit
- ef2 - data at rest encryption
- Enterprise online mode & offline mode
- One license system
- Search function in AD
- Easy license deployment
- Easy policy deployment
- Create client installer in Admin Tool
- Secured group management
- eusb