Secure Email Inside the Corporate Network: Providing Encryption at the Internal Desktop



A Tumbleweed Whitepaper

INDEX

INTRODUCTION
  Encryption at the Internal Desktop
CURRENT TECHNIQUES FOR DESKTOP ENCRYPTION
  Compression and Encrypted Attachments
  Using an S/MIME-based PKI for Desktop Email Security
  Using PGP on the Desktop
  Identity-based Encryption
THE IDEAL SOLUTION
  Ideal User Experience of a Typical Sender
  Ideal User Experience of Two Typical Recipients
  Ideal User Experience of a Typical Administrator
TUMBLEWEED PLUG-IN COMING IN 2006
  The Tumbleweed Plug-in Approach
CONCLUSION

INTRODUCTION

Each organization has its own unique security needs when it comes to sending and receiving sensitive information via email, from complying with government privacy regulations in Healthcare (HIPAA) and Financial Services (GLBA) to enforcing corporate policies (SOX) and protecting intellectual property. Although individual implementations vary, current email security requirements typically fall into two categories: inbound email protection and outbound email security.

Inbound email protection. Protecting the inbound email stream from viruses, spam, dark traffic, and other malicious messages is critical for network efficiency, user productivity, and policy compliance. A combination of firewall, anti-spam, anti-virus, anti-phishing, and anti-hacking products is generally deployed to guard against these threats.

Outbound email security. Securing the information that exits a corporate network is as important as defending the inbound email stream, because misuse of corporate information, data leakage, and delivery of improper content can result in significant exposure. Content filtering, authentication, and encryption solutions can mitigate these risks.

An effective approach to both inbound and outbound email security is to apply protection at the enterprise boundary, where email enters or leaves the corporate network. This strategy simplifies security by allowing administrators to define and manage security policies and measures centrally and universally, without requiring individual users to actively implement them. Until recently, securing email at the gateway to the enterprise has been sufficient for most organizations.

ENCRYPTION AT THE INTERNAL DESKTOP

Securing email between users inside the corporate network has not been a major concern for most organizations with sufficient security at the gateway to the enterprise. Today, however, a combination of changing business, regulatory, and technology factors is highlighting the need for organizations to re-evaluate their email protection strategies and consider implementing a third type of security: encryption at the internal desktop.

- As business relationships become more distributed and complex, internal networks are providing email access for more remote users and non-employees. This blurs the line between internal and external recipients and makes the network less trusted.
- It is becoming increasingly common for users to send sensitive information to a combination of internal and external recipients who may warrant different levels of security and have different encryption/decryption capabilities.
- Increased regulation requires greater control over the information exchanged within internal networks, including encryption to protect against unauthorized access.
- Desktop encryption software has become easier to deploy, making it a viable solution for protecting sensitive information inside corporate networks.

This paper summarizes several current techniques for encrypting email at the desktop, and outlines the characteristics of an ideal solution that overcomes their various limitations. It also provides an overview of the new desktop encryption enhancements that will be available for Tumbleweed Secure Messenger and Tumbleweed Email Firewall in 2006.

CURRENT TECHNIQUES FOR DESKTOP ENCRYPTION

One of the major challenges with any security solution is to balance absolute security requirements with usability. This is especially true for secure email products: if they are not easy to use and fully integrated into the normal email workflow, the user community will not adopt them, because they don't pass a simple "Friday afternoon test." Imagine a busy employee who has to send an important email two minutes before leaving for the weekend. While assembling the message, the employee realizes it really should be sent securely. An email encryption system will only pass the test if it is integrated with the normal workflow and so easy to use that the employee will encrypt the message rather than continuing with standard email and hoping for the best.

A variety of encryption technologies and approaches provide different levels of security and usability. They include:
- Compression and encrypted attachments
- Relying on passwords as a shared secret
- Using a full PKI for desktop email security
- Using PGP on the desktop
- Identity-based encryption

COMPRESSION AND ENCRYPTED ATTACHMENTS

A number of desktop utilities (e.g. WinZip) enable individual users to create encrypted archives of files that can be attached to emails and sent to internal or external recipients. Some support only password-based encryption, while others allow the use of the recipient's digital certificate to perform the encryption. This is one of the simplest methods for providing email encryption at the desktop, but it generally requires senders to initiate the encryption process outside of the email client. Utilities can be linked into the sender's email system relatively easily by adding an "encrypt and send" option to the menus available on the desktop. Many of these systems also support only password-based encryption schemes, the limitations of which are discussed below.

Relying on Passwords as a Shared Secret

Many of the simpler encryption schemes follow three steps:
1. The sender gathers the information they wish to send into a package.
2. The sender uses some tool to encrypt the package, and creates a password that the recipient will use to decrypt it on the receiving end.
3. The sender emails the package to the recipient(s).
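The three steps above leave the delivery of the password entirely to the sender, and in practice it often ends up in the same message as the package. The following check, written for this edit and not part of the Tumbleweed paper, shows what a gateway content policy can do about that: it parses an outbound message, recognises password-protected ZIP attachments by the "encrypted" flag in the archive headers, and flags a message whose body hands over the password alongside them (it also notes that the body itself is never protected by this scheme). The addresses, message text and archive are constructed inside the block; the archive merely has its encrypted flag set and its contents are not really encrypted, which is all a metadata check needs.

```python
"""Gateway content check for the password-as-shared-secret pattern.

Added example (not Tumbleweed code).  Everything here is constructed: the
addresses, the message text and the ZIP archive.  The archive is a normal
archive whose "encrypted" flag bit has been set so that it looks
password-protected to a scanner; no real encryption is applied.
"""
import email
import email.policy
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# A password handed over in the body, e.g. "password: x" or "the password is x".
PASSWORD_RE = re.compile(
    r"\b(?:password|passwd|passphrase|passcode)\b\s*(?:is|:|=)\s*(\S+)", re.I)

ZIP_ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in ZIP file headers


def build_zip(name, payload, mark_encrypted):
    """Return ZIP bytes; optionally set the 'encrypted' flag on the single entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # Local file header of the first entry starts at 0; flags are at offset 6.
        flags = struct.unpack_from("<H", raw, 6)[0] | ZIP_ENCRYPTED_FLAG
        struct.pack_into("<H", raw, 6, flags)
        # The end-of-central-directory record (last 22 bytes, no comment) holds
        # the central directory offset at +16; flags sit 8 bytes into an entry.
        cd_offset = struct.unpack_from("<I", raw, len(raw) - 22 + 16)[0]
        struct.pack_into("<H", raw, cd_offset + 8, flags)
    return bytes(raw)


def archive_is_encrypted(data):
    """True if any entry in a ZIP archive carries the encrypted flag."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def inspect_message(raw):
    """Return a list of (rule, detail) findings for one outbound message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    encrypted = [p.get_filename() for p in msg.iter_attachments()
                 if archive_is_encrypted(p.get_payload(decode=True) or b"")]
    findings = []
    if not encrypted:
        return findings
    if PASSWORD_RE.search(text):
        findings.append(("shared-secret-in-band",
                         f"password for {encrypted} appears in the message body"))
    # The package is protected but the covering text is not: this scheme never
    # encrypts the message body, only the attachment.
    findings.append(("body-unencrypted", f"plaintext body accompanies {encrypted}"))
    return findings


def make_sample(password_in_body, mark_encrypted):
    """Build a constructed outbound message carrying a ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "bob@enterprise-x.example"
    msg["To"] = "carol@partner.example"
    msg["Subject"] = "Q2 figures"
    text = "Hi Carol, the Q2 figures are in the attached archive.\n"
    if password_in_body:
        text += "The password is Summer2006!\n"
    msg.set_content(text)
    archive = build_zip("q2-figures.csv", b"region,revenue\nEMEA,1200\n", mark_encrypted)
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="q2-figures.zip")
    return msg.as_bytes()


def demo():
    """A leaky message (password in band) beside a clean one."""
    return {"leaky": inspect_message(make_sample(True, True)),
            "clean": inspect_message(make_sample(False, False))}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "no findings")
```

The check reads only archive metadata, so it costs nothing to run on every outbound message and does not need the password itself. A real gateway policy would route a "shared-secret-in-band" hit to the encrypted channel the paper describes rather than simply blocking it.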

This approach has several limitations:
- It doesn't account for how senders provide recipients with passwords.
- It doesn't easily scale beyond a few users.
- It tends to result in very loose security, with either standard known passwords being used and shared among multiple users, or passwords being included in the emails themselves.
- It doesn't enable the message body of an email to be encrypted along with the attachments.

USING AN S/MIME-BASED PKI FOR DESKTOP EMAIL SECURITY

Public Key Infrastructures (PKIs) use virtual IDs, or digital certificates, to validate the identity of organizations, computers, and individuals before allowing a transaction or communication to occur. The ability to encrypt and decrypt email using digital certificates and the S/MIME standard is built into many desktop clients, including Microsoft Outlook and Outlook Express, Lotus Notes, Mac Mail, and Thunderbird. Yet S/MIME has not been adopted as a universal email encryption standard, because desktop-based encryption solutions that rely on thousands of individuals installing and consistently using digital certificates have not passed the Friday afternoon test: they are not only cost-prohibitive but also difficult to use. For example:
- To encrypt a message, the sender must first find a certificate for each recipient. If the intended recipient does not have a certificate, or the sender can't find it, the encrypted email can't be sent.
- If certificates are found, senders must import each individual certificate into their email clients. This is time-consuming and difficult to manage, particularly for non-technical users.
- Who do you trust? Managing individual certificates on the desktop requires that senders know how to verify certificates from different issuers, and what to do when certificates become invalid or expire.
- Publishing a certificate directory is a security risk. If a company places a directory of internal users' certificates on the Internet or corporate intranet for others to look up, it is opening the door to directory harvest attacks and other threats from malicious hackers.

These limitations, combined with the expense and administrative overhead of deploying a traditional PKI, have prevented widespread deployment of desktop email encryption. It is simply too cumbersome.

USING PGP ON THE DESKTOP

Using desktop clients to implement PGP encryption between individuals imposes many of the same limitations as S/MIME-based desktop encryption. While the trust model is usually different, the requirement that individual senders have pre-existing PGP keys for all intended recipients only works well for small communities, and does not scale within larger enterprises. As with S/MIME and X.509 certificates, publishing a directory of internal keys on the Internet to improve scalability is a security risk.
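As an added illustration (not code from the paper or from Tumbleweed), the block below walks through the work that sits behind the sender's side of S/MIME-style encryption: looking each recipient up in a certificate directory, deciding whether to trust the certificate (trusted issuer, valid signature, validity window), and encrypting one message to several recipients by wrapping a single content key for each of them. It uses the third-party `cryptography` package and constructs its own Enterprise X issuing CA, a partner CA the sender's client does not trust, and the recipients' certificates in memory; it does not produce a real CMS/S-MIME structure, only the equivalent hybrid envelope. All names and domains are made up.

```python
"""Sender-side work behind S/MIME-style desktop encryption.

Added example, not code from the Tumbleweed paper.  Enterprise X, its CA, a
partner CA, the recipients and their certificates are all constructed here.
The block performs the steps the sender's client must carry out: find each
recipient's certificate, decide whether to trust it, then wrap one content key
per recipient so a single message reaches all of them.  Needs `cryptography`.
"""
import datetime as dt
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2006, 6, 1)  # the paper's timeframe; naive UTC throughout
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def issue(cn, email, issuer, not_after, not_before=NOW - dt.timedelta(days=1), ca=False):
    """Issue an RSA certificate; issuer is (key, cert), or None for self-signed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_key, issuer_name = (key, subject) if issuer is None else (issuer[0], issuer[1].subject)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(not_before).not_valid_after(not_after)
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if email:  # S/MIME recipient certificates carry the address in subjectAltName
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
    return key, builder.sign(issuer_key, hashes.SHA256())


def validity(cert):
    """Validity window as naive UTC datetimes, whatever the library version."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:  # older cryptography releases expose naive datetimes only
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def check_certificate(cert, trusted_issuer, now=NOW):
    """'Who do you trust?': issuer, signature and validity window must all pass."""
    if cert.issuer != trusted_issuer.subject:
        raise ValueError("issuer is not one the sender trusts")
    trusted_issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
    not_before, not_after = validity(cert)
    if not not_before <= now <= not_after:
        raise ValueError("certificate is outside its validity window")


def envelope(message, recipients, directory, trusted_issuer, now=NOW):
    """Encrypt one message to many recipients: AES-GCM body, RSA-OAEP key wraps."""
    certs = {}
    for addr in recipients:
        cert = directory.get(addr)
        if cert is None:  # the paper's first obstacle: no certificate, no encrypted mail
            raise LookupError(f"no certificate found for {addr}")
        check_certificate(cert, trusted_issuer, now)
        certs[addr] = cert
    cek, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    return {"nonce": nonce, "ciphertext": AESGCM(cek).encrypt(nonce, message, None),
            "wrapped_keys": {a: c.public_key().encrypt(cek, OAEP) for a, c in certs.items()}}


def open_envelope(env, addr, private_key):
    """Recipient side: unwrap the content key with the private key, decrypt the body."""
    cek = private_key.decrypt(env["wrapped_keys"][addr], OAEP)
    return AESGCM(cek).decrypt(env["nonce"], env["ciphertext"], None)


# Constructed directory: two good certificates, one from a CA Bob's client does not
# trust, one expired, and (Dave) one internal user with no certificate at all.
YEAR = dt.timedelta(days=365)
CA = issue("Enterprise X CA", None, None, NOW + 10 * YEAR, ca=True)
PARTNER_CA = issue("Partner CA", None, None, NOW + 10 * YEAR, ca=True)
ALICE_KEY, ALICE_CERT = issue("Alice", "alice@enterprise-x.example", CA, NOW + YEAR)
JOHN_KEY, JOHN_CERT = issue("John", "john@enterprise-x.example", CA, NOW + YEAR)
_, CAROL_CERT = issue("Carol", "carol@partner.example", PARTNER_CA, NOW + YEAR)
_, ERIN_CERT = issue("Erin", "erin@enterprise-x.example", CA,
                     NOW - dt.timedelta(days=30), not_before=NOW - 2 * YEAR)
DIRECTORY = {"alice@enterprise-x.example": ALICE_CERT, "john@enterprise-x.example": JOHN_CERT,
             "carol@partner.example": CAROL_CERT, "erin@enterprise-x.example": ERIN_CERT}


def demo():
    """One message to Alice and John, then each failure mode the paper lists."""
    message = b"Q2 figures attached. -- Bob"
    env = envelope(message, ["alice@enterprise-x.example", "john@enterprise-x.example"],
                   DIRECTORY, CA[1])
    results = {"wrapped_keys": len(env["wrapped_keys"]),
               "alice": open_envelope(env, "alice@enterprise-x.example", ALICE_KEY) == message,
               "john": open_envelope(env, "john@enterprise-x.example", JOHN_KEY) == message}
    for addr in ("carol@partner.example", "erin@enterprise-x.example", "dave@enterprise-x.example"):
        try:
            envelope(message, [addr], DIRECTORY, CA[1])
            results[addr.split("@")[0]] = "sent"
        except (LookupError, ValueError) as exc:
            results[addr.split("@")[0]] = str(exc)
    return results
```

Calling `demo()` returns two wrapped keys for the message to Alice and John, and a refusal for each case the paper lists: Carol's certificate from an issuer the client has not been told to trust, Erin's expired certificate, and Dave, who has no certificate in the directory. Each refusal is the point at which a real desktop client either stops the user or quietly falls back to plaintext, which is the "Friday afternoon" failure the paper is concerned with; note too that the directory lookup is the only step that needs the sender to know anything about the recipient's key material.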

IDENTITY-BASED ENCRYPTION

PGP, S/MIME, and X.509-based approaches typically run into deployment problems because of the need for senders to know in advance the encryption keys associated with each recipient. In the last few years, some new approaches to PKI have been suggested which remove the need to share public keys or digital certificates. These approaches, dubbed identity-based encryption, simplify the process by using some other already-known feature, such as the recipient's email address, as a pseudo public key.

The cryptography underlying these techniques is relatively new and has not been subjected to the same level of peer review as encryption using PGP or X.509 certificates. As a result, identity-based encryption techniques do not have the same standing in the cryptographic community. They also have some characteristics that make them less attractive than they first appear:
- The encryption scheme actually relies on a single central Master Key. Compromise of this Master Key has the potential to break system security.
- The recipient's email address is not enough in itself. Using only the email address as a pseudo public key does not allow revocation of keys: if a key is compromised, the recipient must change email addresses or risk a security breach. In practice, the public key is constructed using a combination of date/time, email address, and information about the Master Key. This means that a particular recipient may have multiple private keys, significantly increasing complexity.
- Unlike methods which rely on standards already supported by a variety of desktop and mobile email clients, this method requires installing proprietary software on every system you consume email on. This can be very time-consuming and challenging to support for users who rely on multiple methods for receiving email.

THE IDEAL SOLUTION

The ideal desktop encryption solution for internal networks will eliminate the weaknesses and limitations of current techniques. For example, the ideal desktop-to-desktop encryption solution:
- Does not place any administrative burden on the sender, unlike conventional desktop S/MIME and PGP.
- Can scale to support growing user communities, which is not possible with password-based techniques.
- Integrates easily into the normal email workflow, unlike encrypting attachments.
- Does not rely on pseudo public keys, which are unproven and tricky at best.
- Can effectively deal with encrypting email to a combined group of internal and external recipients.

IDEAL USER EXPERIENCE OF A TYPICAL SENDER

Bob works for Enterprise X. He needs to send secure email to Alice, who is within Enterprise X, and Carol, an external partner. He should be able to send the encrypted message from his existing email client without having to worry that Alice is internal and Carol is external. He may or may not have previously sent email to Alice or Carol, and he may or may not have previously sent encrypted email to anyone. Bob is an executive user who does not have time to understand or manage digital certificates; he just wants his messages to be delivered securely.

IDEAL USER EXPERIENCE OF TWO TYPICAL RECIPIENTS

Alice receives the secure email from Bob, and may not have previously sent or received secure email. She should be able to decrypt the email from Bob without worrying about her own software, certificates, or keys. This means that Alice should either have pre-installed software to handle the decryption (distributed by the administrator), or the email she receives should include easy-to-follow decryption instructions. This might include a link to software she can download and install on her desktop. Alice should also be able to reply to both Bob and Carol securely, without concerning herself with who is internal and what encryption method is used. Once any initial software or key is installed, Alice should be able to read any secure email she receives, even if her computer is not connected to the Internet.

Carol should be able to receive secure messages from Enterprise X in her preferred encryption format. She may already use S/MIME or OpenPGP encryption, or she may not have any previous encryption capability. Carol should not need to know whether Bob and Alice are encrypting from their desktops or using gateway encryption. She should simply be able to reply to or originate secure messages using her preferred method and have them delivered to Bob and Alice. In addition, encrypted messages originating from Carol should be scanned for viruses and policy violations before being allowed into Enterprise X.

IDEAL USER EXPERIENCE OF A TYPICAL ADMINISTRATOR

Ted is the administrator for Enterprise X. He wants to enable employees to exchange secure email internally and externally, but does not want to have to issue and manage certificates for internal and external users. As much as possible, he wants encryption between internal and external users, with and without desktop software, to be handled automatically by the gateway server. Ted does not have the time or resources to support complex client installation and setup for each user who needs to send secure email. Ideally, he will be able to remotely install and enable secure email for users from his own administration console. In cases where Ted is required to distribute software for installation, he needs to take into account the profile of users such as Bob, and allow them to send and receive secure email with minimal knowledge of encryption.

TUMBLEWEED PLUG-IN COMING IN 2006

Tumbleweed is the leading provider of solutions for securing email communications. In the current releases of Tumbleweed software, MailGate Email Firewall (EMF) and Secure Messenger (SM) work together to inspect all outbound email at the network gateway. Based on custom policies that each Tumbleweed customer administrator defines, the system automatically identifies violations based on the content of the email, and redirects suspect messages to a secure, encrypted channel for further action. This perimeter-based design ensures that every employee, customer, and partner benefits from secure email without having to actively implement and manage it on their own desktops.

Encrypted email is delivered to external desktops based on administrator-defined policies that determine the most appropriate delivery medium for the intended recipient. The major encryption standards (S/MIME, OpenPGP, SMG) are used for recipients who already have encryption/decryption capabilities in their email clients, and Secure Messenger and Secure Envelope are used to deliver encrypted email to recipients without requiring anything beyond an email client and a Web browser. While offering highly secure encryption options, these capabilities are not currently integrated with standard email clients, reducing their effectiveness at the internal desktop.

In response to the growing need for higher security inside corporate networks, Tumbleweed will release a desktop encryption plug-in for MailGate Secure Messenger that:
- Is easy to deploy and easy to use, enabling users to encrypt messages from their desktops using the software they already know.
- Integrates seamlessly with existing workflow and desktop email clients.
- Works effortlessly with other Tumbleweed methods for external encryption, so that senders do not need to worry about whether recipients are located inside or outside the enterprise.

THE TUMBLEWEED PLUG-IN APPROACH

The Tumbleweed desktop encryption plug-in will provide the proven security of PKI deployments without the complexity and burden of certificate or key management. Combined with the flexible Email Firewall, it will allow organizations to manage desktop-to-desktop email encryption in the way that is most appropriate for each user. The three diagrams that follow illustrate how the desktop plug-in will work for three typical use cases:
1. Where the sender (Bob) is a user of the desktop plug-in, and the recipient (John) has also previously installed the desktop plug-in and enrolled in the system.
2. Where the sender (Bob) is a user of the desktop plug-in, and the recipient (Alice) is an internal user who has not yet installed the plug-in.
3. Where the sender (Bob) is a user of the desktop plug-in, and the recipient (Carol) is an external recipient outside of the enterprise.

These diagrams have been separated to show the flow of information in each scenario, but of course Bob could easily be sending the same message to all three recipients at once. The approach taken by the desktop encryption plug-in means that Bob doesn't need to worry about who is who; the plug-in will simply choose the right approach for each recipient. Of course, once John, Alice, or Carol have received Bob's message, they can reply to him by effectively reversing the processes shown here.

Figure 1. Bob sends a secure email to John, another internal user who has previously installed the plug-in.

Figure 2. Bob sends a secure email to Alice, an internal user who has not yet installed the desktop plug-in.

Figure 3. Bob sends a secure email to Carol, a recipient outside of his organization. This example shows Carol receiving the email using Secure Messenger delivery, but she could equally well be configured to use Proxy S/MIME or Proxy OpenPGP messages.

CONCLUSION

Shifting business processes and communications needs, expanding internal email networks, and increased regulatory requirements are prompting many organizations to re-evaluate their email security strategies. Specifically, they are looking for ways to secure email traveling within their corporate networks just as they secure email entering and leaving the enterprise. One approach is to augment existing perimeter-based security with an additional layer of protection inside the firewall, at the internal desktop. By providing encryption capabilities to individual users, organizations can ensure that sensitive information is delivered safely to both internal and external recipients.

A host of desktop encryption techniques are currently available, although they each have certain drawbacks in terms of security, manageability, and ease of use. As the leading provider of solutions for secure communications, Tumbleweed has the experience and the expertise to deliver desktop encryption capabilities that provide the strong security required in today's business environment without the limitations of existing techniques. In 2006, Tumbleweed will introduce an encryption plug-in for MailGate Secure Messenger that adds a new layer of desktop-to-desktop encryption that is easy to deploy, easy to use, and easy to manage within corporate networks.

... and Tumbleweed SecureTransport, SecureTransport Standard Edition, SecureTransport Enterprise Edition and SecureTransport Partner Edition are trademarks of Tumbleweed Communications Corp. All other ...