COMPLEMENTARY ENCRYPTION SOLUTIONS White Paper
Table of Contents

Section I: Vaultive & Microsoft: Complementary Encryption Solutions ... 2
Section II: Vaultive is a Microsoft ISV Partner ... 5
Appendix A: S/MIME Message Encryption, a Point-to-Point Solution ... 6
Appendix B: Office 365 Message Encryption ... 9
Appendix C: Exchange Information Rights Management (IRM) ... 11
Section I: Vaultive & Microsoft: Complementary Encryption Solutions

Leveraging the cloud for email requires that businesses take specific action to meet security, fiduciary, and compliance requirements. Vaultive is the only Microsoft ISV partner providing a customer-controlled encryption solution across the entire message lifecycle, complementing Microsoft's encryption.

Control Your Data in Office 365 with Vaultive

- Vaultive Encrypts Data Across its Entire Lifecycle: data exists in three states (at rest, in transit and in use) and must be encrypted in all three to ensure control.
- Vaultive Encrypted Data Can be Searched and Sorted: server-side operations (such as search, sort, index, etc.) are performed on the encrypted data without ever decrypting it. If data must be decrypted for server-side operations to work, the data is exposed and vulnerable.
- Vaultive Supports Native Exchange Functionality at the Pace of Change: Vaultive fully supports native Office 365 services including e-discovery, DLP, archiving and others while the data remains encrypted. In addition, Vaultive includes detailed logging and reporting.
- You Own, Manage and Control your Encryption Keys: according to cloud security best practices, encryption keys should be created, managed and controlled by the customer and not the cloud service provider. If encryption keys are accessible to anyone outside the organization, the organization gives up a crucial element of security and control.

Microsoft Encryption Solutions: Protected Delivery of Specific Messages Based on Decisions Made by Individual End-Users

- S/MIME: Individual users determine which messages should be encrypted as they are sent, assuring point-to-point delivery to specific people inside or outside of the organization. Messages are encrypted and only the sender and recipient have access to the keys to decrypt the data.
- Office 365 Message Encryption: Sends a clear-text email with the encrypted message included as an attachment.
  Recipients must log on to the sender's server using a compatible web browser to read the email. Outgoing messages are encrypted once they leave the Exchange server, but are stored on the Exchange server in the clear.
- IRM: Individual users dictate (but cannot enforce) recipient permissions for email messages, for actions such as replying, replying to all, forwarding, extracting information, saving, or printing.

Important Note: When utilizing Microsoft encryption technologies, the data must be decrypted in order to search, sort, index or perform other server-side operations. The data is therefore sitting in the clear while server-side operations are performed.

- Encryption of Data in its Entirety: every single email in the inbox, outbox, sent and deleted folders is encrypted, as well as message subjects, attachments, tasks, calendar items, invitation messages, folders and more.
- No End-User Actions or End-Point Software: encryption must be applied automatically without requiring end-user action. Otherwise, it is subject to human error and guaranteed to fail. Vaultive does not require any end-point software (agent, plug-in, or client application).
The following table summarizes Vaultive's feature support in direct comparison with Microsoft's various solutions. Columns: Feature | Office 365 Message Encryption | Exchange IRM | S/MIME | Vaultive.

Design Principles
- End user organization controls the keys
- Server-side operations (search, sort, index, and others) are performed on encrypted data
- Central key management
- Transparent to end-users
- Support for DLP, e-discovery and archiving on encrypted data
- Unified protection across multiple cloud services

Encryption
- All messages are encrypted
- Inbound messages are encrypted
- Messages sent to only internal recipients are encrypted
- Messages sent to only external recipients are encrypted
- Messages sent to both internal and external recipients are encrypted [1]
- Message subjects encrypted
- Calendar items and invite messages encrypted
- Tasks and notes encrypted
- Items are encrypted before reaching the server [2]
- Messages to distribution lists from POP/IMAP/Mac Mail/Android encrypted
- Preview of encrypted messages

[1] Unless the external recipient has S/MIME set up and has forwarded its certificate to the internal sender.
[2] Unless the message is sent from Outlook.
Columns: Feature | Office 365 Message Encryption | Exchange IRM | S/MIME | Vaultive.

Client Support (both sending and receiving messages)
- Outlook
- OWA (IE)
- OWA (all browsers)
- Mobile OWA
- Mac Outlook
- Mac Mail
- Android
- iPhone
- Other Mobiles (ActiveSync)
- POP3, IMAP [3]

Key Management
- Keys reside on-premises
- Tenant organization retains exclusive access to encryption keys [4]
- Key recovery (integrated backup)

Office 365 Features
- Server searches and sort
- DLP and policy violation scanning
- e-discovery
- Journaling
- Archiving

According to the Encryption in Exchange presentation given at the Microsoft Exchange Conference (MEC) 2014 in Austin, Texas, Microsoft does not recommend combining the various Microsoft encryption solutions.

[3] Requires a browser.
[4] Third party Certificate Authorities could keep generated private keys.
Section II: Vaultive is a Microsoft ISV Partner

Vaultive provides a comprehensive encryption solution for Microsoft Office 365, Yammer, and Dynamics, as well as for other cloud applications. Vaultive persistently encrypts an organization's data before it leaves the trusted network, while the organization's IT retains the keys. Vaultive's encryption software protects data throughout its entire lifecycle: in transit, at rest and in use. Vaultive's persistent encryption maintains content characteristics, allowing server-side operations including search, sort and index on encrypted data, and is completely transparent to the end user.

How Vaultive Works

Vaultive operates as a transparent network-level proxy, deployed at an organization's perimeter network, integrating with Microsoft Office 365 as well as other cloud applications. Data is persistently encrypted before it leaves the organization's trusted network and remains encrypted until it reaches its intended destination.

Central Key Management via Robust Management Console

The Vaultive platform provides encryption combined with central key management. The data is encrypted prior to leaving the organization so that neither the CSP nor Vaultive ever has access to your data in clear text. The data owner maintains direct control of their encryption keys and secures the keys with their own controls in place. No one can access the keys, or the data, without explicit consent of the organization.
Appendix A: S/MIME Message Encryption, a Point-to-Point Solution

Microsoft's S/MIME message encryption provides encryption of email messages in transit, as they travel between the sender and the intended recipient. Once encryption keys are exchanged, messages are encrypted prior to being sent, and then decrypted after download by the intended recipient. In order to utilize S/MIME message encryption, both the sender and recipient must have S/MIME deployed, and the sender must have the recipient's public key, or certificate, on the corresponding client from which the email is sent.

How S/MIME Works

S/MIME requires two separate but related keys: a public key and a private key. A unique public key is distributed to those sending encrypted emails, while the private key is maintained by the recipient. The public key is utilized for encrypting the email before sending it to the recipient, and the recipient can only decrypt the incoming email using the private key.

The following table shows how certificates are acquired for each client and the associated limitations of each method.

- Outlook. Certificate: automatically accesses all certificates from Active Directory (AD). Result: Outlook can access certificates for most internal recipients but very limited certificates for external recipients.
- Outlook Web Application (OWA) on Internet Explorer (IE). Certificate: automatically accesses all certificates from AD. Result: OWA can only access certificates for internal recipients.
- ActiveSync. Certificate: obtains all certificates from the Exchange Server. Result: S/MIME is not supported on Android [5].
- Mac OS X, Exchange Web Services (EWS). Certificate: obtains certificates from the AD. Result: because the GAL is an internal list, Macs can only acquire certificates for internal recipients.

Because of the nature of public-key cryptography, S/MIME has two limitations which can inhibit usage:

- Emails sent to external recipients are generally not encrypted.
  In order for an email sent externally to be encrypted, the recipient must provide the sender with his public key by sending an email signed with the appropriate certificate.
- Incoming emails are not encrypted unless they are sent from a sender that is both using S/MIME and has the recipient's public key.

[5] http://en.wikipedia.org/wiki/comparison_of_exchange_activesync_clients

S/MIME Limitations

In addition to S/MIME's constraints encrypting messages to external recipients, the following limitations also apply:

- S/MIME does not encrypt email subjects. The following example highlights the importance of encrypting subjects in addition to email messages: "Subject: Request 20% Discount for ABC Bank proposal to beat Competitor N."
- Messages are only encrypted when the sender has all recipient certificates. If one certificate is missing, the email will not be encrypted when sent to any of the recipients, nor will it be encrypted in the sender's Sent Items folder.
- Calendars, invitations, tasks and other Exchange items are not encrypted.
- If using Post Office Protocol (POP3) or Internet Message Access Protocol (IMAP), distribution lists are not supported and emails sent to distribution lists are not encrypted.
- Server-side operations cannot be performed on the encrypted data; therefore search, sort, indexing, DLP scanning, and e-discovery are not supported.
- Plug-ins are required in order for OWA to use S/MIME in IE. In order to support S/MIME on any other browser, the private key must be installed on each device where OWA is utilized with S/MIME, and the device must be joined to the AD domain.
- Message previews are not supported.

S/MIME Key Management

S/MIME does not provide out-of-the-box centralized key management for private or public keys. End-users must maintain both a certificate and a matching private key, and it is critical that the keys are properly stored and protected. Every user maintains the certificate and key without any standard key management procedure. It is recommended that administrators define and implement processes to securely back up user private keys, either by company policy or by setting up a key escrow and backup service.

Serious security risks are introduced: end-users can easily generate their own keys using a third-party service, without the approval or knowledge of the administrator. The third-party service has access to the private key and the enterprise lacks oversight and supervision, creating a significant security gap.

When using S/MIME in OWA, email preview and the conversation view are not supported, and email must be opened in a separate window.
S/MIME Support Summary

Columns: Encryption Feature | S/MIME.

Encryption Feature
- Internal email messages encrypted [6]
- Outbound email messages encrypted [7]
- Outgoing email messages encrypted before arriving at the Exchange server
- Incoming email messages encrypted
- Email subjects encrypted
- Calendar items and invites encrypted
- Tasks encrypted
- Encrypt messages sent to both S/MIME encrypted users and non-S/MIME users
Client Support
- Mac/OSX support
- Android support
- IE browser support [8]
- Other browser support
- Distribution lists supported from POP3, IMAP and Mac clients

Key Management
- Keys cannot be accessed by Exchange
- Out-of-the-box support for private key backups
- Centralized key management

Office 365 Feature Support
- Server-side operations such as search and sort
- Message previews
- e-discovery support [9]
- Scanning messages for policy violations
- DLP support
- Message archiving support

[6] Internal messages are encrypted as long as no external recipients without available certificates are included.
[7] External messages are not encrypted unless the recipient has a certificate and emails it to the sender.
[8] In order to support IE, each computer using S/MIME with OWA must be joined to an AD domain, and must have the user's private key installed.
[9] http://technet.microsoft.com/en-us/library/dd298021(v=exchg.150).aspx
Appendix B: Office 365 Message Encryption

Office 365 Message Encryption, formerly called Exchange Hosted Encryption (EHE), is used for securing outbound emails based on administrator-defined policy. Recipients can use OWA, and recipient identities are managed as Microsoft Online Services (MSOL) accounts, requiring users to maintain an MSOL account.

How Office 365 Message Encryption Works

Administrators set policy-based rules and, once implemented, internal users can send and receive encrypted email directly from their desktops. This service sends a clear-text email with the encrypted message included as an attachment. Using a web browser compatible with Office 365 Message Encryption, recipients must log in to the sender's server and securely read the email in its original form. Outgoing messages are encrypted once they leave the Exchange server. However, they are stored on the Exchange server in the clear.

Office 365 Message Encryption Limitations

While Office 365 Message Encryption is a partial solution for email security, governance and compliance, it falls short in the following areas:

- Does not ensure all outgoing emails are persistently encrypted.
- Does not encrypt incoming messages.
- Does not encrypt internal messages.
- Does not encrypt email subjects. The following example highlights the importance of encrypting subjects in addition to email messages: "Subject: Request 20% Discount for ABC Bank proposal to beat Competitor N."
- Emails are not encrypted while stored in the Exchange server transport.
- Decrypts email messages for server-side operations such as search, sort and indexing.

Office 365 Message Encryption Key Management

Encryption key management remains a critical aspect of cloud encryption. Whoever owns and maintains the encryption keys controls access to the data.
If the cloud service provider manages the keys on behalf of the customer, whether in memory or in an HSM, they can access the data, and are obligated to share the data with government officials if presented with a subpoena, without notifying the tenant organization.

Unique Office 365 Message Encryption keys are generated for each encrypted email. Keys are stored in the Office 365 data center, where Microsoft has access to the keys. Keys can be accessed from an Office 365 MSOL account using a password.

Office 365 Message Encryption is not transparent to users and administrators.

Office 365 Message Encryption Support Summary

The following table summarizes Office 365 Message Encryption capabilities. Columns: Encryption Feature | Office 365 Encryption.

Encryption
- Internal email messages encrypted
- Outgoing email messages encrypted
- Incoming email messages encrypted
- Email subjects encrypted
- All emails consistently encrypted
- Calendar items and invites encrypted
- Tasks encrypted
- Emails encrypted while stored in the Exchange server transport

Client Support
- Mac/OSX support
- Android support
- Browser support
- Distribution lists supported from POP3 and IMAP clients

Key Management
- Keys are maintained by the end-user

Office 365 Feature Support
- Server-side operations such as search and sort on encrypted data [10]
- Recipient can access their email seamlessly through their inbox
- Recipients must maintain an MSOL account
- Message previews
- e-discovery support on encrypted data
- Scanning encrypted messages for policy violations
- DLP support for encrypted messages
- Message archiving support for encrypted messages

[10] In order to provide server-side operations including search and sort, Microsoft decrypts your data and processes it in the clear.
[11] http://technet.microsoft.com/en-us/library/dd298021(v=exchg.150).aspx
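The S/MIME limitations in Appendix A (subjects, calendar items and tasks travel outside the envelope) and the Office 365 Message Encryption description above (a clear-text notification carrying the protected content as an attachment) share one practical consequence: some parts of every message stay readable by whoever can see it on the server. The following Python script, added here as an illustration and not part of this white paper or of any Microsoft or Vaultive product, parses three constructed sample messages with the standard library's email package and reports which parts are readable without any key. The addresses, the placeholder base64 bodies and the attachment name and type are constructed for the example and do not reproduce the real Office 365 Message Encryption format.

```python
"""Audit an RFC 822 message for content that stays readable on the server.

Added example: three message shapes (S/MIME enveloped, clear-text notice
with protected attachment, plain calendar invite) built from constructed
samples, each audited for what is readable without a decryption key.
"""
from email import message_from_string
from email.message import Message

# MIME types that carry an S/MIME CMS envelope (RFC 8551).
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

# Constructed sample: S/MIME enveloped message. The body is a placeholder
# standing in for a CMS blob; the Subject header sits outside the envelope.
SMIME_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: Request 20% Discount for ABC Bank proposal to beat Competitor N.
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVItQ01TLUJMT0I=
"""

# Constructed sample: clear-text notification with the protected content as an
# attachment. Attachment name and type are assumptions for the example.
NOTIFY_SAMPLE = """\
From: alice@example.com
To: carol@partner.example
Subject: Request 20% Discount for ABC Bank proposal to beat Competitor N.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have received an encrypted message. Open the attachment to read it.
--b1
Content-Type: application/octet-stream; name="message.bin"
Content-Disposition: attachment; filename="message.bin"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVItRU5DUllQVEVELVBBWUxPQUQ=
--b1--
"""

# Constructed sample: calendar invite sent without any encryption.
CALENDAR_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: Board meeting
MIME-Version: 1.0
Content-Type: text/calendar; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Board meeting
DESCRIPTION:Discuss the ABC Bank bid
END:VEVENT
END:VCALENDAR
"""


def is_enveloped(part: Message) -> bool:
    """True if this MIME leaf is an S/MIME enveloped (encrypted) body."""
    return (part.get_content_type() in SMIME_TYPES
            and part.get_param("smime-type") == "enveloped-data")


def audit(raw: str) -> dict:
    """Classify every MIME leaf: enveloped, readable text, or opaque binary."""
    msg = message_from_string(raw)
    report = {
        "subject": msg.get("Subject", ""),   # headers are never inside the envelope
        "enveloped_parts": 0,
        "readable_parts": [],                # text/* leaves anyone holding the file can read
        "opaque_parts": [],                  # non-text leaves we cannot classify
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        if is_enveloped(part):
            report["enveloped_parts"] += 1
        elif part.get_content_maintype() == "text":
            report["readable_parts"].append(part.get_content_type())
        else:
            report["opaque_parts"].append(part.get_content_type())
    return report


def findings(raw: str) -> list:
    """Turn an audit report into a list of plain-language exposures."""
    r = audit(raw)
    out = []
    if r["subject"]:
        out.append("subject readable: " + r["subject"])
    if "text/calendar" in r["readable_parts"]:
        out.append("calendar item readable")
    if any(t != "text/calendar" for t in r["readable_parts"]):
        out.append("body text readable")
    if r["enveloped_parts"] == 0 and r["opaque_parts"]:
        out.append("protection, if any, lives only in an attachment")
    return out


if __name__ == "__main__":
    for name, sample in (("S/MIME", SMIME_SAMPLE),
                         ("notification", NOTIFY_SAMPLE),
                         ("calendar", CALENDAR_SAMPLE)):
        print(name, "->", findings(sample))
```

Run against a mailbox export, the same audit shows at a glance which items an encryption product has actually covered: an S/MIME message yields only the subject finding, a notification-style message yields a readable body plus an attachment, and an unencrypted invite yields its calendar text.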
Appendix C: Exchange Information Rights Management (IRM)

IRM, built on Microsoft AD Rights Management Service (RMS), outlines content access control based on policy. The policy can be defined per message or document, and permissions are granularly defined, including reading, copying and pasting, editing, or printing content.

How IRM Works

IRM utilizes public-key cryptography (public and private keys). When IRM is applied to an email message, once the item is in the Exchange system a key is generated per item to maintain the restrictions and access associated with the content. The per-item key is encrypted using the RMS public key. When the item is sent, it is accompanied by a license specifying the restrictions and limitations in accessing the content. The recipient's client software must contact the RMS server in order to decrypt the message, and should respect (but cannot enforce) the attached RMS license.

IRM Limitations

IRM defines and provides notification of specific corporate policies for a subset of data and email transfers. However, IRM is not intended for use as a security tool and is limited in the following areas:

- Email subjects are not encrypted. The following example highlights the importance of encrypting subjects in addition to email messages: "Subject: Request 20% Discount for ABC Bank proposal to beat Competitor N."
- Not encrypted: calendars, invitations, tasks and other Exchange items.
- Internal email messages are encrypted only after they arrive at the Exchange server, unless sent from Outlook.
- Messages are only encrypted when sent internally. If a single recipient is external, the email will not be encrypted when sent to any of the recipients, nor will it be encrypted in the sender's Sent Items folder.
- The Exchange server has access to the encryption keys and decrypts IRM messages when performing the following:
  - Indexing messages for server searches
  - DLP scanning and Transport Rule evaluations
  - Journaling
  - OWA views
  - ActiveSync downloads
  - OWA indexing
- The Exchange server provides bulk decryption of messages, which is unacceptable for many security-aware or regulated organizations.
- Administrators must configure a highly-available AD RMS infrastructure in order to maintain functionality.
- Message previews are not supported. In particular, the OWA short preview and conversation view are blank.

IRM Key Management

Individual users are provided with private keys for decryption based on their AD identity. Public keys are generated and encrypted per message and accompany the message when sent. The AD RMS private key is either stored in an on-premises RMS server, requiring a solid backup facility, or on an Office 365 RMS server with an on-premises hardware security module (HSM). Although the keys are stored on premises, the Exchange server constantly accesses the keys and decrypts the content to enable ActiveSync, OWA, journaling, indexing and transport scanning.

IRM Support Summary

The following table summarizes IRM capabilities. Only Microsoft desktop clients, mobiles and OWA support IRM. Mac Mail, POP3, IMAP, Linux and Thunderbird are not supported.
Columns: Encryption Feature | IRM.

Encryption
- Internal messages encrypted once they arrive at the Exchange server
- Email subjects encrypted
- Outgoing email messages encrypted at the sender's client
- Incoming email messages encrypted
- Calendar items encrypted
- Tasks encrypted
- Encryption achieved seamlessly

Client Support
- Mac/OSX support
- Android support
- POP, IMAP

Key Management
- Tenant organization retains exclusive access to encryption keys

Office 365 Feature Support
- Server-side operations such as search and sort on encrypted data [16]
- Message previews
- e-discovery support on encrypted data
- DLP support for encrypted messages
- Message archiving support for encrypted messages

[16] In order to provide server-side operations including search and sort, Microsoft decrypts your data and processes it in the clear.