Policy Based Encryption Essentials. Administrator Guide

Similar documents
Policy Based Encryption E. Administrator Guide

Policy Based Encryption E. Administrator Guide

Policy Based Encryption Z. Administrator Guide

Encryption. Administrator Guide

Symantec Enterprise Vault

Boundary Encryption.cloud Deployment Process Overview

Symantec Enterprise Vault

Symantec Enterprise Vault

Symantec Enterprise Vault

Quick Reference. Administrator Guide

Symantec Enterprise Vault

Symantec Enterprise Vault

Symantec Enterprise Vault

Track and Trace. Administration Guide

Enabling Windows Management Instrumentation Guide

Enterprise Vault.cloud. Microsoft Exchange Managed Folder Archiving Guide

Data Protection. Administrator Guide

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide

Symantec Enterprise Vault

Patch Assessment Content Update Release Notes for CCS Version: Update

Policy Based Encryption Gateway. Administration Guide

IBM Lotus Protector for Mail Encryption

Policy Based Encryption Gateway. Administration Guide

Symantec Backup Exec Management Plug-in for VMware User's Guide

Cloud Services. Cloud Control Panel. Admin Guide

Web Security Firewall Setup. Administrator Guide

Symantec Enterprise Security Manager Oracle Database Modules Release Notes. Version: 5.4

Spambrella SaaS Encryption Enablement for Customers, Domains and Users Quick Start Guide

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide

Symantec Enterprise Vault.cloud Compatibility List. March 13, 2015

Symantec Mobile Management for Configuration Manager

Portal Administration. Administrator Guide

Creating a Content Group and assigning the Encrypt action to the Group.

Symantec Security Information Manager - Best Practices for Selective Backup and Restore

Backup Exec Cloud Storage for Nirvanix Installation Guide. Release 2.0

Backup Exec 15. Quick Installation Guide

Symantec Backup Exec System Recovery Granular Restore Option User's Guide

Veritas Operations Manager Package Anomaly Add-on User's Guide 4.1

Spam Manager. User Guide

SaaS Encryption Enablement for Customers, Domains and Users Quick Start Guide

Symantec Mail Security for Microsoft Exchange

Symantec Endpoint Protection Shared Insight Cache User Guide

Veritas Operations Manager LDom Capacity Management Add-on User's Guide 4.1

Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0

IBM Lotus Protector for Mail Encryption

Spam Manager. Quarantine Administrator Guide

Services Deployment. Administrator Guide

Symantec Backup Exec System Recovery Exchange Retrieve Option User's Guide

Quick Start Guide for Symantec Event Collector for ForeScout CounterACT

NetBackup Backup, Archive, and Restore Getting Started Guide

Symantec Client Firewall Policy Migration Guide

Symantec Data Center Security: Server Advanced v6.0. Agent Guide

How To Archive A Mail From A Mailbox On A Server On A Password Protected (Smtp) On A Pc Or Mac (Mailbox) On An Ipa (For A Password Saf ) On Your Pc Or Ipa On A Mac

Symantec Managed PKI. Integration Guide for ActiveSync

Symantec NetBackup Backup, Archive, and Restore Getting Started Guide. Release 7.5

Symantec AntiVirus Corporate Edition Patch Update

Spambrella SaaS Encryption Enablement for Customers, Domains and Users Quick Start Guide

Symantec Mobile Management 7.2 MR1Quick-start Guide

Best Practices for Running Symantec Endpoint Protection 12.1 on the Microsoft Azure Platform

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide

Symantec Enterprise Vault Technical Note. Administering the Monitoring database. Windows

Norton Small Business. Getting Started Guide

Symantec NetBackup OpenStorage Solutions Guide for Disk

Symantec Backup Exec 2010 R2. Quick Installation Guide

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide

Symantec Enterprise Vault

Symantec NetBackup Vault Operator's Guide

Symantec ESM Agent For IBM iseries AS/400

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

Getting Started with Symantec Endpoint Protection

Best Practices for Running Symantec Endpoint Protection 12.1 on Point-of- Sale Devices

Symantec Endpoint Encryption Device Control Release Notes

Configuring Symantec AntiVirus for Hitachi High-performance NAS Platform, powered by BlueArc

Symantec Drive Encryption for Windows

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

McAfee Gateway 7.x Encryption and IronPort Integration Guide

Symantec Enterprise Vault

Symantec Protection Center Enterprise 3.0. Release Notes

Symantec Critical System Protection Agent Guide

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note

Dell Spotlight on Active Directory Server Health Wizard Configuration Guide

Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide

T E C H N I C A L S A L E S S O L U T I O N

AntiSpam. Administrator Guide and Spam Manager Deployment Guide

Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide

IC L05: Security.cloud Configuring DLP on to your flow & Applying security to your Office 365 or Google Apps deployment Hands-On Lab

VERITAS NetBackup 6.0

Symantec ApplicationHA agent for SharePoint Server 2010 Configuration Guide

Report Designer and Report Designer Add-In Installation Guide Version 1.0

Nokia for Business. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Symantec Virtual Machine Management 7.1 User Guide

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide

Address Registration. Administrator Guide

Symantec Secure Proxy Administration Guide

Pipeliner CRM Phaenomena Guide Add-In for MS Outlook Pipelinersales Inc.

Transcription:

Policy Based Encryption Essentials Administrator Guide

Policy Based Encryption Essentials Administrator Guide Documentation version: 1.0 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ( Third Party Programs ). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com

Technical support If you need help on an aspect of the security services that is not covered by the online Help or administrator guides, contact your IT administrator or Support team. To find your Support team's contact details in the portal, click Support > Contact us.

About Policy Based Encryption Essentials This document includes the following topics: Introduction to Policy Based Encryption Essentials Defining a Policy Based Encryption Essentials policy Enforcing TLS between your domains and the Email Security Services infrastructure Installing the PBE Essentials Email Encryption Add-In FAQs about PBE Essentials and PBE Advanced Introduction to Policy Based Encryption Essentials Policy Based Encryption (PBE) Essentials is an email encryption service that is available to Email Security.cloud customers who have the Email Safeguard bundle or are provisioned with the Email Data Protection service. PBE Essentials is used to encrypt your organization's outbound email that contains sensitive information, and the service is invoked with the Data Protection policies that you configure. You can set up Data Protection policies to look for specific keywords within the subject line, body, and attachments of email that is sent from your organization. These keywords act as flags to trigger encryption. Your users can also use the Email Encryption Add-In, which provides an option within Microsoft Outlook to add a trigger header to outbound email messages. When messages are flagged for encryption, the original message and any attachments are sent to the recipient in an encrypted PDF attachment. See Introduction to Policy Based Encryption Essentials on page 5.

Defining a Policy Based Encryption Essentials policy 6 See Defining a Policy Based Encryption Essentials policy on page 6. See Enforcing TLS between your domains and the Email Security Services infrastructure on page 9. See Installing the PBE Essentials Email Encryption Add-In on page 11. See FAQs about PBE Essentials and PBE Advanced on page 12. Defining a Policy Based Encryption Essentials policy Policy Based Encryption Essentials (PBE Essentials) is closely integrated with Email Data Protection (Data Protection). When an outbound email meets the criteria you define in a Data Protection policy, encryption is triggered. The emails that trigger the policy are redirected to a specific email address, which routes the email through the encryption infrastructure and on to the recipient. Two PBE Essentials templates are available in the Email Data Protection policy list to help you create custom policies for your organization. Each policy is a set of rules that are designed to analyze your organization's email and encrypt any email that matches the predefined conditions. You are not required to use a template to create a policy, but the templates provide relevant default settings to help you maintain consistency. For example, the templates have the recipient group condition and the redirect to administrator address included as defaults. You configure your policies to encrypt those emails that meet specific criteria. The criteria are trigger keywords or phrases that the sender types into the body of an email. For example, you can set up a policy that encrypts any emails that include the word "encrypted". Other triggers for a policy might include number sequences that appear to be credit card numbers, or particular product or project names. If the Email Encryption Add-In for Microsoft Outlook is configured in your organization, your users can also insert headers into their email to trigger encryption.

Defining a Policy Based Encryption Essentials policy 7 Table 1-1 Policy Based Encryption Essentials Templates Template Name and Redirect to Administrator Email Address PBE Essentials Trigger Template (EU) secure@encrypt-emea.emailprivacy.com Description and Actions The recipient receives the original message in an encrypted PDF attachment. This template is set to look for a specific keyword within the subject, email body, attachments, or the header inserted by the Email Encryption Add-In of email sent from your organization. Apply To: Outbound Email Only Execute If: All rules are met Action: Redirect to administrator (check the box to stop the evaluation of lower priority policies) Notification: Use settings as defined on Email Data Protection Settings page PBE Essentials Trigger Template (US) secure@encrypt-us.emailprivacy.com The recipient receives the original message in an encrypted PDF attachment. This template is set to look for a specific keyword within the subject, email body, attachments, or the header inserted by the Email Encryption Add-In of email sent from your organization. Apply To: Outbound Email Only Execute If: All rules are met Action: Redirect to administrator (check the box to stop the evaluation of lower priority policies) Notification: Use settings as defined on Email Data Protection Settings page

Defining a Policy Based Encryption Essentials policy 8 Note: Legacy Policy Based Encryption E and Policy Based Encryption Z templates are available in the portal for use by existing customers of those services. If you are a Policy Based Encryption E customer who is interested in using Policy Based Encryption Advanced functionality, speak to your Support Representative about updating your organization's existing encryption profile. Policy Based Encryption Essentials customers can only use the Policy Based Encryption Essentials templates. To define an encryption policy from a template 1 Select Services > Email Services > Data Protection. 2 Click the New Policy from Template option. 3 Select the appropriate PBE Essentials template from the list and click Create. A new PBE Essentials policy is created at the bottom of your policy list. You may need to adjust the number of policies shown to display your newly created PBE Essentials policy in the list, or you can manually navigate to the end of the list. 4 Click on the newly created policy name to open it. You can modify the name of the policy if required. The policy will already have the default setting of Outbound mail only applied, and the default action is Redirect to Administrator. 5 Ensure that you are using the correct template, and then double-check the policy is using the correct redirect address. 6 The first rule in a PBE Essentials template policy is a Recipient Group rule. Note that all PBE Essentials policies require a recipient group rule to be triggered. By default, the Recipient Group rule in a PBE Essentials template is configured to trigger if the message recipient does not match an address in the Default PBE Recipient Group. By default, the default group contains example@domain.com, so as long as example@domain.com is not a recipient of the message, the rule will always be triggered. This setup works for almost all configurations and therefore rarely needs to be modified.

Enforcing TLS between your domains and the Email Security Services infrastructure 9 7 The PBE Essentials templates contain two additional rules by default that are used to help identify messages containing sensitive data. The first rule looks for common keywords that may be found in messages that customers may want to be encrypted. Examples of these keywords are confidential, sensitive, and encrypt. The second such rule looks for headers that are found in a message if the sender has flagged the message for encryption using the Email Encryption Add-In. These rules can be left in place, or you can remove them and create your own new rules to identify messages with sensitive data. 8 Once your PBE Essentials policy is finalized, click the Save button in the bottom right hand corner of the page. Once saved, you can move the policy to where you want it positioned in your policy list. Note that you must activate the policy by clicking the Activate link in the far right hand column. Once activated, your policy will typically be in effect in 30-60 minutes. See Introduction to Policy Based Encryption Essentials on page 5. See Enforcing TLS between your domains and the Email Security Services infrastructure on page 9. See Installing the PBE Essentials Email Encryption Add-In on page 11. See FAQs about PBE Essentials and PBE Advanced on page 12. Enforcing TLS between your domains and the Email Security Services infrastructure Policy Based Encryption Essentials (PBE Essentials) and Policy Based Encryption Advanced (PBE Advanced) are Email Security.cloud services that provide an extra level of email encryption. PBE Essentials and PBE Advanced do not have any dependencies on other encryption technologies, so you can easily send encrypted email to third-party recipients. PBE Essentials and PBE Advanced are cloud-based email encryption services that are integrated with the Email Data Protection service. Email Data Protection policies identify when messages should be encrypted using different types of triggers. Email messages that trigger encryption policies are routed through an email encryption infrastructure and then on to the recipients.

Enforcing TLS between your domains and the Email Security Services infrastructure 10 Note: Outbound messages from your organization that are flagged for encryption by the PBE Essentials or PBE Advanced services must be routed securely using TLS from your mail servers to the Email Security Services (ESS) infrastructure. A failure to send outbound messages for encryption over TLS results in a bounce back to the message sender. To ensure that all outbound messages are routed securely to the ESS infrastructure, you are advised to enforce TLS encryption on all outbound messages from your domains that are enabled with PBE Essentials or PBE Advanced. To enable TLS outbound from your domains to the ESS infrastructure, navigate in the portal to Services > Email Services > Encryption. Within the TLS Enforcements tab, click on the domains you want to configure, or click on Default Settings. In the section titled TLS Enforcements between you and the Email Security Service..., ensure that Always enforce TLS outbound from my domain to the Email Security Services infrastructure is checked. This diagram shows the portion of the process where TLS encryption is enabled outbound from your domains to the ESS infrastructure: Figure 1-1 Always enforce TLS outbound from my domain to the Email Security Services infrastructure TLS-enabled traffic Outbound Outbound My domain Inbound Email Security Services (ESS) Inbound Third-party mail server Note: To ensure that third-party replies to your PBE Essentials or PBE Advanced encrypted messages are delivered securely to your domains, you can enable TLS encryption from the ESS infrastructure to your domains. To enable TLS inbound from the ESS infrastructure to your domains, navigate in the portal to Services > Email Services > Encryption. Within the TLS Enforcements tab, click on the domains you want to configure, or click on Default Settings. In the section titled TLS Enforcements between you and the Email Security Service..., ensure that Always enforce TLS inbound from the Email Security Services infrastructure to my domain is checked. This diagram shows the portion of the process where TLS encryption is enabled inbound from the ESS infrastructure to your domains:

Installing the PBE Essentials Email Encryption Add-In 11 Figure 1-2 Always enforce TLS inbound from the Email Security Services infrastructure to my domain Outbound Inbound Email Security Services (ESS) Outbound Inbound My domain TLS-enabled traffic Third-party mail server Installing the PBE Essentials Email Encryption Add-In As an administrator for your organization, you can deploy the Email Encryption Add-In to your users' Microsoft Outlook installations. With the Email Encryption Add-In installed, an Encrypt button is configured to appear in the Microsoft Outlook ribbon when a user composes or replies to an email. Upon clicking the Encrypt button, this header is inserted into the outbound email: x-echoworx-encrypt yes The Encrypt button can be used as an encryption trigger. A rule condition exists in the Policy Based Encryption Essentials templates to detect this trigger. The Email Encryption Add-In is installed using an installation wizard. Note that a reboot is not required after installation. To install the Email Encryption Add-In for Outlook 1 Download the installer from the following location: Email Encryption Add-In for Outlook 2 Double-click the installer, then click Next. 3 If you accept the End User License Agreement, select I accept the terms of the license agreement and then click Next. 4 Accept the default destination folder, or click Change... and select the required folder. The default destination folder is C:\Program Files\Encryption Services. 5 Read the message and then click Install. 6 To complete the installation, click Finish. Note: PBE Essentials customers have access to a particular version of the Email Encryption Add-In that allows users to set a one-time shared pass phrase on push encrypted email messages.

FAQs about PBE Essentials and PBE Advanced 12 See Introduction to Policy Based Encryption Essentials on page 5. See Defining a Policy Based Encryption Essentials policy on page 6. See Enforcing TLS between your domains and the Email Security Services infrastructure on page 9. See FAQs about PBE Essentials and PBE Advanced on page 12. FAQs about PBE Essentials and PBE Advanced The following frequently asked questions provide further information about the Policy Based Encryption Essentials and the Policy Based Encryption Advanced services. Table 1-2 FAQs Question Answer Are email messages transmitted securely to the Email Security Services infrastructure? Only if your organization has enforced TLS between your mail servers and the Email Security Services (ESS) infrastructure. When an email triggers a Data Protection encryption rule, your email is only encrypted on the first leg of its journey if TLS is enforced from your domain to the ESS infrastructure. Mail cannot be identified as needing to be encrypted until it is scanned by the Data Protection service. Will an encrypted email be available indefinitely? When using the pull methodology, emails are not retained indefinitely. Messages expire and are no longer available after the configured time. The default expiry period is 30 days. If a user needs to access emails after this time, their content must have been printed or copied into another format before expiry. Expired emails cannot be retrieved. Emails that are sent using the push method are available until they are deleted. They are stored in the recipient's email system. Does an email that is sent by an administrator bypass encryption? Yes. The PBE service does not intercept any emails that an administrator sends to avoid policies blocking Administrator emails. We recommend that administrators use a special email address (e.g. ccadmin@exampledomain.com) for administrative purposes, instead of their own personal email address. Then all emails that are sent from the personal email address can be encrypted when they trigger the encryption policy, as normal. Does the order of Data Protection policies make any difference to how Policy Based Encryption works? Yes, the Data Protection service scans emails for each policy in order. When an email triggers a policy with an exit action, such as the redirect to administrator action that is used in Policy Based Encryption, the email is not scanned for any further policies.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information