Happy with your email?



Happy with your email? Answers on a postcard please
Dean Adams, Trustis Limited
Copyright Trustis Limited 2001. All rights reserved.

Email is all-pervasive nowadays; it is difficult to imagine how we would ever cope without it. Until recently, the vast majority of discussions relating to important company matters might have been conducted face-to-face, in some company meeting room. These days, however, employees are far more likely to discuss such topics over email than through any other means.

Imagine that the only way you could communicate with your clients, colleagues, partners and suppliers was through the picture postcard. Would that affect what you put down in writing? It should! Why is it then that most organisations, in all likelihood including your own, continue to communicate sensitive and sometimes critical information via email? Of course we all want the benefits of email: the ability to communicate swiftly, cheaply and without regard to location or time zone. But can we afford to bet our business on the chance that the email might be read or forged by others?

Journalist Maryfran Johnson reported the following on 4th March 2000: "In a show of instructive mischief, a reader not too long ago sent me e-mail that arrived from myself. I'd been spoofed. This fellow (clearly a man with time on his hands and a mission in his heart) intended me no harm. But he wanted to show me how pitifully easy it was to slip into my e-mail system and borrow my online identity."

Late last year, Alibris, an online rare bookseller, was charged with intercepting a competitor's email traffic. The competitor in question was Amazon.com, and Alibris agreed to pay $250,000 to settle criminal claims.

These two examples, and hundreds of incidents like them, demonstrate that email can be subverted and compromised by those in the know, or by those with desktop tools provided by those in the know.

Email accounts for around 70 per cent of all network traffic, yet despite its very prevalent and ever-increasing use as an integral part of business transactions, the degree to which it is protected by security measures seriously lags behind other corporate resources. This, of course, leaves it wide open to forgery, tampering and simple snooping, amongst other threats. When we look at the sort of information that routinely gets transmitted through our email systems, it is easy to come to the conclusion that email is the single largest unprotected application that exists in the corporate world right now.

The lack of security associated with our use of email is not necessarily the result of apathy. Many people are simply not aware of the threats and risks that email is exposed to, and there is a widespread underlying assumption that the sheer volume of email on the Internet somehow protects them. A simple search for press coverage of security incidents involving email would quickly show, however, that breaches of security involving email occur with alarming regularity. If you and your organisation don't want to be the subject of yet another press report, you need to take steps to protect yourselves when using email.

My organisation uses email: am I at risk?

In order to answer that question, we need to understand what and where the common threats to email are. To protect our email usage effectively, we must know what it is that we are protecting against. Only then can we make sensible judgements on what sort of protective measures to take, where they should be taken, and when.

Where are the threats: internal or external?

If you were to ask most IT managers where they had most concerns regarding email, they would probably cite all sorts of Internet-based hacking activities. Make no mistake about it, these certainly do occur, and have the potential to trigger the sort of publicity that can be highly damaging to a company, as well as being directly responsible for financial and other losses. However, between fifty and eighty per cent of security incidents are due to causes that are internal to the organisation, and can range from simple and honest mistakes made by staff to deliberate and malicious behaviour (see "Security: It's not just about keeping the bad guys out" at http://www.trustis.com). Typically, an insider has much more knowledge about the organisation's information assets, and much more opportunity to access them, than anyone outside the company. Anyone who is serious about securing their organisation's email usage should not forget this, and should ensure that adequate protective measures are taken inside the company as well as on the outside. The threats arising from internal causes are not entirely concerned with confidentiality. As we shall see, many other worrying and damaging incidents can originate from within the company as well as from the outside.

What are the threats?

Breach of Confidentiality

How damaging would it be if email conversations on such subjects as reorganisation plans, staff appraisals and salaries, or the future of project X were to become common knowledge within the company? Would it be more damaging for that information to be seen by someone outside the company? Normal email is essentially transmitted in the clear. It is almost equivalent to writing on a postcard. For those operating under the jurisdiction of the European Directive on Data Protection, if you are sending email that contains information relating to some person and considered to be of a personal nature, then unless you have taken adequate steps to protect that information from unauthorised disclosure, you are at risk of prosecution.

Lack of Integrity

Emails can be intercepted, modified, and then sent on their way. Normal email has no protection from such a threat, and the recipients have no idea that they may be acting on false information. Imagine the chaos that could be caused by minor modifications such as the insertion or removal of the word "not", or changes to figures, delivery addresses or dates.

Unverified Identity

It is relatively easy to forge an email to make it appear to come from someone else, with potentially dramatic consequences. Even within the company this is a problem. For example, most people would unquestioningly and immediately act on an email that purported to come from their manager or the CEO. By the time the forgery has been discovered, in all likelihood the damage has already been done. According to the Associated Press, 24th March 2000: "Dozens of electronic messages racing across the Internet this week carried what's believed to be an unprecedented payload--a subpoena and other documents approved by a judge, warning that the recipient's Web site may be violating a federal court order. Supporters applaud the idea, saying it allows attorneys to respond in accelerated 'Internet time' to new issues of law and technology. Critics say it's unworkable because email can be falsified or forged so easily."

Virus Infection

Viruses have the ability to render a company completely unable to conduct business if not checked. According to the ICSA Labs 1999 Computer Virus Prevalence Survey, infections from email attachments increased from 32 per cent in 1998 to 56 per cent in 1999, and as a result topped the list of the sources of viral infections.

Unsuitable Content

This is a source of great concern to almost all companies now, especially since quite a large number of companies have fallen foul of this particular issue and, as a result, have been taken to court with expensive and publicly damaging consequences. On 16th March 2000, SACA, the South African Certification Agency, reported: "Management at Tongaat-Hulett must have cringed when they listened to President Mbeki's State of the Nation address to parliament. The vitriolic racism spewed by their chief engineer, Odendaal, in an email instantly became a topic of conversation throughout South Africa. In an attempt to distance themselves from his offensive attitudes, Tongaat-Hulett not only struck the sender of the e-mail off their employee list but also threatened to seek out like-minded people."

What can we do?

First and foremost, define an email policy! All good security starts with policies, and the security of email is no exception. Ideally the email policy should be part of a wider-ranging set of security policies addressing all facets of day-to-day operations. There is a great temptation to purchase and deploy any number of the security products available in the marketplace which are designed to combat one or more of the threats we have just discussed. However, without an email security policy, any technical protective measures will be applied in an undirected manner, without clearly defined common goals that stem from a business perspective rather than a technical one. Technology-led approaches will very likely result in inadequate use of non-technical means of reducing the risks associated with email, and of recovering from situations where the technology fails to protect.

Education should play a key role when forming these policies. Employees need to know what should and should not be emailed, to whom and under what circumstances. Employees should also be involved in the creation of the policy. If its content is something that is merely commanded from on high, without any involvement from staff, it may not be enforced so easily. However, the premise that there shall be email security, and security in general, is something that from a policy perspective needs to be mandated and fully supported from on high. Upper-level management has to state clearly that the email policy is important, that this is what we want people to do, and that these are the consequences of not following the policy.

Assuming that we have defined an email policy and we have the full and active support of senior management, we should now be looking to support that policy through the use of appropriate technology and procedures.

Protection through technology

There are several very effective and well-used technologies that we can use to protect ourselves from the threats to email. What will become obvious, however, is that the decision to deploy one or more of these techniques cannot be taken in isolation. The decision to deploy one safeguard, and how it is to be deployed, will affect whether or how another can be deployed.

Secure Email

We need to protect ourselves from threats to the confidentiality, integrity and authenticity of our email as it transits a potentially hostile environment like the Internet, and for that we need to make use of what is commonly described as Secure Email. Secure Email uses cryptographic techniques to strongly protect an email conversation from anything considered external to the direct conversation between the originator and the recipient. This is normally called end-to-end security between the originator and the recipient, and ensures that email is sent in a self-contained and secured envelope which cannot be breached by any person or software as it travels from the sender to the recipient.

By using Secure Email, we can protect our email from being read by anyone except the person to whom it is being sent. Used properly, the cryptographic technology upon which it is based can enable us not only to keep our email conversations private, but also to be confident of their origin and to ensure that their contents cannot be tampered with without our knowledge. The confidentiality of the message is achieved by encrypting it, whilst the protection against tampering and the proof of authenticity are achieved through another cryptographic technique called a digital signature.

One does not have to be an expert in cryptography to use these facilities. They are normally supplied as part of normal desktop email programs or, if not, are readily available as additional plug-in components to existing email programs. In normal use, just one or two clicks of the mouse encrypts and/or digitally signs the email.

Sounds too good to be true, and to a certain extent it is. There is a multiplicity of choices facing any organisation wishing to take up Secure Email. There is the question of the underlying technology upon which the Secure Email product is based, for instance S/MIME and PGP amongst others. There are differences in exactly where and how digital signatures and encryption are applied to the message.

S/MIME (Secure/Multipurpose Internet Mail Extensions) is an industry standard that has gained ground in recent years to become the predominant method of securing email. Products that follow this standard make use of what is known as a Public Key Infrastructure (PKI) to manage the large number of keys that accompany the high volume of secure emails, whether digitally signed or encrypted or both. These keys are contained within what are known as Digital Certificates, or industry-standard X.509v3 certificates to be more precise.

In simple terms, an X.509v3 digital certificate is the electronic commerce world's analogue of the passport. It is issued by a trusted authority and binds you as an individual to an identity that can be recognised and verified by other agencies. It confers certain rights and obligations on you according to policies exercised by the issuing authority. Because it includes cryptographic keys, it provides you with the ability to digitally sign messages, documents or transactions, or to verify the signatures of others. It enables you to make messages, documents or transactions readable only by those that you designate.

Traditionally, one of two basic choices has had to be made with regard to the PKI used to support Secure Email: to build the complete infrastructure in-house, or to purchase all-encompassing contract services (outsource). However, recent developments have seen product and service offerings with a much higher degree of flexibility and adaptability to the customer organisation's needs than was previously available. In essence, what was a take-it-or-leave-it, all-embracing approach to PKI has now been broken down into individual roles and components which customer organisations can elect to take ownership of, or contract out, as they see fit (see "Secure E-commerce: A Competitive Advantage" at http://www.trustis.com).

This type of approach has several important benefits to the customer organisation. Firstly, the policy under which certificates are issued and used can be entirely under the control of the customer organisation. Thus the rights, obligations and liabilities associated with the use of Secure Email can be clearly defined and tailored to the needs of the organisation. Secondly, appropriate business-led decisions can be taken with regard to functions that impact on trust, performance and recovery from outages. One final point that should be noted is that a PKI, once established for the support of Secure Email, can also be reused for the support of a variety of other applications such as secure web access, secure payments, virtual private networks, and many others.

S/MIME is not perfect, in the sense that the standard leaves some details open to possibly divergent interpretation by software suppliers, and hence complete interoperability cannot be guaranteed. However, an organisation that bases its Secure Email on the use of S/MIME-compliant products, with the underlying support of a standards-compliant PKI, will certainly have greater confidence that it can successfully exchange secure email with others than through any other method. Industry interoperability trials, with feedback from advanced user organisations, are helping to improve the level of interoperability between different email products.

A critical option available to customer organisations deploying Secure Email is where the encryption, decryption and signing should take place: should it be done at each individual desktop, or should it be done centrally at the mail server? There are pros and cons for both approaches.

If carried out at the desktop, then each user must be issued with his or her own digital certificates for encryption and signatures. To have separate certificates (with separate keys) for encrypting/decrypting and for signing purposes is generally regarded as good security practice. Most reputable email packages will support this separation, and the certificates themselves can be encoded to identify which operations they may be used with. However, not all Certificate Issuing Authorities support this encoding, and instead supply all-purpose certificates. On the pro side, by allowing each individual user to hold their own certificates, individuals can sign messages, documents and transactions as they would do in real life: as themselves. Accountability for actions is assured down to the level of a single individual. Messages can be encrypted so that only the identified individuals can read them, and thus messages are protected from threats that may exist within the corporate network as well as from the outside. On the con side, the customer organisation is engaged in the issuance and management of a potentially large set of certificates.

Some Secure Email products and services adopt the approach of applying encryption/decryption and signatures at a central location, such as the customer organisation's email server. On the pro side, this type of approach will require just a few certificates, issued to the customer organisation itself as a named entity, and thus certificate management problems are greatly reduced in scope. On the con side, individual accountability is not supported; any messages are simply signed as coming from the customer organisation. In addition, because messages are encrypted/decrypted as they pass through the email server, they are essentially stored and forwarded in the clear, and hence unprotected, on the internal corporate network. Given that experience has shown the majority of security threats to originate from within the organisation, this may give some managers pause for thought.

Virus Protection

Most people are familiar with the existence and function of anti-virus software, even if they don't use it themselves. Given that email is one of the prime sources of viral infections, it makes sense to deploy anti-virus software that is capable of detecting viruses carried by email and effectively dealing with them before the email can be opened by an unsuspecting user, potentially unleashing the damaging virus on the internal corporate network. A great many companies use central server-based anti-virus technology.
In general, these work by scanning emails and their attachments as they pass through the email server, and before they are delivered to the end-user desktop. The benefits of this approach are that since virus detection and elimination is done centrally at one place for everyone in the company, only this one central facility needs to be kept updated with the most current virus definitions and anti-virus software. Typically, end-users cannot be relied upon to diligently keep their desktop anti-virus protection up to date, and so a centrally managed facility ensures that the company is always protected by the most up to date measures. The problem with this approach arises when used in conjunction with Secure Email where for the reasons explained earlier, the encryption/decryption and signing are performed at the end-users desktops. If the emails are encrypted/decrypted at the desktop, then the central anti-virus facility will not be able to scan the messages for viruses as they pass through the server. After all, if the anti-virus facility were somehow able to decrypt the messages in order to scan them, then it should also be possible for some other software (possibly malicious) to do the same thing. A solution to this problem lies in the deployment of anti-virus software that is managed centrally for updates and anti-virus policy, but is actually executed locally at each individual desktop when the message is decrypted for opening by the end-user. In this way, the benefits of central ant-virus management and update are retained, whilst allowing for the end-to-end security protection and individual accountability afforded by Secure Email. There are a number of anti-virus products that support this type of approach. Unfortunately, some central anti-virus facilities have still not recognised that end-to-end Secure Email is a growing trend, and consequently have not upgraded their products to deal with this scenario. 
Typically and defensively, these anti-virus product suppliers will recommend to their customers that they do not adopt end-to-end Secure Email, but instead use a centrally operated approach as discussed earlier, where the encryption/decryption is applied at the email server. If you decide that end-to-end Secure Email is what you need, then choose anti-virus technology that is capable of working with it. One final note on anti-virus strategies; viruses can come from a variety of sources apart from email via the corporate email server, such as web, floppies, CD-ROMs, and modem access to the Internet 6

through local ISPs by laptops whilst away from the office. To defend against these sources of viruses, the protection must be on the desktop itself. Anti-virus product manufacturers would recommend however, that you should not necessarily throw away your centralised server based anti-virus technology. Their recommendation is to continue to use it as a second tier of defence for the large number of emails that will not need encryption, and for protecting against viruses that can be sourced from the web via corporate gateways. Content Scanning While offensive email is the most obvious concern, you can also scan for certain key words in email going out to your competitors, to ensure that no company secrets are being divulged. Once you have devised a realistic messaging policy the next step is to actually put the tools in place that will track and manage incoming and outgoing traffic. There are many products available in the marketplace that will perform content scanning on emails according to a corporate policy, and then perform defined actions such as blocking and alerting. However, as with anti-virus products, there are decisions to be made concerning the placement of such facilities; on a central server or at each desktop. Similar considerations to those involved in anti-virus technologies and placement apply when end-to-end Secure Email is used. Luckily, as with anti-virus, there exist content scanning products that can be configured and administered centrally, by the IT department for example, yet are executed locally on each desktop. Under such a scheme, the protection afforded by this type of technology is still operative when a laptop is used outside the internal corporate network. It is notable that as recently as 30 th April 2000, the front page of the Sunday Times reported MI5 is building a new 25m email surveillance centre that will have the power to monitor all emails and Internet messages sent in Britain. 
Of course, in an ideal world, this should not concern law-abiding individuals and organisations. However, there has been quite some concern in the past over alleged commercial espionage activities associated with various security agencies since the ending of the cold war. Your emails could already be being monitored as they transit between your offices in different parts of the world, or between you and your customers, partners or suppliers. Email Servers A common way for unauthorised people to get at your email is by compromise of your email server. By gaining access to this central facility, email from or to anyone can be accessed. Of course, end-toend secure email can protect against this, but the fact remains that some emails that should have been encrypted and or signed, will not have been and are thus exposed to attack from both outside and inside the company. Consequently, great care should be taken to install and configure email servers in a secure manner, as advised by the manufacturer, and on operating systems that also have been similarly carefully installed and configured. Where necessary, and as indicated by a risk analysis, appropriate use can be made of firewalls and intrusion detection technology to provide additional layers of protection. Persistent Protection What happens after an email has been delivered, even if it has been secured? Are you confident that the other party will protect its contents as well as you? Perhaps, the email has some content that you only wish to make available to the recipient until such time as you decide otherwise, for whatever reason. Admittedly for most organisations who have merely replaced their paper-based messaging with email, this is probably not an issue, since this degree of control did not previously exist, except in the Mission Impossible style tape that self-destructs in five seconds 7

However if your organisation does indeed have a requirement for this degree of control over Secure Email sent out to others, then there are products available in the marketplace that will attempt to provide a solution. Mostly these will require the message information (including attachments) to be converted to some non-revisable format, such as postscript or portable document format (PDF), and then require that the recipient download a special viewer plug-in. The plug-in does three things: firstly it requires the recipient to request a decryption key from a persistent protection server that is run from your premises. Secondly it uses the key (which is never exposed to local caching) to decrypt the email content. Thirdly, it prepares and makes available for display and printing, a pixel-only based representation of the content, so that electronic text-based copying and saving cannot be used to subvert the protection. What will you do? Of course if you re not happy adopting any of the protective measures discussed here, you may as well use postcards instead of email. You may even be more secure after all, people are less likely to write offensive or sensitive material on something they know will be in plain view to everyone, and a postcard is less likely to be copied and archived in other places to bite you at some later time. Lastly, postcards don t carry computer viruses. Happy with your email? Now you know you can do something about it! 8

About the Author

Dean Adams

Dean Adams is a principal consultant with the secure e-commerce specialists, Trustis. As such, Dean has been responsible for a number of live PKI deployments and for advising clients on their strategies. Prior to this, Dean spent 9 years with The Open Group, where he was The Open Group's Director of Security and Electronic Commerce and was responsible for all aspects of The Open Group's security program, from market research and business planning, through technical development and certification, to commercial product release. Dean is editor of The Open Group's book, "Security Survival - An Indispensable Guide To Securing Your Business" and a contributor to "CDSA Explained". Dean has also been responsible for several other technical development areas within The Open Group, including operating systems, internationalisation and relational database, and was a Director of the SQL Access Group on behalf of what was then X/Open, prior to its acquisition by X/Open.

Dean has been active in the IT industry for over 18 years. Educated as a physicist, he then worked on several spacecraft projects, involving both hardware and software design. This was followed by several years in a UNIX development environment, where he led various teams on both systems and applications development for commercial deployment, and also on advanced research and development projects. Prior to joining The Open Group, Dean spent a year as an independent consultant, working primarily on the design of graphics software and with systems integrators, and with both the UK and European governments. Before that, he led several teams in the development of advanced document image processing technologies, and other related technologies, for the Racal Group of companies in the UK.

Dean holds a BSc with honours in Physics from the University of Manchester and a Master of Science in Atomic and Molecular Physics (thesis on electron scattering) from the University of Manchester. Dean was responsible for the joint development, by a wide range of well-known companies, of the Single Common Architecture for Public Key Infrastructures (APKI), which has been adopted and published both by The Open Group and by the Internet Engineering Task Force. He was also responsible for a key component of this architecture, the Common Data Security Architecture (CDSA), which provides cryptographic, certificate management, trust policy management and key recovery services amongst others, and which is now available internationally in products from over 20 companies. Dean is a regular speaker at both national and international conferences, and has written articles for various journals.

About Trustis

Trustis is based in the City of London and specialises in secure e-commerce solutions. It provides secure e-business consulting and a range of related applications and trust services through its Trust Service Centre. Trustis has a world-class team of experts and offers truly independent advice. The company has no allegiance to any technology vendor and is able to help clients develop strategies to suit their business, guide them through the complex technology selection process and ensure that the implementation and deployment of e-business solutions is commercially sensible, cost effective and timely.

The Trustis team is made up of e-business security engineers, business specialists, lawyers and consultants, to ensure that every aspect of a client's e-business needs can be met. Only the very highest calibre consultants are deployed, with previous experience and skills in government, commercial and military applications, and from technical, business strategy and legal perspectives. This approach ensures the very best quality delivery, which is essential to maintaining the Trustis brand and reputation. Consultants are kept up-to-date by continual research and are underpinned by the Trustis Technical Committee, described by a technology journalist as an e-business brains trust. Members of the committee are eminent international experts in the field of secure e-business, many of whom advise governments and the international community on how policy, regulation and technology should evolve. Trustis consultants are regularly sought after as speakers at international conferences and seminars, and frequently contribute papers to industry publications.

Technology is only a part of the solution, and Trustis has widely recognised and respected expertise in integrating the technology with appropriate policies, practices and procedures, to ensure that the technology works for the business, not the other way around.

Trustis works with a wide variety of client organisations for which trust in their supplier is paramount. These include organisations in the following sectors:

- Local and Central Government
- EU
- Banking and other Financial Services
- Insurance
- Healthcare
- Law
- Broadcasting
- Dot Coms

in areas as diverse as secure email, web-based payments, e-tendering, business-to-business transactions, secure access to sensitive data, etc. In each case, Trustis has demonstrated its integrity, confidentiality and trustworthiness, as well as its capability to deliver, time after time. Unlike many companies that purport to offer security services, Trustis has the breadth and depth of experience to be able to continue to support organisations as their own needs grow and evolve and as the environment in which they operate becomes ever more challenging and open to threats.

Trustis Limited
49 Whitehall
London SW1A 2BX
Tel: +44 (0)20 7451 1490
Fax: +44 (0)20 7484 7961
Email: info@trustis.com
Web: www.trustis.com

Copyright Trustis Limited 2001. All Rights Reserved.