Data Security & Privacy Certification: Understanding Email Encryption
Introduction to Encryption
• Organizations are buying email encryption TODAY
• They can buy from YOU or they can buy from your competitor
• Once you have an encryption customer they are a customer for life, as changing providers is costly and complex
What is encryption
• Encryption transforms readable data into unreadable data (cipher text) using an algorithm
• Only those possessing the decryption “key” can unlock the data
• The use of encryption/decryption is as old as the art of communication. It has been used for centuries, and in time of war, to protect confidential information from the enemy
Encryption benefits
With a focus on policy-based encryption:
• Eliminates the possibility of confidential information being read by anyone other than the intended recipient
• Helps organizations meet compliance regulations
• Automatically encrypts emails based on pre-defined policies
• Enables security audits and tracking
• Good business practice
Gartner recommends that all companies make efforts to broadly install encryption across all their workstations
Magic Quadrant, Sept 7, 2011
Why?
• To comply with data protection regulations
• To follow best practices
• To take a more proactive approach to data protection and avoid:
  • high costs
  • heavy fines
  • brand damage
  • operational disruption caused by a data breach
Organizations want to buy from YOU!
Solutions involving encryption have seen the biggest increase in IT budget earmarks over the past year
If they don’t, they are vulnerable to...
• Significant fines
• Loss of reputation
• Loss of customers
• Possible business data loss and failure
The cost of encryption
• The cost of a data breach is always higher than the cost to invest in preventive measures
• Organizations can pay for encryption upfront or run the risk of paying more later
Best practice
• As content can be easily intercepted, encryption is synonymous with best practice
• Most companies, even if not in regulated industries, recognize that encrypting business data is best practice
Did you know?
• Email is still the #1 communications tool
• Workers spend on average 152 minutes per day on email
• 1 in 5 outgoing emails contain content that poses a legal, financial, or regulatory risk
• 75% of all corporate emails contain some Intellectual Property
• Worldwide email accounts are projected to increase from over 2.9 billion in 2010 to over 3.8 billion by 2014
• 26% of these will belong to corporate users
Encrypting everything?
• Encrypting everything is only a viable solution if time and money are not factors in the decision process:
  • High up-front capital investment in the encryption solution – most are not subscription model-based
  • Investment in newer equipment that can handle the burden of constant encryption
  • Increased training in both solution administration and management
  • Additional administration of password or key management
  • And more …
Data leakage
• Since the invention of the floppy disk, data leakage has been on the minds, and often in the nightmares, of all IT security personnel
• You could make a direct correlation between data leakage and the creation of the IT Security industry as a whole
Defining data leakage
THE HUMAN EFFECT (inadvertent)
• Verbally revealing confidential information to outsiders
• Confidential information revealed on Twitter, Facebook, etc.
• An ex-employee discusses trade secrets with a new employer
• Confidential data inadvertently left in a public place
THE TECHNOLOGY EFFECT (malicious)
• Malicious hacking or use of viruses, bots, trojans, etc., to gain access to critical systems through corporate firewalls and other safeguards
• Sharing secure email communications via unsecure channels
• Downloading confidential information onto portable devices such as thumb drives, iPods, etc.
• Physically stealing laptops, hard drives, etc.
New data leakage culprit
• Mobile devices are not part of the internal company network
• Organizations are embracing BYOD (bring your own device)
• With a mobile workforce, organizations rely more on mobile devices than ever before
The cost of a data breach
• $140 per record
• $14 M cost on average (100,000 records)
• $5 M: Notification, legal expenses, discounts, telecoms
• $7.5 M: Opportunity cost: retention and acquisition of customers
The cost keeps growing
• $1.5 M: Productivity losses due to additional load on staff
• $79 per record lost (Gartner)
• $11.5 M in expenses directly related to exposure
• $15 M fine by Federal Trade Commission
• 75 out of 150 companies surveyed had a data loss in the last 12 months (Deloitte Survey)
Talk to the decision maker
• Chief Information Security Officer (CISO)
• Chief Compliance Officer (CCO)
• Chief Information Officer (CIO)
• VP IT
• Director Security
• Director MIS
• Data processing
• Security architects
• Information architects
Tell them what they want to hear
• Easy-to-use email encryption for IT and end users, i.e. a forgot-password link and other features mean fewer calls to IT
• Minimum steps to send an encrypted email
• Industry best in registration and pick-up of emails
• Administration console
• Encryption expertise: working with someone that understands encryption
How to displace the competition
• Push and pull delivery, i.e. the recipient can choose how they would like to receive their messages
• Plain-text notifications are branded and trusted, so recipients know it is not spam
• Easy to use on mobile devices
• Robust pick-up center
• Compliance-driven reporting engine
• Create bulk keys
• Customize sender and recipient groups
How to displace the competition
• Supports standards-based encryption
• Digital signatures on all notifications and messages
• Trusted CA and WebTrust audited: http://bit.ly/z6Odet
• Interoperates with 3rd-party PGP and S/MIME services
• Helps make PGP a cloud-based solution
Talk technology
• Cloud-based credential management
• Data is digitally signed
• Data remains encrypted while stored in the cloud
• Standards-based PKI, X.509 certificates
• Rapid deployment of multiple encryption applications on one platform
• Encryption complexities are hidden from the end user
• Provides credential and identity-management services
• Enables secure communications across a wide range of applications, media, and mobile devices
Types of email encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions)
Included by default in email clients such as Outlook; relies on a Certificate Authority (CA) to issue a secure email certificate
TLS (Transport Layer Security) / SSL (Secure Sockets Layer)
A less secure form of email encryption: it encrypts the connection between two servers while the message is in transit, rather than the message itself
Understanding S/MIME
S/MIME provides two security services:
• Digital signatures
• Message encryption
Understanding digital signatures
• Digital signatures are the digital counterpart to the traditional, legal signature on a paper document
• As with a legal signature, digital signatures provide the following security capabilities:
  • Authentication
  • Nonrepudiation
  • Data integrity
These security capabilities are the core functions of digital signatures. Together, they assure recipients that the message came from the sender, and that the message received is the message that was sent
Understanding digital signatures
• Authentication: A signature serves to validate an identity. It verifies the answer to “who are you?”. Because there is no authentication in SMTP e-mail, there is no way to know who actually sent a message. Authentication in a digital signature allows a recipient to know that a message was sent by the person or organization who claims to have sent the message.
• Nonrepudiation: The uniqueness of a signature prevents the owner of the signature from disowning the signature. This capability is called nonrepudiation. Thus, the authentication that a signature provides gives the means to enforce nonrepudiation. The concept of nonrepudiation is most familiar in the context of paper contracts: a signed contract is a legally binding document, and it is impossible to disown an authenticated signature.
• Data integrity: An additional security service that digital signatures provide is data integrity. With data integrity services, the recipient is assured that the e-mail message has not been altered while in transit.
Understanding digital certificates
• A digital certificate is an electronic “document” that establishes your credentials and enables you to create a digital signature
• Supports the X.509 standard
• Think of a digital certificate as you would a passport
Message encryption
• Digital signatures provide data integrity
• They do not provide confidentiality
• Messages with only a digital signature are sent in cleartext, like ordinary SMTP messages, and can be read by others
• To protect the contents of e-mail messages, you must use a message encryption solution like Symantec Policy-Based Encryption provided by Echoworx
Types of encryption
Symmetric encryption
• The oldest and best-known encryption technique
• A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way
• It can be as simple as shifting each letter by a number of places in the alphabet
• As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key
• The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands
• Anyone who knows the secret key can decrypt the message
Asymmetric encryption
• Uses two keys rather than one and is known as a “key pair”
• The public key (key #1) is made freely available to anyone who might want to send a message
• The private key (key #2) is kept secret
• Messages encrypted using a public key can only be decrypted with the matching private key, so there is no risk in the public key being freely available
• Asymmetric encryption is more secure, but it is slower than symmetric encryption and uses more processing power to encrypt and decrypt the content
• PKI (Public Key Infrastructure) uses asymmetric encryption
Understanding CAs (certificate authority)
• A CA is a trusted third-party organization or company that is allowed to issue and manage digital certificates
• The role of the CA is to guarantee that the person granted the digital certificate is who they say they are
• CAs are a critical component in data security because they guarantee that the parties exchanging information are really who they claim to be
• Echoworx is a trusted CA and, in order to maintain that designation, is WebTrust audited by Deloitte annually
• There are two types of CAs:
  • Private CA – held by a private entity (company, administration, the military)
  • Public CA – Echoworx, Verisign, Swisskey, GlobalSign
Understanding PKI (Public Key Infrastructure)
• PKI is a set of standards, procedures, software, and people for implementing authentication using public key cryptography
• PKI is the infrastructure that manages digital certificates. It is used to request, install, configure, manage and revoke digital certificates
• PKI offers authentication via digital certificates, and these digital certificates are signed and provided by a Certificate Authority
• PKI uses public key cryptography and works with X.509 standard certificates
• PKI enables authentication, nonrepudiation, and data integrity
• PKI is an infrastructure in which many things happen; it is not a process or algorithm itself, so PKI consists of a number of components that together make the infrastructure work
PKI includes
• A Certificate Authority (CA), which delivers digital certificates
• A directory that stores digital certificates
• A registration authority that allows for the enrollment of digital certificates
• Centralized management functionality
Policy-based encryption
Automatically encrypts email at the gateway based on pre-defined policies and procedures
Symantec policy-based encryption
• Automatic email encryption based on pre-defined policies and procedures
• No encryption action required from users and administrators
• Fully hosted, easy-to-use service
• Eliminates the need for on-premise installation
• Flexible message delivery options to users and non-users of policy-based encryption
• Easy for recipients to receive and reply securely to messages
• Supports mobile devices including iPhone, BlackBerry and Android
• Works with third-party S/MIME and PGP credentials
• Supports multi-tenancy, branding and multiple levels of administration
Deployment
A typical installation includes the Echoworx policy engine residing on premises, with messages travelling over a TLS connection to the encryption engine at an Echoworx secure facility
Where it fits
Symantec.cloud Content Control can trigger the encryption of an email
Challenge
• A national healthcare organization is actively seeking a way to secure emails and comply with HIPAA
• They want to ensure that messages never leave their environment unprotected if they contain certain key words or phrases
• They realize that human error plays a part in everything, and the organization needs a solution that will AUTOMATICALLY encrypt emails based on pre-defined policies
• Their requirements include: easy to use, automated, and flexible policy management
Solution
• You recommend Policy-based encryption
• Key factors you picked up on were:
  • Messages never leave their environment unprotected if they contain certain key words or phrases
  • Needs a solution that will AUTOMATICALLY encrypt emails based on certain rules or policies
  • Requirements: easy to use, automated, and flexible policy management
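The policy-engine idea from the "Policy-based encryption", "Deployment" and "Challenge" slides, as an added example in Python that is not the Echoworx or Symantec product code: an outbound message is parsed with the standard library, the subject and text parts are checked against a small constructed rule set (hypothetical rule names, modelled on the healthcare scenario's key words and phrases), and a message is flagged for encryption only when it is actually leaving the organisation's domain with matching content. The internal domain and the three sample messages are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample policies (hypothetical rule names and patterns) standing in
# for the key words and phrases a healthcare customer would define.
POLICIES = {
    "phi-keywords": re.compile(
        r"\b(patient record|medical record|diagnosis|MRN)\b", re.IGNORECASE),
    "ssn-pattern": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential-tag": re.compile(r"\[confidential\]", re.IGNORECASE),
}

# Assumed internal domain: mail that stays inside it never crosses the gateway,
# so the policy engine takes no encryption action on it.
INTERNAL_DOMAINS = {"example-health.test"}


def _external_recipients(msg):
    """Recipients (To/Cc) whose domain is not one of our internal domains."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    external = []
    for _name, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        if domain and domain not in INTERNAL_DOMAINS:
            external.append(addr)
    return external


def _scannable_text(msg):
    """Subject plus every text/plain part, decoded with the part's charset."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def evaluate(raw_message: str) -> dict:
    """Gateway decision for one outbound message: 'encrypt' or 'deliver'."""
    msg = message_from_string(raw_message)
    external = _external_recipients(msg)
    matched = [name for name, rx in POLICIES.items()
               if rx.search(_scannable_text(msg))]
    # Encrypt only when sensitive content is really leaving the organisation;
    # the decision is automatic, so a user who forgets to encrypt is still covered.
    action = "encrypt" if (external and matched) else "deliver"
    return {"action": action, "matched": matched, "external_recipients": external}


# Constructed sample messages for the demo.
SAMPLE_INTERNAL = """From: dr.lee@example-health.test
To: nurse.kim@example-health.test
Subject: Patient record follow-up

The patient record for MRN 44712 needs a signature.
"""

SAMPLE_EXTERNAL = """From: dr.lee@example-health.test
To: billing@partner-lab.test
Cc: nurse.kim@example-health.test
Subject: Lab results

Attached is the diagnosis summary for the referral.
"""

SAMPLE_BENIGN = """From: dr.lee@example-health.test
To: vendor@supplies.test
Subject: Order 1198

Please confirm the delivery date for the glove order.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_EXTERNAL, SAMPLE_BENIGN):
        print(evaluate(raw))
```

In a real deployment the rule set would also cover attachments and structured identifiers, and the "encrypt" outcome would hand the message to the encryption engine over the TLS link the Deployment slide describes; the decision logic itself stays as simple as this: scan, match, route.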
Resources
• For educational papers, product sheets, videos and more: http://www.echoworx.com/resources/
• For more on Symantec Policy-based encryption.cloud: http://www.symanteccloud.com/services/data_protection_management/email_policy_encryption.aspx
Thank You for Participating
Certification is just a test away!