TLS Webinar
Safeguarding Our Email Via TLS
Presented by:
Jim Rogers, Director of Distribution Technology, The Hartford
Tim Woodcock, President, Courtesy Computers
Jeff Yates, Executive Director, Agents Council for Technology
Webinar will begin shortly!
Agenda
Submit questions via the Question & Answer Log
First 40 Minutes:
• eMail Usage
• Security - Why you should care
• Benefits
• Resources
• Q&A
Last 20 Minutes:
• TLS Configuration of MS Exchange 2007
• Q&A
Background
• Email has become a major component in everyday agency/carrier business interactions
• Mail sent over the Internet is typically unprotected
• The need to protect email continues to grow
• The use of, and reliance on, email within core business workflows will continue to increase
Why Protect e-Mail?
• e-Mail often contains sensitive customer information
• Required by business contract
• Is easily accessible to prying eyes on the Internet
• Mandated by regulation
Existing Regulations and Standards
• Gramm-Leach-Bliley Act (GLBA) Standards for Safeguarding Customer Info.
  • non-public personal information (NPPI) in paper, electronic, or other form
  • NPPI: personally identifiable information provided by a consumer or resulting from a transaction for a consumer
  • written information security program to address internal/external risks
  • physical, technical and administrative safeguards
  • oversee service providers
• Security Breach Notification Laws (various states)
  • first/last name and SSN/driver’s license/state ID/financial account + password
  • when not encrypted
  • must notify any resident of the state of a breach without unreasonable delay
• Payment Card Industry Data Security Standards (PCI-DSS)
  • cardholder data
  • certification of compliance with PCI-DSS depending upon level of merchant
  • firewall, encryption in storage/transmission, antivirus, etc.
  • assign individual user IDs
Recent Regulatory Developments
• Nevada 597.970
  • “Restrictions on transfer of personal information through electronic transmission”
• Massachusetts 201 CMR 17.00
  • “Standards for The Protection of Personal Information of Residents of the Commonwealth”
• California Department of Motor Vehicles
  • “On-Line DMV Special Permit Program”
TLS: Transport Layer Security
• Provides secure e-Mail communications across the Internet through a standardized, secure, and non-proprietary mechanism
• Eliminates the “drawbacks” that plague the commonly used tools and services
• Is built-in to most modern e-Mail systems and just needs to be “turned on” by your technology professional
How Does TLS Work?
• At transmission time, TLS creates an encrypted communication session between email servers
• The e-Mail is then sent through a protected “tunnel”
• The servers decrypt the message and send it along to the client
[Diagram: encrypted path between the Agency Partner mail server and the Carrier mail server, with a Client at each end]
Transport Layer Security: TLS
[Diagram: the message “My ssn is: 999 65 9999” leaves the sender, crosses the Internet as the encrypted text “$erm840 kkfd8820& l1k6ss”, and is restored to “My ssn is: 999 65 9999” at the receiver]
• Safe/Secure
• Standard Protocol
• Available on most email systems
• Transparent to end-users
• Eliminates the need for hosted services
• Negligible cost
Benefits of TLS
• Provides the confidentiality of emails across the Internet
• Requires no changes to the client
• Is a standards-based protocol that is implemented on most e-Mail gateways and appliances
• It’s free; no additional licensing is needed. A security certificate is required.
How Do I Get TLS?
• TLS is a standards-based protocol enabled on most server-based email systems
• Talk with your system support staff or e-Mail service provider
• Most agencies that have an up-to-date in-house mail server are TLS capable. Agencies with a hosted Microsoft Exchange server are TLS capable, as is gmail. Those with hosted email using hotmail and yahoo are not currently TLS capable.
Detecting TLS
How do you determine if TLS is active?
• Talk to the email server administrator
• Some email contains a tag line at the bottom of the email if it was sent via TLS
• More on this in our technical discussion
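Beyond a tag line, the most reliable trace of TLS is the Received: header each mail server prepends as it relays a message. The following is an added example (not from the webinar deck) that reads those headers hop by hop and reports which legs were encrypted; the sample message, host names and the helper names are constructed for the example, and the header spellings it recognises are the common ones written by Postfix/Sendmail/Gmail-style servers and by Exchange 2007.

```python
"""Added example: detect, hop by hop, whether a message travelled over TLS by
inspecting its Received: headers.

Common ways a relay records a TLS hop (all recognised below):
  - "... with ESMTPS id ..." (Postfix, Sendmail, Gmail style)
  - "(version=TLSv1 cipher=... )" appended by Sendmail/Postfix/Gmail
  - "... with Microsoft SMTP Server (TLS) id 8.1.x" (Exchange 2007 style)
A plain "with ESMTP" / "with SMTP" hop is treated as unencrypted.
"""
import email
import re
from typing import List, Tuple

# Markers that indicate the hop was protected by TLS.
TLS_MARKERS = [
    re.compile(r"\bwith\s+E?SMTPSA?\b", re.IGNORECASE),               # ESMTPS, ESMTPSA, SMTPS
    re.compile(r"\bwith\s+Microsoft SMTP Server \(TLS\)", re.IGNORECASE),
    re.compile(r"\(version=(TLS|SSL)[^)]*\)", re.IGNORECASE),
]

HOST_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def hop_used_tls(received: str) -> bool:
    """True when one Received: header value carries a TLS marker."""
    flat = " ".join(received.split())          # folded headers span several lines
    return any(p.search(flat) for p in TLS_MARKERS)


def tls_hops(raw_message: bytes) -> List[Tuple[str, bool]]:
    """Return [(sending_host, used_tls), ...] in delivery order.

    Each relay prepends its Received: header, so the top one is the most
    recent hop; reversing gives the path from original sender onward."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())
        m = HOST_RE.match(flat)
        host = m.group(1) if m else "<unknown>"
        hops.append((host, hop_used_tls(flat)))
    return hops


def fully_encrypted(raw_message: bytes) -> bool:
    """True only when every recorded hop used TLS: one plaintext hop is
    enough to expose the message, so the weakest link decides."""
    hops = tls_hops(raw_message)
    return bool(hops) and all(used for _, used in hops)


# Constructed sample: agency -> carrier gateway over TLS (Postfix style),
# gateway -> hub over TLS (Exchange style), hub -> mailbox server in clear.
SAMPLE = b"""Received: from hub01.carrier.example (10.1.1.5) by mbx01.carrier.example
 (10.1.1.9) with Microsoft SMTP Server id 8.1.240.5; Tue, 3 Mar 2009 09:15:02 -0500
Received: from gw.carrier.example (10.1.1.2) by hub01.carrier.example (10.1.1.5)
 with Microsoft SMTP Server (TLS) id 8.1.240.5; Tue, 3 Mar 2009 09:15:01 -0500
Received: from mail.agency.example (mail.agency.example [192.0.2.10])
 by gw.carrier.example (Postfix) with ESMTPS id 4B2C1
 (version=TLSv1 cipher=AES256-SHA bits=256 verify=NOT)
 for <rep@carrier.example>; Tue, 3 Mar 2009 09:15:00 -0500
From: agent@agency.example
To: rep@carrier.example
Subject: Application for policyholder

Attached is the application.
"""

if __name__ == "__main__":
    for host, used in tls_hops(SAMPLE):
        print(f"{host:28s} {'TLS' if used else 'PLAINTEXT'}")
    print("fully encrypted:", fully_encrypted(SAMPLE))
```

Run against the constructed sample, the two Internet-facing hops show TLS and the last internal hop shows plaintext, which is exactly the situation the "connections between your email server and your remote computers" bullet later in the deck warns about: the message was protected across the Internet but not all the way to the mailbox.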
Carriers supporting TLS
Some carriers are TLS enabled automatically for their agents who send emails with TLS to them; others activate agencies for TLS only upon request. Please check with your carrier or look in the “Security & Privacy” section on the ACT website for specific carrier info:
• Allied/Nationwide
• Chubb
• Cincinnati
• CNA
• Concord Group Insurance
• EMC
• Fireman’s Fund
• Grange Insurance
• Harleysville
• The Hartford
• Liberty Agency Markets
• MetLife – MetLife Auto & Home
• MMG Insurance
• OneBeacon
• Progressive
• RLI Corporation
• Summit Holdings
• Travelers
• Westfield
• W.R. Berkley Companies
Note: for an updated list of carriers supporting TLS see the “Agency Security” section of www.independentagent.com/act or ask your carrier
MS Exchange 2003 – TLS Required Mode
Both the sender and the receiver must maintain a directory of each other’s email domains in order for a TLS encrypted email to be exchanged.
If the receiver has TLS enabled in Opportunistic mode, not Required mode, the email will still transmit in an encrypted format.
If the receiving party does not have TLS enabled, the sender’s email will be sent but it will not be encrypted.
[Diagram: Insurance Agent on MS Exchange 2003 (TLS Required Mode) sending to a Carrier Rep on MS Exchange 2007 (TLS Opportunistic Mode) through a protected, encrypted tunnel; a second Email Solution with no TLS encryption enabled, where email sent/received is not encrypted; a Policyholder at each end]
MS Exchange 2007 – TLS Opportunistic Mode
• A sender with TLS Opportunistic Mode enabled will check to see if the receiver has TLS enabled. If the receiver has TLS Opportunistic turned on, the outgoing email will be encrypted. If he does not, there are two potential scenarios depending on the sender’s infrastructure:
  • the email is sent out with no encryption
  • the sender sends the email out via an encryption tool such as Tumbleweed or ZixSelect
[Diagram: Insurance Agent on MS Exchange 2007 (TLS Opportunistic Mode) sending to a Carrier Rep on MS Exchange 2007 (TLS Opportunistic Mode) through a protected, encrypted tunnel; a second Email Solution with no TLS enabled, where either the email sent/received is not encrypted, or the email is sent via Tumbleweed with a secured link that the user opens; a Policyholder at each end]
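The "How Does TLS Work?" slide and the two mode slides describe one decision the sending server makes on every delivery: does the receiver's EHLO reply advertise STARTTLS, and if not, what does policy allow? The following added example (not from the webinar deck and not Exchange code) makes that decision explicit for both a Required-style and an Opportunistic-style sender; the EHLO replies, domain names, function names and the "fallback tool" outcome are constructed for the example, and "partner_domains" stands in for the per-domain directory the Exchange 2003 slide mentions.

```python
"""Added example: how an SMTP sender decides, from the receiver's EHLO reply,
whether a TLS tunnel is available and what to do when it is not.

  REQUIRED      (Exchange 2003 style): TLS is mandatory for domains in the
                sender's partner directory; if such a receiver does not offer
                STARTTLS the message is held, never sent in clear.
  OPPORTUNISTIC (Exchange 2007 style): use STARTTLS whenever offered;
                otherwise fall back to plaintext or to a separate
                secure-delivery tool (the slides name Tumbleweed / ZixSelect).
"""
from enum import Enum
from typing import FrozenSet


class Mode(Enum):
    REQUIRED = "required"
    OPPORTUNISTIC = "opportunistic"


class Outcome(Enum):
    SENT_TLS = "sent over TLS"
    SENT_PLAINTEXT = "sent unencrypted"
    SENT_VIA_FALLBACK_TOOL = "sent via secure-delivery tool"
    HELD_NO_TLS = "held: partner offers no TLS"


def ehlo_extensions(reply: str) -> FrozenSet[str]:
    """Parse a multi-line 250 EHLO reply into the set of advertised keywords.

    RFC 5321 layout: every line but the last is '250-KEYWORD [params]', the
    last is '250 KEYWORD'.  The first line is the greeting, not an extension."""
    lines = [ln.rstrip("\r") for ln in reply.strip().split("\n")]
    exts = set()
    for ln in lines[1:]:
        if not ln.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {ln!r}")
        keyword = ln[4:].split(" ", 1)[0].upper()   # drop '250-' / '250 '
        exts.add(keyword)
    return frozenset(exts)


def decide_delivery(mode: Mode, recipient_domain: str, ehlo_reply: str,
                    partner_domains: FrozenSet[str] = frozenset(),
                    fallback_tool: bool = False) -> Outcome:
    """Apply the sender's TLS policy to one delivery attempt."""
    offers_tls = "STARTTLS" in ehlo_extensions(ehlo_reply)
    if offers_tls:
        return Outcome.SENT_TLS              # both modes issue STARTTLS when offered
    if mode is Mode.REQUIRED and recipient_domain in partner_domains:
        return Outcome.HELD_NO_TLS           # never downgrade a directory partner
    if fallback_tool:
        return Outcome.SENT_VIA_FALLBACK_TOOL
    return Outcome.SENT_PLAINTEXT


# Constructed EHLO replies: a carrier gateway that advertises STARTTLS and a
# hosted mailbox service that does not.
EHLO_WITH_TLS = ("250-gw.carrier.example Hello\n250-SIZE 20971520\n"
                 "250-STARTTLS\n250-8BITMIME\n250 HELP")
EHLO_WITHOUT_TLS = "250-mail.hosted.example\n250-SIZE 10485760\n250 8BITMIME"

PARTNERS = frozenset({"carrier.example"})

if __name__ == "__main__":
    cases = [
        (Mode.REQUIRED, "carrier.example", EHLO_WITH_TLS, False),
        (Mode.REQUIRED, "carrier.example", EHLO_WITHOUT_TLS, False),
        (Mode.REQUIRED, "hosted.example", EHLO_WITHOUT_TLS, False),
        (Mode.OPPORTUNISTIC, "hosted.example", EHLO_WITHOUT_TLS, False),
        (Mode.OPPORTUNISTIC, "hosted.example", EHLO_WITHOUT_TLS, True),
    ]
    for mode, domain, reply, tool in cases:
        result = decide_delivery(mode, domain, reply, PARTNERS, tool)
        print(f"{mode.value:13s} -> {domain:16s} tool={tool!s:5s} {result.value}")
```

The point to take from the opportunistic branch is that the sender cannot tell "the receiver has no TLS" apart from "STARTTLS was absent from the reply for some other reason", so an opportunistic sender silently delivers in clear in either case. That is why the deck pairs opportunistic mode with a fallback tool for sensitive traffic and, later, recommends Mutual TLS with specific partners.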
Additional Considerations
• Important to have your technical support implement TLS
• Your technical support can tell you which of your carriers and clients are enabled for TLS
• If using an external spam/anti-virus filter, you need to make sure it is enabled for TLS
• Also, some of these external spam/anti-virus providers offer a hosted email option that can be enabled for TLS
• Many hosted email solutions are not enabled for TLS (e.g., hotmail and yahoo), but gmail provides some secure options
• You also need to make sure that the connections between your email server and your remote computers and mobile devices are encrypted
• Use your real-time tools wherever possible to transmit client personal information because it is encrypted
• If TLS or Real Time is not available, send application information using a password protected pdf or zip file
TLS Links
• ACT Web site for TLS Article, FAQs, & TLS enabled carriers
  • www.independentagent.com/act
  • “Security & Privacy” Quick Link
• Technical Links
  • http://msexchangeteam.com/archive/2006/10/04/429090.aspx
  • http://technet.microsoft.com/en-us/library/bb430753(EXCHG.80).aspx
How to Configure TLS
• Will cover how to procure SSL Certificates
• For representative purposes only; the steps here may not be suitable for all environments
• Will cover Exchange 2003 and 2007
• If you are on a different platform, please consult your technical support
Several Sources for Security Certificates
Certificate authority (CA): an entity that issues digital certificates
• Verisign http://www.verisign.com
• Network Solutions http://www.networksolutions.com
• GoDaddy http://www.godaddy.com
• Comodo http://www.comodo.com/
• Digi-Sign http://www.digi-sign.com
HOW TO: Use Certificates with Virtual Servers in Exchange Server http://support.microsoft.com/kb/319574/
Difference between Exchange 2003 & 2007
• Exchange 2003
  • requires a valid X.509 server certificate (suitable for TLS usage)
  • DOES NOT support ‘Opportunistic TLS’
  • TLS must be configured manually (minimum 6 steps)
  • Difficult to monitor TLS transmit-receive success/failures
• Exchange 2007/2010
  • requires a valid X.509 server certificate (suitable for TLS usage)
  • ‘Opportunistic TLS’ is automatically enabled (by default)
  • Easy to monitor TLS transmit-receive success/failures
  • Greater Message Control with Robust ‘Transport Rules’ Features
    • Block, Bounce, Copy, Append, Send to Archive, Quarantine
Follow Up
• Follow up email with our email addresses
• PowerPoint & Recording of presentation posted on the “Security & Privacy” link at www.independentagent.com/act
• See more detailed info about security & privacy laws and regulations in the Appendix section of the posted PowerPoint
Mutual TLS
• With Mutual TLS authentication, each server verifies the identity of the other server by validating a certificate that is provided by that other server.
• In this scenario, where messages are received from external domains over verified connections in an Exchange 2007 environment, Microsoft Office Outlook 2007 will display a ‘Domain Secured’ icon.
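What "each server verifies the identity of the other" means in code comes down to two checks on each side: insist on a certificate from the peer and validate it against a trusted CA, then confirm the name in that certificate is the partner's mail host rather than just any validly issued certificate. The following added example (not from the webinar deck and not Exchange code) shows both with Python's standard ssl module: the context builder raises the server side to CERT_REQUIRED, and the name check runs over the dictionary that getpeercert() returns. The certificate/key file paths are parameters, the sample peer certificate is constructed, and all function names are our own.

```python
"""Added example: the two ingredients of a mutual TLS session.

  1. mutual_tls_context(): both sides present a certificate AND require one
     from the peer (chain validation against the configured CA is done by
     the TLS library during the handshake).
  2. verify_peer(): after the handshake, confirm the peer certificate names
     the host we expected.  Python verifies the server's name automatically
     on the client side; a server must do this for the client itself.
"""
import ssl
from typing import Optional, Set


def mutual_tls_context(server_side: bool, ca_file: Optional[str] = None,
                       cert_file: Optional[str] = None,
                       key_file: Optional[str] = None) -> ssl.SSLContext:
    """Build a context that presents our certificate and demands the peer's.

    A default client context already verifies the server; a default server
    context verifies nothing until verify_mode is raised to CERT_REQUIRED.
    ca_file/cert_file/key_file are placeholders for real PEM files."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED          # peer must send a CA-signed cert
    if cert_file:                                # and we send ours
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def cert_names(cert: dict) -> Set[str]:
    """DNS names from a getpeercert()-style dict: subjectAltName first,
    commonName only as a fallback when no SAN is present."""
    names = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value.lower())
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single wildcard in the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]   # one label only, never a.b.x
    return False


def verify_peer(cert: dict, expected_host: str) -> Optional[str]:
    """None when the (already chain-validated) peer certificate names
    expected_host; otherwise a short reason to refuse the session."""
    if not cert:
        return "peer sent no certificate"
    names = cert_names(cert)
    if not any(name_matches(p, expected_host) for p in names):
        return f"certificate names {sorted(names)} do not include {expected_host}"
    return None


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
PEER_CERT = {
    "subject": ((("commonName", "mail.carrier.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "mail.carrier.example"), ("DNS", "*.carrier.example")),
}

if __name__ == "__main__":
    server_ctx = mutual_tls_context(server_side=True)
    print("server demands client cert:", server_ctx.verify_mode == ssl.CERT_REQUIRED)
    for host in ("mail.carrier.example", "smtp.carrier.example", "mail.other.example"):
        print(f"{host:22s} -> {verify_peer(PEER_CERT, host) or 'accepted'}")
```

Reading the output against the slide: the server context is what turns a plain TLS receive connector into a mutual one, and the name check is what stops a certificate issued to some unrelated domain from being accepted as a partner's. The deck's "directory of each other's email domains" is the list of expected_host values a real deployment would feed into verify_peer.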
Mutual TLS Enabling Process with Exchange 2007
• Process for ‘Server to Server’ Mutual TLS
  1. Configure an additional IP Address (as necessary)
  2. Create & Configure the SMTP Send Connector
  3. Create & Configure the SMTP Receive Connector
  4. Test & Verify Mutual TLS with the remote domain server
Mutual TLS Enabling Process with Exchange 2007
• Mutual TLS Demonstration Scenario
  • Insurance Carrier requires a ‘Mutual TLS’ Session between their mail server and the agency’s mail server
  • Small agency with a single Microsoft Exchange Server
  • No ‘Edge Transport Servers’ are present in their network