VAULTIVE & MICROSOFT:
COMPLEMENTARY ENCRYPTION SOLUTIONS
Table of Contents
Section I: Vaultive & Microsoft: Complementary Encryption Solutions
Section II: Vaultive is a Microsoft ISV Partner
Appendix A: S/MIME Message Encryption – a Point-to-Point Solution
Appendix B: Office 365 Message Encryption
Appendix C: Exchange Information Rights Management (IRM)
Leveraging the cloud for email requires that businesses take specific action to meet security, fiduciary, and compliance requirements. Vaultive is the only Microsoft ISV partner providing a customer-controlled encryption solution across the entire message lifecycle, complementing Microsoft’s encryption.
Control Your Data in Office 365 with Vaultive
• Vaultive Encrypts Data Across its Entire Lifecycle – data exists in three states: at rest, in transit and in use, and must be encrypted in all three to ensure control.
• Vaultive Encrypted Data Can be Searched and Sorted – server-side operations (such as search, sort, index, etc.) are performed on the encrypted data without ever decrypting it. If data must be decrypted for server-side operations to work, then the data is exposed and vulnerable.
• Vaultive Supports Native Exchange Functionality at the Pace of Change – Vaultive fully supports native Office 365 services including e-discovery, DLP, archiving and others while the data remains encrypted. In addition, Vaultive includes detailed logging and reporting.
• You Own, Manage and Control your Encryption Keys – according to cloud security best practices, encryption keys should be created, managed and controlled by the customer and not the cloud service provider (if encryption keys are accessible to anyone outside of the organization, the organization is giving up a crucial element of security and control).
• Encryption of Data in its Entirety – every single email in the inbox, outbox, sent and deleted folders is encrypted, as are message subjects, attachments, tasks, calendar items, invitation messages, folders and more.
• No End-User Actions or End-Point Software – encryption must be applied automatically without requiring end-user action. Otherwise, it is subject to human error and guaranteed to fail. Vaultive does not require any end-point software (agent, plug-in, or client application).

Microsoft Encryption Solutions: Protected Delivery of Specific Messages Based on Decisions Made by Individual End-Users
• S/MIME – Individual users determine which messages should be encrypted as they are sent, assuring point-to-point delivery to specific people inside or outside of the organization. Messages are encrypted and only sender and recipient have access to the keys to decrypt the data.
• Office 365 Message Encryption – Sends a clear text email with the encrypted message included as an attachment. Recipients must log on to the sender’s server using a compatible web browser to read the email. Outgoing messages are encrypted once they leave the Exchange server, but are stored on the Exchange server in the clear.
• IRM – Individual users dictate (but cannot enforce) recipient permissions for email messages for actions such as replying, replying to all, forwarding, extracting information, saving, or printing.
Accountability cannot be outsourced.
| Feature | Office 365 Message Encryption | Exchange IRM | S/MIME | Vaultive |
|---|---|---|---|---|
| Design Principles | | | | |
| End user organization controls the keys | NO | NO | YES | YES |
| Server-side operations (search, sort, index, and others) are performed on encrypted data | NO | NO | NO | YES |
| Central key management | YES | YES | NO | YES |
| Transparent to end-users | NO | NO | NO | YES |
| Support for DLP, e-Discovery and archiving on encrypted data | NO | NO | NO | YES |
| Unified protection across multiple cloud services | NO | NO | NO | YES |
| Encryption | | | | |
| All messages are encrypted | NO | NO | NO | YES |
| Inbound messages are encrypted | NO | NO | NO | YES |
| Messages sent to only internal recipients are encrypted | | YES | YES | YES |
| Messages sent to only external recipients are encrypted | YES | NO | NO (1) | YES |
| Messages sent to both internal and external recipients are encrypted | NO | NO | NO | YES |
| Message subjects encrypted | NO | NO | NO | YES |
| Calendar items and invite messages encrypted | NO | NO | NO | YES |
| Tasks and notes encrypted | NO | NO | NO | YES |
| Items are encrypted before reaching the server | NO | NO (2) | YES | YES |
| Messages to distribution lists from POP/IMAP/Mac Mail/Android encrypted | YES | YES | NO | YES |
| Preview of encrypted messages | NO | YES | NO | YES |

(1) Unless the external recipient has S/MIME set up and has forwarded its certificate to the internal sender.
(2) Unless the message is sent from Outlook.
| Feature | Office 365 Message Encryption | Exchange IRM | S/MIME | Vaultive |
|---|---|---|---|---|
| Client Support (both sending and receiving messages) | | | | |
| Outlook | YES | YES | YES | YES |
| OWA (IE) | YES | YES | YES | YES |
| OWA (all browsers) | YES | YES | NO | YES |
| Mobile OWA | YES | YES | YES | YES |
| Mac Outlook | YES | YES | YES | YES |
| Mac Mail | YES | NO | YES | YES |
| Android | NO | YES | NO | YES |
| iPhone | NO | YES | YES | YES |
| Other Mobiles (ActiveSync) | NO | YES | NO | YES |
| POP3, IMAP | YES (3) | NO | YES | YES |
| Key Management | | | | |
| Keys reside on-premises | NO | YES | YES | YES |
| Tenant organization retains exclusive access to encryption keys | NO | NO | NO (4) | YES |
| Key recovery (integrated backup) | YES | YES | NO | YES |
| Office 365 Features | | | | |
| Server searches and sort | YES | YES | NO | YES |
| DLP and policy violation scanning | YES | YES | NO | YES |
| e-Discovery | YES | YES | NO | YES |
| Journaling | YES | YES | NO | YES |
| Archiving | YES | YES | NO | YES |

(3) Requires a browser.
(4) Third party Certificate Authorities could keep generated private keys.
Vaultive is a Microsoft ISV Partner
Vaultive provides a comprehensive encryption solution for Microsoft Office 365, Yammer, and Dynamics, as well as for other cloud applications. Vaultive persistently encrypts an organization’s data before it leaves the trusted network, while the organization’s IT retains the keys.
Vaultive’s encryption software protects data throughout its entire lifecycle: in transit, at rest and in use. Vaultive’s persistent encryption maintains content characteristics allowing server-side operations including search, sort and index on encrypted data, and is completely transparent to the end user.
How Vaultive Works
Vaultive operates as a transparent network-level proxy, deployed at an organization’s perimeter network, integrating with Microsoft Office 365 as well as other cloud applications. Data is persistently encrypted before it leaves the organization’s trusted network and remains encrypted until it reaches its intended destination.
Central Key Management via Robust Management Console
The Vaultive platform provides encryption combined with central key management. The data is encrypted prior to leaving the organization so that neither the CSP nor Vaultive ever has access to your data in clear text. The data owner maintains direct control of their encryption keys – and secures the keys with their own controls in place. No one can access the keys, or the data, without explicit consent of
Appendix A
S/MIME Message Encryption – a Point-to-Point Solution
Microsoft’s S/MIME message encryption provides encryption of email messages in transit, as they travel between the sender and the intended recipient. Once encryption keys are exchanged, messages are encrypted prior to being sent, and then decrypted after download by the intended recipient. In order to utilize S/MIME message encryption, both the sender and recipient must have S/MIME deployed and the sender must have the recipient’s public key, or certificate, on the corresponding client from which the email is sent.
How S/MIME Works
S/MIME requires two separate but related keys – a public key and a private key. A unique public key is distributed to those sending encrypted emails, while the private key is maintained by the recipient. The public key is utilized for encrypting the email before sending it to the recipient, and the recipient can only decrypt the incoming email using the private key. The following table shows how certificates are acquired for each client and the associated limitations of each method.

| Client | Certificate | Result |
|---|---|---|
| Outlook | Automatically accesses all certificates from Active Directory (AD). | Outlook can access certificates for most internal recipients but very limited certificates for external recipients. |
| Outlook Web Application (OWA) on Internet Explorer (IE) | Automatically accesses all certificates from AD. | OWA can only access certificates for internal recipients. |
| ActiveSync | Obtains all certificates from the Exchange Server. | S/MIME is not supported on Android (5). |
| Mac OS X, Exchange Web Services (EWS) | Obtains certificates from the AD. | The GAL is an internal list, so Macs can only acquire certificates for internal recipients. |
(5) http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_clients

Because of the nature of public-key cryptography, S/MIME has two limitations which can inhibit usage:
• Emails sent to external recipients are generally not encrypted. In order for an email sent externally to be encrypted, the recipient must provide the sender with his public key by sending an email signed with the appropriate certificate.
• Incoming emails are not encrypted unless they are sent from a sender that is both using S/MIME and has the recipient’s public key.
S/MIME Limitations
In addition to S/MIME’s constraints encrypting messages to external recipients, the following limitations also apply:
• S/MIME does not encrypt email subjects. The following example highlights the importance of encrypting subjects in addition to email messages: Subject: “Request 20% Discount for ABC Bank proposal to beat Competitor N.”
• Calendars, invitations, tasks and other Exchange items are not encrypted.
• If using Post Office Protocol (POP3) or Internet Message Access Protocol (IMAP), distribution lists are not supported and emails sent to distribution lists are not encrypted.
• Server-side operations cannot be performed on the encrypted data; therefore search, sort, indexing, DLP scanning, and e-Discovery are not supported.
• Plug-ins are required in order for OWA to use S/MIME in IE. In order to support S/MIME on any other browser, the private key must be installed on each device where OWA is utilized with S/MIME, and the device must be joined to the AD domain.
• Message previews are not supported.
• When using S/MIME in OWA, email preview and the conversation view are not supported, and email must be opened in a separate window.
S/MIME Key Management
S/MIME does not provide out-of-the box centralized key management for private or public keys. End-users must maintain both a certificate as well as a matching private key; and it is critical that the keys are properly stored and protected. Every user maintains the certificate and key without any standard key management procedure. It is recommended that administrators define and implement processes to securely back up user private keys, either by company policy or by setting up a key escrow and backup service.
Serious security risks are introduced – end-users can easily generate their own keys using a third party service, without approval or knowledge of the administrator. The third party service has access to the private key and the enterprise lacks oversight and supervision, creating a significant security gap.
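As an added example (not Vaultive’s or Microsoft’s code), the following Python illustrates two of the S/MIME limitations above: it parses a constructed S/MIME-enveloped message to show which fields a mail server can still read in clear text, and it checks which recipients of a draft have a certificate on hand. The addresses, the placeholder body and the internal domain are assumptions.

```python
"""Added example: what S/MIME leaves readable, and who can receive it."""
import email
from email import policy

# Headers that S/MIME leaves in clear text: an enveloped message protects
# only the MIME body part, never the envelope or the Subject line.
CLEARTEXT_HEADERS = ("From", "To", "Cc", "Subject", "Date")


def is_smime_enveloped(msg):
    """True when the top-level body is an S/MIME enveloped-data part."""
    ctype = msg.get_content_type()
    stype = msg.get_param("smime-type", "")
    return ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime") \
        and str(stype).lower() == "enveloped-data"


def smime_exposure(raw):
    """Parse a raw RFC 5322 message and report what the server (or anyone
    on the delivery path) can read even when the body is encrypted."""
    msg = email.message_from_string(raw, policy=policy.default)
    exposed = {h: str(msg[h]) for h in CLEARTEXT_HEADERS if msg[h]}
    return {"body_encrypted": is_smime_enveloped(msg), "exposed": exposed}


def encryptable_recipients(recipients, certificates, internal_domain):
    """Split recipients into those S/MIME can encrypt to (a certificate is
    on hand) and those it cannot. External recipients usually lack a
    certificate unless they sent a signed mail first, so they tend to land
    in 'external_missing'; the sender's client cannot encrypt to them."""
    ok, missing = [], []
    for addr in recipients:
        (ok if addr in certificates else missing).append(addr)
    external_missing = [a for a in missing
                        if not a.endswith("@" + internal_domain)]
    return {"encryptable": ok, "missing": missing,
            "external_missing": external_missing}


# Constructed sample (assumed addresses): the MIME shape of an S/MIME
# enveloped message with a placeholder body, not a real CMS blob.
SAMPLE_SMIME = """\
From: alice@example.com
To: bob@example.com
Subject: Request 20% Discount for ABC Bank proposal
Date: Mon, 1 Jan 2024 09:00:00 +0000
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

BASE64-ENCODED-CMS-ENVELOPED-DATA-PLACEHOLDER
"""

if __name__ == "__main__":
    report = smime_exposure(SAMPLE_SMIME)
    print("body encrypted:", report["body_encrypted"])
    for name, value in report["exposed"].items():
        print(f"  clear text {name}: {value}")
    certs = {"bob@example.com"}  # assumed: only Bob's certificate is in the GAL
    print(encryptable_recipients(["bob@example.com", "carol@partner.net"],
                                 certs, "example.com"))
```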
S/MIME Support Summary

| Encryption Feature | S/MIME |
|---|---|
| Encryption | |
| Internal email messages encrypted (6) | YES |
| Outbound email messages encrypted (7) | NO |
| Outgoing email messages encrypted before arriving at the Exchange server | YES |
| Incoming email messages encrypted | NO |
| Email subjects encrypted | NO |
| Calendar items and invites encrypted | NO |
| Tasks encrypted | NO |
| Client Support | |
| Mac/OSX Support | YES |
| Android Support | NO |
| IE browser support (8) | YES |
| Other browser support | NO |
| Distribution lists supported from POP3, IMAP and Mac clients | NO |
| Key Management | |
| Keys cannot be accessed by Exchange | YES |
| Out of the box support for private key backups | NO |
| Centralized key management | NO |
| Office 365 Feature Support | |
| Server-side operations such as search and sort | NO |
| Message Previews | NO |
| e-Discovery (9) support | NO |
| Scanning messages for policy violations | NO |
| DLP support | NO |
| Message archiving support | NO |

(6) Internal messages are encrypted as long as no external recipients without available certificates are included.
(7) External messages are not encrypted unless the recipient has a certificate and emails it to the sender.
Appendix B
Office 365 Message Encryption
Office 365 Message Encryption, formerly called Exchange Hosted Encryption (EHE), is used for securing outbound emails based on administrator-defined policy. Recipients can use OWA and recipient identities are managed as Microsoft Online Services (MSOL) accounts, requiring users to maintain an MSOL account.
How Office 365 Message Encryption Works
Administrators set policy-based rules and once implemented, internal users can send and receive encrypted email directly from their desktops. This service sends a clear text email with the encrypted message included as an attachment. Using a web browser compatible with Office 365 Message Encryption, recipients must log in to the sender’s server and securely read the email in its original form.
Outgoing messages are encrypted once they leave the Exchange server. However, they are stored on the Exchange server in the clear.
Office 365 Message Encryption Limitations
While Office 365 Message Encryption is a partial solution for email security, governance and compliance, it falls short in the following areas:
• Does not ensure all outgoing emails are persistently encrypted.
• Does not encrypt incoming messages.
• Does not encrypt internal messages.
• Is not transparent to users and administrators.
• Does not encrypt email subjects. The following example highlights the importance of encrypting subjects in addition to email messages: Subject: “Request 20% Discount for ABC Bank proposal to beat Competitor N.”
• Emails are not encrypted while stored in the Exchange server transport.
• Decrypts email messages for server-side operations such as search, sort and indexing.
Office 365 Message Encryption Key Management
Encryption key management remains a critical aspect of cloud encryption. Whoever owns and maintains the encryption keys controls access to the data. If the cloud service provider manages the keys on behalf of the customer – whether in memory or in an HSM – they can access the data, and are obligated to share the data with government officials if presented with a subpoena – without notifying the tenant organization.
Unique Office 365 Message Encryption keys are generated for each encrypted email. Keys are stored in the Office 365 data center, where Microsoft has access to the keys. Keys can be accessed from an Office 365 MSOL account using a password.
Office 365 Message Encryption Support Summary
The following table summarizes Office 365 Message Encryption capabilities.

| Encryption Feature | Office 365 Message Encryption |
|---|---|
| Encryption | |
| Internal email messages encrypted | NO |
| Outgoing email messages encrypted | YES |
| Email subjects encrypted | NO |
| All emails consistently encrypted | NO |
| Calendar items and invites encrypted | NO |
| Tasks encrypted | NO |
| Emails encrypted while stored in the Exchange server transport | NO |
| Client Support | |
| Mac/OSX Support | |
| Android Support | NO |
| Browser Support | YES |
| Distribution lists supported from POP3 and IMAP clients | YES |
| Key Management | |
| Keys are maintained by the end-user | NO |
| Office 365 Feature Support | |
| Server-side operations such as search and sort on encrypted data (10) | NO |
| Recipient can access their email seamlessly through their inbox | NO |
| Recipients must maintain an MSOL account | YES |
| Message Previews | NO |
| e-Discovery support on encrypted data (12) | NO |
| Scanning encrypted messages for policy violations (13) | NO |
| DLP support for encrypted messages (14) | NO |
| Message archiving support for encrypted messages (15) | NO |

(10) In order to provide server-side operations including search and sort, Microsoft decrypts your data and processes it in the clear.
(11) http://technet.microsoft.com/en-us/library/dd298021(v=exchg.150).aspx
Appendix C
Exchange Information Rights Management (IRM)
IRM, built on Microsoft AD Rights Management Service (RMS), outlines content access control based on policy. The policy can be defined per message or document, and permissions are granularly defined including reading, copying and pasting, editing, or printing content.
How IRM Works
IRM utilizes public-key cryptography – public and private keys. When IRM is applied to an email message, once the item is in the Exchange system a key is generated per item to maintain restrictions and access associated with the content. The per-item key is encrypted using the RMS public key. When the item is sent, it is accompanied by a license specifying the restrictions and limitations in accessing the content. The recipient’s client software must contact the RMS server in order to decrypt the message, and should respect (but cannot enforce) the attached RMS license.
IRM Limitations
IRM defines and provides notification of specific corporate polices for a subset of data and email transfers. However, IRM is not intended for use as a security tool and is limited in the following areas:
• Email subjects are not encrypted. The following example highlights the importance of encrypting subjects in addition to email messages: Subject: “Request 20% Discount for ABC Bank proposal to beat Competitor N”
• Not encrypted: calendars, invitations, tasks and other Exchange items.
• Internal email messages are encrypted only after they arrive at the Exchange server unless sent from Outlook.
• Messages are only encrypted when sent internally. If a single recipient is external, the email will not be encrypted when sent to any of the recipients, nor will it be encrypted in the sender’s Sent Items folder.
• Only Microsoft desktop clients, mobiles and OWA support IRM. Mac Mail, POP3, IMAP, Linux and Thunderbird are not supported.
• The Exchange server has access to the encryption keys and decrypts IRM messages when performing the following:
  - Indexing messages for server searches
  - DLP scanning and Transport Rule evaluations
  - Journaling
  - OWA views
  - ActiveSync downloads
  - OWA indexing
• The Exchange server provides bulk decryption of messages, which is unacceptable for many security-aware or regulated organizations.
• Administrators must configure a highly-available AD RMS infrastructure in order to maintain functionality.
• Message previews are not supported. In particular, the OWA short preview and conversation view are blank.
IRM Key Management
Individual users are provided with private keys for decryption based on their AD identity. Public keys are generated and encrypted per message and accompany the message when sent.
The AD RMS private key is either stored in an on-premises RMS server, requiring a solid backup facility, or on an Office 365 RMS server with an on-premises hardware security module (HSM). Although the keys are stored on premises, the Exchange server constantly accesses the keys and decrypts the content to enable ActiveSync, OWA, journaling, indexing and transport scanning.
IRM Support Summary
| Encryption Feature | IRM |
|---|---|
| Encryption | |
| Internal messages encrypted – once they arrive at the Exchange server | YES |
| Email subjects encrypted | NO |
| Outgoing email messages encrypted at the sender's client | YES |
| Incoming email messages encrypted | NO |
| Calendar items encrypted | NO |
| Tasks encrypted | NO |
| Encryption achieved seamlessly | NO |
| Client Support | |
| Mac/OSX Support | NO |
| Android Support | NO |
| POP, IMAP | NO |
| Key Management | |
| Tenant organization retains exclusive access to encryption keys | NO |
| Office 365 Feature Support | |
| Server-side operations such as search and sort on encrypted data (16) | NO |
| Message Previews | YES |
| e-Discovery support on encrypted data (17) | NO |
| DLP support for encrypted messages (18) | NO |
| Message archiving support for encrypted messages (19) | NO |

(16) In order to provide server-side operations including search and sort, Microsoft decrypts your data and processes it in the clear.
(17) In order to provide native Exchange feature support, including e-discovery, DLP and archiving, Microsoft decrypts your data and processes it in the clear.
(18) In order to provide native Exchange feature support, including e-discovery, DLP and archiving, Microsoft decrypts your data and processes it in the clear.
(19) In order to provide native Exchange feature support, including e-discovery, DLP and archiving, Microsoft decrypts your data and processes it in the clear.