Data Security and Privacy Certification
Introduction to encryption
Email encryption
Organizations are buying email encryption TODAY
They can buy from YOU or they can buy from your competitor
Once you have an encryption customer they are a customer for life, as changing providers is costly and complex
What is encryption
• Encryption transforms readable data (plaintext) into unreadable data (ciphertext) using an algorithm and a key
• Only those possessing the decryption “key” can turn the ciphertext back into readable data
• Encryption and decryption are as old as the art of communication: they have been used for centuries, and in time of war, to protect confidential information from the enemy
Encryption benefits
With a focus on policy-based encryption:
• Prevents confidential information from being read, in transit or at rest, by anyone other than the intended recipient (the holder of the decryption key)
• Helps organizations meet compliance regulations
• Automatically encrypts emails based on pre-defined policies, so protection does not depend on the sender remembering to act
• Enables security audits and tracking
Gartner recommends that all companies make efforts to broadly install encryption across all their workstations
Why?
• To comply with data protection regulations
• To follow best practices
• To take a more proactive approach to data protection and avoid
– high costs
– heavy fines
– brand damage
Organizations want to buy from YOU!
Solutions involving encryption have seen the biggest increase in IT budget
If they don’t, they are vulnerable to...
• Significant fines
• Loss of reputation
• Loss of customers
The cost of encryption
• The cost of a data breach is almost always far higher than the cost of investing in preventive measures
• Organizations can pay for encryption upfront or run
Best practice
• Because unencrypted email can be read at any hop between sender and recipient, encrypting it is synonymous with best practice
• Most companies, even if not in regulated industries,
Did you know?
• Email is still the #1 communications tool
• Workers spend on average 152 minutes per day on email
• 1 in 5 outgoing emails contains content that poses a legal, financial, or regulatory risk
• 75% of all corporate email contains some intellectual property
• Worldwide email accounts are projected to increase from over 2.9 billion in 2010 to over 3.8 billion by 2014
• 26% of these will belong to corporate users
Encrypting everything?
• Encrypting everything is only a viable solution if time and money are not factors in the decision process:
– High up front capital investment in the encryption solution – most are not subscription model-based
– Investment in newer equipment that can handle the burden of constant encryption
– Increased training in both solution administration and management
– Additional administration of password or key management
Data leakage
Data leakage
• Since the invention of the floppy disk, data leakage has been on the minds, and often in the nightmares, of all IT security personnel
• You could draw a direct correlation between data leakage and the creation of the IT security industry as a whole
Defining data leakage
THE HUMAN EFFECT (inadvertent)
• Verbally reveals confidential information to outsiders
• Confidential information is revealed on Twitter, Facebook, etc.
• An ex-employee discusses trade secrets with a new employer
• Confidential data is inadvertently left in a public place
THE TECHNOLOGY EFFECT (malicious)
• Malicious hacking or use of viruses, bots, trojans, etc., to gain access to critical systems through corporate firewalls and other safeguards
• Sharing secure email communications via insecure channels
• Downloading confidential information to portable devices such as thumb drives, iPods, etc.
• Physically stealing laptops, hard drives, etc.
New data leakage culprit
• Mobile devices are not part of the
internal company network
• Organizations are embracing BYOD
(bring your own device)
• With a mobile workforce
organizations rely more on mobile devices than ever before
The cost of a data breach
• $140 per record
• $14 M cost on average (100,000 records)
• $5 M: notification, legal expenses, discounts, telecoms
• $7.5 M: opportunity cost: retention and acquisition of customers
The cost keeps growing
• $1.5 M: productivity losses due to additional load on staff
• ChoicePoint: $79 per record lost (Gartner)
• $11.5 M in expenses directly related to the exposure
• $15 M settlement with the Federal Trade Commission
• Average: $79 per record disclosed
• 75 out of 150 companies surveyed had a data loss in the last 12 months (Deloitte survey)
Encryption sales tools
Understanding customer needs
Before you can fit an encryption solution to a customer, ask yourself the following questions:
• Does your customer require:
– End to end email security, i.e. from desktop to desktop?
– Policy enforcement?
– Encryption for a mobile workforce?
– Secure exchange with parties outside the company network?
The answers to your questions will lead you down one of the following paths:
• End to end email encryption – Desktop encryption, i.e. messages are encrypted directly at the desktop by the sender
• Policy enforcement – Policy-based encryption, i.e. emails are automatically encrypted at the gateway based on pre-defined policies
• Mobile workforce – Mobile encryption, i.e. emails can be sent and received encrypted from any mobile device
• Outside the company network – Portal encryption, i.e. emails are exchanged in a secure environment outside the company network
Email encryption solutions
Talk to the decision maker
• Chief Info Security Officer (CISO)
• Chief Compliance Officer (CCO)
• Chief Information Officer (CIO )
• VP IT
• Director Security
• Director MIS
• Data processing
• Security architects
• Information architects
Tell them what they want to hear
• Easy to use email encryption for IT and end users i.e. forgot password link and other features means fewer calls to IT
• Minimum steps to send an encrypted email
• Industry best in registration and pick up of emails
• Administration console
• Encryption expertise: working with someone that understands encryption
How to displace the competition
• Push and pull delivery i.e. recipient can choose how they would like to receive their messages
• Plain text notifications are branded and trusted so recipients know it is not spam
• Easy to use for mobile devices
• Robust pick up center
• Compliance driven reporting engine
• Create bulk keys
How to displace the competition
• Supports standards based encryption
• Digital signatures on all notifications and messages
• Trusted CA and Webtrust audited http://bit.ly/z6Odet
• Interoperates with 3rd party PGP and S/MIME services
Talk technology
• Cloud-based credential management
• Data is digitally signed
• Data remains encrypted while stored in the cloud
• Standards-based PKI, X.509 certificates
• Rapid deployment of multiple encryption applications on one platform
• Encryption complexities are hidden from the end user
• Provide credential and identity-management services
• Enable secure communications across a wide range of applications, media, and mobile devices
Technically speaking
Types of email encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions)
Included by default in email clients such as Outlook; relies on a Certificate Authority (CA) to issue a secure email certificate that binds the user’s identity to their public key
PGP (Pretty Good Privacy)
Takes a de-centralized approach to email encryption and does not rely on a CA: the user creates their own key pair and can choose the key size, the signing algorithm and an expiry date, and trust is established user-to-user (the “web of trust”). PGP is complicated to manage at scale
TLS (Transport Layer Security) / SSL (Secure Sockets Layer)
Encrypts the connection between two mail servers, not the message itself: the message is protected only for that hop, sits in cleartext on each server along the way, and travels unprotected if any server on the path does not offer TLS. It complements, but does not replace, S/MIME or PGP
Understanding S/MIME
S/MIME provides two security services:
1. Digital signatures
2. Message encryption
Understanding digital signatures
• Digital signatures are the digital counterpart to the traditional, legal signature on a paper document
• As with a legal signature, digital signatures provide the following security capabilities:
1. Authentication
2. Nonrepudiation
3. Data integrity
These security capabilities are the core functions of digital signatures. Together, they assure recipients that the message came from the sender, and that the message received is the message that was sent
Understanding digital signatures
• Authentication: A signature serves to validate an identity. It verifies the answer to “who are you”. Because SMTP itself does not authenticate the sender, there is no way to know who actually sent an ordinary message. Authentication in a digital signature allows a recipient to know that a message was sent by the person or organization who claims to have sent it, that is, by whoever holds the private key matching the signing certificate.
• Nonrepudiation: The uniqueness of a signature prevents the owner of the signature from disowning it. This capability is called nonrepudiation. Thus, the authentication that a signature provides gives the means to enforce nonrepudiation. The concept is most familiar in the context of paper contracts: a signed contract is a legally binding document, and it is very difficult to disown an authenticated signature. Nonrepudiation holds only as long as the private key stayed under the signer’s sole control, which is why a compromised key must be revoked promptly.
• Data integrity: An additional security service that digital signatures provide is data integrity. With data integrity services, the recipient is assured that the e-mail message has not been altered in transit: any change to the signed content causes the signature check to fail.
Understanding digital certificates
• A digital certificate is an electronic “document” that binds your identity to your public key, signed by a Certificate Authority; it is what lets recipients check your digital signature and lets senders encrypt to you
• Follows the X.509 standard
• Think of a digital certificate as you would of a passport: issued by a trusted authority, it vouches for who you are
Message encryption
• Digital signatures provide data integrity
• They do not provide confidentiality
• Messages with only a digital signature are sent in cleartext, similar to SMTP messages, and can be read by others
• To protect the contents of e-mail messages, you must use a message encryption solution like Echoworx Policy-Based Encryption
Types of encryption
Symmetric encryption
• The oldest and best-known encryption technique
• A secret key, which in modern ciphers is a random bit string (for example a 128- or 256-bit AES key), is applied to the text of a message to change the content in a particular way
• In its simplest historical form it can be as easy as shifting each letter by a number of places in the alphabet
• As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key
• The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands
• Anyone who knows the secret key can decrypt the message
Asymmetric encryption
• Uses two keys rather than one, known together as a “key pair”
• The public key (key #1) is made freely available to anyone who might want to send a message
• The private key (key #2) is kept secret
• Messages encrypted using a public key can only be decrypted with the matching private key, so publishing the public key poses no risk: it cannot be used to decrypt
• Asymmetric operations are much slower and more processor-intensive than symmetric ones (the cost comes from the mathematics, not from any extra security), so in practice S/MIME and PGP encrypt the message body with a random symmetric key and use the recipient’s public key only to encrypt that key
• PKI (Public Key Infrastructure) uses asymmetric encryption
Pulling it all together
• NON-REPUDIATION: proof of signature, i.e. legally binding
• INTEGRITY: ensures the email message has not been altered in transit
• CONFIDENTIALITY: keeping information private
• AUTHENTICATION: validates an identity, i.e. who are you
Digital signatures (built on hash algorithms and the sender’s private key) provide non-repudiation, integrity and authentication; message encryption provides confidentiality
Understanding CAs
(certificate authority)
• A CA is a trusted third-party organization or company that issues and manages digital certificates
• The role of the CA is to verify that the person granted the digital certificate is who they say they are before issuing it
• CAs are a critical component in data security because parties exchanging information rely on them to confirm that the other side is really who they claim to be
• Echoworx is a trusted CA and, in order to maintain that designation, is WebTrust audited by Deloitte annually
• There are two types of CAs:
1. Private CA – held by a private entity (company, administration, the military); its certificates are trusted only where its root has been installed
2. Public CA – a publicly trusted CA whose root is distributed in browsers and email clients, so its certificates are trusted by outside parties
Understanding PKI
(Public Key Infrastructure)
• PKI is a set of standards, procedures, software, and people for implementing authentication using public key cryptography
• PKI is the infrastructure that manages digital certificates. It is used to request, install, configure, manage and revoke digital certificates
• PKI offers authentication via digital certificates, and these digital certificates are signed and provided by a Certificate Authority
• PKI uses public key cryptography and works with X.509 standard certificates
• PKI enables authentication, nonrepudiation, and data integrity
• PKI is an infrastructure in which many things happen and is not a process or algorithm itself, so PKI consists of a number of components that together make the infrastructure work
PKI includes
1. A Certificate Authority (CA), which issues digital certificates
2. A directory that stores digital certificates
3. A registration authority (RA) that handles enrollment requests for digital certificates
4. A revocation mechanism (certificate revocation lists or OCSP), so relying parties can learn that a certificate is no longer valid, for example after a key is lost or stolen
Policy-based encryption
Policy-based encryption
Automatically encrypts email at the
gateway based on pre-defined policies and
procedures
Policy-based encryption
• Automatic email encryption based on pre-defined policies and procedures
• No encryption action required for users and administrators
• Fully hosted, easy-to-use service
• Eliminates the need for on-premise installation
• Flexible message delivery options to users and non-users of policy-based encryption
• Easy for recipients to receive and reply securely to messages
• Supports mobile devices including iPhone, BlackBerry and Android
• Works with third-party S/MIME and PGP credentials
• Supports multiple tenancy, branding and multiple levels of administration
Deployment
• Boundary-based S/MIME encryption in the cloud (SaaS)
• Customers use their existing TLS channel to deliver messages, no extra deployment is needed
• Uses standard email protocols for communication
• Typical installations include the Echoworx policy engine residing on premises with the messages travelling via TLS connection to the Encryption engine at an Echoworx secure facility
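The decision a policy-based gateway makes for each outbound message, as an added example that is not part of the original deck or of the Echoworx policy engine: a Python function that parses an RFC 5322 message with the standard library, evaluates an ordered rule set and returns the action the gateway would take. The rule set (an internal domain, a restricted project term, a US SSN pattern and HIPAA-style keywords) and the sample messages are constructed for the illustration; a real customer’s policies would differ. It also handles the case a keyword engine is weakest on, a binary attachment it cannot read, by treating that as a reason to encrypt rather than letting the message pass.

```python
"""Added illustration (not Echoworx code): the per-message decision of a
policy-based encryption gateway. The rule set and the sample messages are
constructed for the example; the first matching rule wins."""
import re
from email import message_from_string, policy
from email.utils import getaddresses

# --- constructed example policy for a fictional health-care customer ---
INTERNAL_DOMAINS = {"example-health.org"}           # mail between these never leaves
RESTRICTED_RE = re.compile(r"\bproject aurora\b")    # must never leave the environment
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US social security number shape
KEYWORD_RE = re.compile(r"\b(phi|patient|diagnosis|medical record)\b")


def inspectable_text(msg) -> str:
    """Subject plus every text part; anything else is opaque to keyword rules."""
    parts = [str(msg.get("Subject", ""))]
    parts += [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join(parts).lower()


def has_opaque_attachment(msg) -> bool:
    """A PDF, archive or encrypted blob cannot be keyword-scanned."""
    return any(p.get_content_disposition() == "attachment"
               and p.get_content_maintype() != "text" for p in msg.walk())


def classify(raw_message: str) -> dict:
    """Return {"action": deliver|encrypt|quarantine, "rule": <rule that fired>}."""
    msg = message_from_string(raw_message, policy=policy.default)
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr.lower() for _, addr in getaddresses(headers) if addr]
    text = inspectable_text(msg)

    if recipients and all(r.rsplit("@", 1)[-1] in INTERNAL_DOMAINS for r in recipients):
        return {"action": "deliver", "rule": "internal-only"}       # stays inside
    if RESTRICTED_RE.search(text):
        return {"action": "quarantine", "rule": "restricted-term"}  # hold for review
    if text.startswith("[secure]"):
        return {"action": "encrypt", "rule": "user-flag"}           # sender asked
    if has_opaque_attachment(msg):
        return {"action": "encrypt", "rule": "opaque-attachment"}   # cannot scan it
    if SSN_RE.search(text):
        return {"action": "encrypt", "rule": "ssn-pattern"}
    if KEYWORD_RE.search(text):
        return {"action": "encrypt", "rule": "sensitive-keyword"}
    return {"action": "deliver", "rule": "default"}


# --- constructed sample messages (fictional addresses) ---
SAMPLES = {
    "ssn_to_outside": (
        "From: billing@example-health.org\nTo: Pat Lee <pat@mail.example>\n"
        "Subject: Account follow-up\n\nPat, the SSN on file is 123-45-6789, please confirm.\n"),
    "ssn_internal": (
        "From: billing@example-health.org\nTo: audit@example-health.org\n"
        "Subject: Account follow-up\n\nSSN on file: 123-45-6789.\n"),
    "restricted": (
        "From: cto@example-health.org\nTo: partner@vendor.example\n"
        "Subject: update\n\nProject Aurora slips a quarter.\n"),
    "user_flag": (
        "From: dr.kim@example-health.org\nTo: pat@mail.example\n"
        "Subject: [SECURE] Lab results\n\nSee below.\n"),
    "pdf_attachment": (
        'From: records@example-health.org\nTo: pat@mail.example\n'
        'Subject: Your scan\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        '--b1\nContent-Type: text/plain\n\nSee attached.\n'
        '--b1\nContent-Type: application/pdf\n'
        'Content-Disposition: attachment; filename="scan.pdf"\n'
        'Content-Transfer-Encoding: base64\n\nJVBERi0=\n--b1--\n'),
    "benign": (
        "From: it@example-health.org\nTo: sales@vendor.example\n"
        "Subject: Demo slot\n\nDoes Tuesday at 2pm work?\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {classify(raw)}")
```

Rule order matters: the internal-only check comes first so that an SSN sent to the audit team is delivered normally, and the restricted-term check precedes the user flag so that a sender cannot release restricted content simply by marking it [SECURE]. The opaque-attachment rule is the practical caveat: a keyword engine only protects what it can read, so unscannable attachments should be encrypted (or blocked) by policy rather than assumed clean.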
How it Works
Desktop email encryption
• Emails are encrypted at the desktop by the sender, so the message content is never in cleartext on the mail server, the gateway or the network, and cannot be read by anyone other than the intended recipient
• Not even IT can read an email that is encrypted at the desktop, unless the organization operates key recovery (escrow) for its users’ private keys
Desktop email encryption
• Users can send encrypted messages to anyone
• Non-encryption users access their messages through a secure pickup portal
• Provides endpoint to endpoint encryption (S/MIME)
• Seamless integration with popular email clients like Outlook
• Stand-alone “reader” works with web-based email clients like Gmail
• Use PKI for digital certificate management and message encryption
• Centrally and dynamically branded user interface
Deployment
• Desktop application is deployed in one of two ways:
– “Pushed out” with MSI (Microsoft Installer), or
– One-time installation of software on each desktop or laptop
• PKI is managed offsite by Echoworx
• Message pickup for non-encryption users is a fully managed web-based portal
Portal encryption
Portal email encryption
• Secure web-based portal that enables disparate organizations to work together and share confidential information within a secure environment
• Fully branded for each customer
Portal email encryption
• Secure, encrypted communication web portal
• No desktop software needed and can be used by any desktop or mobile browser
• Full audit and tracking capability around message access i.e. read receipts, email notifications, etc.
• Messages are stored encrypted
• Includes an inbox for self management and message compose
Deployment
• SaaS operated model through a secure https channel
• Acts as a closed community portal
• Enables non-subscribers to pickup secure messages
• Supports multiple tenancy, branding without deployment
How it works
Mobile encryption
• On-the-device email encryption solution
• Enables mobile users to send and receive encrypted messages directly on their mobile device
• IT administrators can easily provision and manage users over-the-air (OTA)
• Employees can use their existing company email address to send and receive encrypted messages directly on their device
• Encrypted messages can also be read on a desktop
Mobile encryption
• All messages are received and stored encrypted on the device
• The credentials are stored encrypted in the native keychain
• User activation, provisioning, and credential management are all done over-the-air
• Encrypted data stays protected if the device is lost, stolen or compromised, because decrypting it requires the user’s password as well as the key held on the device
• Secure messages are stored on the phone, and sent messages are available for archiving
• Draft messages are automatically saved
• Enterprise users can send encrypted messages to anybody using their existing email account
• Non-subscribers pick up encrypted messages from a secure pickup center
• Enables strong authentication with a local key and a password
• Issues PKI X.509 certificates that are backed by a globally recognized Certificate Authority
• Easy to use enterprise tools for bulk enrolling users, revoking certificates, key recovery, password recovery, and customized branding
User Experience (iOS)
COMPOSE SCREEN
• Open the app and choose “compose”
• Compose an email and click “encrypt”
• The content is encrypted immediately; then press send
HOME SCREEN
• Compose a new message • View draft messages • Review sent message
VIEW MESSAGES
• Simply click on the message • Enter your secure password
which decrypts the message for viewing
• Choose “verify” to see the sender’s profile
NON-SUBSCRIBERS
• mobilEncrypt automatically forwards the message to the portal
• An email notification is then sent to the recipient
Deployment
• Deployment can be done individually by the employee where they simply
download the app from the app store
• Or deployment can be done by IT, where the IT manager pushes the plug-in
directly to the device
• Through the Admin Console, administrators have the ability to manage users
i.e. adding new users and providing unique activation codes, deleting users, revoking keys, etc.
Mobile security strategy
Securing the mobile enterprise involves several layers: policies, awareness and education; mobile malware, phishing and anti-virus; VPN on mobile phones; mobile device management (MDM); mobile email encryption; mobile credentials and credential management
Organizations require a comprehensive set of mobile usage policies.
For example:
• Define BYOD (bring your own device)
• Rules for handling malware and viruses on devices
• Rules for handling VPN access and corporate assets
• MDM (mobile device management) strategy
• Protecting confidential data
Encryption and MDM – THE MISSING LINK
(Diagram: mobile device management covers theft/loss protection, application management, settings management, asset management and security enforcement; email encryption covers credential management (PKI, CA, S/MIME) and an SDK/API)
MDM ADVANTAGES
• MDM solutions play a key role in tracking, locating and remotely wiping mobile devices
• These capabilities support inventory management and strengthen security
MDM CHALLENGES
• There can be a significant time lag between a device being lost or stolen and IT disabling it
• Users do not contact IT the moment they notice their device is missing; they hope it will eventually turn up
• That waiting period is all the time an attacker needs to power the phone off, then power it on somewhere with no network, where IT cannot reach it to wipe it remotely
THE MISSING LINK
• On-device email encryption keeps messages and credentials encrypted through that window, so the data stays protected whether or not the wipe command ever arrives
Customer scenarios
Challenge
• The IT administrator of a small regional law firm asks if you provide a solution that can help his
attorneys secure confidential emails to their clients
• The solution should be easy to use, securing an individual email with a single click of a button
• No IT staff available; the solution would rely on each attorney’s judgment
• The solution should ensure that the email is secure from the attorney to the client, never traveling with the actual message unencrypted
Solution
• You recommend Desktop encryption
• Key factors you picked up on were:
– Easy to use
– No IT staff, so any solution would rely on the individual attorney’s judgment
– Ensure that the email is secure from the attorney to the client, never traveling with the actual message unencrypted
Challenge
• A National healthcare organization is actively seeking a way to secure emails and comply with HIPAA
• They want to ensure that the messages never leave their environment if they contain certain key
words or phrases
• They realize that human error plays a part in everything, and the organization needs a solution that
will AUTOMATICALLY encrypt emails based on pre-defined polices
• Their requirements include: easy to use, automated, and flexible policy management
Solution
• You recommend Policy-based encryption
• Key factors you picked up on were:
– Messages never leave their environment if they contain certain key words or phrases
– Needs a solution that will AUTOMATICALLY encrypt emails based on certain rules or policies
– Requirements: easy to use, automated, and flexible policy management
Challenge
• A global insurance company uses independent agents to sell its suite of products to the market
• The CIO understands that they have little ability to influence the technical knowledge or infrastructure used by their agents
• Requirements:
– Ensure that agents send and receive sensitive emails securely
– They don’t want to set policies or train the agents on proprietary software
– Simple, centralized location that the agents can log into and send or receive encrypted Emails, regardless of their hardware platform
– Ability to add and subtract authorized users in a quick and efficient manner
Solution
• You recommend Portal-based encryption
• Key factors:
– No ability to influence the technical knowledge or infrastructure their agents use
– Does not want to set policies or train the agents on a proprietary software technology
– Simple, centralized location that the agents can log into and send or receive encrypted emails, regardless of their hardware platform
Resources
• For educational papers, product sheets, videos and more:
http://www.echoworx.com/resources/
Certification is just a test away!
• You are very close now to becoming Echoworx certified
• Use what you have learned from this PPT and take the test
• Visit: http://www.echoworx.com/partners/