White paper
Why Encrypt?
The same can be said of enterprise data. If a company’s success is increasingly determined by its ability to act on information, a fundamental requirement of that success is the enablement of unfettered communications between co-workers, partners and clients.
Why encrypt?
For many companies, data loss prevention (DLP) has, for too long, emphasised the management of internal data, blocking sensitive information from leaving company networks. But this is not a real world solution when email continues to be the main channel over which employees distribute and share what is often confidential information.
Research undertaken by the Enterprise Strategy Group indicates that up to 75 per cent of intellectual property is sitting in email data stores. Forrester’s finding that email is second only to removable storage as the most common cause of enterprise data leakage puts a worrying slant on that first statistic, not least when you factor in their finding that one in five outgoing emails contains data that poses a legal, financial or regulatory risk. The great challenge of email is that its ubiquity and centrality to any organisation make it simultaneously the most vital and most vulnerable link in the business chain.
Encryption is a vital component of any DLP strategy. It allows businesses to exchange sensitive information without compromising on security; even if data is intercepted, encryption makes it unreadable and renders it tamper-proof.
The evolving business landscape
While many organisations recognise the need to enable pervasive use of email and other, evolving, communications channels, they’re also increasingly concerned about the IT security risks arising from more open communications across the business. Preventing data loss, from accidentally misdirected email to the intentional and malicious revelation of trade secrets by an aggrieved employee, is a significant issue for any business.
Additional pressures have come in the form of a growing range of government and industry regulations aimed squarely at data security and privacy. In most of the world’s major markets, data security and privacy are now mandated by law for companies of all sizes and across industry sectors. Federal laws such as SOX, GLBA, HIPAA, the UK’s Data Protection Act and other similar national data privacy legislation in Australia and Japan, among others, all require that organisations don’t simply put policy in place and then forget about it, but that they proactively seek to prevent data breaches.
In the UK, for example, the Information Commissioner (ICO) has announced that data losses that occur ‘where encryption software has not been used to protect the data’ are likely to result in regulatory action against the offending organisation. Since 2010, the ICO has had the power to fine organisations that breach the Data Protection Act, with the largest fine to date being issued in June 2011: £120,000 for incorrectly addressing sensitive emails.
Meanwhile, in the US, the Ponemon Institute reports that the average cost of a cyber attack in the year to August 2011 was $416,000 – a 70% increase on the previous year. The same research found that each breach took an average of 18 days to resolve, rising to 45 if the source of the leak came from within the organisation.
Apart from the financial costs, current and future business lost through reputational damage and diminished customer trust form a significant component of the damage that can be caused by even the smallest of breaches. Waiting for something to happen isn’t just bad practice, it’s placing increasing pressure on IT security professionals tasked with managing and mitigating risk in a threat landscape that’s changing on an almost daily basis.
With research from a broad range of sources indicating that not only are data breaches on the rise, so too are the costs associated with them (upwards of £71 per record, translating into almost £2 million per average incident in the UK in 2010, according to the Ponemon Institute), the stakes have never been higher. Research from the Ponemon Institute has found that 75 per cent of organisations implement security solutions after data breaches, with 70 per cent of them selecting encryption as their preventative measure of choice.
Clearswift’s SECURE Email Gateway provides an easy-to-use approach to secure email conversations. The technology enables customers to provide the privacy, authenticity and integrity of communications that secure messaging offers, but without the complexity and high administration costs of other systems. The Clearswift SECURE Email Gateway with integrated encryption technology enables businesses to communicate with confidence while protecting them from the risk of sensitive data loss. Encryption and decryption are performed automatically and centrally, within flexible policy parameters and without the need for user interaction.
Choosing an email encryption solution
Simply adopting a one-size-fits-all approach and encrypting all company data is a costly exercise. Not all data is sensitive, and encrypting everything that enters and leaves your network can become a drain on resources as well as creating an unnecessary layer of complexity over day-to-day data access and use.
Among the factors to consider when choosing an encryption solution are user experience, deciding when to encrypt and the choice of underlying technology.
‘Data losses that occur where encryption software has not been used to protect the data are likely to result in regulatory action’
Clearswift’s Encryption Technologies: Key features

Each technology is rated on seven features: encrypted site to site, encrypted site to recipient, encrypted desktop to desktop, standards based, crypto strength, key exchange or password required, and recipient transparency.

TLS: site to site Yes; site to recipient No; desktop to desktop No; standards based Yes; crypto strength Medium; key exchange or password No; recipient transparency Yes.

S/MIME, PGP: site to site Yes; site to recipient Yes; desktop to desktop Yes; standards based Yes; crypto strength High; key exchange or password Yes; recipient transparency: site to site Yes, encrypted to recipient may require key and client plugin.

Password (Windows): site to site No; site to recipient Yes; desktop to desktop No; standards based Yes; crypto strength Medium; key exchange or password Yes; recipient transparency Yes.

Password (AES): site to site No; site to recipient Yes; desktop to desktop No; standards based Yes; crypto strength High; key exchange or password Yes; recipient transparency: requires a Zip package that supports AES256.

Portal: site to site No; site to recipient Yes; desktop to desktop No; standards based Yes; crypto strength High; key exchange or password No; recipient transparency: may require plugin for “push”.
It’s a fact of human nature that the more difficult or cumbersome it is to do something, the more likely people are to find a way of side-stepping it. Make the corporate email security experience a painful one and it’s likely that many of your employees will simply try to circumvent the system, using webmail accounts to transmit company data. It’s vital that you factor ease of use into your choice.
When to encrypt
Best practice calls for encryption to be part of an automatically enforced Email Security Policy. Removing the decision-making from end users doesn’t mean limiting their ability to share and communicate information, however. A flexible system is context and content aware, subjecting data to deep analysis, content inspection and examining intended recipients before making the decision to encrypt whether the end-user selects that option or not.
Clearswift’s SECURE Email Gateway contains built-in routines allowing organisations to define automated parameters that will trigger encryption based on any of the following elements of a message:
• Sender
• Recipient
• Subject line
• X-header
• Message body
simple word scanning.
Using defined triggers, SECURE Email Gateway may choose to encrypt a message containing an excessive number of credit card or social security numbers, for example. The solution can also use pre-defined dictionaries or permit users to create their own set of words and weightings. Clearswift’s solutions can detect business terms and profanities in 40 languages; an extensive collection of managed lists, editable terms and compliance dictionaries includes:
• Payment Card Industry Data Security Standard (PCI DSS)
• Personally identifiable information
• Basel II
• Data Protection Act
• Gramm-Leach-Bliley Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Securities and Exchange Commission (SEC)
• Sarbanes-Oxley Act (SOX)
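The content-triggered policy described above can be illustrated with a small rule engine. This is an added example, not Clearswift’s code or rule syntax: it validates candidate card numbers with the Luhn check so that random 16-digit strings do not trigger encryption, counts social security numbers, sums weighted dictionary terms, and skips encryption for recipients inside the organisation. The thresholds, weights, dictionary terms, domain names and sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical policy values (constructed for this example, not Clearswift's).
INTERNAL_DOMAINS = frozenset({"corp.example"})
DICTIONARY = {"confidential": 3, "merger": 5, "salary": 2}  # term -> weight
CARD_WEIGHT = 10     # each Luhn-valid card number adds this much
SSN_WEIGHT = 10      # each SSN-shaped number adds this much
ENCRYPT_THRESHOLD = 5

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN shape: AAA-GG-SSSS, excluding the ranges that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_card_numbers(text: str) -> int:
    """Count digit runs that look like a PAN and pass the Luhn check."""
    hits = 0
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits += 1
    return hits


@dataclass
class Verdict:
    encrypt: bool
    score: int
    reasons: list = field(default_factory=list)


def evaluate(message_text: str, recipient: str) -> Verdict:
    """Decide whether the gateway should encrypt this message."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        # Internal mail never leaves the organisation; no encryption trigger.
        return Verdict(False, 0, ["recipient is internal"])

    score, reasons = 0, []
    cards = count_card_numbers(message_text)
    if cards:
        score += CARD_WEIGHT * cards
        reasons.append(f"{cards} Luhn-valid card number(s)")
    ssns = len(SSN_RE.findall(message_text))
    if ssns:
        score += SSN_WEIGHT * ssns
        reasons.append(f"{ssns} social security number(s)")
    lowered = message_text.lower()
    for term, weight in DICTIONARY.items():
        n = len(re.findall(r"\b" + re.escape(term) + r"\b", lowered))
        if n:
            score += weight * n
            reasons.append(f"'{term}' x{n} (weight {weight})")
    return Verdict(score >= ENCRYPT_THRESHOLD, score, reasons)


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test PAN.
    for text, rcpt in [
        ("Card on file: 4111 1111 1111 1111, exp 12/29", "bob@partner.example"),
        ("Reference 1234 5678 9012 3456 is not a card", "bob@partner.example"),
        ("The merger terms are confidential.", "bob@partner.example"),
        ("Card on file: 4111 1111 1111 1111", "carol@corp.example"),
        ("Lunch on Thursday?", "bob@partner.example"),
    ]:
        v = evaluate(text, rcpt)
        print(f"{'ENCRYPT' if v.encrypt else 'clear  '} score={v.score:2d} {v.reasons}")
```

The Luhn check matters: the second message contains a 16-digit run that is not a valid card number, and without the check it would cause a false trigger. Weighted terms let two moderate indicators combine into a trigger, which is what the paper means by words and weightings.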
The underlying technologies
No two companies are identical, so being able to offer a broad range of encryption technology options ensures maximum flexibility. The encryption requirements for securing B2B messages are, for example, likely to differ from those for B2C recipients. The technology used should be user and function appropriate.
encryption options available to end users, in a number of different industry-standard formats: S/MIME, PGP and ad hoc password protection, including AES (Advanced Encryption Standard).
The encryption protocols and standards used in Clearswift’s SECURE Email Gateway solution are:
Transport Layer Security (TLS)
TLS is the email equivalent of Secure Sockets Layer (SSL) for the web. It allows seamless encryption between two servers without encrypting the message itself, offering, if you like, a secure tunnel through which the message can travel. No additional software or interaction between sender and recipient is required. TLS relies on SSL certificates installed on the servers involved to establish a safe, encrypted channel over which messages are delivered. This is particularly useful in situations where two different companies, such as a client and a vendor, wish to exchange confidential data.
Because TLS used in this way doesn’t protect messages sent to other addresses in the public domain, many organisations implement ‘opportunistic TLS’ mode. Messages sent to third parties in this mode automatically seek out and favour a connection using the TLS protocol. This eliminates the need to configure TLS for each separate party an organisation needs to communicate with.

[Figure: TLS between two gateways. Alice sends to Bob through an encrypted tunnel; all traffic on the tunnel is encrypted. The message is un-encrypted inside the sending organisation, is encrypted following a key exchange with the other gateway, is decrypted using the receiving gateway’s private key, and is un-encrypted inside the receiving organisation.]
Clearswift’s SECURE Email Gateway uses both forced and opportunistic TLS.
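The difference between forced and opportunistic TLS comes down to what the sending gateway does when the receiving server does not advertise STARTTLS. The following added example (not Clearswift’s code) parses a constructed SMTP EHLO response for the STARTTLS capability and applies a per-destination policy: forced mode defers delivery rather than sending in the clear, opportunistic mode falls back to plaintext. The policy table, domain names and EHLO responses are all assumptions made up for the example.

```python
from enum import Enum


class TlsMode(Enum):
    NONE = "none"                    # never attempt STARTTLS
    OPPORTUNISTIC = "opportunistic"  # use TLS if offered, else plaintext
    FORCED = "forced"                # use TLS or do not deliver at all


# Hypothetical per-destination policy (constructed): known partners are forced,
# everyone else gets the opportunistic default.
TLS_POLICY = {"partner.example": TlsMode.FORCED}
DEFAULT_MODE = TlsMode.OPPORTUNISTIC


def ehlo_capabilities(response: str) -> set:
    """Extract capability keywords from a multi-line 250 EHLO response.

    The first 250 line carries the server's hostname, not a capability,
    so it is skipped; the rest are '250-KEYWORD ...' or '250 KEYWORD'.
    """
    caps = set()
    lines = [l for l in response.splitlines() if l[:4] in ("250-", "250 ")]
    for line in lines[1:]:
        words = line[4:].split()
        if words:
            caps.add(words[0].upper())
    return caps


def decide(recipient_domain: str, ehlo_response: str) -> str:
    """Return 'starttls', 'plaintext' or 'defer' for this delivery attempt."""
    mode = TLS_POLICY.get(recipient_domain.lower(), DEFAULT_MODE)
    offers_starttls = "STARTTLS" in ehlo_capabilities(ehlo_response)
    if mode is TlsMode.FORCED:
        # Forced: a missing STARTTLS (or a stripped one) must not become
        # a plaintext delivery; queue the message and retry later instead.
        return "starttls" if offers_starttls else "defer"
    if mode is TlsMode.OPPORTUNISTIC:
        return "starttls" if offers_starttls else "plaintext"
    return "plaintext"


# Constructed EHLO responses, as a gateway would receive them.
EHLO_WITH_TLS = (
    "250-mail.partner.example\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_NO_TLS = (
    "250-mail.other.example\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    for domain, resp in [("partner.example", EHLO_WITH_TLS),
                         ("partner.example", EHLO_NO_TLS),
                         ("other.example", EHLO_WITH_TLS),
                         ("other.example", EHLO_NO_TLS)]:
        print(f"{domain:18s} -> {decide(domain, resp)}")
```

The practical point is that opportunistic TLS protects against passive observation only: a party on the path that removes the STARTTLS line from the EHLO response causes an opportunistic sender to fall back to plaintext, which is why partners who regularly exchange confidential data should be configured for forced TLS.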
While the technology is widely used to secure the path over which data is transferred, it doesn’t secure the message itself. To do that, a variety of message encryption techniques are available:
Secure MIME (S/MIME)
This is a standards based message encryption format built on a public key model. Supporting strong encryption, S/MIME is effective for sharing sensitive data with users outside a TLS connection. All users have a pair of keys: one private, one public. Using S/MIME, messages are encrypted and decrypted once the sender and recipient have exchanged public keys. The public key the recipient provides for the sender to encrypt the message is not the same key that decrypts it; that is the recipient’s private key, which is never shared. Knowing the recipient’s public key tells the sender nothing about the private key, thus adding a further layer of security.
Key exchange is both a strength and a weakness. On the one hand, both parties can exchange data with some assurance that they know who they’re communicating with. On the down side, the act of exchanging keys requires a conscious decision on the part of the sender and recipient, inserting an extra layer into what should be the simple process of sending and receiving mail.
Encryption key management can also become an administrative headache. Keys have to be monitored, stored, applied and, on occasion, revoked. They must be available 24/7 if information is to flow freely. For the same reasons, they need to be backed up. In large organisations sending large volumes of email, the number of keys to be managed can grow at an exponential rate.
Clearswift’s encryption solution eliminates these concerns as there are no certificates or keys for users to worry about. The SECURE Email Gateway is centrally configured, encrypting and signing mails without the need for end user action.
S/MIME can be used in gateway to gateway mode, where Systems Administrators create a secure connection between systems in much the same way as they do for TLS, but this method can also be used to secure mail exchanged between desktops. The SECURE Email Gateway automates this process, detecting the content or direction of travel before encrypting on the sender’s behalf in one of the following ways:
1. Desktop to desktop, with content checking of messages
2. Gateway to gateway, with content checking prior to encryption
3. Gateway to desktop, with content checking followed by encryption

[Figure: S/MIME & PGP, gateway to gateway. Alice sends to Bob; the message is sent encrypted. The message is un-encrypted inside the sending organisation, is encrypted using the public key from the target gateway, is decrypted using the private key of the receiving gateway, and is un-encrypted inside the receiving organisation.]

[Figure: S/MIME & PGP, gateway to recipient. Alice sends to Bob; the message is sent encrypted. The message is un-encrypted inside the sending organisation and is encrypted using Bob’s public key, which has been registered in the local certificate store. The message cannot be decrypted by anything that lacks a copy of Bob’s private key; Bob can decrypt the message using his]

OpenPGP (PGP)
This protocol, like S/MIME, defines standard formats for encrypted messages, signatures and certificates for exchanging public keys. Although PGP and S/MIME offer similar services, they have very different formats, making them incompatible and therefore incapable of sharing certificates.
Because Clearswift’s solution supports both standards, secure communication between users of either format is enabled.
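Because S/MIME and PGP use different on-the-wire formats, a gateway that handles both has to recognise which one (if either) a message already carries before it decides to sign, encrypt or pass it through. The following added example, written with Python’s standard email library and not taken from Clearswift’s product, classifies a message as S/MIME enveloped data, S/MIME signed data, PGP/MIME, inline PGP or unencrypted from its MIME headers. The sample messages are constructed, and their base64 and PGP bodies are placeholders, not real ciphertext.

```python
from email import message_from_bytes
from email.policy import default

SMIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def encryption_format(raw: bytes):
    """Classify the outermost encryption/signature format of a raw message.

    Returns one of 'smime-enveloped', 'smime-signed', 'pgp-mime',
    'pgp-inline' or None (no recognised cryptographic wrapping).
    """
    msg = message_from_bytes(raw, policy=default)
    ctype = msg.get_content_type()

    if ctype in SMIME_TYPES:
        # RFC 8551: smime-type tells enveloped (encrypted) from signed data.
        smime_type = (msg.get_param("smime-type") or "").lower()
        return "smime-enveloped" if smime_type == "enveloped-data" else "smime-signed"

    if ctype == "multipart/signed":
        protocol = (msg.get_param("protocol") or "").lower()
        if protocol in SMIME_TYPES + ("application/pkcs7-signature", "application/x-pkcs7-signature"):
            return "smime-signed"

    if ctype == "multipart/encrypted":
        # RFC 3156: PGP/MIME marks the container with this protocol parameter.
        if (msg.get_param("protocol") or "").lower() == "application/pgp-encrypted":
            return "pgp-mime"

    if ctype == "text/plain":
        body = msg.get_payload(decode=True) or b""
        if body.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----"):
            return "pgp-inline"

    return None


def needs_gateway_encryption(raw: bytes) -> bool:
    """A gateway policy only needs to encrypt what is not already encrypted."""
    return encryption_format(raw) in (None, "smime-signed")


# Constructed sample messages (placeholder bodies, not real ciphertext).
SMIME_MSG = (
    b"From: alice@example.org\r\nTo: bob@partner.example\r\n"
    b'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAAAAAAAAAAAAAA\r\n"
)
PGP_MIME_MSG = (
    b"From: alice@example.org\r\nTo: bob@partner.example\r\n"
    b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="sep"\r\n\r\n'
    b"--sep\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
    b"--sep\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\nPLACEHOLDER\r\n-----END PGP MESSAGE-----\r\n--sep--\r\n"
)
PGP_INLINE_MSG = (
    b"From: alice@example.org\r\nTo: bob@partner.example\r\nContent-Type: text/plain\r\n\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\nPLACEHOLDER\r\n-----END PGP MESSAGE-----\r\n"
)
PLAIN_MSG = (
    b"From: alice@example.org\r\nTo: bob@partner.example\r\nContent-Type: text/plain\r\n\r\n"
    b"Quarterly figures attached.\r\n"
)

if __name__ == "__main__":
    for name, raw in [("S/MIME", SMIME_MSG), ("PGP/MIME", PGP_MIME_MSG),
                      ("inline PGP", PGP_INLINE_MSG), ("plain", PLAIN_MSG)]:
        print(f"{name:11s} -> {encryption_format(raw)} "
              f"(gateway encrypts: {needs_gateway_encryption(raw)})")
```

Note that a signed-only S/MIME message is still readable by anyone on the path, so it is treated the same as plaintext for the purpose of the encryption decision; only enveloped data, PGP/MIME and inline PGP already protect confidentiality.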
As with the other encryption technologies used in Clearswift’s SECURE Email Gateway, this process can be automated based on content or destination in one of the following ways:
2. Gateway to gateway, with content checking prior to encryption
3. Gateway to desktop, with content checking followed by encryption

[Figure: Secure Encryption Portal. Alice sends to Bob. The message is un-encrypted from the sender’s gateway, where a notification message is generated for the recipient and sent to preserve SPF (etc.) records for the authenticity of the sender. The message itself is sent to the Pickup Centre using TLS encryption and is secured so that only the intended recipient can read it. Bob receives the notification and clicks on a hyperlink to connect to the portal over browser HTTP/S; Bob can also reply to Alice via the Secure Portal.]
Portal based encryption
As with the other encryption options in Clearswift’s SECURE Email Gateway, portal based encryption can be automated to perform the task on the user’s behalf, based on either content or direction of travel:
1. Gateway to desktop using ‘web pull’ delivery
2. Gateway to desktop using ‘web push’ delivery
Given that the technological savvy of your intended recipient can often dictate which method of encryption you use, it’s worth noting that portal based encryption (PBE) is an easy-to-use method requiring no knowledge of encryption. Encrypted messages sent using PBE can be opened on all types of devices, from PCs to phones and tablets.
Using an Infrastructure as a Service (IaaS) hosted encryption platform in conjunction with the SECURE Email Gateway allows a customer’s users to receive and reply to encrypted messages and attachments without the need for any special client software.
Encryption makes sense
Encryption enables organisations of all sizes and functions to deliver the privacy, authenticity and integrity of communications that today’s business and regulatory environment demands. Clearswift’s SECURE Email Gateway with integrated encryption technology takes the uncertainty, complexity and high administration costs out of the process, enabling businesses to communicate effectively with the confidence that they are protected from the risk of sensitive data loss.
As the international regulatory environment increasingly requires that any organisation engaged in the processing of personal data take proactive steps to protect against leakage, encryption has moved up the business agenda as a key component of any strategy to mitigate risk, including criminal liability, heavy fines and reputational damage. As human error continues to be the main cause of data breach, Clearswift’s automated encryption solution can help your organisation to take the guesswork out of security, providing you with an interoperable one-stop shop for all encryption requirements, giving IT administrators total control over their web and email environments.