Cloud Services
10/18/2014
Cloud Control Panel
Admin Guide
CONTENTS
Description of Policy Based Encryption ... 2
Policy Based Encryption and Email Content Control ... 2
Features Summary ... 3
Creating an Encryption Group ... 3
Defining an Encryption Rule ... 5
Tips & Suggestions ... 8
DESCRIPTION OF POLICY BASED ENCRYPTION
The Policy Based Encryption (PBE) service encrypts specific emails based on a policy – that is, a set of rules designed to analyze all email, and encrypt any email that matches the pre-‐defined conditions.
Policy Based Encryption uses the Email Content Control rules to identify which email needs to be encrypted.
The Policy Based Encryption Service is managed through the same control panel that you use to manage your Anti-‐Virus and Anti-‐Spam settings. This control panel can be accessed through the main Control Panel. Once logged in, click the Boundary Defense for Email icon:
Next, log into the Boundary Defense for Email Control Panel:
NOTE: If the password has been changed in the Boundary Defense for Email Control Panel, password will not be synched back to the Control Panel. In this case, that password that is displaying in the Control Panel will not work.
POLICY-BASED ENCRYPTION &
EMAIL CONTENT CONTROL
The Policy Based Encryption service is closely integrated with the Email Content Control service – the rule that defines whether an email is to be encrypted is set up in the Email Content Control
configuration screens in the Boundary Defense for Email Control Panel. The encryption rule has an action to redirect any emails that meet the rules conditions to a specified encryption email address.
This email address will be sent to the administrator when the service is purchased. This email address is used solely to process and encrypt the email.
FEATURES SUMMARY
PBE
Number of recipient languages supported 12
‘Best Method Of Delivery’ (BMOD)
Encryption strength (-‐bit) 128
Maximum size of an encrypted email (MB) 50
Maximum number of encrypted emails per user per month 240
Offline reading of emails (possible under certain circumstances)
Support for mobile devices (Blackberry and Windows Mobile 5)
Branding
Configurable password policy
Recipients able to reply securely
Secure portal email expiry time (days) 30
Portal session timeout if inactive (minutes) 10
US Infrastructure
European Infrastructure
CREATING AN ENCRYPTION GROUP
Prior to creating any encryption rules, an encryption group must be created. This group needs to be added to each rule, as an exception in order for the mail to be forwarded to the Policy Based Encryption Gateway. See below for instructions for adding this group to the encryption rule.
To create an encryption group:
1. Select Services > Email Services > Platform > User Groups, and click the [Create new group]
button.
2. Enter the Group name, for example “PBE Exclusion Do Not Delete.”
3. In the New users field, enter a non-‐valid email address (such as [email protected]).
4. Click [Add] button.
5. Select [Save and exit].
DEFINING AN ENCRYPTION RULE
To trigger mail to be encrypted, an Email Content Control rule must be configured with an action to redirect the mail to the specified email address for the service you are using. Define the rule to include the specific conditions that you want to cause email to be encrypted, for example, specific words contained in the header or body of the email.
The Email Content Control service scans email against the rules in the order they are listed in the BDE Control Panel portal. If an email triggers a rule with an exit action, it is subject to that action and does not pass on to be scanned for further rules. The redirection action for PBE rules is an exit action. So it is important to put encryption rules towards the bottom of the rule set, so that other rules defined to comply with the organization’s acceptable usage policy are acted on first.
NOTE: If an email triggers a rule with an exit action, such as a block action higher in the rule set, the email will not be encrypted, because the first rule, blocking the email, will take precedence.
NOTE: It is recommended that test groups be added to a rule initially for testing, to ensure the new encryption performs as expected. This will prevent potential problems on mail flow for the entire organization. Test groups are created only with valid corporate email addresses added to the rule instead non-‐valid email address.
To create an encryption rule:
1. Select Services > Email Services Configuration > Content Control, and click the [Ceate new rule]
button.
2. Give the rule a name and specify the rule to apply to Outbound mail.
3. In the Sender tab, select the user groups this rule applies to, if the rule will only be for a subset of your users. If you do not select any setting in this tab, the rule will apply to all users in your organization.
4 . In the Recipients tab, specify a user group condition. Please note the following:
• All encryption rules MUST specify a recipient user group condition.
• To encrypt emails sent by anyone in the organization, you will need to use the user group you created, and then select the option to All recipients EXCEPT those in selected groups.
The rule will then be applied to all of your users; so all emails will trigger the rule and therefore be encrypted.
o Select Use user groups in this rule from the User Groups section
o Select PBE Exclusion Do Not Delete All recipients EXCEPT those in selected groups o Select Add Group
o Select the group you created, and click Add Selected
• If a domain list is also specified as a recipient, in the Rule conditions section, you must select All the conditions below need to be satisfied….
NOTE: Any modifications to the rules will require replication throughout the platform before the rule is active.
5. In the Email Content tab, select the criteria that you desire to filter on. In this tab, you can also select if you want to Scan email body, Scan email subject line, Scan Microsoft Office & PDF documents, Scan email header.
• Email content section – you can select content from the drop-‐down list, or choose – Custom List – to add customized keywords. You will need to click the information in the Selected content section to filter on this content. (<CTRL> and click to select multiple items)
• Email templates section – you can select content to encrypt from Credit Card Numbers, Social Security Numbers, or Specific Credit Cards. You will need to click the information in the Selected templates section to filter on this content. (<CTRL> and click to select multiple items)
6. In the Attachment tab, you can select to ignore attachments based on size, or whether you want to encrypt all messages with a certain attachment type.
7. In the Time Intervals tab, specify a specific time period for the rule to run.
8. In the Actions & notifications tab, select the action Redirect to administrator from the drop-‐
down list, and check the Use Custom Email address box
In the Administrator’s email address box, enter the PBE-‐specific email address that was sent to your company administrator after the purchase of the PBE service.
9. Review the settings in the Summary tab, and click Save and exit.
TIPS & SUGGESTIONS
Below are some tips and suggestions for setting up and configuring the Policy Based Encryption Gateway:
• It is highly recommended to use a test group before activating the rules. This allows you to limit any issues caused by mail flow the rule to only affect a subset of the organization. Once the rule has been tested and proper functionality has been verified, the rule can be enabled for the entire organization.
• When setting up filter keywords, it is recommended to review the keywords internally, to ensure they meet the encryption needs of the organization.
• Each customer’s encryption requirements are different, so there are no default rules configured initially upon purchase of the service.
• When forwarding a message to the administrator email, it is vital the forwarding email address is correct in the administrator’s email address field. If this address is not correct, mail will not flow correctly, and will not reach the encryption gateway or the proper recipient.
• As messages flow through the system, they are filtered according to the order that the rules appear on the screen, from top to bottom. When a message meets the criteria of a rule, the actions of that rule are enforced, and the message will not reach the rules that follow.
• Policy Based Encryption rules should only be configured for outbound mail.
• Encrypted messages can be sent to any email user. If the recipient is not a subscriber, he or she will be directed to a secure web portal to access the encrypted message after creating a log-‐in.
If the recipient is a subscriber, the message will be delivered to the recipient’s mailbox.
• Policy Based Encryption can be used in conjunction with the Secure Mail encryption client.
• Policy Based Encryption encrypts messages sent via the Outlook client, the OWA web client, or any mobile device.
• If a rule is not working, the organization may want to deactivate the rule instead of deleting the rule. The rule will no longer filter messages, but it remains available so that the organization can refer back to the rule or activate it in the future, should the need arise.
