Description: Data Security & Privacy Certification: Understanding Email Encryption (PowerPoint presentation)
Global Marketing
Data Security & Privacy Certification: Understanding Email Encryption
Global ServicesConfidential2
Introduction to encryption
• Organizations are buying email encryption TODAY
• They can buy from YOU or they can buy from your competitor
• Once you have an encryption customer, they are a customer for life, as changing providers is costly and complex
What is encryption
• Encryption transforms readable data (plaintext) into unreadable data (ciphertext) using an algorithm and a key
• Only those possessing the decryption key can unlock the data
• The use of encryption and decryption is as old as the art of communication. It has been used for centuries, and in time of war, to protect confidential information from the enemy
Encryption benefits
With a focus on policy-based encryption:
• Keeps confidential information from being read by anyone other than the intended recipient
• Helps organizations meet compliance regulations
• Automatically encrypts emails based on pre-defined policies
• Enables security audits and tracking
• Good business practice
Gartner recommends that all companies make efforts to broadly install encryption across all their workstations (Magic Quadrant, Sept 7, 2011)
Why?
• To comply with data protection regulations
• To follow best practices
• To take a more proactive approach to data protection and avoid:
  – high costs
  – heavy fines
  – brand damage
  – operational disruption caused by a data breach
Organizations want to buy from YOU!
Solutions involving encryption have seen the biggest increase in IT budget earmarks over the past year
If they don’t they are vulnerable to...
• Significant fines
• Loss of reputation
• Loss of customers
• Possible business data loss and failure
The cost of encryption
• The cost of a data breach is always higher than the cost to invest in preventive measures
• Organizations can pay for encryption upfront or run the risk of paying more later
Best practice
• As content can be easily intercepted, encryption is synonymous with best practice
• Most companies, even if not in regulated industries, recognize that encrypting business data is best practice
Did you know?
• Email is still the #1 communications tool
• Workers spend on average 152 minutes per day on email
• 1 in 5 outgoing emails contains content that poses a legal, financial, or regulatory risk
• 75% of all corporate email contains some intellectual property
• Worldwide email accounts are projected to increase from over 2.9 billion in 2010 to over 3.8 billion by 2014
• 26% of these will belong to corporate users
Encrypting everything?
• Encrypting everything is only a viable solution if time and money are not factors in the decision process:
  – High up-front capital investment in the encryption solution – most are not subscription model-based
  – Investment in newer equipment that can handle the burden of constant encryption
  – Increased training in both solution administration and management
  – Additional administration of password or key management
  – And more …
Data Leakage
Data leakage
• Since the invention of the floppy disk, data leakage has been on the minds, and often in the nightmares, of all IT security personnel
• You could make the direct correlation between data leakage and the creation of the IT Security industry as a whole
Defining data leakage
THE HUMAN EFFECT (inadvertent)
• Verbally revealing confidential information to outsiders
• Confidential information revealed on Twitter, Facebook, etc.
• An ex-employee discussing trade secrets with a new employer
• Confidential data inadvertently left in a public place
THE TECHNOLOGY EFFECT (malicious)
• Malicious hacking or use of viruses, bots, trojans, etc., to gain access to critical systems through corporate firewalls and other safeguards
• Sharing secure email communications via unsecure channels
• Downloading confidential information onto portable devices such as thumb drives, iPods, etc.
• Physically stealing laptops, hard drives, etc.
New data leakage culprit
• Mobile devices are not part of the internal company network
• Organizations are embracing BYOD (bring your own device)
• With a mobile workforce, organizations rely more on mobile devices than ever before
The cost of a data breach
• $140 per record
• $14 M cost on average (100,000 records)
• $5 M: notification, legal expenses, discounts, telecoms
• $7.5 M: opportunity cost: retention and acquisition of customers
The cost keeps growing
• $1.5 M: Productivity losses due to additional load on staff
• $79 per record lost (Gartner)
• $11.5 M in expenses directly related to exposure
• $15 M fine by Federal Trade Commission
• 75 out of 150 companies surveyed had a data loss in the last 12 months (Deloitte Survey)
Encryption Sales Tools
Talk to the decision maker
• Chief Information Security Officer (CISO)
• Chief Compliance Officer (CCO)
• Chief Information Officer (CIO)
• VP IT
• Director Security
• Director MIS
• Data processing
• Security architects
• Information architects
Tell them what they want to hear
• Easy-to-use email encryption for IT and end users, i.e. a forgot-password link and other features mean fewer calls to IT
• Minimum steps to send an encrypted email
• Industry best in registration and pick-up of emails
• Administration console
• Encryption expertise: working with someone that understands encryption
How to displace the competition
• Push and pull delivery, i.e. the recipient can choose how they would like to receive their messages
• Plain-text notifications are branded and trusted so recipients know it is not spam
• Easy to use for mobile devices
• Robust pick-up center
• Compliance-driven reporting engine
• Create bulk keys
• Customize sender and recipient groups
How to displace the competition
• Supports standards-based encryption
• Digital signatures on all notifications and messages
• Trusted CA and WebTrust audited: http://bit.ly/z6Odet
• Interoperates with 3rd-party PGP and S/MIME services
• Helps make PGP a cloud-based solution
Talk technology
• Cloud-based credential management
• Data is digitally signed
• Data remains encrypted while stored in the cloud
• Standards-based PKI, X.509 certificates
• Rapid deployment of multiple encryption applications on one platform
• Encryption complexities are hidden from the end user
• Provide credential and identity-management services
• Enable secure communications across a wide range of applications, media, and mobile devices
Technically Speaking
Types of email encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions) – Included by default in email clients such as Outlook; relies on a Certificate Authority (CA) to issue each user a secure email certificate. It protects the message itself (signature and/or encryption), end to end from sender to recipient, wherever the message is stored along the way.
TLS (Transport Layer Security) / SSL (Secure Sockets Layer) – Encrypts the connection between two mail servers, not the message. Protection is hop by hop: each server decrypts the message, holds it in cleartext and may forward it over the next hop without TLS, so TLS on its own does not give end-to-end confidentiality. SSL is the deprecated predecessor of TLS.
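As an added example (not part of the deck and not Symantec or Echoworx code), the following Python audits the Received: headers of one message to show what TLS between servers does and does not cover: every receiving server records the transport it accepted the message over, and a single cleartext hop is enough to expose the message. The header block is constructed for the example, using RFC 5737 documentation addresses; the ESMTPS/ESMTPSA keywords are the RFC 3848 "with" types that indicate a TLS-protected hop.

```python
import re

# Constructed sample header block (not a real message). Each receiving server
# prepends its own Received: header, so the topmost one is the final hop.
RAW_HEADERS = """\
Received: from mx2.example.org (mx2.example.org [203.0.113.7])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby inbox.example.com (Postfix) with ESMTPS id 4Fk2x1
\tfor <bob@example.com>; Mon, 12 Mar 2012 09:15:02 +0000
Received: from relay.partner.net (relay.partner.net [198.51.100.22])
\tby mx2.example.org (Postfix) with ESMTP id 8Hj9z2
\tfor <bob@example.com>; Mon, 12 Mar 2012 09:14:58 +0000
Received: from laptop.partner.net (unknown [192.0.2.44])
\tby relay.partner.net (Postfix) with ESMTPSA id 2Qw7c3;
\tMon, 12 Mar 2012 09:14:50 +0000
From: alice@partner.net
To: bob@example.com
Subject: Q1 figures
"""

# RFC 3848 "with" keywords that mean the hop was accepted over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

HOP = re.compile(
    r"^Received:\s+from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Z]+)"
)


def unfold(raw):
    """Join RFC 5322 folded header lines so each header is one string."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def audit_received(raw):
    """Return one dict per hop, in delivery order, with a tls flag."""
    hops = []
    for header in unfold(raw):
        m = HOP.match(header)
        if m:
            hops.append({
                "from": m["src"],
                "by": m["dst"],
                "protocol": m["proto"],
                "tls": m["proto"] in TLS_PROTOCOLS,
            })
    hops.reverse()  # headers are newest-first; report oldest hop first
    return hops


def all_hops_tls(hops):
    """True only if every hop used TLS; one cleartext hop breaks the chain."""
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    hops = audit_received(RAW_HEADERS)
    for h in hops:
        print(f"{h['from']:>20} -> {h['by']:<18} {h['protocol']:<8} tls={h['tls']}")
    print("TLS on every hop:", all_hops_tls(hops))
```

Two caveats when using this on real mail: a Received: header is written by the receiving server, so only the headers added by servers you operate are trustworthy (anything above the first hop into your infrastructure could have been forged by the sender), and a TLS hop says nothing about who can read the message once it sits in cleartext on that server. Both gaps are exactly what S/MIME, which protects the message rather than the connection, closes.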
Understanding S/MIME
S/MIME provides two security services:
1. Digital signatures
2. Message encryption
Understanding digital signatures
• Digital signatures are the digital counterpart to the traditional, legal signature on a paper document
• As with a legal signature, digital signatures provide the following security capabilities:
  1. Authentication
  2. Nonrepudiation
  3. Data integrity
• These security capabilities are the core functions of digital signatures. Together, they assure recipients that the message came from the sender and that the message received is the message that was sent
Understanding digital signatures
• Authentication: A signature serves to validate an identity. It verifies the answer to “who are you?”. Because plain SMTP does not authenticate the sender, there is no way to know who actually sent an ordinary e-mail message. The authentication a digital signature provides lets a recipient know that a message was sent by the person or organization who claims to have sent it, as long as that party's private key has stayed private.
• Nonrepudiation: Only the holder of the private key can produce a valid signature, so the owner of the key cannot later disown it. This capability is called nonrepudiation. The authentication that a signature provides is thus the means to enforce nonrepudiation. The concept is most familiar in the context of paper contracts: a signed contract is a legally binding document, and an authenticated signature cannot credibly be disowned.
• Data integrity: An additional security service that digital signatures provide is data integrity. The recipient is assured that the e-mail message has not been altered in transit: any change to the signed content, however small, makes the signature check fail.
Understanding digital certificates
• A digital certificate is an electronic “document” that binds your identity to your public key; it establishes your credentials and enables you to create a digital signature that others can verify
• Follows the X.509 standard
• Think of a digital certificate as you would of a passport
Message encryption
• Digital signatures provide authentication and data integrity
• They do not provide confidentiality
• Messages with only a digital signature are sent in cleartext, like ordinary SMTP messages, and can be read by anyone who intercepts them
• To protect the contents of e-mail messages, you must use a message encryption solution such as Symantec Policy-Based Encryption provided by Echoworx
Types of encryption
Symmetric encryption
• The oldest and best-known encryption technique
• A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way
• It can be as simple as shifting each letter by a number of places in the alphabet
• As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key
• The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands
• Anyone who knows the secret key can decrypt the message
Asymmetric encryption
• Uses two keys rather than one, known as a “key pair”
• The public key (key #1) is made freely available to anyone who might want to send a message
• The private key (key #2) is kept secret
• Messages encrypted using a public key can only be decrypted by using the matching private key, so publishing the public key carries no risk
• Asymmetric encryption is far slower than symmetric encryption and uses more processing power, so in practice (S/MIME, PGP) it protects only a random per-message symmetric key, and that symmetric key encrypts the actual content
• PKI (Public Key Infrastructure) uses asymmetric encryption
Pulling it all together
Understanding CAs (certificate authorities)
• A CA is a trusted third-party organization or company that is allowed to issue and manage digital certificates
• The role of the CA is to guarantee that the person granted the digital certificate is who they say they are
• CAs are a critical component in data security because they vouch that the parties exchanging information are really who they claim to be
• Echoworx is a trusted CA and, in order to maintain that designation, is WebTrust audited by Deloitte annually
• There are two types of CA:
  1. Private CA – held by a private entity (company, administration, the military)
  2. Public CA – Echoworx, Verisign, Swisskey, Global-sign
Understanding PKI (Public Key Infrastructure)
• PKI is a set of standards, procedures, software, and people for implementing authentication using public key cryptography
• PKI is the infrastructure that manages digital certificates. It is used to request, install, configure, manage and revoke digital certificates
• PKI offers authentication via digital certificates, and these digital certificates are signed and provided by a Certificate Authority
• PKI uses public key cryptography and works with X.509 standard certificates
• PKI enables authentication, nonrepudiation, and data integrity
• PKI is an infrastructure in which many things happen and is not a process or algorithm itself, so PKI consists of a number of components that together enable the infrastructure to work
PKI includes
1. A Certificate Authority (CA), which issues digital certificates
2. A directory that stores digital certificates
3. A Registration Authority (RA), which handles enrollment for digital certificates
4. Centralized management functionality
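The Python below ties the digital signature, symmetric/asymmetric, certificate and CA slides together in one runnable walk-through. It is an added example, not Echoworx or Symantec code, and to stay deterministic and offline it uses unpadded textbook RSA over fixed Mersenne primes, a SHA-256 keystream in place of a real symmetric cipher, and a dict in place of an X.509 certificate; none of it is fit for real mail. It also goes one step beyond the slides in showing the hybrid pattern S/MIME and PGP actually use: the slow asymmetric operation protects only a per-message symmetric key, and the recipient's trust rests on the CA's signature over the sender's certificate, not on the sender.

```python
import hashlib
import secrets

E = 65537  # the usual public exponent


def make_keypair(p, q):
    """Textbook RSA from two primes: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Fixed Mersenne primes keep the example deterministic; real keys use random
# primes of 1024 bits or more each. 65537 is coprime to both phi values.
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**89 - 1)        # n is ~216 bits
ALICE_PUB, ALICE_PRIV = make_keypair(2**107 - 1, 2**61 - 1)  # n is ~168 bits


def digest(data):
    """SHA-256 truncated to 160 bits so the value fits below either modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def rsa_encrypt(m, pub):
    n, e = pub
    assert 0 <= m < n, "textbook RSA: the integer must be smaller than n"
    return pow(m, e, n)


def rsa_decrypt(c, priv):
    n, d = priv
    return pow(c, d, n)


def rsa_sign(message, priv):
    """The private key signs the digest; only its holder can produce this value."""
    n, d = priv
    return pow(digest(message), d, n)


def rsa_verify(message, sig, pub):
    """Anyone with the public key can check origin and integrity at once."""
    n, e = pub
    return pow(sig, e, n) == digest(message)


def stream_xor(key, data):
    """Toy symmetric cipher: SHA-256 keystream XOR (unauthenticated; stands in for AES)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + (off // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def hybrid_encrypt(message, recipient_pub):
    """Bulk content under a fresh symmetric key; that key under the recipient's public key."""
    session_key = secrets.token_bytes(16)
    wrapped = rsa_encrypt(int.from_bytes(session_key, "big"), recipient_pub)
    return wrapped, stream_xor(session_key, message)


def hybrid_decrypt(wrapped, body, recipient_priv):
    session_key = rsa_decrypt(wrapped, recipient_priv).to_bytes(16, "big")
    return stream_xor(session_key, body)


def cert_bytes(cert):
    """The signed part of a toy certificate: the binding of a name to a public key."""
    return f"{cert['subject']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()


def ca_issue(subject, subject_pub, ca_priv=CA_PRIV):
    cert = {"subject": subject, "pub": subject_pub}
    cert["ca_sig"] = rsa_sign(cert_bytes(cert), ca_priv)
    return cert


def verify_signed_mail(message, sig, cert, trusted_ca_pub=CA_PUB):
    """The recipient trusts the CA, not the sender: check the certificate, then the mail."""
    cert_ok = rsa_verify(cert_bytes(cert), cert["ca_sig"], trusted_ca_pub)
    return cert_ok and rsa_verify(message, sig, cert["pub"])


if __name__ == "__main__":
    alice_cert = ca_issue("alice@example.org", ALICE_PUB)
    msg = b"Patient 4711 results attached"  # constructed sample content
    sig = rsa_sign(msg, ALICE_PRIV)
    print("signed mail verifies:  ", verify_signed_mail(msg, sig, alice_cert))
    print("tampered mail verifies:", verify_signed_mail(msg + b"!", sig, alice_cert))
    print("signed-only body is still readable:", msg)
    wrapped, body = hybrid_encrypt(msg, ALICE_PUB)
    print("encrypted body:", body.hex())
    print("decrypted:     ", hybrid_decrypt(wrapped, body, ALICE_PRIV))
```

The two checks in verify_signed_mail are the whole point of a CA: a valid signature from an unknown key proves nothing, and a certificate whose subject or key has been altered fails the CA signature before the message signature is even looked at. Note also that the signed-only message prints in cleartext, which is the "signatures do not provide confidentiality" slide in one line.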
Policy-Based Encryption
Policy-based encryption
Automatically encrypts email at the gateway based on pre-defined policies and procedures
Symantec policy-based encryption
• Automatic email encryption based on pre-defined policies and procedures
• No encryption action required from users or administrators
• Fully hosted, easy-to-use service
• Eliminates the need for on-premise installation
• Flexible message delivery options for users and non-users of policy-based encryption
• Easy for recipients to receive and reply securely to messages
• Supports mobile devices including iPhone, BlackBerry and Android
• Works with third-party S/MIME and PGP credentials
• Supports multi-tenancy, branding and multiple levels of administration
Deployment
A typical installation includes the Echoworx policy engine residing on premises, with messages travelling over a TLS connection to the encryption engine at an Echoworx secure facility
How it Works
Where it fits
Symantec.cloud Content Control can trigger the encryption of an email
Customer Scenario
Challenge
• A national healthcare organization is actively seeking a way to secure emails and comply with HIPAA
• They want to ensure that messages never leave their environment if they contain certain key words or phrases
• They realize that human error plays a part in everything, and the organization needs a solution that will AUTOMATICALLY encrypt emails based on pre-defined policies
• Their requirements include: easy to use, automated, and flexible policy management
Solution
• You recommend policy-based encryption
• Key factors you picked up on were:
  – Messages never leave their environment if they contain certain key words or phrases
  – Needs a solution that will AUTOMATICALLY encrypt emails based on certain rules or policies
  – Requirements: easy to use, automated, and flexible policy management
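Worked illustration of the gateway policy the scenario calls for, as an added Python example; it is not Echoworx or Symantec code, and the rule set, the internal domain and the sample messages are all constructed for the example. Each outbound message is matched against an ordered policy; a "block" rule (the message never leaves the environment) wins over "encrypt", which wins over "allow", and the decision is written out with the names of the rules that fired so the compliance report can show why a message was gated. Nothing depends on the sender remembering to do anything.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    action: str  # "block" (never leaves), "encrypt" or "allow"


# The most restrictive action wins when several rules match.
SEVERITY = {"allow": 0, "encrypt": 1, "block": 2}

# Constructed policy for the healthcare scenario (assumed rules, not a product default).
POLICY = [
    Rule("phi-phrase", re.compile(r"\b(medical record|patient record|diagnosis)\b", re.I), "block"),
    Rule("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "encrypt"),
    Rule("mrn", re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.I), "encrypt"),
    Rule("confidential-tag", re.compile(r"\[confidential\]", re.I), "encrypt"),
]

INTERNAL_DOMAIN = "hospital.example"  # assumed; mail that stays inside is not gated


def is_internal(recipients, domain=INTERNAL_DOMAIN):
    """True when every recipient is inside the organization's own domain."""
    return all(r.strip().lower().endswith("@" + domain) for r in recipients)


def evaluate(message, policy=POLICY):
    """Return (action, [matched rule names]) for one outbound message."""
    if is_internal(message["to"]):
        return "allow", []
    text = message["subject"] + "\n" + message["body"]
    hits = [rule for rule in policy if rule.pattern.search(text)]
    action = max((rule.action for rule in hits), key=SEVERITY.__getitem__, default="allow")
    return action, [rule.name for rule in hits]


def audit_line(message, action, hits):
    """One line per decision so compliance reporting can show why mail was gated."""
    return (f"{message['id']} to={','.join(message['to'])} "
            f"action={action} rules={','.join(hits) or '-'}")


# Constructed sample traffic.
SAMPLE = [
    {"id": "m1", "to": ["dr.lee@hospital.example"], "subject": "diagnosis for bed 12",
     "body": "Diagnosis attached, MRN 00123456."},
    {"id": "m2", "to": ["billing@insurer.example"], "subject": "Claim 889",
     "body": "Member SSN 123-45-6789, invoice attached."},
    {"id": "m3", "to": ["lab@partner.example"], "subject": "[Confidential] patient record",
     "body": "Full patient record and diagnosis in the attachment."},
    {"id": "m4", "to": ["vendor@supplies.example"], "subject": "Order 17",
     "body": "Please ship 20 boxes."},
]

if __name__ == "__main__":
    for msg in SAMPLE:
        action, hits = evaluate(msg)
        print(audit_line(msg, action, hits))
```

The ordering matters more than the patterns: the same message can hit an "encrypt" rule and a "block" rule, and a gateway that took the first match would leak PHI under encryption to a recipient who should never have received it. Real policies also inspect attachments and use identifiers and dictionaries rather than a handful of regular expressions, but the decision model is the one shown.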
Resources
• For educational papers, product sheets, videos and more: http://www.echoworx.com/resources/
• For more on Symantec Policy-based encryption.cloud: http://www.symanteccloud.com/services/data_protection_management/email_policy_encryption.aspx
Thank you for participating. Certification is just a test away!