Kathleen Sebelius, Governor
Joan Wagnon, Secretary
www.ksrevenue.org
IRS/FTA CSO Conference
Enterprise Implementation of Secure Messaging Services
April 3, 2008
Timothy R. Blevins, KDOR Chief Information Officer
Secure Messaging Overview
• What is Secure Messaging
• What does Secure Messaging do
• What does Secure Messaging Architecture look like
• User Documentation
  – External User Documentation
  – Internal User Documentation
• Mail Policies
• Usage Reports
• Lessons Learned
• Questions
Comprehensive Messaging Security Portfolio
Helping enterprises manage, protect, and extend Internet communications
• MailGate™: Protect email with comprehensive inbound and outbound security
• SecureTransport™: Secure all data exchanges between 3rd parties with secure managed file transfer
• SecureMessenger™: Encrypt email at the gateway or desktop, automatically or manually
Award labels on the slide: Best Intellectual Property Protection; Best Email Content Filtering Solution; Best Email Encryption Solution
What Does Secure Messenger Do?
• Scan all messages and attachments
  – To identify sensitive content
• Trigger secure delivery based on corporate email policy
  – Based on sender, recipient, and/or message content
• Encrypt email and provide access through a secure Web portal
• Send notification with link to encrypted message
• Log in to secure Web server and download via SSL
• Track and notify of delivery
• Audit trail and reporting
  – For regulatory compliance
[Diagram labels: Email Servers, Internet, Email notification, SSL]
Tumbleweed Secure Messenger
• Universal delivery to any recipient
  – No client side software or certificates required
  – Encrypts email and provides access through a secure web portal
  – Online and offline secure email
  – Support pull and push methods with SecureEnvelope
• Easy to support and manage
  – Self registration, zero registration, and automated user management
  – Very large email attachment support
• Highly secure and reliable
  – Tracking by recipient, by message, and by attachment
  – Rules for message expiration, password requirements, domain limits, message size, and message quotas
• Customizable
  – Custom branding of inbox and portal
  – Multiple delivery profiles by group
Tumbleweed Secure Messenger

Content Analysis
• SSN, CCN
• Customer data
• Compliance info
• Personnel data
• Intellectual property
• Trade secrets
• Attachments

Delivery Analysis
• Sender
• Recipient
• Role
• Partner
• Customer
• Forwarding
• Time

Policy Actions
• Block, Allow
• Quarantine
• Return
• Notify mgrs
• Strip attachments
• Annotate
• Change routing

Secure Delivery
• B2B encryption
• B2C encryption
• Web-based delivery
• Offline access
• Tracking
• Auditing

Centralized & Delegated Management
Reporting, Auditing, Message Tracking
High Performance Appliance
Secure Messenger Architecture and Data Flow Diagram (03/17/2008)
Components shown: Internal Email, SMTP Relay, Secure Messenger, EMF Server, User, External User’s Personal Mailbox
Step labels on the diagram:
(1) OB SMTP Email bound for SM (#secure#)
(2) Email Sent To Secure Messenger; #secure# is removed; Encrypts Secure Email
(3) Notification Generated; OB Notification to Secure Messenger User
(4) Notification relayed to User
(5) OB Notification to Secure Messenger User
(6) User clicks on link in notification; User Registration at First Login; External User Authenticates to Sec Mess portal: SSL
(7) Compose and Send Secure Email
(8) Secure Email sent to EMF; Secure Email sent to Dept.
(9) Email from Secure Messenger
1 – External User – Notification of Secure Mail
What can the user expect to see when a secure email is sent to them through Secure Messenger?
• The user will receive a notification that a secure message is waiting for you.
• A link is embedded in the notification for the user to click on and retrieve the secure email.
2 – External User – Security Certificate
• If the user receives a Security Alert concerning the site’s security certificate, click on Yes to proceed.
• KDOR does have a valid SSL Certificate on the server.
3 – External User – Self-Registration
• The first time a secure email is read, the user will be required to perform a one-time self registration.
  o During self registration the user will be required to enter:
    o First name and last name in the first name and last name fields respectively
    o Self-assigned password, that can be remembered, in the new password field
    o Retype that password.
    o Type in a password hint. This is important: in case the external user forgets their password, they can have their password hint emailed to them.
  o Once the account is completely registered, the user will be brought into the secure email message.
4 – External User – Viewing the Email
• The user will have the option of composing a new email or replying to an existing email.
• When a secure email is sent to a Secure Messenger user by a KDOR employee, they will receive a notification, but will not need to re-register.
• When the link from within the notification is clicked, the user will be asked to enter the password they assigned themselves during the registration process.
5 – External User – NOTES
• Once the user is logged into Secure Messenger, they will only be able to reply, forward, or send a new email to a KDOR employee.
• The user CANNOT reply, forward, or compose a new email to a non-KDOR email address (without kdor.state.ks.us).
• If the user deletes a message from within their Secure Messenger mailbox, it will no longer be available to them.
• SECURE MESSENGER WILL NOT WARN THE USER THAT THEY ARE ABOUT TO DELETE AN EMAIL.
Internal Users – Composing a Secure Email Using Secure Messenger to an External Customer
• Compose a new email in Lotus Notes
• In the subject, enter the string #secure#
• When the email is sent through Secure Messenger…
  • the #secure# string is stripped from the subject
  • #secure# is replaced in the subject with “This is A Secure Message from KDOR”
  • Note: Internal user may type other text (i.e. the subject matter of the email) before or after #secure# in the subject line
• Secure Messenger is only to be used to send emails that have PII (Personally Identifiable Information). Do not use Secure Messenger for normal, non-secure email.
• #secure# will only work when sending secure, outbound mail. Internal users do not need to add #secure# to any internal email as all internal email is already secure.
Tumbleweed Mail Policies
The following slides describe the mail rules in place by KDOR and what action each rule takes.
KDOR has 3 active policies that are used to log event information about outbound emails sent with PII (Personally Identifiable Information):
• KDOR: SM-SSN Subject Block
• KDOR: SM-Drivers License
• KDOR: SM-FEIN
KDOR Policy Events

KDOR: SM-SSN Subject Block
• Catch messages where… The entire message contains words in the list: ‘SM: SSN Subject Block’
• Take the following actions… Deliver normally and log the event ‘SM: SSN Subject Alerts’

KDOR: SM-License
• Catch messages where… The message text contains words in the list: ‘SM: License’
• Take the following actions… Deliver normally and log the event ‘SM: Drivers License’

KDOR: SM-FEIN
• Catch messages where… The entire message contains words in the list: ‘SM: Taxation Group’
• Take the following actions… Deliver normally and log the event ‘SM: FEIN Messages’

KDOR: Encrypt Subject Trigger
• Encrypt and deliver the message via Secure Messenger using the ‘SecureMail’ delivery profile, prepend ‘This is a Secure Message from KDOR’ to the subject text and remove #secure# from the subject text
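The policy set above can be modelled in a few lines to see how the log-only rules and the #secure# trigger interact. This is an added example, not Tumbleweed configuration or KDOR code: the event IDs and names come from the slides, while the regular expressions, the function names and the sample messages are assumptions constructed for illustration.

```python
import re

TRIGGER = "#secure#"
BANNER = "This is a Secure Message from KDOR"

# Event IDs and names are from the slides; the regexes are assumed stand-ins
# for the word lists, whose contents the slides do not show.
DETECTORS = {
    504: ("SM: SSN Subject Alerts", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    505: ("SM: FEIN Messages", re.compile(r"\b\d{2}-\d{7}\b")),
    507: ("SM: Drivers License", re.compile(r"\bK\d{2}-\d{2}-\d{4}\b")),
}

def evaluate(subject, body, enforce=False):
    """Return (action, delivered_subject, events) for one outbound message."""
    text = subject + "\n" + body  # simplification: scan subject and body for every list
    events = [(eid, name) for eid, (name, rx) in sorted(DETECTORS.items())
              if rx.search(text)]
    if TRIGGER in subject:
        # Encrypt Subject Trigger: remove #secure#, prepend the banner.
        rest = " ".join(subject.replace(TRIGGER, " ").split())
        return "encrypt", f"{BANNER} {rest}".strip(), events
    if events and enforce:
        # Quarantine for manual review rather than routing automatically.
        return "quarantine", subject, events
    return "deliver", subject, events  # monitoring phase: deliver normally, log

# Constructed sample traffic: (subject, body, reviewer_found_pii)
SAMPLES = [
    ("Refund status #secure#", "SSN 123-45-6789 on file.", True),
    ("Account update", "Taxpayer FEIN 48-1234567.", True),
    ("Shipping", "Part number 555-12-3456 ships Monday.", False),
    ("Meeting", "Lunch at noon?", False),
]

def monitor(samples):
    """Log-only pass: return (messages flagged, flagged but not PII)."""
    flagged = [pii for subj, body, pii in samples if evaluate(subj, body)[2]]
    return len(flagged), flagged.count(False)

if __name__ == "__main__":
    for subj, body, _ in SAMPLES:
        print(evaluate(subj, body))
    print("flagged, false positives:", monitor(SAMPLES))
```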
Policy Word Lists
KDOR Has Created 3 Word Lists That Are Used With Its Tumbleweed Mail Policies. These Word Lists Look For Social Security Numbers, Federal Employer Identification Number, and Drivers License Numbers.
The Names of the Word Lists Are:
• SM: License Words
• SM: Taxation Group
• SM: Test Words
Tumbleweed Usage Reports
KDOR uses Tumbleweed reporting to monitor which emails are routed through Tumbleweed with PII (Personally Identifiable Information).
The following reports show message details of policy events which were set up in Tumbleweed to monitor PII traffic:
• SM Event Usage (SSN-w/event detail)
• SM Event Usage (FEIN-w/event detail)
• SM Event Usage (DL#-w/event detail)
These reports are custom reports created specifically for KDOR using Crystal Reports.
Reports
All of the reports but the Message Volume and Size Report were created using Crystal Reports.
• SM Event Usage (7 days) – Displays a summary of how many messages have Secure Messenger policy events
• SM Event Usage (w/event detail) – Displays the message details of the SM Event Usage report summary
• SM Event Usage (SSN-w/event detail) – Displays the message details of ID 504 – Emails with Social Security Numbers
• SM Event Usage (FEIN-w/event detail) – Displays the message details of event ID 505 – Emails with Federal Employment Identification Numbers
• SM Event Usage (DL#-w/event detail) – Displays the message details of event ID 507 – Emails with Drivers License Numbers
• SM Event Usage (Securely Sent Mail) – Displays the message details of emails sent through Secure Messenger
• Secure Messenger Users and Directory Location – Displays the list of users with Secure Messenger accounts and the directory path the accounts are in
• Message Volume and Size Report – Displays the total count of messages that route through EMF
SM Event Usage (7 days) (Created using Crystal Reports)
Event Report w/Details: Social Security Number (Created using Crystal Reports)
Event Report w/Details: FEIN-Federal Employer Identification Number (Created using Crystal Reports)
Event Report w/Details: Drivers License (Created using Crystal Reports)
Monitor Policy Event Reporting Metrics
• Your report results will tell you which emails contain the information that would route mail through Secure Messenger.
• Break out reports and events so you have separated inbound and outbound reports (outbound email with sensitive information is the first concern).
• Review report results to make sure the policy you will be enabling is detecting the proper information within emails.
• You can watch email traffic through these reports without quarantining or implementing the policies.
• Learn through the reporting for several reporting periods prior to attempting to block traffic automatically (False Positives).
Enabling an Existing Policy to Route Mail Through Secure Messenger
• Click on Policies from side menu to view the existing policies.
• Find the policy you want to open and click on the link.
Making Secure Messenger Documentation Easily Accessible to External Users
Implementation Strategy:
• Put a copy of the external user documentation on KDOR public web site.
• Modify the Secure Messenger notification page located on the Secure Messenger server.
• Add a web link to the secure mail notification page. The web link will direct the external user to where the Secure Messenger documentation is stored on KDOR’s public web site.
  – This secure mail notification is what external users will receive when a secure email is sent to them.
Recognizing the Global Effect of Changing a Policy To Route Mail Through Secure Messenger
When changing an existing policy from routing mail normally to routing through Secure Messenger, it is important to recognize possible negative results:
• When a policy is set to route mail through Secure Messenger, it is important to realize that any external recipient stated in a policy-caught email will receive a Secure Messenger notification.
• Be sure that false-positives are at a very minimal level before enabling a policy to automatically route mail through Secure Messenger.
• False-positives can lead to embarrassment to agency and customer frustration.
• Work with your Messaging Administrator to view emails appearing as a false-positive. This will allow you to confirm if this is true or not.
Recognizing the Global Effect of Changing a Policy To Route Mail Through Secure Messenger (cont)
False-Positives
Prevention of False-Positives (A false-positive in this context is an email that is flagged by a policy to have PII, but in actuality does not.)
• Enable a Tumbleweed Secure Messenger Policy to Quarantine flagged emails instead of routing normally and before sending through Secure Messenger.
• This will allow emails to be manually reviewed and recognized as a false-positive.
  – If an outbound, quarantined email is found to be a legitimate email that should’ve been routed through Secure Messenger, the Tumbleweed Administrator will contact the KDOR sender and ask them to resend the email with #secure# in the subject.
  – Any false-positives can be released to the intended recipient, returned to the sender or deleted.
Archive Internal Secure Messages to CERA
• KDOR Employees have the ability to retain secure messages in CERA (Central Email Record Archive) by selecting the Secure Email Messaging category within the CERA database.
Lessons Learned
• Monitor Policy Event Reporting Metrics Before Turning On Secure Messenger Routing
• Understanding the Global Effect of an Enabled Secure Messenger Policy
• External Secure Messenger Users need agency documentation.
• Archive Internal Secure Messages to CERA
• Start with small diverse messaging groups
• Separate internal reporting between outbound and inbound messaging traffic
ANY QUESTIONS?
Enterprise Implementation of Secure Messaging Services
April 3, 2008
Timothy R. Blevins, KDOR Chief Information Officer