Contents · action against a data controller and fine individuals / organisations up to £500,000 for each data security infringement. The impending General Data Protection Regulation

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Contents · action against a data controller and fine individuals / organisations up to £500,000 for each data security infringement. The impending General Data Protection Regulation
Page 2: Contents · action against a data controller and fine individuals / organisations up to £500,000 for each data security infringement. The impending General Data Protection Regulation
Page 3: Contents · action against a data controller and fine individuals / organisations up to £500,000 for each data security infringement. The impending General Data Protection Regulation

Contents

An analogy ........ 4
Electronic communication ........ 5
Risks ........ 5
Legislation ........ 5
‘Add-In’ vs ‘Browser Experience’ ........ 8
Secure Community ........ 9
Password management ........ 9
Recipient ID Challenge Guidelines ........ 10
Varying levels of protection ........ 10
Auditing Secure Transmissions - Archiving & Journaling ........ 11
Archiving ........ 11
Journaling ........ 11
Auditing Secure Email ........ 11
Systems Integration ........ 12

Page 4

The level of security we apply to our property can vary hugely. An example of this is the security associated with the front door to our own homes.

The application of security ‘at the front door’ in the form of a lock and key reduces the risk or likelihood of theft at the expense of an increased burden placed upon the user, namely having to carry multiple keys to gain access!

Household insurance providers will often place a burden upon us to conform to certain minimum security standards and may reward us with lower premiums or ‘excesses’ where we apply these recommended levels of security, e.g. a 5-lever mortice lock, key-operated window locks, the provision of a ‘safe box’ to store our high-value items, etc.

In principle, we apply greater levels of security to higher-value items.

Page 5

In electronic terms, and with email in particular, these key principles remain relevant.

Sending sensitive information within a normal email has been compared with writing such information on a postcard and sending it through the postal service for all to see.

Wrapping a secure process around an otherwise insecure ‘medium’, namely email / messaging, implicitly relies upon an increased degree of user interaction.

We seek to secure the user’s email, maximising security whilst minimising user impact and affording the system user (the sender) the ability to define the level of security and the manner in which it is exercised.

The risks associated with an unwanted third-party interception of sensitive data can be extraordinarily high and lead to significant financial penalties and immeasurable reputational damage.

Under the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) can take action against a data controller and fine individuals / organisations up to £500,000 for each data security infringement.

The impending General Data Protection Regulation (GDPR) allows action to be taken against both the data controller and the data processor if it believes they have both played a role in breaching the legislation.

In addition, the ceiling on potential fines is raised to 20 million euro or 4% of group global turnover.

Page 6

Consider telephony banking . . .

In contacting our banks by telephone, we are presented with a number of ‘pre-agreed’ CHALLENGES.

Each ANSWER we give to the operator is keyed into the bank’s system and, assuming we meet the series of challenges with the corresponding correct answers, the operator is able to identify us on behalf of the bank to a degree of certainty that satisfies them.

This enables their call centre operator to subsequently take our verbal instructions and transact on our behalf.

This process deliberately seeks to put some distance between the operator and the caller’s ANSWERS, such that the likelihood of an operator recording and subsequently using the ANSWERS in a fraudulent manner is minimised.

As such the challenges / answers / methodology used by an organisation to identify their customers must remain sacrosanct.

Some organisations insist upon using a digital keypad and unique codes that must be entered when we want to view our bank accounts online whilst others will accept a simple username and password.

allows the sender to define this process and determine the level of security. We call this . . .

‘digital recorded delivery®’

Page 7

The platform … allows the sender to consider their requirements and ‘fine tune’ security levels according to their audience, simultaneously presenting a simple user experience.

Page 8

Example:

Sending an encrypted email with a simple challenge such as the recipient’s mobile phone number provides a significantly higher degree of security than the same communication sent ‘in the clear’, given the underlying encryption and platform operating model.

Using a mobile number presents a lighter touch approach than the use of a ‘bespoke’ challenge such as that described above in the telephony banking example.

Naturally the latter provides a higher degree of security but imposes a greater degree of user interaction.

Microsoft enables Outlook users to install third-party integrations in the form of an ‘add-in’, which helps streamline specialist functions.

The ‘plug-in’ affords a highly integrated and secure user experience, whilst recipients can read email via a ‘web browser’ for convenience. [i]

Page 9

enables users to create their own secure, trusted communication community by assisting the email sender to verify the identity of their intended recipient. Having completed this initial process, and in order to simplify usage, the sender need not challenge their recipient’s identity, unless they opt to do so, in order to accommodate the conversational nature of messaging.

Naturally the end user needs to identify themselves to the core platform, thereby avoiding the so-called ‘Identity Substitution Fraud’.

Mindful of the above, the initial ID verification process can be defined by the sender and can adopt any existing ‘risk policy’ as per that defined in the telephony banking example already described.

The infrastructure neither holds nor can open the sender’s data, including recipient ID verification parameters, thereby allowing system users to adopt a uniform identification password approach.

Page 10

The system seeks to allow its users to adopt an approach consistent with the Seven Laws of Identity, affording the user an infrastructure which can be tailored to meet specific needs and operating models.

The following principles might assist in determining appropriate security levels for secure communications:

Level 1:

Documents considered to contain highly confidential information

These may warrant the prior exchange of a personal password which might take place during an initial face to face consultation, a private telephone conversation or an SMS (text message) where the sender and recipient agree a ‘private’ word or phrase.

Level 2:

Documents considered to contain confidential information

These may be protected by way of a client or case reference number that is held within the sender’s back office system and communicated to the client, as part of the client on-boarding process, an approach potentially adopted where there are multiple recipients.

Level 3:

Documents considered by the sender to contain less confidential information

These might be protected using a simple challenge such as the recipient’s mobile number; clearly in this case, no prior exchange is needed.

When choosing an appropriate challenge, the user / Automated Delivery System should consider how best to confirm uniquely that the intended recipient’s identity can be authenticated, without using a ‘test’ that might be met by anyone other than the intended recipient.

As an example, simply using a user’s mobile phone number or policy number that could potentially be known to a would-be thief may be considered a poor choice.

Page 11

Archiving is designed to manage the size of the individual’s email mailboxes by moving messages that have been present beyond a pre-determined period from the working environment into historical records, commonly referred to as archives.

These records and their content still form part of the client communication audit trail and therefore may need to be searchable and recoverable.

Journaling is the act of recording every message that passes through a mail server thus providing a complete communication audit trail that can be referenced and searched.

messages are encrypted ‘client-side’ and one would therefore expect traditional archiving and journaling mechanisms to capture the ‘secure envelope’ rather than the open content and attachments.

To accommodate compliance activities, such as archiving, journaling and data leakage prevention (DLP) systems, the Outlook add-in may be extended to export messages and attachments accordingly.

For example in Microsoft Office 365, the server journal file is implemented as a simple mailbox which may be written to programmatically.

The Outlook add-in may be extended to write sent and received emails directly to the journal file or indeed the administrator / user may elect for secure outbound messages to reside in their ‘Sent Items’ in an open format following the ‘Send Secure’ process.

In the same way, once a secure message has been opened following ID authentication, as governed by the sender, the user / administrator may also elect for that message to ‘live’ in the ‘Inbox’ in a decrypted form to facilitate ongoing ease of use / access / offline operations.
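The following is an added example, not code from this document or from Beyond Encryption, that ties together the three mechanisms described above: the Level 1 to Level 3 recipient ID challenges (page 10), the telephony-banking principle that the system relaying the message should never hold the answers (pages 6 and 9), and the page 11 observation that a server-side journal captures only the ‘secure envelope’ unless an opened copy is exported. The challenge prompts, answer normalisation, envelope layout and the `journal_entry` / `export_open_copy` functions are this example’s own assumptions; the message key is derived client-side from the challenge answer with PBKDF2, and the sample messages and the 07700 900123 mobile number are constructed test data.

```python
"""Added example: a challenge-locked secure envelope (assumed design, not the
product's own). The sender derives the message key from the recipient's
challenge answer on the client, so the relaying platform, and any journal,
store only the sealed envelope and never the answer itself.
The HMAC-SHA256 keystream is used only so this runs with the standard library;
a production system would use a standard AEAD such as AES-GCM."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (example value)

# Challenge levels as described on page 10 (prompt wording is assumed):
# 1 = private word agreed out of band, 2 = client/case reference held in the
# back office, 3 = the recipient's mobile number (no prior exchange needed).
CHALLENGE_LEVELS = {
    1: "Enter the private word we agreed during our call",
    2: "Enter your client reference number",
    3: "Enter the mobile number we hold for you",
}


def normalise_answer(answer: str) -> str:
    """Drop whitespace and case so '07700 900123' and '07700900123' match."""
    return "".join(answer.split()).casefold()


def derive_keys(answer: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the challenge answer into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac(
        "sha256", normalise_answer(answer).encode(), salt, KDF_ITERATIONS, dklen=32
    )
    k_enc = hmac.new(master, b"envelope-enc", hashlib.sha256).digest()
    k_mac = hmac.new(master, b"envelope-mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream_xor(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 as a PRF, XORed over data."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(k_enc, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


def seal(plaintext: str, level: int, answer: str) -> Dict[str, str]:
    """Sender side: encrypt under the challenge answer. The answer is not stored;
    only the prompt the recipient will see travels with the envelope."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    k_enc, k_mac = derive_keys(answer, salt)
    ct = _keystream_xor(k_enc, nonce, plaintext.encode())
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return {
        "challenge": CHALLENGE_LEVELS[level],
        "salt": salt.hex(), "nonce": nonce.hex(),
        "ciphertext": ct.hex(), "tag": tag.hex(),
    }


def open_envelope(env: Dict[str, str], answer: str) -> Optional[str]:
    """Recipient side: a wrong answer or a tampered envelope yields None,
    because the MAC is checked before anything is decrypted."""
    k_enc, k_mac = derive_keys(answer, bytes.fromhex(env["salt"]))
    nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["ciphertext"])
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        return None
    return _keystream_xor(k_enc, nonce, ct).decode()


def journal_entry(env: Dict[str, str]) -> Dict[str, str]:
    """What a server-side journal captures for a client-side encrypted message:
    the sealed envelope only, so there is no open text to index."""
    return {"body": json.dumps(env), "searchable_text": ""}


def journal_exposes(env: Dict[str, str], needle: str) -> bool:
    """Audit check: does the journaled record contain this text in the open?"""
    return needle.casefold() in journal_entry(env)["body"].casefold()


def export_open_copy(env: Dict[str, str], answer: str) -> Optional[Dict[str, str]]:
    """Add-in style export after ID authentication: the opened message is
    written to the archive/journal in an open, searchable form."""
    text = open_envelope(env, answer)
    return None if text is None else {"body": text, "searchable_text": text}


if __name__ == "__main__":
    env = seal("Policy schedule attached", 1, "Bluebell")  # constructed message
    print("journal holds plaintext:", journal_exposes(env, "Policy schedule"))
    print("opened:", open_envelope(env, "bluebell"))
```

The design choice worth noticing is that `seal` never writes the answer anywhere: the platform (and anything journaling the transport) sees only a prompt and ciphertext, which is the email equivalent of keeping the call-centre operator away from the caller’s answers. The Level 3 case also shows the caveat from page 10 in code: normalising a mobile number makes it convenient to enter, but the guess space is small and the number may be known to others, so it should only protect less confidential content.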

Page 12

may be integrated with your chosen Client Relationship Management System (CRM), email system or simple record keeping arrangements by using the export function alongside a dedicated interface.

Contact for more details or visit www.beyondencryption.com or register and download the add-in and use our FREEmium service.

See the Feature List to further understand the various account types available.

[i] The ‘Browser Read’ function can be prevented by the sender as an option.