Page 1: Data Security & Privacy Certification: Understanding Email Encryption

Global Marketing

Data Security & Privacy Certification: Understanding Email Encryption

Page 2

Introduction to encryption

Organizations are buying email encryption TODAY

They can buy from YOU or they can buy from your competitor

Once you have an encryption customer, they are a customer for life, as changing providers is costly and complex

Page 3

What is encryption

• Encryption transforms readable data into unreadable data (cipher text) using an algorithm
• Only those possessing the decryption “key” can unlock the data
• The use of encryption/decryption is as old as the art of communication. It has been used for centuries, and in time of war to protect confidential information from the enemy

Page 4

Encryption benefits

With a focus on policy-based encryption:
• Eliminates the possibility of confidential information being read by anyone other than the intended recipient
• Helps organizations meet compliance regulations
• Automatically encrypts emails based on pre-defined policies
• Enables security audits and tracking
• Good business practice

Page 5

Gartner recommends that all companies make efforts to broadly install encryption across all their workstations

Source: Magic Quadrant, Sept 7, 2011

Page 6

Why?

• To comply with data protection regulations
• To follow best practices
• To take a more proactive approach to data protection and avoid:
  – high costs
  – heavy fines
  – brand damage
  – operational disruption caused by a data breach

Page 7

Organizations want to buy from YOU!

Solutions involving encryption have seen the biggest increase in IT budget earmarks over the past year

Page 8

If they don’t, they are vulnerable to...

• Significant fines
• Loss of reputation
• Loss of customers
• Possible business data loss and failure

Page 9

The cost of encryption

• The cost of a data breach is always higher than the cost to invest in preventive measures
• Organizations can pay for encryption upfront or run the risk of paying more later

Page 10

Best practice

• As content can be easily intercepted, encryption is synonymous with best practice
• Most companies, even if not in regulated industries, recognize that encrypting business data is best practice

Page 11

Did you know?

• Email is still the #1 communications tool
• Workers spend on average 152 minutes per day on email
• 1 in 5 outgoing emails contain content that poses a legal, financial, or regulatory risk
• 75% of all corporate email contains some intellectual property
• Worldwide email accounts are projected to increase from over 2.9 billion in 2010 to over 3.8 billion by 2014
• 26% of these will belong to corporate users

Page 12

Encrypting everything?

• Encrypting everything is only a viable solution if time and money are not factors in the decision process:
  – High up-front capital investment in the encryption solution; most are not subscription model-based
  – Investment in newer equipment that can handle the burden of constant encryption
  – Increased training in both solution administration and management
  – Additional administration of password or key management
  – And more …

Page 13

Data Leakage

Page 14

Data leakage

• Since the invention of the floppy disk, data leakage has been on the minds, and often in the nightmares, of all IT security personnel
• You could draw a direct correlation between data leakage and the creation of the IT security industry as a whole

Page 15

Defining data leakage

THE HUMAN EFFECT (inadvertent)
• Verbally reveals confidential information to outsiders
• Confidential information is revealed on Twitter, Facebook, etc.
• An ex-employee discusses trade secrets with a new employer
• Confidential data is inadvertently left in a public place

THE TECHNOLOGY EFFECT (malicious)
• Malicious hacking or use of viruses, bots, trojans, etc., to gain access to critical systems through corporate firewalls and other safeguards
• Sharing secure email communications via unsecure channels
• Downloading confidential information onto portable devices such as thumb drives, iPods, etc.
• Physically stealing laptops, hard drives, etc.

Page 16

New data leakage culprit

• Mobile devices are not part of the internal company network
• Organizations are embracing BYOD (bring your own device)
• With a mobile workforce, organizations rely more on mobile devices than ever before

Page 17

The cost of a data breach

• $140 per record
• $14 M cost on average (100,000 records)
• $5 M: notification, legal expenses, discounts, telecoms
• $7.5 M: opportunity cost (retention and acquisition of customers)

Page 18

The cost keeps growing

• $1.5 M: productivity losses due to additional load on staff
• $79 per record lost (Gartner)
• $11.5 M in expenses directly related to exposure
• $15 M fine by Federal Trade Commission
• 75 out of 150 companies surveyed had a data loss in the last 12 months (Deloitte Survey)

Page 19

Encryption Sales Tools

Page 20

Talk to the decision maker

• Chief Information Security Officer (CISO)
• Chief Compliance Officer (CCO)
• Chief Information Officer (CIO)
• VP IT
• Director Security
• Director MIS
• Data processing
• Security architects
• Information architects

Page 21

Tell them what they want to hear

• Easy-to-use email encryption for IT and end users, i.e. a forgot-password link and other features mean fewer calls to IT
• Minimum steps to send an encrypted email
• Industry best in registration and pick-up of emails
• Administration console
• Encryption expertise: working with someone that understands encryption

Page 22

How to displace the competition

• Push and pull delivery, i.e. the recipient can choose how they would like to receive their messages
• Plain-text notifications are branded and trusted, so recipients know it is not spam
• Easy to use on mobile devices
• Robust pick-up center
• Compliance-driven reporting engine
• Create bulk keys
• Customize sender and recipient groups

Page 23

How to displace the competition

• Supports standards-based encryption
• Digital signatures on all notifications and messages
• Trusted CA and WebTrust audited: http://bit.ly/z6Odet
• Interoperates with 3rd-party PGP and S/MIME services
• Helps make PGP a cloud-based solution

Page 24

Talk technology

• Cloud-based credential management
• Data is digitally signed
• Data remains encrypted while stored in the cloud
• Standards-based PKI, X.509 certificates
• Rapid deployment of multiple encryption applications on one platform
• Encryption complexities are hidden from the end user
• Provides credential and identity-management services
• Enables secure communications across a wide range of applications, media, and mobile devices

Page 25

Technically Speaking

Page 26

Types of email encryption

S/MIME (Secure/Multipurpose Internet Mail Extensions): included by default in email clients such as Outlook, and relies on a Certificate Authority (CA) to issue a secure email certificate

TLS (Transport Layer Security) / SSL (Secure Sockets Layer): less secure forms of email encryption, used to encrypt messages only in transit between two servers

Page 27

Understanding S/MIME

S/MIME provides two security services:
1. Digital signatures
2. Message encryption

Page 28

Understanding digital signatures

• Digital signatures are the digital counterpart to the traditional, legal signature on a paper document
• As with a legal signature, digital signatures provide the following security capabilities:
  1. Authentication
  2. Nonrepudiation
  3. Data integrity

These security capabilities are the core functions of digital signatures. Together, they assure recipients that the message came from the sender, and that the message received is the message that was sent

Page 29

Understanding digital signatures

• Authentication: A signature serves to validate an identity. It verifies the answer to “who are you?”. Because there is no authentication in SMTP e-mail, there is no way to know who actually sent a message. Authentication in a digital signature allows a recipient to know that a message was sent by the person or organization who claims to have sent the message.

• Nonrepudiation: The uniqueness of a signature prevents the owner of the signature from disowning the signature. This capability is called nonrepudiation. Thus, the authentication that a signature provides gives the means to enforce nonrepudiation. The concept of nonrepudiation is most familiar in the context of paper contracts: a signed contract is a legally binding document, and it is impossible to disown an authenticated signature.

• Data integrity: An additional security service that digital signatures provide is data integrity. With data integrity services, the recipient is assured that the e-mail message has not been altered while in transit.
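The three capabilities described on this slide, shown in an added example that is not part of the original deck or the vendor's software: a simplified stand-in for an S/MIME signed part, built only on Go's standard library (RSASSA-PSS over SHA-256). The SignedMessage type and the function names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is a simplified stand-in for an S/MIME signed part: the body
// travels in cleartext next to a detached signature, so anyone on the path can
// read it; the signature only proves who sent it and that it was not altered.
type SignedMessage struct {
	Body      []byte
	Signature []byte // RSASSA-PSS over SHA-256(Body)
}

// Sign produces the signature with the sender's private key. Because only the
// key holder can compute it, the sender cannot later disown the message
// (nonrepudiation), provided the private key stayed private.
func Sign(priv *rsa.PrivateKey, body []byte) (SignedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Body: body, Signature: sig}, nil
}

// Verify checks the signature against the sender's public key (taken from the
// sender's certificate in real S/MIME). Success gives authentication and data
// integrity: a different signer or a single changed byte of Body fails.
func Verify(pub *rsa.PublicKey, m SignedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], m.Signature, nil) == nil
}

func main() {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg, _ := Sign(sender, []byte("Invoice 4711 is due on Friday."))
	fmt.Println("genuine:", Verify(&sender.PublicKey, msg))
	msg.Body = []byte("Invoice 4711 is due on Monday.") // altered in transit
	fmt.Println("tampered:", Verify(&sender.PublicKey, msg))
}
```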

Page 30

Understanding digital certificates

• A digital certificate is an electronic “document” that establishes your credentials and enables you to create a digital signature
• Supports the X.509 standard
• Think of a digital certificate as you would of a passport

Page 31

Message encryption

• Digital signatures provide data integrity
• They do not provide confidentiality
• Messages with only a digital signature are sent in cleartext, similar to SMTP messages, and can be read by others
• To protect the contents of e-mail messages, you must use a message encryption solution like Symantec Policy-Based Encryption provided by Echoworx

Page 32

Types of encryption

Symmetric encryption
• The oldest and best-known encryption technique
• A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way
• It can be as simple as shifting each letter by a number of places in the alphabet
• As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key
• The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands
• Anyone who knows the secret key can decrypt the message

Asymmetric encryption
• Uses two keys rather than one, known as a “key pair”
• The public key (key #1) is made freely available to anyone who might want to send a message
• The private key (key #2) is kept secret
• Messages encrypted using a public key can only be decrypted by using the matching private key (so there is no risk in making the public key freely available)
• Asymmetric encryption is more secure, but it is slower than symmetric encryption and uses more processing power to encrypt and decrypt the content
• PKI (Public Key Infrastructure) uses asymmetric encryption

Page 33

Pulling it all together

Page 34

Understanding CAs (certificate authority)

• A CA is a trusted third-party organization or company that is allowed to issue and manage digital certificates
• The role of the CA is to guarantee that the person granted the digital certificate is who they say they are
• CAs are a critical component in data security because they guarantee that the parties exchanging information are really who they claim to be
• Echoworx is a trusted CA and, in order to maintain that designation, is WebTrust audited by Deloitte annually
• There are two types of CAs:
  1. Private CA: held by a private entity (company, administration, the military)
  2. Public CA: Echoworx, Verisign, Swisskey, GlobalSign

Page 35

Understanding PKI (Public Key Infrastructure)

• PKI is a set of standards, procedures, software, and people for implementing authentication using public key cryptography
• PKI is the infrastructure that manages digital certificates. It is used to request, install, configure, manage and revoke digital certificates
• PKI offers authentication via digital certificates, and these digital certificates are signed and provided by a Certificate Authority
• PKI uses public key cryptography and works with X.509 standard certificates
• PKI enables authentication, nonrepudiation, and data integrity
• PKI is an infrastructure in which many things happen and is not a process or algorithm itself, so PKI consists of a number of aspects to enable the infrastructure to work

Page 36

PKI includes

1. A Certificate Authority (CA), which delivers digital certificates
2. A directory that stores digital certificates
3. A registration authority that allows for the enrollment of digital certificates
4. Centralized management functionality

Page 37

Policy-Based Encryption

Page 38

Policy-based encryption

Automatically encrypts email at the gateway based on pre-defined policies and procedures

Page 39

Symantec policy-based encryption

• Automatic email encryption based on pre-defined policies and procedures
• No encryption action required from users and administrators
• Fully hosted, easy-to-use service
• Eliminates the need for on-premise installation
• Flexible message delivery options to users and non-users of policy-based encryption
• Easy for recipients to receive and reply securely to messages
• Supports mobile devices including iPhone, BB and Android
• Works with third-party S/MIME and PGP credentials
• Supports multiple tenancy, branding and multiple levels of administration

Page 40

Deployment

A typical installation includes the Echoworx policy engine residing on premises, with the messages travelling via a TLS connection to the encryption engine at an Echoworx secure facility

Page 41

How it Works

Page 42

Where it fits

Symantec.cloud Content Control can trigger the encryption of an email

Page 43

Customer Scenario

Page 44

Challenge

• A national healthcare organization is actively seeking a way to secure emails and comply with HIPAA
• They want to ensure that messages never leave their environment if they contain certain key words or phrases
• They realize that human error plays a part in everything, and the organization needs a solution that will AUTOMATICALLY encrypt emails based on pre-defined policies
• Their requirements include: easy to use, automated, and flexible policy management

Solution

• You recommend policy-based encryption
• Key factors you picked up on were:
  – Messages never leave their environment if they contain certain key words or phrases
  – Needs a solution that will AUTOMATICALLY encrypt emails based on certain rules or policies
  – Requirements: easy to use, automated, and flexible policy management
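The gateway decision this scenario calls for, as an added example that is not the vendor's product code: an ordered rule set in Go that classifies each outbound message as deliver, encrypt or block and records which rule fired, so the audit trail can explain every outcome. The internal domain example.org, the trigger phrases and the SSN-shaped pattern are constructed placeholders.

```go
package main

import (
	"regexp"
	"strings"
)

type Action int // the gateway's decision for one outbound message

const (
	Deliver Action = iota // leaves in the clear
	Encrypt               // handed to the encryption engine before it leaves
	Block                 // never leaves the environment; held for review
)

// Message is the subset of an outbound mail that the policy engine inspects.
type Message struct{ To []string; Subject, Body string }

// Rule: rules run in order and the first match wins, so order is part of the policy.
type Rule struct {
	Name   string
	Match  func(Message) bool
	Action Action
}

// Decision names the rule that fired, so the audit trail can explain every outcome.
type Decision struct{ Action Action; Rule string }

func Evaluate(m Message, rules []Rule) Decision {
	for _, r := range rules {
		if r.Match(m) {
			return Decision{r.Action, r.Name}
		}
	}
	return Decision{Deliver, "default-deliver"}
}

func hasExternalRecipient(m Message, internalDomain string) bool {
	for _, rcpt := range m.To {
		if !strings.HasSuffix(strings.ToLower(rcpt), "@"+internalDomain) {
			return true
		}
	}
	return false
}

func textMatches(re *regexp.Regexp) func(Message) bool {
	return func(m Message) bool { return re.MatchString(m.Subject + "\n" + m.Body) }
}

// ExamplePolicy is constructed for this example after the healthcare scenario; the domain, phrases and SSN-shaped pattern are placeholders.
func ExamplePolicy() []Rule {
	return []Rule{
		{"internal-only", func(m Message) bool { return !hasExternalRecipient(m, "example.org") }, Deliver},
		{"never-leave", textMatches(regexp.MustCompile(`(?i)internal only|do not distribute`)), Block},
		{"phi-keywords", textMatches(regexp.MustCompile(`(?i)\b(patient|diagnosis|medical record)\b`)), Encrypt},
		{"ssn-pattern", textMatches(regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)), Encrypt},
	}
}
```

Because the internal-only rule sits first, the same sensitive body is delivered in the clear to a colleague but encrypted or blocked the moment an external recipient appears.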

Page 45

Resources

• For educational papers, product sheets, videos and more: http://www.echoworx.com/resources/
• For more on Symantec Policy-based encryption.cloud: http://www.symanteccloud.com/services/data_protection_management/email_policy_encryption.aspx

Page 46

Thank You for Participating

Certification is just a test away!