cryptzone outbound content compliance[1]


Upload: tfeury

Post on 08-Apr-2018


8/7/2019 Cryptzone outbound content compliance[1]

http://slidepdf.com/reader/full/cryptzone-outbound-content-compliance1 1/32

Outbound Content Compliance

Best Practices of Email Security for Regulatory Compliance


Content

1 INTRODUCTION ..... 4
1.1 WHY IS OUTBOUND CONTENT COMPLIANCE AN ISSUE? ..... 4
1.2 COMPANIES MUST COMPLY WITH LAWS AND REGULATIONS ..... 5
1.3 RECENT EXAMPLES OF DATA LEAKS ..... 6
1.4 COSTS OF A DATA BREACH ..... 7
2 SECURED EMAIL – CLIENT APPLICATION OF THE SIMPLE ENCRYPTION PLATFORM ..... 8
2.1 SECURED EMAIL - END POINT SECURITY FOR EMAIL ENCRYPTION ..... 8
2.2 SECURED ECONTROL - INTEGRATES WITH SECURED EMAIL FOR ENFORCED ACTIONS ..... 8
2.3 SECURED EFILE - ENCRYPT NETWORK FILES/FOLDERS FOR AUTOMATIC AUTHENTICATION ..... 8
2.4 SECURED EDISK PROTECT - WHOLE DRIVE ENCRYPTION – ENTERPRISE MANAGEMENT ..... 9
2.5 SECURED EUSB – ENCRYPTS ANY USB FLASH DRIVE IN THE MARKET TODAY! ..... 9
2.6 SECURED EGUARD - END POINT SECURITY - CONTROL, MONITOR AND LOG ENDPOINT ACCESS ..... 9
3 SECURED EMAIL ..... 10
3.1 SENDING SECURED EMAILS - USER PERSPECTIVE ..... 10
3.1.1 Establishment of a Secured Channel – Identification of the receiver ..... 10
3.2 CHOICES WHEN OPENING A SECURED EMAIL – A USER PERSPECTIVE ..... 12
3.3 SECURITY PERSPECTIVE – SKG - STRONGEST LINK IN ENCRYPTION ..... 13
3.3.1 Encryption ..... 14
3.3.2 The encryption procedure step by step ..... 14
3.3.3 Centrally managed keys ..... 15
3.4 ENTERPRISE PERSPECTIVE ..... 17
3.4.1 Central Management ..... 17
3.4.2 Global Object Synchronization ..... 17
3.4.3 Role based administration ..... 18
3.4.4 System Access Rules and Procedures ..... 18
3.4.5 Seamless integration with existing infrastructure ..... 18
3.4.6 Flexible Deployment ..... 19
3.4.7 Policy Management ..... 19
3.4.8 License Management ..... 19
3.4.9 Central Password Management ..... 20
3.4.10 Education management ..... 20
4 SEP ENTERPRISE DEPLOYMENT AND SCALING ..... 21
4.1 OVERVIEW OF SEP COMPONENTS ..... 21
4.1.1 SEP Database ..... 21
4.1.2 SEP Server ..... 21
4.1.3 SEP Clients ..... 21
4.2 SCALABILITY AND FAILOVER ..... 22
4.2.1 SEP Database ..... 22
4.2.2 SEP Server ..... 22
4.2.3 SEP Management Console ..... 22
4.3 PERFORMANCE AND STORAGE ..... 23
4.3.1 SQL Database Size ..... 23
4.3.2 Load on SEP Server ..... 23
4.3.3 Load on SQL Server ..... 24
4.3.4 Load on Network ..... 24
4.3.5 Load on Active Directory ..... 24


4.4 DEPLOYMENT STRATEGIES ..... 25
4.4.1 Single Region / Small Medium Enterprise ..... 25
4.4.2 Single Region / Small Medium Enterprise with Failover ..... 26
4.4.3 Multi Region / Large Enterprise ..... 27
4.5 RECOMMENDATIONS ..... 28
4.5.1 Number of Endpoints per Server ..... 28
4.5.2 Hardware for SEP Server ..... 28
4.5.3 Number of SEP Servers ..... 29
4.5.4 SQL Database ..... 30
4.6 POTENTIAL BOTTLENECKS ..... 31
4.6.1 Active Directory Synchronization ..... 31
4.6.2 Connection Congestion ..... 31
4.6.3 Secured eUSB Log Synchronization ..... 31
5 SUMMARY ..... 32


1  Introduction

What is Outbound Content Compliance? Outbound Content Compliance (also outbound content security or OCC) is a new segment of the computer security field, which aims to detect and prevent outbound content that violates the policy of the organization and/or government regulations. OCC deals with internal threats, either malicious or accidental, as opposed to more traditional security solutions (firewall, anti-virus, anti-spam etc.) that deal with external threats. Therefore, it is sometimes called inside-out security. These systems are designed to prevent and detect the accidental sending of sensitive and confidential information outside of the organization while at the same time educating information workers on the organization's security policies and industry and/or regulatory compliance.

1.1 Why is Outbound Content Compliance an issue?

Email is the number one method of communicating between individuals, whether personal or business to business. In the past 15 years, IT has been focused on security concerns outside of the enterprise network and on attacks upon enterprise networks trying to penetrate the network. Billions of dollars have been spent to protect the network, building a wall or firewall protecting against those attacks. Since most information workers are inside the network, the challenge has been to open up ports to allow outbound communication. That is the issue! Information workers are sending critical and sensitive information to partners, customers, and stockholders through the open communication channels over the Internet, without regard for the protection of the information. Over the past 5 or more years, federal and state or provincial laws and industry regulations have been introduced to control and protect the use and movement of sensitive data. Companies are mandated to encrypt information by LAW and the penalties are punitive. The overall cost of non-compliance is significant because the liability is more than a fine. The greatest impact is on the overall value of the corporation in the stock market or on revenues.

Examples of sensitive information are: corporate financial records, corporate intellectual property, internal manufacturing cost analysis, human resources records, customer account information, patient records, and strategic marketing plans. Most of these are examples of records or documents that have been entrusted into the hands of valued people. The CFO is emailing the corporate financials to their outside accounting firm for the quarterly close of the books; the Director of Production sends the signed contract for a new technology being manufactured in China; and the sales manager sends a customer database and the "agreed to" marketing plan to an outside marketing company for the first activity in the marketing plan. Some are accidents waiting to happen; others are malicious attempts to deceive the company.

1.2 Companies Must Comply with Laws and Regulations

Many organizations now fall under oversight of government and industry regulations that mandate control over private information, including HIPAA in health and benefits, GLBA and BASEL II in finance, Payment Card Industry DSS standards, Sarbanes-Oxley, and more than 42 states in the United States have passed data privacy or breach notification laws that require organizations to notify consumers when their information may have been exposed. One high-profile example is California SB 1386. The EU Data Protection Directive was first introduced in 1995 and has since been updated and implemented by all member countries.

Most recently, on September 24, 2009, the United States announced the HIPAA HITECH Act, which provides a "safe harbor" for Protected Health Information; that safe harbor is achieved through the use of encryption technology to protect sensitive and confidential information.

The Gramm-Leach-Bliley Act has already had an impact on financial services companies. Federal agencies are grappling with the Federal Information Security Management Act. Publicly held companies are looking at what role information security will play in assuring their internal controls, as required by the Sarbanes-Oxley Act's Section 404. Companies that do business in California are sorting out SB 1386, which requires them to have processes in place to notify customers whose personal information has been compromised. Yet no other industry has done as much to comply with such regulations, or been as open about its compliance efforts, as the healthcare industry. Most CIOs are complying with HIPAA and California or New York State privacy law and, voluntarily, Sarbanes-Oxley.

The Health Insurance Portability and Accountability Act of 1996 was passed by the United States Congress to improve the efficiency and effectiveness of the health care system, and reduce the incidence of fraud. There are three basic components of the basic security rule: confidentiality, integrity and availability of electronic protected health information. The focus of this policy requires increasing the secure automation of patient records and electronic health care information transfers. With the advent of automated health systems there is an increasing number of transfers of information between users, which poses new security and privacy risks that never existed before. In recognition of this increased risk, the drafters of this legislation included provisions for the regulation of information privacy and information systems security. Access Control provides users with rights and privileges to access and perform functions using information systems, applications, programs and files.

The EU Data Protection Directive (Directive 95/46/EC) has been implemented by all member states and its purpose is that "Everyone has the right to respect for his private and family life, his home and his correspondence." This regulation applies to any operation involving personal data, including collection and storing of the data. The directive requires organizations to handle all personal data in a manner that is secure and appropriate. More information can be found at the following link:

http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm


1.3  Recent examples of data leaks

The Data Loss Database (http://datalossdb.org/) is a research project aimed at documenting known and reported data loss incidents world-wide and gives an excellent overview for deeper research. Below are a few examples taken from the past months showing organizations that have been forced to disclose incidents and made the newspapers.

August 3, 2009
National Finance Center – 27,000 via unencrypted email

An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees' personal information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed.

August 4, 2009
US Army National Guard sends email w/ 131,000 sensitive data

An individual sent an unencrypted email with the personal information of soldiers enrolled in the Army National Guard Bonus and Incentive Program. The data includes the names, social security numbers, incentive payment amounts and payment dates. The soldiers will be notified by letter.

August 6, 2009
Department of Corrections – Email breach – 1,084 people

Social Security Numbers of 1,084 Department of Corrections Employees Emailed Out.

July 31, 2009
Jackson Memorial Hospital – Via email

A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and sending them through email and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.

July 16, 2009
Broadridge Financial Solution, Inc. – 10,000 Customers Proxy emailed

Broadridge Financial Solution, Inc. emailed proxy services for clients, including the processing, distribution and tabulation of Annual Meeting Proxy materials for registered shareholders of publicly traded companies. The firm inadvertently disclosed Dynegy shareholder information including name, address, Social Security number and other account information to another client.

June 6, 2009
Ohio State Dining Services – 150 students' Sensitive Information breached

Student employees had their social security numbers accidentally leaked in an e-mail. The hiring coordinator for Dining Services, an OSU student, received an e-mail with an attachment that included students' names and social security numbers. He accidentally sent the attachment in an e-mail reminding student employees to sign their waivers for the Ohio Employees Retirement System. Sent


1.4  Costs of a data breach

The exact cost of a data breach can be debated, but the bottom line is that all business managers agree that it is expensive and can affect the overall value of an organization.

Figure 1 Cost of a data breach


additional verifiable measures for protecting sensitive information. At the same time, data access is more distributed, causing suppliers and partners to become deeply integrated into many organizations' business processes and IT infrastructures. Continuous sharing of critical data internally and externally creates new security challenges for controlling access to data. Without strong data protection, enterprises may be exposed to significant financial and intellectual property loss, legal penalties, and damage to the brand.

2.4  Secured eDisk Protect - Whole Drive Encryption –  Enterprise Management

Secured eDisk Protect offers full hard drive encryption for laptops, workstations, and servers to ensure the ultimate protection against unauthorized disclosure of data and sensitive information. Today, common threats include the misplacement of mobile devices, theft of PCs, laptops, and servers, as well as data theft when systems are discarded. Organizations need privacy management solutions that ensure sensitive information is protected from unauthorized access as well as eliminate the risks associated with losing a mobile storage device.

2.5 Secured eUSB – Encrypts ANY USB flash drive in the market today!

Secured eUSB is a software solution that converts and upgrades standard USB flash drives to encrypted and secure USB flash drives with strong central policies. The storage capacity of USB flash drives has grown tremendously, with costs ever decreasing. The facts of life in most organizations are that employees are using more and more of these devices, with or without approval of IT management. With employees using their own flash drives, traveling with data to customers, and/or taking work home, organizations are constantly at risk from unprotected data on an unsecured flash drive. The consequences can be devastating - lost reputations, lost profits, lost jobs. In short: all the horrors you read about in the daily news.

2.6  Secured eGuard - End Point Security - Control, monitor and log endpoint access

Secured eGuard is our enterprise-grade solution for portable device control that proactively secures your most important corporate information. It controls, monitors and logs how your data is downloaded and uploaded to the endpoints and allows users to create enforceable security policies, view real-time activity and results, and centrally manage any type of removable media, portable storage device and communication interface. Secured eGuard's policy-based control of endpoint access to portable storage devices and removable media effectively prevents unauthorized use of enterprise data and enforces endpoint security policies, which comply with regulatory requirements such as Sarbanes-Oxley, California SB1386 or the Health Insurance Portability and Accountability Act (HIPAA). Secured eGuard is deployed and managed centrally, allowing security administrators to define policies that are automatically distributed to the endpoints using so-called Endpoint Agents. These policies are enforced and all relevant events are communicated back to the Management Server. Close integration with enterprise directories and enterprise management systems enables easy deployment and extensive monitoring and reporting.


3  Secured eMail

Secured eMail is email security software that provides powerful end-to-end, easy to use email encryption. Email is commonly used to transmit sensitive or confidential information - including operational data, trade secrets, and legal documents. Thanks to the Secured eMail Reader, recipients of secured emails do not need to purchase a license in order to read or reply securely.

3.1  Sending Secured emails - User Perspective

Figure 2 - The Send secured button – When Secured eMail is installed the user gets a new button, Send secured, that enables the user to send secured emails.

From a user perspective, sending a secured email is done by clicking a 'send secured' button integrated within Microsoft Outlook or Lotus Notes. When a user clicks the "Send Secured" button the email becomes encrypted, wrapped and sent. Wrapping of an email refers to Cryptzone's concept of delivering secure messages, where the actual secured content is delivered as an attachment in an ordinary MIME email. This is also referred to as "wrap-mail". The enterprise solution provides the ability to customize the wrap-mail for specialized requirements.

The optional Secured eControl application delivers Data Leak Prevention (DLP) beyond encryption. Deployed on the client, you can control the flow of information to any degree you wish. Ready-made policies for federal as well as state laws such as HIPAA, SOX, GLBA etc. make it easy for customers worldwide to deploy a solution for content encryption. When Secured eControl is installed and integrated with the Secured eMail application, security policies can be applied to enforce securing an email when the user clicks the 'send' button in his mail client, without the need to press the Send Secured button. The Secured eControl policies are highly customizable rules that control the outcome of a user action. The policies can, for example, be set to react on recipient email addresses, or on the very content of the sensitive information itself, such as detection of social security numbers, credit card information and other items of sensitive information.

3.1.1 Establishment of a Secured Channel – Identification of the receiver

A "secured channel" is a term that represents a secured tunnel of communication between a sender and recipient. The channel is created with the creation and use of a shared secret and the identity of the sender and the identity of the receiver. The identities used are the email address of the sender and the address of the receiver. The shared secret is established by the sender to create a secured channel between two parties.

The shared secret can be provided to the application in two ways: manually by the user, or automatically with the use of an Enterprise Server.

In the first example, the user is prompted to create a custom shared secret. The bit-strength of the shared secret created by the user can be controlled with the use of password policies. These policies control the number of characters of the secret, as well as what kinds of characters must be used.

In the second scenario, the client will retrieve the shared secret from the Enterprise Server. If the Enterprise Server cannot deliver a stored shared secret, the user will be prompted to create the secret himself.

Once the secured channel has been established, the client application maintains the trusted relationship. This means that once an email has been secured, there will be no need to define a shared secret again. The next email will be sent securely through the channel, with automatic authentication, without the need of a password – forever.

During the process of sending a secured email, the sender has the option to provide a custom unencrypted message that gets embedded with the wrap-mail. The unencrypted message is a valuable option for communicating per-message information in a plain form, readable by the recipient.

Once an email has been created and sent to an external recipient, the sender is responsible for providing the means for the shared secret exchange. The shared secret is an authentication tool to verify that only the correct receiver can read the secured email. The exchange of the shared secret will only be done once and it will only be entered once by the receiver. When the verification is done the sender and the receiver can continue to send secured emails to each other forever without being asked for any new verifications. It is possible to set up a policy so the receiver will have to verify again every month if such requirements exist.

The shared secret can be a combination of information that is known by both parties. For example, a shared secret may be a customer number, the last six digits of their social security number, initials plus last four digits of the social security number, anything that the recipient would know without forgetting the information. There is a multitude of agreed-upon shared secrets that provide a high level of security and can be easily remembered by the sender and the recipient. Additional methods of communicating the shared secret are provided by built-in functionalities such as fax printouts, email drafts, or verbally by the user himself. As for inbound communication, the server will handle all key exchange.

It is our belief that sending a secured email is an end-to-end-point based process which can be done without the use, need and cost of a gateway. The Secured eMail and Secured eControl applications can be used in an offline or online environment, as if they are still connected to the Internet. When a user sends an email in an offline state, the user will see their secured email "become encrypted" and end up in his outbox at the time of sending the email. When the user connects to the Internet, the email will be automatically sent out of the "outbox" and deposited in the sent folder.

One key differentiator of the Secured eMail application is the recipient accessibility of the secured content. Secured eMail's secured content is sent using the MIME layer, as an attachment to the wrap-mail, which allows the user to access their emails from anywhere, including public mail services such as gmail, hotmail etc.

Required components when sending secured emails are Outlook or Lotus Notes in conjunction with the Secured eMail Client, which is a Windows application.


3.2  Choices when Opening a Secured eMail –  A User Perspective

A recipient of an encrypted email will first experience the delivery of the wrap-mail, which is a notification to the recipient that they have received an encrypted email and special instructions on how to read the encrypted email. Within the content of the wrap-mail, the user is provided an option to download either the Full Reader Application or the Reader Lite, which will be required to open the secured email. The user must have administrative rights in order to install the Full Reader.

For users that don't have administrative rights, the Reader Lite application is a perfect solution. The Reader Lite does not require administrative rights, though Java is required on the recipient computer.

In Outlook and Lotus Notes, the user will simply double click the email to open it. The preview pane will display the content of the wrap-mail. Users with other mail clients in conjunction with the Secured eMail client will simply be required to open the secured content as an attachment to the wrap-mail. The email will then be displayed as created by the sender "within the local-machine web-browser".

Figure 3 Cryptzone standard wrapmail – The Cryptzone Enterprise solution is delivered with several well tested wrapmails (instructions for the receiver). The above example shows different instructions for internal users and external users.

Once the software is installed, and the user wants to open a secured email, the content has to be decrypted with the key used at the time of encryption. The instructions on the wrap-mail will provide a way to communicate the means to retrieve the secret used. Many implementations currently do this favorably using already established ways to communicate with the customers, such as profile-driven forums or by fax, postal mail or even verbally.


In enterprise scenarios, and for inbound messaging, the key is retrieved automatically and seamlessly from the Enterprise server.

Once a secured channel has been established, our client software maintains the secure channel, which will never have to be recreated. The next time an email is received from the sender, the encrypted email is automatically opened without the use of the shared secret. The client software, if used in conjunction with Outlook or Lotus Notes, allows the recipient to reply securely to the sender without needing a software license.

Required components when opening a secured email are any mail client together with the Secured eMail Client, or Reader Lite (a Java Web Start application that in turn requires Java 1.4).

3.3  Security Perspective – SKG - strongest link in encryption

Secured eMail is based on pure end-to-end-point encryption concepts. The key used to uphold a secured channel for email communication is discarded and no longer physically exists on the client side once an email has been sent or opened. Only a hashed version of the key exists locally on the client and centrally on the SEP Enterprise server, and it becomes the channel key to use when sending or opening an email the next time.

Secured emails are encrypted using AES 256 PHM (padded hashed message). Any key provided is, prior to encryption, brute-force protected using SHA-2. Since Secured eMail uses pure symmetric encryption concepts, there is no need for PKI management, certificate enrollment, maintenance, disaster recovery, etc. An email can be sent securely to anyone, at any given time. The Secured eMail client protects all locally stored profile data in a secured database using AES256 and a policy-defined protection method.


3.3.1  Encryption

For secure client communication SEP uses SSL, implemented through the industry-standard OpenSSL library. Encryption of databases, profiles and data on the client is done using AES 256. The example shows how a client encrypts a file; the same approach and module is used by SEP, but the result is then stored as database tables.

[Figure 4 (Cryptzone Content Encryption Concept) is an image; only its labels survive. Layers: Content Layer (Plaintext); Secured Content Layer / SEP Data Layer (Secured Data: Keyslot holding the cipher of the randomized 256 bit key, with key GUID and non-sensitive attributes, and the cipher of content); SEP Rule Layer (Protection Method); SEP Interface Layer. Labelled operations: SHA2 Hashing (Bruteforce Protection) and AES256PHM, each appearing twice.]

Figure 4 Cryptzone content encryption concept

The encryption procedure is illustrated in the “Cryptzone content encryption concept”. To better understand the concept map, note that there are actually two keys involved: one normal encryption key (the shared secret) and one fully randomized 256 bit key. The randomizer uses a seed constructed from several factors, including but not limited to processor tick count, user input, hashing and other hardware factors. With each new key the seed pool gets scrambled.

3.3.2  The encryption procedure step by step

The process starts with a client getting instructions to encrypt a plaintext file.

1.  An encryption key, the shared secret, is generated or entered by a user.
2.  The key is SHA-2 hashed to provide brute-force attack protection and to pad the key to the fixed key length that AES requires.
3.  The file is encrypted with AES using the 256 bit random key as encryption key; this is the cipher content in the graph.
4.  The random key is in turn AES encrypted using the hashed user key/shared secret and placed in the key slot.
5.  Temporary files are wiped from disk and memory to remove the possibility of indirect information leaks.
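The five steps above as a worked example in Go. This is an added illustration, not Cryptzone's code: the container layout, the use of AES-256-GCM in place of the proprietary AES256PHM mode, and the function names are assumptions. It shows the two-key (envelope) structure the figure describes: a random 256-bit content key encrypts the file, and the SHA-2 hash of the shared secret only ever encrypts that key in the key slot.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecuredData is a constructed container with the two parts named in the
// concept figure: the key slot (random content key wrapped under the hashed
// shared secret) and the content cipher. The real SEP layout is not on the page.
type SecuredData struct {
	KeySlot []byte
	Content []byte
}

// hashSecret is step 2: SHA-256 turns a shared secret of any length into a
// 32-byte AES-256 key. Plain SHA-256 follows the page's description; against
// guessing of a weak secret a slow, salted KDF would resist far better.
func hashSecret(secret []byte) []byte {
	h := sha256.Sum256(secret)
	return h[:]
}

// newGCM builds AES-256-GCM, used here in place of the page's unspecified
// "AES256PHM" mode; GCM also authenticates, so tampering is detected.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the tag check fails on a wrong key or modified data.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// zero overwrites key material in memory (step 5 of the procedure).
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Encrypt runs the procedure: hash the shared secret from step 1 (step 2), draw
// a random 256-bit content key and encrypt the content with it (step 3), wrap
// the content key into the key slot under the hashed secret (step 4), wipe (5).
func Encrypt(sharedSecret, plaintext []byte) (*SecuredData, error) {
	kek := hashSecret(sharedSecret)
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	defer zero(contentKey)
	content, err := seal(contentKey, plaintext)
	if err != nil {
		return nil, err
	}
	keySlot, err := seal(kek, contentKey)
	if err != nil {
		return nil, err
	}
	return &SecuredData{KeySlot: keySlot, Content: content}, nil
}

// Decrypt unwraps the content key from the key slot, then opens the content.
func Decrypt(sharedSecret []byte, sd *SecuredData) ([]byte, error) {
	contentKey, err := open(hashSecret(sharedSecret), sd.KeySlot)
	if err != nil {
		return nil, fmt.Errorf("key slot: wrong shared secret or modified data: %w", err)
	}
	defer zero(contentKey)
	return open(contentKey, sd.Content)
}
```

A wrong shared secret or a modified ciphertext byte fails at the GCM tag check instead of producing garbage. Because the content key is wrapped separately, changing a group's shared secret (which the page says can be done at any time) only requires re-wrapping the 60-byte key slot rather than re-encrypting the content.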


3.3.3  Centrally managed keys

The Enterprise Server is managed with the use of a powerful management console. The server's main task is to manage the company entities related to the Secured eMail implementation, such as member structures, secrets and policies. Furthermore the Management Console hosts “services for helpdesk applications” such as lost passwords and deployment tool creation.

With the use of the server, all client behavior can be centrally managed by a rich policy system. The policy system provides a way to apply rules regarding a specific user action to users or to the user group they belong to. This provides the tools necessary for an administrator to apply secure messaging in a controllable way.

While managing members, it is possible to create something referred to as Secured Groups. A Secured Group defines boundaries between members, where any user within the same secured group shares a given secret. The secret is defined when creating the secured group, and can be changed at any given time.

When a user sends a secured email to a new contact, the Secured eMail client will perform a server request to retrieve a secret to use with the contact. The server will resolve the client request and provide the secret with the help of the predefined Secured Groups. The user will never see this secret in plain text; it is only visible to the administrator at the company. The actual seed provided to the client is not stored on the client machines, but is mainly used to establish a secured channel with the recipient as one of the channel's key generation factors. Using the shared secret of a Secured Group it is possible to access any email that has been sent or received through the group.

Figure 5 Secured Group Properties – It is possible to change shared secret for a group and also ask the system to generate unique seeds for each individual user in a secured group.

Any member type of an Enterprise Server can have memberships in a secured group, including those manually created. It is however required that the receiving end has connectivity to the Enterprise Server during the decryption phase to be able to automatically retrieve the secret. This means that while external contacts can take part in secured groups, they will not be able to open the email unless this requirement is fulfilled. For external communication, the system relies on user-to-user communication of the shared secret, and on shared secrets that are created by the users themselves rather than managed with the help of Secured Groups.

The wrap-mail that gets sent to a recipient is a central policy, and the IT administrator can design several different wrap-mail templates and deploy them to the enterprise. The secured email can then carry information about the company's policy to secure information, as well as instructions on how to access the secured content.

The per sender-and-recipient, relationship-based shared secret design enables Secured Groups to be used together with external recipients in a favorable way, since exposing the shared secret used in a secured channel between a sender and recipient no longer endangers the security of other secured channels created by other users using the same secured group. This in turn makes Secured eMail ideal for B2C mail flows. When defining secured group members, it is possible to create wildcard members. Each wildcard represents a potential recipient within a specific namespace boundary. A wildcard is typically defined to have an email address such as *@hotmail.com, meaning “anyone at hotmail”. This means the secured group will automatically recognize members matching the wildcard as members of that group.
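How a secured group with wildcard members could resolve a recipient and yield a per sender/recipient channel secret, as an added example in Go (not the product's code). The matching rule, the HMAC-SHA256 derivation and the hash ratchet for the next channel key are assumptions; the page only states that a wildcard covers a namespace such as *@hotmail.com, that the group secret is one of the channel's key generation factors, and that only a hashed version of a key survives after use. The group and addresses in the test are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"sort"
	"strings"
)

// SecuredGroup pairs a group secret with its members. A member is either an
// exact address or a wildcard such as "*@ford.com" ("anyone at ford.com").
type SecuredGroup struct {
	Name    string
	Secret  []byte
	Members []string
}

// isWildcard reports whether a member pattern is a namespace wildcard.
func isWildcard(pattern string) bool {
	return strings.HasPrefix(pattern, "*@")
}

// matches reports whether addr is covered by a member pattern. Addresses are
// compared case-insensitively; a wildcard matches on the domain part only.
func matches(pattern, addr string) bool {
	pattern, addr = strings.ToLower(pattern), strings.ToLower(addr)
	if isWildcard(pattern) {
		at := strings.LastIndex(addr, "@")
		return at >= 0 && addr[at+1:] == pattern[2:]
	}
	return pattern == addr
}

// ResolveGroup finds the secured group whose members cover addr. An exact
// member wins over a wildcard member regardless of group order (assumed rule).
func ResolveGroup(groups []SecuredGroup, addr string) (*SecuredGroup, error) {
	var wild *SecuredGroup
	for i := range groups {
		for _, m := range groups[i].Members {
			if !matches(m, addr) {
				continue
			}
			if !isWildcard(m) {
				return &groups[i], nil
			}
			if wild == nil {
				wild = &groups[i]
			}
		}
	}
	if wild != nil {
		return wild, nil
	}
	return nil, errors.New("no secured group covers " + addr)
}

// ChannelSeed derives the secret for one sender/recipient pair from the group
// secret with HMAC-SHA256 (assumed derivation). The pair is sorted so that a
// reply lands on the same channel. The group secret stays on the server side:
// one pair's seed reveals neither the group secret nor any other pair's seed,
// which is the isolation property the paragraph above describes.
func ChannelSeed(group *SecuredGroup, a, b string) []byte {
	pair := []string{strings.ToLower(a), strings.ToLower(b)}
	sort.Strings(pair)
	mac := hmac.New(sha256.New, group.Secret)
	mac.Write([]byte(pair[0] + "\x00" + pair[1]))
	return mac.Sum(nil)
}

// Ratchet models "only a hashed version of the key exists locally": once a
// message has been sent or opened, the key is replaced by its SHA-256 hash,
// which becomes the channel key for the next message, so the key that
// protected an earlier message cannot be recovered from the current one.
func Ratchet(key []byte) []byte {
	next := sha256.Sum256(key)
	return next[:]
}
```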

Figure 6 Add users – It is possible to add a wildcard for a specific group. In the example we have added a wildcard that will enable end users to send encrypted emails to anyone with the address @ford.com with a specified shared secret.


3.4  Enterprise Perspective

The SEP Management Console has been empowered greatly to fit larger enterprises with 100 thousand users or more. Focus has been on enhancing the member and policy systems, as well as a high-end security role system, MSI deployment features and a template design system.

Figure 7 SEP Management Console – Here the IT Administrator can manage users, groups, licenses, policies, security roles and secured groups.

3.4.1  Central Management

The Enterprise Server centrally manages and enforces security policies for all Cryptzone products. It has the ability to create custom environments, specific settings and permissions for different groups as well as specific users, and then deploy this across an entire network. This managed system allows users to log in to an environment that is appropriate to their needs and consistent from one client to the next.

3.4.2  Global Object Synchronization

A Global object is a piece of data that is synchronized between server and clients.

The data can be anything from policies, licenses and passwords to templates, and enables synchronization for a single user between laptops, desktops and even a Citrix login. This technology makes sure that no matter what computer a user logs into, the user will be able to use the technology they are licensed for, regardless of whether the user is online or offline. Global Object Synchronization allows the power of the technology to be in the hands of the user as well as the IT administrator. For the IT administrator this means that encryption keys, policies, licenses and passwords are always automatically archived for backup. In the case of a computer crash or a regulatory audit, incident logging files and audit reports are close at hand.

3.4.3  Role based administration

The platform allows for permissions to be defined for individuals and groups, enabling a flexible, multi-tiered administration system with effective delegation of access rights and responsibilities through dedicated user roles.

Figure 8 Security Roles – The picture shows the Security Roles feature where it is possible to create different security roles for users in the SEP Management Console.

3.4.4  System Access Rules and Procedures

Client authentication can be customized depending on the need for user identity verification, from single sign-on (SSO) using Windows authentication down to authenticating users every time a secured email is opened. SEP Server authentication can be either Windows® authentication or user name and password. The roles assigned to the user then dictate what is possible to view, edit and create.

3.4.5  Seamless integration with existing infrastructure

Leveraging existing directory applications such as Active Directory or LDAP functionality, the SEP provides a one-way synchronization process to centrally administer security policies for user groups. The Simple Encryption Platform is located on top of the existing infrastructure as a thin layer, designed to be flexible and extensible for interoperability with existing infrastructure.


3.4.6  Flexible Deployment

The Simple Encryption Platform is designed to be able to run in multiple environments, including as a managed service, in a hosted location and/or in the company's existing IT infrastructure. The Simple Encryption Platform is delivered with the first encryption application, which allows organizations to quickly roll out new applications simply by downloading a new license.

3.4.7  Policy Management

SEP Management Console offers an easy and scalable way to deploy security policies and monitor security to ensure compliance with corporate security policies. Centrally define, enforce and monitor information policies from a single, enterprise-wide console, ensuring a consistent policy across all users in the organization, or customized policies for groups within the organization.

Figure 9 Policy management – It is possible to create one or several policies and then deploy them to users, groups and/or entire ADs. The system comes with ready-to-go policies created by the Cryptzone Professional Services team.

3.4.8  License Management

The SEP license management system makes it possible to add, remove and exchange licenses between users, groups and Active Directories. Licenses can also be issued on a temporary basis to external parties or consultants and then withdrawn on demand. Depending on which licenses the user profile includes, the client will enable or disable the products dynamically.


3.4.9  Central Password Management

Synchronizing user profiles to a SEP client also means giving access to secure groups, secure channels and policy settings for passwords, which can be controlled through policies. Users can use Windows® Authentication or their SEP Password to access all encrypted data. The SEP Management Console will manage user rights and access to secured data using the infrastructure you have already invested in: Active Directory. If you don't have your own structure you can easily use the SEP Management Console to create your own structure.

3.4.10 Education management

For a successful deployment of a security solution it is important that end users get the right understanding of how to use the new security solution. The SEP solutions offer centralized templates where it is possible for the administrator to customize end user messages. The SEP solution also includes a multitude of different education tools.


4  SEP Enterprise Deployment and Scaling

This section aims to give system administrators an overview of the SEP Enterprise solution from a scalability and performance perspective. It discusses deployment strategies, hardware recommendations, potential bottlenecks and how to overcome them.

4.1  Overview of SEP Components

There are three main components to take into account when considering scaling for SEP.

4.1.1  SEP Database

The SEP Database holds all the central information relating to SEP. This includes user information, user profiles, licenses, groups, policies, security roles etc. It goes without saying that it is the most critical part of SEP.

SEP Database runs on SQL Server 2000 or later and is supported on Express editions of SQL Server as well.

4.1.2  SEP Server 

SEP Server processes requests from SEP Clients and is managed through the SEP Management Console. SEP Server also performs periodic synchronization with Active Directory to keep the SEP Database up to date. The SEP Server uses the SEP Database to store data.

SEP Server runs on .NET Framework 2.0 and is supported on all Windows versions supporting .NET Framework 2.0.

4.1.3  SEP Clients

SEP Clients provide functionality to the user and synchronize with the SEP Server at intervals which depend on user action. A USB stick that is secured using Secured eUSB will also act as a standalone client. It will connect to the server and synchronize with the server independently from the SEP Client which was used to secure the stick.

Desktop SEP Client

The Desktop SEP Client provides functionality to the user for all the SEP products and performs profile synchronization with the SEP Server.

Secured eUSB Client

The Secured eUSB client is a secured area on a USB memory device that is created with the Secured eUSB product. It is used to protect the sensitive information on a USB device. Throughout this document, an endpoint refers to the SEP Client or to the Secured eUSB client.


4.2  Scalability and Failover 

4.2.1  SEP Database

The most common methods for SQL Server scaling are the following:

SQL Server Clustering

SQL Server Clustering involves clustering two or more servers in the same location together as one database server, usually attached to the same SAN (Storage Area Network). This method provides both failover and load balancing possibilities. SQL Server Clustering is suitable for use with the SEP Database.

SQL Server Mirroring

SQL Server Mirroring makes it possible to create read-only copies of a database in a different location. This does not provide any load balancing possibility as the mirror databases are read only; however, it can be used for failover.

SQL Server Replication

SQL Server Replication allows replicating a database across multiple regions and allows data to be updated in all replicas. However, this requires data in the database to be partitioned to avoid conflicts. This is not supported by default by the SEP Server, but can be achieved with a special configuration.

4.2.2  SEP Server 

The SEP Server only performs business logic and does not store any kind of business data. This makes it easily replaceable and scalable. An unlimited number of SEP Servers can be set up to communicate against the same SEP Database. Due to this, we recommend that a SEP Server is installed for each region and that a fast line is available from the servers to the central SEP Database.

SEP Server also performs periodic synchronization against the Active Directory, and having each individual server synchronize separately would be redundant. It is enough to use one server as the synchronization server and let the other servers only handle client requests.

4.2.3  SEP Management Console

SEP Management Console has large memory requirements when managing a server with very large numbers of entities (100,000+). Although the Management Console is highly optimized to work with large numbers of entities, it is recommended that it is run from a machine with a lot of spare memory when managing a database with a large number of endpoints.


4.3  Performance and Storage

4.3.1  SQL Database Size

In general, when not using Secured eUSB logging features, SEP Enterprise has considerably lower database size requirements. A 4GB database, which is the maximum size supported by SQL Server Express, will be able to accommodate up to 5000 users.

Secured eUSB however requires more space as the number of devices grows. Log files are kept indefinitely in the database until the device itself is deleted through the management console. Even though log files are stored in compressed form, the size will grow over time as more and more devices are added. Options to delete older log files automatically are under consideration.

For more information about database size requirements, see the section on databases in “Recommendations”.

4.3.2  Load on SEP Server 

There are three main areas where the server uses processing power:

a)  Active Directory Synchronization: During this process, the server will retrieve a copy of the remote AD and compare it with the locally stored copy. Any changes detected in the remote AD will be reflected through database updates to the local copy. Depending on AD size, this process can have large memory requirements. The frequency of the synchronization can be configured.

b)  Processing client requests: The clients will ask to retrieve any changes to their profile during synchronization to the server. The clients use “lazy synchronization”, which means they will only synchronize when the user is using the client. This means that synchronization won't happen during Windows startup, for example.

Some possible cases where synchronization or contact with the server will happen from the client:

1.  SEP Client is installed on the machine for the first time.
2.  When SEP Client is in a signed out state (tray icon is grayed out), the user initiates an action which requires the client: securing a file, un-securing a file, securing a USB stick, sending a secured email to a new contact.
3.  When the “synchronize” button is clicked on the SEP Settings dialog.

During normal usage of the computer, there is no periodic background synchronization taking place.

c)  Analyzing Secured eUSB logs: The Secured eUSB client will save its logs. After the Secured eUSB logs are synchronized with the server, they're put on a queue to be processed. The server will then build a list of changes since the last revision of the stick.

Each log file contains information about the changes on the sticks. Changes on the stick are events such as deletion, copying, moving or editing of files. Only the changes since the last synchronization will be sent to the server.

4.3.3  Load on SQL Server 

The bulk of the load on the SQL server will be during Active Directory synchronization and SEP Client synchronization.

Most of the insertions to the database will be done in these scenarios:

An Active Directory source is added and the server is synchronizing with the directory. In this case, the information in the Active Directory will be imported into the database.
A Secured eUSB client synchronizes its logs, which will be saved and processed in the database.

4.3.4  Load on Network 

The SEP Server and Clients communicate through a compressed SSL stream, and as such the bandwidth used for each synchronization is minimal.

The amount of data transferred for a simple client synchronization where there are no changes in the user profile (the most common scenario) is around 3KB. Depending on how often the client is used (see section Load on SEP Server), on average 5 to 10 synchronizations a day can be expected. Thus each client can be expected to use around 15KB to 30KB of bandwidth on average per day.

A compressed Secured eUSB log is on average 700 bytes. An active Secured eUSB might thus log around 20 to 30 events a day, which will result in 14-21KB of logs being transferred per Secured eUSB device each day.

4.3.5  Load on Active Directory

The SEP Server performs a number of queries to the Active Directory during its synchronization process. Depending on whether partial synchronization or full synchronization is selected, the SEP Server will query the various parts of the Active Directory and retrieve objects such as Organizational Units, Users and Groups. The synchronization interval can be configured to longer intervals (default is every 30 minutes) to reduce the number of queries per day on the Active Directory.

For small directories, the synchronization takes seconds; for larger ones (100,000+ objects) it might take a few minutes. The first synchronization to Active Directory when it is first added to the SEP Server always takes the longest.


4.4  Deployment Strategies

4.4.1  Single Region / Small Medium Enterprise

For deployments of this size, a single SEP Server and a single SEP Database running on an SQL database is sufficient. A single SEP Server can handle as many as 50,000 endpoints (SEP Client + Secured eUSB). The single SEP Server will perform all the duties, including Active Directory synchronization and synchronization with the clients.

[Figure 12 is an image; its labels are Domain Controller, SEP Server, SEP Clients and SEP Database.]

Figure 12: Single Server Deployment


4.4.2  Single Region / Small Medium Enterprise with Failover 

In cases where the operation of SEP Server is business critical, it is recommended that two SEP Servers are deployed for failover purposes. The SQL Server should also have some failover capability, either through SQL Server Mirroring or Clustering.

In this case the clients would be configured to connect to a primary server and to a secondary server in case the first one goes down. It is enough that only the primary server performs synchronization with Active Directory.

Figure 13: Single region with failover and load balancing


4.4.3  Multi Region / Large Enterprise

For a very large number of users in multiple regions (50,000+), a different deployment strategy is recommended. The recommended strategy is to use a SEP Server for each region, combined with a common high-performance clustered SQL Server. Each region can also have another SEP Server for failover purposes, as in the Single Region example. Only one of the SEP Servers would be designated to synchronize with Active Directory, while the rest would only provide functionality for the clients.

[Figure 14 is an image showing three regions (Region 1, Region 2, Region 3), each with a Domain Controller, a SEP Server and SEP Clients, plus a central SEP Database (Cluster). Its annotations: one region's SEP Server uses the Domain Controller for both Authentication and Synchronization; the other two regions' SEP Servers use the Domain Controller only for Authentication; the central SEP Database is used by all the SEP Servers; SEP Clients use the SEP Server in their own region.]

Figure 14: Deployment strategies for 3 regions


4.5  Recommendations

4.5.1  Number of Endpoints per Server

An endpoint is either a SEP Client or a Secured eUSB device. The total number of endpoints is the number of SEP Clients installed + the number of Secured eUSB devices.

4.5.2  Hardware for SEP Server 

In general, SEP Server's hardware and memory requirements depend on the number of endpoints and the size of the AD used. It is recommended that servers performing synchronization with very large Active Directories have plenty of free memory.

Number of Endpoints (Client + eUSB)   Number of CPU Units*   Memory
0-10,000                              1                      1GB
10,000-30,000                         2                      2GB
30,000-50,000                         2                      3GB
50,000-75,000                         4                      4GB
75,000-100,000                        4                      6GB
100,000+                              4+                     8GB

* 1 CPU unit is equivalent to a 1.5GHz single core Intel Xeon or Opteron processor.

SEP Server does not have any storage requirements beyond what is required to install the software.

SEP Server is supported on all 32 and 64-bit Windows versions that have support for .NET Framework 2.0.


4.5.3  Number of SEP Servers

In general, more than one SEP Server is only necessary if the operation of the SEP Server is business critical or if there will be a very large number of endpoints. The SEP Client is designed to run offline and should operate very well in conditions where the SEP Server is not available.

A company in multiple regions can choose to have multiple SEP Servers covering different regions, for load balancing purposes and to avoid traffic across different regions.

Each SEP Server has a limit on the number of simultaneous connections it can handle. This limit controls the number of SEP Clients that can be connected to the server at the same time. This option is configurable through the SEP Management Console. It is calculated that at most 1% of the available endpoints will be connected to the server at the same time.

Number of Endpoints (Client + eUSB)   Number of Simultaneous Connections
0-10,000                              100
10,000-30,000                         200
30,000-50,000                         400
50,000-75,000                         500*
75,000-100,000                        750*
100,000+                              1000+*

*: Multiple servers are recommended for this number of endpoints


4.5.4  SQL Database

The following SQL Server versions are supported:

SQL Server 2000 Standard, Enterprise
SQL Server 2005 Standard, Express*, Enterprise
SQL Server 2008 Standard, Express*, Enterprise

*: 4GB database size limit

The SQL Database size is related to the number of user profiles stored on the server and the number of eUSB endpoints that will be used actively by the users. Secured eUSB log data is kept indefinitely in the database until the device is deleted. In that case the log data will be wiped.

We have calculated the footprint of a single Secured eUSB log file in the database to be around 512 bytes. An active eUSB device can be calculated to have around 20 events per day on average. For a single user this will result in 10KB of storage per day.

SQL Database Sizes for number of profiles

Number of Users (Profiles)   Database Size
0-5,000                      4GB
5,000-10,000                 8GB
10,000-50,000                40GB
50,000-100,000               80GB
100,000+                     120GB+

For storing eUSB log data for at least 3 years, we would recommend the following minimum database sizes:

SQL Database sizes for number of eUSB endpoints

Number of active eUSB Endpoints   Database Size
0-10,000                          50GB
10,000-50,000                     200GB
50,000-100,000                    400GB
100,000+                          800GB+

For Secured eUSB users that are using the logging features, SQL Server Express is not recommended due to its database size limit.


4.6  Potential Bottlenecks

4.6.1  Active Directory Synchronization

In a large Active Directory, if only a small portion of the users are going to be using the SEP software, only parts of the AD should be synchronized to reduce the load on the Active Directory and on the SEP Server. As more and more users are deployed, the parts of Active Directory that are synchronized can be dynamically expanded.

4.6.2  Connection Congestion

In the scenario where a large number of users start a synchronization simultaneously, and the server is not configured to support that many simultaneous connections, the server will be unreachable for the users beyond the limit. The SEP Clients will continue to operate offline, however, and this should not cause any side effects. To solve this, consider increasing the number of simultaneous connections on the server or adding additional SEP Servers for load balancing.

4.6.3  Secured eUSB Log Synchronization

It is possible that in a company deploying Secured eUSB not all the users need the logging feature for Secured eUSB. It can easily be controlled through central policies which parts of Active Directory have logging enabled or disabled. Reducing the number of users that use Secured eUSB logging will ease the requirements on the server and database hardware.


5  Summary

The intent of this document is to give the reader a thorough understanding of Cryptzone's current Secured eMail Enterprise version, as well as a view of our upcoming release of v4.5 (announced GA is spring 2010). The Secured eMail solution is today used by over 1000 organizations, helping them to keep sensitive and private data secured.

Cryptzone's approach is to create a solution that fits any size of company. The basis of Secured eMail is that the application creates an end-to-end virtual channel between the sender and the receiver. It doesn't matter how the recipient receives their email – Outlook, Microsoft OWA, Gmail, Yahoo, Thunderbird – any method.

Most important is that our technology helps our customers to meet worldwide regulatory compliance with sensitive information laws, as well as HIPAA HITECH, Sarbanes-Oxley, HIPAA, Payment Card Industry DSS standards, the EU Data Protection Directive and GLBA. We use the strongest encryption method, AES 256, as well as the SKG system, which generates dynamic one-time encryption keys for every email sent. It is virtually impossible for somebody to hack your emails when they are secured. All the sender has to do is simply press a button, “send secured”, and everything else is taken care of.

Organizations looking to be compliant should ask themselves questions like:

Who can access our mail servers and all the emails located on them?
In what region and country is the mail server located? Is personal information stored in another country? What laws and regulations then apply?
Who can access our archiving system and all emails stored there? What laws and regulations apply to emails containing sensitive information in an archiving system?
How do we protect the locally stored email on laptops and desktops?
Is it OK that IT administrators can access sensitive information?
If it is OK that IT administrators access sensitive information, do we make them sign non-disclosure agreements?
How do we track which users have accessed unsecured sensitive information?

Whatever the answers are to these very difficult questions, Cryptzone's Secured eMail application can protect an organization's sensitive data sent by email no matter its location, and restrict access to only the sender, the receiver and the organization's most trusted information workers.