Office 365 OME or S/MIME with an automated certificate … · 2019. 12. 6.
TRANSCRIPT
Office 365 OME or S/MIME with an automated certificate management
A comparison of security, usability and management
Dr. Gunnar Jacobson
Need for secure E-Mail
▪ CEO Fraud / Business E-Mail Compromise
− Global damage: $1.3 Bn. p.a. [1]
− Example Pathé NL: $21.5 million [2]
→ Solution: Digital Signature
▪ Economic Espionage
− Damage in Germany (D): €43.4 Bn. over 2 years [3]
− CLOUD Act obliges US companies to grant data access for US administrations. Even outside of the USA!
→ Solution: E-Mail Encryption
1) FBI 2019
2) Forbes 2018
3) Bitkom 2018
OME or S/MIME?
Secure E-Mail
[Diagram: Alice and Bob. Sign: Private Key. Encrypt: Public Key, Certificate]
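The "Sign: Private Key" step of the Secure E-Mail diagram is what the "Need for secure E-Mail" slide offers against CEO fraud. The Go program below is an added example, not code from the slides or from any vendor named on them: it signs a constructed payment instruction with RSA-PSS over SHA-256 from Go's standard library and then shows that the signature fails for an altered copy of the message and for a signature made with someone else's key. The names `sign`, `verify` and `demoSignature`, the sample text, and the use of a bare RSA key in place of the sender's X.509 certificate are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed sample message (not from the slides): the kind of payment
// instruction that CEO fraud / Business E-Mail Compromise alters or forges.
const sampleInstruction = "From: ceo@example.com\r\nTo: finance@example.com\r\n\r\n" +
	"Pay invoice 4711 to IBAN DE00 0000 0000 0000 0000 00."

// sign produces an RSA-PSS signature over SHA-256(message) with the sender's
// private key: the "Sign / Private Key" step of the Secure E-Mail diagram.
func sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verify checks the signature with the sender's public key (in S/MIME this key
// comes from the sender's certificate); any change to the message makes it fail.
func verify(pub *rsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// demoSignature signs the sample instruction with the CEO's key and reports whether
// the untouched message verifies, whether an altered copy (changed IBAN) verifies,
// and whether a signature made with an impostor's key verifies against the CEO's key.
func demoSignature() (genuineOK, alteredOK, impostorOK bool, err error) {
	ceo, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the CEO's certificate key
	if err != nil {
		return
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // a key the recipient does not trust
	if err != nil {
		return
	}
	msg := []byte(sampleInstruction)
	sig, err := sign(ceo, msg)
	if err != nil {
		return
	}
	genuineOK = verify(&ceo.PublicKey, msg, sig)
	altered := []byte(strings.Replace(sampleInstruction, "DE00 0000", "DE99 9999", 1))
	alteredOK = verify(&ceo.PublicKey, altered, sig)
	impostorSig, err := sign(impostor, msg)
	if err != nil {
		return
	}
	impostorOK = verify(&ceo.PublicKey, msg, impostorSig)
	return
}

func main() {
	genuine, altered, impostor, err := demoSignature()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%t altered=%t impostor=%t\n", genuine, altered, impostor)
}
```

Running it prints `genuine=true altered=false impostor=false`: the recipient accepts only the unmodified message signed by the key they trust, which is the property OME lacks ("Digital signature is not supported") and S/MIME provides.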
Office 365 Message Encryption
▪ OME
− Online service for e-mail encryption
− Uses Rights Management Services (Azure RMS) as an encryption platform.
− Part of Azure Information Protection (AIP)
▪ Rights management
− Publishing License
− AIP Labels
OME Key Management
[Diagram: Alice and Bob, each with a Private Key and a Public Key; Public Tenant Key and Private Tenant Key. 1. Generation of AIP Tenant Key (BYOK). 2. Issue Client Certificates during Login]
OME/RMS Process
[Diagram: Alice and Bob. Labels: 1. Encryption; Content; Content Key; Pub. License „Bob“; Protected Message; 2.; 4. Re-Encryption; 6. Decryption; Content Key; Content (steps 3 and 5 are not present in the extracted text)]
OME Valuation
▪ Advantages
− Fully integrated with MS Azure
− Encryption for external users via web portal
− Comfortable for a user
− Easy implementation & management
▪ Challenges
− Proprietary solution, no standard
− RMS & HSM are under control of Microsoft
− No end-to-end security due to re-encryption
− All content keys are temporarily available on RMS
− The exchange of RMS protected messages between organisations is only possible with Federated Trust
− Digital signature is not supported
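The OME/RMS Process slide shows a message sealed under a content key whose publishing license is bound to the tenant key, re-encrypted by RMS for the recipient; the OME Valuation slide draws the consequence ("no end-to-end security due to re-encryption", "all content keys are temporarily available on RMS") and the S/MIME slides describe the alternative of encrypting directly to the partner's certificate. The Go program below is an added example for both slides, not code from the slides, from Microsoft or from Secardeo: it models the two paths with stand-in primitives (AES-256-GCM for the content, RSA-OAEP for wrapping the content key, bare RSA keys in place of the AIP tenant key/HSM and of the client certificates; the real RMS and CMS/S/MIME formats differ) and checks who can recover the mail in each. The names `ProtectedMessage`, `encryptTo`, `decryptWith`, `rmsReEncrypt` and `demo` and the sample message are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample e-mail body (not from the slides).
var sampleMail = []byte("Subject: Q4 wire instructions\r\n\r\nPlease use the attached account details.")
// ProtectedMessage models the OME/RMS "Protected Message": sealed content plus a license carrying the content key wrapped to one RSA key.
type ProtectedMessage struct {
	Content []byte // AES-256-GCM ciphertext, 12-byte nonce prepended
	License []byte // content key, RSA-OAEP wrapped (tenant key in OME, recipient key in S/MIME)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptTo seals mail under a fresh content key and wraps that key to pub: the public
// tenant key in step 1 of the OME/RMS process, the recipient's certificate key in S/MIME.
func encryptTo(pub *rsa.PublicKey, mail []byte) (ProtectedMessage, error) {
	buf := make([]byte, 32+12) // content key || GCM nonce, both fresh per message
	if _, err := rand.Read(buf); err != nil {
		return ProtectedMessage{}, err
	}
	contentKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(contentKey)
	if err != nil {
		return ProtectedMessage{}, err
	}
	lic, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
	if err != nil {
		return ProtectedMessage{}, err
	}
	return ProtectedMessage{Content: gcm.Seal(nonce, nonce, mail, nil), License: lic}, nil
}

// decryptWith unwraps the content key with priv and opens the content (step 6 for Bob);
// it fails for anyone who does not hold the private key the license was wrapped to.
func decryptWith(priv *rsa.PrivateKey, msg ProtectedMessage) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.License, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	if len(msg.Content) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, msg.Content[:gcm.NonceSize()], msg.Content[gcm.NonceSize():], nil)
}

// rmsReEncrypt is step 4: the service unwraps the content key with the private tenant key
// and re-wraps it to Bob's client certificate, so the plaintext key passes through the service.
func rmsReEncrypt(tenantPriv *rsa.PrivateKey, bobPub *rsa.PublicKey, msg ProtectedMessage) (ProtectedMessage, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, tenantPriv, msg.License, nil)
	if err != nil {
		return ProtectedMessage{}, err
	}
	lic, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, contentKey, nil)
	if err != nil {
		return ProtectedMessage{}, err
	}
	return ProtectedMessage{Content: msg.Content, License: lic}, nil
}

// demo runs both paths with fresh keys and reports who can read the sample mail in each.
func demo() (omeBob, omeService, smimeBob, smimeService bool) {
	tenant, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the AIP tenant key (BYOK/HSM)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)    // stands in for Bob's client certificate
	reads := func(priv *rsa.PrivateKey, msg ProtectedMessage) bool {
		plain, err := decryptWith(priv, msg)
		return err == nil && string(plain) == string(sampleMail)
	}
	// OME/RMS: Alice encrypts to the tenant key, RMS re-encrypts for Bob, Bob decrypts.
	omeMsg, _ := encryptTo(&tenant.PublicKey, sampleMail)
	bobMsg, _ := rmsReEncrypt(tenant, &bob.PublicKey, omeMsg)
	omeBob, omeService = reads(bob, bobMsg), reads(tenant, omeMsg)
	// S/MIME-style: Alice wraps the content key directly to Bob's certificate key.
	smimeMsg, _ := encryptTo(&bob.PublicKey, sampleMail)
	smimeBob, smimeService = reads(bob, smimeMsg), reads(tenant, smimeMsg)
	return
}

func main() {
	ob, osvc, sb, ssvc := demo()
	fmt.Printf("OME: Bob=%t service=%t | S/MIME: Bob=%t service=%t\n", ob, osvc, sb, ssvc)
}
```

Running it prints `OME: Bob=true service=true | S/MIME: Bob=true service=false`. In the OME path the message is readable by Bob only after the service has held the plaintext content key, and whoever controls the private tenant key can open the original message without Bob; in the S/MIME-style path the same ciphertext structure is opened only by the holder of Bob's private key, which is what "end-to-end" means on the Evaluation slide.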
S/MIME
▪ Secure / Multipurpose Internet Mail Extensions
▪ S/MIME v3 (1999)
− Current v3.2: RFC 5751, 2010
▪ Standard for the encryption and signature of MIME-encapsulated e-mail
▪ Makes use of digital certificates (X.509)
▪ High distribution, good interoperability
− MS Outlook, Notes, Thunderbird, …
− Apple iOS, Android (Samsung, …)
▪ Is also supported by Office 365 (OWA)!
Distribution of Certificates
[Diagram: User, Internet, Partner. Partner's certificate is required. Own certificate from a public CA is required on all devices]
Windows S/MIME Enrollment
[Diagram: User, AD, Key Archive, Public CA. User login → S/MIME autoenrollment. Key archival with Key Recovery Agent]
Mobile S/MIME Enrollment
[Diagram: Protected Network with Key Archive and MDM. Managed Device: Profile (.P12, Private Key). Unmanaged Device: .P12, Password]
Global Certificate Retrieval
[Diagram: User, AD, Partner, Encrypt. Search in more than 140 global PKI directories. Publish internal certificates securely. Certificate upload by partner without directory. Encrypt for anyone with ad-hoc certificates]
Mobile End-to-End Encryption
[Diagram: Mail App, ActiveSync Proxy, AD (Active Directory), External Certificate Directories. Global certificate retrieval by native mail apps]
Evaluation
▪ S/MIME is standardised and widely distributed
▪ Supports encryption & signature
▪ User comfort and easy management by
− Automated certificate enrollment & retrieval
− Central certificate lifecycle management
▪ Global end-to-end encryption from any device to any partner
▪ SECARDEO TOPKI
− PKI automation for arbitrary certificates
− S/MIME, SSL/TLS, VPN, Computer/Device, …