Why You Shouldn’t Email Your   Sensitive Documents           David Strom        david@strom.com   TechNet Mid America July...
How to secure your emails for sensitive docs
This was a presentation that I gave at the TechNet Mid America conference in St. Louis in July 2012.

  • http://www.finra.org/Investors/ProtectYourself/InvestorAlerts/FraudsAndScams/P125460
  • From the Wall Street Journal, but there were lots of other reports. The Chamber had at least six weeks' worth of email data containing sensitive information stolen in a breach that was widely reported.
  • This expert from the Brookings Institute is the extreme case. When he travels in China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely.
  • There are a whole series of cloud-based document sending services such as Google Docs, Dropbox, Box.net, and others that can store documents in the cloud.
  • These services all share one common weakness: you can’t manage them well from an enterprise perspective. Also, browser-based file transfer is limited to 2 GB or less, and many of these services have other hidden limitations. Even when IT is aware of their use, the services generally lack transaction logging, which makes document control problematic and impedes litigation preparedness.
  • http://www.yousendit.com/aboutus/legal/privacy
  • Law enforcement shut down one of these services, MegaUpload, and in the ensuing months other peer file sharing services have curtailed their activities.
  • This is a sample screen from DocuSign.
  • There are more than a dozen DLP vendors. Their products offer a wide range of protective features, and some even integrate with endpoint security products, proxy/caching servers, and network intrusion protection appliances. However, while DLP products are great at identifying security breaches after the fact, they don't do much to help keep your confidential information contained within your enterprise. They are mostly used for compliance and other regulatory reasons.
  • This is Global Velocity’s DLP product. You can tune it, for example, to block Facebook messages but still allow users to add items to their Wall.
  • These are various gateway appliances that operate inside your firewall and automatically work in the background to encrypt and decrypt message traffic in conjunction with your mail servers. These are somewhat cumbersome but offer the following features.
  • This is Mimecast’s Outlook plug-in, and as you can see, there isn’t much to set up with it.
  • Not as easy to use as native email apps. Many still employ symmetric keys. Some can only read and not compose encrypted messages. These all have a Web service that is hosted by the vendor on the public Internet, and users connect via a browser to read and send messages. Recipients don't have to download any special software when they get an encrypted message from you.
  • Transcript of "How to secure your emails for sensitive docs"

    1. Why You Shouldn’t Email Your Sensitive Documents. David Strom, david@strom.com, TechNet Mid America, July 2012
    2. Email docs to yourself
    3. Email is inherently insecure…
    4. Obstacles to Email Encryption Adoption Today
        • Unencrypted emails are too easy to send
        • IT admins think encryption is too expensive or cumbersome or complex
        • Compliance regs should drive more email encryption usage (but don’t…)
        • The mobile encryption experience hasn’t been so wonderful
    5. Investors’ Email Compromises Have Consequences!
    6. Secure email alternatives
        • Cloud-based storage
        • Secure document delivery services
        • Data loss prevention products
        • Full encryption choices
    7. File sending services
    8. YouSendIt Privacy Policy: "Certain information may become accessible, such as the text and subject of messages you have sent, the name and content of the User Files you have sent, the date and time messages were sent, and the email addresses of the recipients."
    9. Responses to MegaUpload shutdown
    10. Secure document services
    11. Secure document issues
        • Do you need secure intra- or inter-enterprise collaboration?
        • Can you recall sent messages?
        • What happens when someone leaves your company?
        • How does the service affect users’ existing email experience?
        • Can you authenticate recipients and thwart malware such as key-loggers?
    12. Data loss prevention
        • Global Velocity's GV-2010 security appliance
        • BlueCoat Networks DLP appliance
        • Sendmail's Sentrion email server
        • McAfee Host DLP
        • Symantec/Vontu DLP v10
        • Safend Protector
        • Trend Micro DLP
    13. DLP Drawbacks
        • You are tracking rather than encrypting messages
        • Once a message leaves your premises, you can’t do anything about it
        • Can be expensive
    14. Full encryption choices
        • Voltage SecureMail
        • PGP Universal Server
        • Sophos Email Appliance
        • Cisco IronPort
        • Proofpoint Protection Server
        • Mimecast's Unified Email Messaging
        • Echoworx Encrypted Mail
    15. Common product features
        • Crypto key management
        • Auto encrypt sensitive info as part of their policies
        • Lots more rules processing
        • Outlook plug-ins
    16. Encryption Landscape

        Vendor         | Approach                  | Key/Certificate Management     | Mobile capability
        Cisco IronPort | Symmetric key per message | CRES (cloud) or on premise     | Web-based
        Proofpoint     | Symmetric key per message | PP Key service or on premise   | Web-based; read only
        Symantec/PGP   | PKI                       | PGP Directory or on premise    | Web-based; read only
        Entrust        | PKI                       | Entrust PKI or on premise      | Web-based
        Zix            | PKI                       | Zix Directory                  | Web-based
        Voltage        | Identity-based            | Cloud-based                    | Native app encryption
        Echoworx       | PKI                       | Echoworx PKI                   | Native app

    17. Voltage’s Secure email mobile client
    18. Questions? David Strom, david@strom.com, 314 277 7832, @dstrom (Twitter), http://strominator.com
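
Slide 15 lists "Auto encrypt sensitive info as part of their policies" as a common feature of the encryption gateways. The sketch below is an added example of such a policy decision, not code from the presentation or from any vendor named in it; the rule patterns, the `example.com` internal domain and the function names are assumptions chosen for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Hypothetical content rules; commercial gateways ship their own rule sets.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text):
    """Return the names of the content rules that matched the text."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.append("card")
    return hits

def gateway_action(raw, internal_domain="example.com"):
    """Return (action, hits): 'encrypt' when sensitive content leaves the domain."""
    msg = message_from_string(raw, policy=policy.default)
    text = str(msg.get("Subject", ""))
    for part in msg.walk():  # scan every text part, including multipart bodies
        if part.get_content_maintype() == "text":
            text += "\n" + part.get_content()
    hits = find_sensitive(text)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = any(not addr.lower().endswith("@" + internal_domain)
                   for _, addr in rcpts)
    return ("encrypt" if hits and external else "deliver"), hits

# Constructed sample messages (not real data).
EXTERNAL_CARD = ("From: alice@example.com\nTo: bob@partner.test\n"
                 "Subject: invoice\n\nCard 4111 1111 1111 1111 exp 01/30\n")
INTERNAL_SSN = ("From: alice@example.com\nTo: hr@example.com\n"
                "Subject: form\n\nSSN 078-05-1120\n")
EXTERNAL_CLEAN = ("From: alice@example.com\nTo: bob@partner.test\n"
                  "Subject: lunch\n\nOrder ref 4111 1111 1111 1112\n")

if __name__ == "__main__":
    for raw in (EXTERNAL_CARD, INTERNAL_SSN, EXTERNAL_CLEAN):
        print(gateway_action(raw))
```

The third message shows why the Luhn check matters: a 16-digit order reference matches the card pattern but fails the checksum, so the policy does not force encryption on it.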