how to secure your emails for sensitive docs
DESCRIPTION
This was a presentation that I gave at Technet MidAmerica conference in St. Louis in July 2012TRANSCRIPT
Why You Shouldn’t Email Your Sensitive Documents
David [email protected]
TechNet Mid America July 2012
Email docs to yourself
Email is inherently insecure…
4
Obstacles to Email Encryption Adoption Today
• Unencrypted emails are too easy to send• IT admins think encryption is too expensive or
cumbersome or complex• Compliance regs should drive more email
encryption usage (but don’t…)• The mobile encryption experience hasn’t been
so wonderful
Investors’ Email Compromises Have Consequences!
5
Secure email alternatives
• Cloud-based storage• Secure document delivery services • Data loss prevention products• Full encryption choices
File sending services
YouSendIt Privacy Policy
Certain information may become accessible, such as the text and subject of messages you have sent, the name and content of the User Files you have sent, the date and time messages were sent, and the email addresses of the recipients.
Responses to MegaUpload shutdown
Secure document services
Secure document issues
• Do you need secure intra- or inter-enterprise collaboration?
• Can you recall sent messages? • What happens when someone leaves your
company? • How does the service affect users’ existing
email experience? • Can you authenticate recipients and thwart
malware such as key-loggers?
Data loss prevention
• Global Velocity's GV-2010 security appliance • BlueCoat Networks DLP appliance• Sendmail's Sentrion email server• McAfee Host DLP• Symantec/Vontu DLP v10• Safend Protector• Trend Micro DLP
DLP Drawbacks
• You are tracking rather than encrypting messages
• Once a message leaves your premises, you can’t do anything about it
• Can be expensive
Full encryption choices
• Voltage SecureMail• PGP Universal Server• Sophos Email Appliance• Cisco IronPort• Proofpoint Protection Server• Mimecast's Unified Email Messaging• Echoworx Encrypted Mail
Common product features
• Crypto key management• Auto encrypt sensitive info as part of their
policies• Lots more rules processing• Outlook plug-ins
Encryption LandscapeVendor Approach Key/Certificate Management Mobile capability
Cisco IronPort Symmetric key per message
CRES (cloud)Or on premise
Web-based
Proofpoint Symmetric key per message
PP Key service or on premise Web-based; read only
Symantec/PGP PKI PGP Directory or on premise Web-based; read only
Entrust PKI Entrust PKI or on premise Web-based
Zix PKI Zix Directory Web-based
Voltage Identity-based encryption
Cloud-based Native app
Echoworx PKI Echoworx PKI Native app
Voltage’s Secure email mobile client