HPE Secure Mail - 敦新科技 DAWNING …
HPE Secure Mail, HPE Data Security. HP Presales: Bill Lee 李柏厚, [email protected], 0919255161

Post on 24-May-2018

Page 1: HPE Secure Mail - 敦新科技DAWNING … Securemail...HPE IBE: Flexible Authentication •Key generation is independent of authentication •Authentication can be dynamically changed

HPE Secure Mail

HPE Data Security

HP Presales

Bill Lee 李柏厚

[email protected]

Page 2: Hewlett Packard Enterprise: Protect your digital enterprise

• Transform to a hybrid infrastructure

• Enable workplace productivity

• Protect your digital enterprise

• Empower the data-driven organization

Proactively protect the interactions between users, applications and data across any location or device.

Page 3: What Problems Does it Solve

Data-centric security for email and attachments

Compliance with privacy regulations

Protection of intellectual property

Migration to cloud business email

Page 4: Important HPE SecureMail Requirements

Simple User Experience – Like Regular Email

Single Technology – HPE IBE – for All Use Cases

Simple to Manage – Stateless Architecture

DLP, AV / AS, Archive, eDiscovery Support

Outlook, Exchange, Windows AD Support

Page 5: HPE Data Security – SecureMail

About HPE Identity-Based Encryption (IBE)

Page 6: Challenges with Traditional Technologies

Difficult to Use

Not business friendly / no ad-hoc

Incompatible (Gmail, Android)

High TCO

Legacy PKI: S/MIME, PGP, OpenPGP

Proprietary Symmetric Key

Proprietary Webmail

Data Loss Risk

Complex key management

Active code in messages / PDFs

High TCO

Costs Rise w/ Use

Key and message stores to manage

e-discovery breaks, fines

Limited functionality

Page 7: The HP Security Voltage Unique Advantage

HPE Identity-based Encryption (IBE) and Stateless Architecture

• 60-80% lower cost of operations, 75% less infrastructure

• Simple user experience across desktop, Web, and mobile

• Seamlessly integrates with email and enterprise ecosystem

Page 8: What is Identity-based Encryption (IBE)?

IBE is a public-private key technology

• Ad-hoc: Keys generated from email addresses

• Stateless: No key store – generated on the fly

• 100% Push: Single message format

Concept originally proposed by Adi Shamir in 1984

• Eliminate the complexity of traditional PKI

DoD funded research at Stanford in 2000

• Voltage formed in 2002

Extensive peer review and standardization

• IEEE 1363.3 – Standard for Identity-Based Cryptographic Techniques using Pairings

• RFCs: RFC 5091, RFC 5408, RFC 5409

Innovation

Page 9: HP Identity-based Encryption (IBE): How it Works

[Diagram: Alice Sends Email to Bob. Labels: Alice, Bob, HP SecureMail Key Server, Bob’s Private Key, [email protected]; steps 1, 2, 3.]

Page 10: HPE IBE: Scalability & Disaster Recovery

Scales to Millions of Users

• No user key store

• No message store

• Load balanced servers

Disaster Recovery is Effortless

• One time backup of base key

• Fast recovery with no data loss

[Diagram labels: HP SecureMail Servers 1 & 2; HP SecureMail Servers 3 & 4]

Page 11: HPE IBE: Flexible Authentication

• Key generation is independent of authentication

• Authentication can be dynamically changed to meet policy requirements

• Out of the box support for AD, LDAP, native enrollment server

• Authentication Adapter to meet other authentication requirements

[Diagram labels: HP SecureMail Key Server; Auth Service (shown four times); HP Security Voltage]

Page 12: Client – Protect Email and Files End-to-End

HPE SecureMail Outlook Plug-In

• Send Secure within Outlook

• Access Global Address List

• Send to Distribution Lists based on AD membership

• Windows AD single sign-on

• Enforce client encryption rules

HPE SecureFile Office & Windows Plug-Ins

• HP SecureFile Encryption button within Microsoft Office

• Right-click to encrypt files supported on Windows (e.g., PDF)

HPE SecureMail

HPE SecureFile

Page 13: Simple Browser Interface for Recipients

• HTML message pushed to existing mailbox

• Open in browser – no client software to install

• Easy for anyone to do business with you

• Simple and familiar user experience

ZDM


Page 14: HPE SecureMail Mobile

• Simple, native user experience – smartphones and tablets

• Data centric protection for all mobile use cases and users

• Full functionality: read, compose, contacts, policies, more

• Protect beyond MDM and Containers – B2B and B2C

• Message-level policy control

• App store distribution

Page 15: HPE SecureMail Architecture

Page 16: HPE SecureMail Architecture

One Solution for Desktop, Web, Mobile, Cloud, Applications, and Automation

[Architecture diagram. Zones: Corporate Network, DMZ, Internet. Components: HPE SecureMail Gateway + Key Server + ZDM Server; DLP / AV, AS / MTA; Mail Archive; Mail Server & Mobile Server; Native Mobile Apps; HPE SecureMail Encryption client; HPE SecureMail Applications (REST API); HPE SecureMail ZDM Client; ZDM; HPE SecureMail Gateway.]

Page 17: Inspection for Encrypted Messages

[Diagram. Zones: Corporate Network, DMZ, Internet. Components: Anti-Spam, Anti-Virus, Data Leak Prevention, Mail Server, HPE SecureMail Gateway + Key Server.]

Page 18: Internal Encryption

[Diagram. Zone: Corporate Network. Components: Mail Server, HPE SecureMail Key Server, Hardware Security Module, Active Directory, HPE SecureMail Management Console.]

Same solution for internal and external

Page 19: Supervisory Control & eDiscovery

[Diagram. Zone: Corporate Network. Labels: Approach 1*, Approach 2, Approach 3; Mail Server; Mail Archive with HPE SecureMail Archive Connector*; HPE SecureMail Encryption Gateway; Mail Archive; Mail Archive; Supervisory Control; HPE SecureMail eDiscovery Accelerator (for IT/IS).]

* Symantec Enterprise Vault only

Page 20: Multi-tenant Architecture

– Independent tenants for

    – Lines of business

    – Use cases

    – Geographies

– Each tenant uniquely supports

    – Policies and reports

    – Branding and languages

    – Role-Based admin

    – Base keys and districts

– All tenants managed

    – Centrally or by line of business

[Diagram labels: tenants T-1, T-2, T-3, T…N; Commercial Insurance, Commercial Banking, Wealth Management, Personal Banking, Loans and Credit]

Page 21: HPE Data Security – SecureMail

Summary

Page 22: Value of HPE SecureMail

Simple, Native User Experience – Just Like Regular Email

• Outlook, iPhone, iPad, Android, Blackberry, Web

HPE Stateless Key Management Architecture

• No key or message store to manage

• Low operational and infrastructure costs

Single HP IBE Solution for All Use Cases

• Internal and external protection and compliance

• Single technology (HP IBE, 100% push, message format)

DLP, AV / AS, Archive, eDiscovery Support

• Full content scanning, filtering, and supervisory control

Outlook, Exchange, Windows AD Support

• Global Address List, Distribution Lists, Contacts

• AD Authentication, AD Groups

Page 23: Voltage SecureMail Competitors

Table columns, in order: Competitor Category & Strategy; Key Weaknesses; Key Strengths; Replacement Examples/Wins. The entries of each of the four competitor rows follow in that column order.

Row 1

• Weak.

• Brand based sell.

• Bundled with other products

• PGP – keys and certificates

• Cloud solution is Echoworx

• Multiple delivery methods

• No innovation from Symantec

• Brand

• Legacy PGP base

• Symantec Channel

• Major Global Bank based in HK/UK, Global Credit Card Brand, Major Wall St Bank.

Row 2

• Weak

• Brand based sell

• Bundled with other products.

• IronPort Encryption Appliance EOL

• Migrating customers to CRES

• Mobile solution – no central policy management

• Brand

• IronPort Appliance for email routing is solid.

• CISCO Channel

• Top US Health Insurer, Major US Global Investment Bank, Top 10 US Payment Processor

Row 3

• Strong

• Consolidation play vs Best of breed, cloud play.

• Mid market focus

• SKI – per message keys

• Cloud only

• Poor mobile experience

• Full service cloud email management including encryption

• Major US Investment Fund Management Firm

• Top 10 US Bank

Row 4

• Weak in enterprise, strong in SMB Healthcare

• Service play

• Best Method of Delivery means inconsistent user experience

• ZixOne - No Data on the Device

• Integrated with Google Apps

• Reseller channel

• Mostly cloud impact

• Some Cloud users moved to Zix, then back to Voltage after a few months.

Page 24: HPE Data Security – SecureMail Add-on

Application Edition

Page 25: Application Edition

• Protect email that is sent and received by applications & websites

• Data is at risk even in your network – protects internal & inbound email

• Protect email off the backbone – minimize changes to mail flow

• Web Services API enables simple, fast, and low cost integration

Page 26: Application Edition

[Diagram, Before / After. Zone: Corporate Network. Labels: Employees, HP SecureMail Server, Application, SMTP.]

Example Use Cases

Internal Approval Workflows

Inbound Web Form Submissions

Provisioning Credentials

Password Reset Messages

Fax to Email

Scheduled Reports

Enterprise Collaboration Tools

Enterprise Private Social Networks

Page 27: HPE Data Security – SecureMail

Backup Slides

Page 28: HPE IBE: Key Generation

[Diagram labels: [email protected]; HPE SecureMail Key Server; HSM* (* Optional)]

Public Key: Email + Public Params

Private Key: Email + Master Secret

Public Parameters: P=1564585547321

Master Secret: S=1872361923616378

Page 29: HPE IBE: Key Expiration and Rotation

• Keys are automatically rotated weekly

• What happens if Bob loses his private key?

• Key Server generates any required key on the fly

• How are emails accessed for eDiscovery?

• On-the-fly key generation provides auditor access

[Diagram: e-mail address || weekly nonce, shown as [email protected] || week = 252]

Page 30: Flexible Deployment Options

HPE SecureMail can be deployed

• In the cloud, on-premise, hybrid

• For public clouds (e.g., Office365)

Solutions can be migrated* from

• On-premise → Cloud

• Cloud → On-premise

• . . . with no loss of data

* May depend on selected licensing option

HPE Security Voltage

Page 31: Thank you

Ricky Mok, [email protected]