hpe secure mail - 敦新科技dawning … securemail...hpe ibe: flexible authentication •key...
TRANSCRIPT
Transform to a hybrid infrastructure
Enable workplace productivity
Protect your digital enterprise
Empower the data-driven organization
Proactively protect the interactions between users, applications and data across any location or device.
Hewlett Packard Enterprise: Protect your digital enterprise
What Problems Does it Solve
Data-centric security for email and attachments
Compliance with privacy regulations
Protection of intellectual property
Migration to cloud business email
Important HPE SecureMail Requirements
Simple User Experience – Like Regular Email
Single Technology – HPE IBE – for All Use Cases
Simple to Manage – Stateless Architecture
DLP, AV / AS, Archive, eDiscovery Support
Outlook, Exchange, Windows AD Support
HPE Data Security – SecureMail
About HPE Identity-Based Encryption (IBE)
Challenges with Traditional Technologies
Difficult to Use
Not business friendly / no ad-hoc
Incompatible (Gmail, Android)
High TCO
Legacy PKI: S/MIME, PGP, OpenPGP
Proprietary Symmetric Key
Proprietary Webmail
Data Loss Risk
Complex key management
Active code in messages / PDFs
High TCO
Costs Rise w/ Use
Key and message stores to manage
e-discovery breaks, fines
Limited functionality
The HP Security Voltage Unique Advantage
HPE Identity-based Encryption (IBE) and Stateless Architecture
• 60-80% lower cost of operations, 75% less infrastructure
• Simple user experience across desktop, Web, and mobile
• Seamlessly integrates with email and enterprise ecosystem
What is Identity-based Encryption (IBE)?
IBE is a public-private key technology
• Ad-hoc: Keys generated from email addresses
• Stateless: No key store – generated on the fly
• 100% Push: Single message format
Concept originally proposed by Adi Shamir in 1984
• Eliminate the complexity of traditional PKI
DoD funded research at Stanford in 2000
• Voltage formed in 2002
Extensive peer review and standardization
• IEEE 1363.3 – Standard for Identity-Based Cryptographic Techniques using Pairings
• RFCs: RFC 5091, RFC 5408, RFC 5409
Innovation
HP Identity-based Encryption (IBE): How it Works
[Figure: Alice Sends Email to Bob. Labels: HP SecureMail Key Server, Alice, Bob, Bob’s Private Key, steps 1 to 3]
HPE IBE: Scalability & Disaster Recovery
Scales to Millions of Users
• No user key store
• No message store
• Load balanced servers
Disaster Recovery is Effortless
• One time backup of base key
• Fast recovery with no data loss
HP SecureMail Servers 1 & 2
HP SecureMail Servers 3 & 4
HPE IBE: Flexible Authentication
• Key generation is independent of authentication
• Authentication can be dynamically changed to meet policy requirements
• Out of the box support for AD, LDAP, native enrollment server
• Authentication Adapter to meet other authentication requirements
[Figure labels: HP SecureMail Key Server; Auth Service (shown four times)]
HP Security Voltage
Client – Protect Email and Files End-to-End
HPE SecureMail Outlook Plug-In
• Send Secure within Outlook
• Access Global Address List
• Send to Distribution Lists based on AD membership
• Windows AD single sign-on
• Enforce client encryption rules
HPE SecureFile Office & Windows Plug-Ins
• HP SecureFile Encryption button within Microsoft Office
• Right-click to encrypt files supported on Windows (e.g., PDF)
HPE SecureMail
HPE SecureFile
Simple Browser Interface for Recipients
• HTML message pushed to existing mailbox
• Open in browser – no client software to install
• Easy for anyone to do business with you
• Simple and familiar user experience
HPE SecureMail Mobile
• Simple, native user experience – smartphones and tablets
• Data centric protection for all mobile use cases and users
• Full functionality: read, compose, contacts, policies, more
• Protect beyond MDM and Containers – B2B and B2C
• Message-level policy control
• App store distribution
HPE SecureMail Architecture
HPE SecureMail Architecture
One Solution for Desktop, Web, Mobile, Cloud, Applications, and Automation
[Architecture diagram. Zones: Corporate Network, DMZ, Internet. Components: HPE SecureMail Gateway + Key Server + ZDM Server; DLP / AV / AS / MTA; Archive; Mail Server & Mobile Server; Native Mobile Apps; HPE SecureMail Encryption client; HPE SecureMail Applications (REST API); HPE SecureMail ZDM Client; ZDM; HPE SecureMail Gateway]
Inspection for Encrypted Messages
[Diagram. Zones: Corporate Network, DMZ, Internet. Components: Anti-Spam; Anti-Virus; Data Leak Prevention Server; HPE SecureMail Gateway + Key Server]
Internal Encryption
Same solution for internal and external
[Diagram. Zone: Corporate Network. Components: Mail Server; HPE SecureMail Key Server; Hardware Security Module; Active Directory; HPE SecureMail Management Console]
Supervisory Control & eDiscovery
[Diagram. Zone: Corporate Network. Labels: Approach 1*, Approach 2, Approach 3; Mail Server; Mail Archive with HPE SecureMail Archive Connector*; HPE SecureMail Encryption Gateway; Mail Archive; Supervisory Control; HPE SecureMail eDiscovery Accelerator (for IT/IS)]
* Symantec Enterprise Vault only
Multi-tenant Architecture
– Independent tenants for
  – Lines of business
  – Use cases
  – Geographies
– Each tenant uniquely supports
  – Policies and reports
  – Branding and languages
  – Role-Based admin
  – Base keys and districts
– All tenants managed
  – Centrally or by line of business
T-1
T-2
T-3
T…N
Commercial Insurance
Commercial Banking
Wealth Management
Personal Banking
Loans and Credit
HPE Data Security – SecureMail
Summary
Value of HPE SecureMail
Simple, Native User Experience – Just Like Regular Email
• Outlook, iPhone, iPad, Android, Blackberry, Web
HPE Stateless Key Management Architecture
• No key or message store to manage
• Low operational and infrastructure costs
Single HP IBE Solution for All Use Cases
• Internal and external protection and compliance
• Single technology (HP IBE, 100% push, message format)
DLP, AV / AS, Archive, eDiscovery Support
• Full content scanning, filtering, and supervisory control
Outlook, Exchange, Windows AD Support
• Global Address List, Distribution Lists, Contacts
• AD Authentication, AD Groups
Voltage SecureMail Competitors
Competitor Category & Strategy | Key Weaknesses | Key Strengths | Replacement Examples/Wins

• Weak.
• Brand based sell.
• Bundled with other products
• PGP – keys and certificates
• Cloud solution is Echoworx
• Multiple delivery methods
• No innovation from Symantec
• Brand
• Legacy PGP base
• Symantec Channel
• Major Global Bank based in HK/UK, Global Credit Card Brand, Major Wall St Bank.

• Weak
• Brand based sell
• Bundled with other products.
• IronPort Encryption Appliance EOL
• Migrating customers to CRES
• Mobile solution – no central policy management
• Brand
• IronPort Appliance for email routing is solid.
• CISCO Channel
• Top US Health Insurer, Major US Global Investment Bank, Top 10 US Payment Processor

• Strong
• Consolidation play vs Best of breed, cloud play.
• Mid market focus
• SKI – per message keys
• Cloud only
• Poor mobile experience
• Full service cloud email management including encryption
• Major US Investment Fund Management Firm
• Top 10 US Bank

• Weak in enterprise, strong in SMB Healthcare
• Service play
• Best Method of Delivery means inconsistent user experience
• ZixOne - No Data on the Device
• Integrated with Google Apps
• Reseller channel
• Mostly cloud impact
• Some Cloud users moved to Zix, then back to Voltage after a few months.
HPE Data Security – SecureMail Add-on
Application Edition
Application Edition
• Protect email that is sent and received by applications & websites
• Data is at risk even in your network – protects internal & inbound email
• Protect email off the backbone – minimize changes to mail flow
• Web Services API enables simple, fast, and low cost integration
[Figure: Application Edition, Before and After. Labels: Employees; HP SecureMail Server; Application; Corporate Network]
Example Use Cases
Internal Approval Workflows
Inbound Web Form Submissions
Provisioning Credentials
Password Reset Messages
Fax to Email
Scheduled Reports
Enterprise Collaboration Tools
Enterprise Private Social Networks
SMTP
HPE Data Security – SecureMail
Backup Slides
HPE IBE: Key Generation
Public Key: Email + Public Params
Private Key: Email + Master Secret
HPE SecureMail Key Server
HSM* (* Optional)
Public Parameters: P=1564585547321
Master Secret: S=1872361923616378
HPE IBE: Key Expiration and Rotation
• Keys are automatically rotated weekly
• What happens if Bob loses his private key?
• Key Server generates any required key on the fly
• How are emails accessed for eDiscovery?
• On-the-fly key generation provides auditor access
Key identity: e-mail address || weekly nonce (week = 252)
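The key-generation and rotation slides above, as an added worked example that is not HPE's code: a toy identity-based encryption round trip using Cocks' quadratic-residue IBE scheme as a stand-in for the pairing-based scheme the deck cites (IEEE 1363.3, RFC 5091). The identity string layout, the two Mersenne primes used as master secret, and all function names are assumptions made for the demo.

```python
import hashlib, itertools, secrets

# Cocks' IBE (quadratic residues), NOT the pairing-based scheme SecureMail uses.
# Toy master secret: two publicly known Mersenne primes, both 3 mod 4 (demo only).
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q  # public parameter, published to every sender

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n > 0
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def identity(email, week):  # assumed layout: address || weekly nonce
    return f"{email.lower()}||week={week}"

def public_key(ident):  # any sender: hash identity to a value with Jacobi +1
    for ctr in itertools.count():
        h = hashlib.sha512(f"{ctr}:{ident}".encode()).digest()
        a = int.from_bytes(h, "big") % N
        if jacobi(a, N) == 1:
            return a

def extract(ident):  # key server only: recomputed from P, Q on every request
    return pow(public_key(ident), (N + 5 - P - Q) // 8, N)  # r*r = +a or -a

def _mask(bit, a):  # hide one bit in the Jacobi symbol of a random t
    while True:
        t = secrets.randbelow(N)
        if jacobi(t, N) == (1 if bit else -1):
            return (t + a * pow(t, -1, N)) % N

def encrypt(ident, data):  # two values per bit: one for r*r = a, one for -a
    a = public_key(ident)
    bits = [(byte >> i) & 1 for byte in data for i in range(8)]
    return [(_mask(b, a), _mask(b, -a)) for b in bits]

def decrypt(ident, r, ct):
    use = 0 if (r * r - public_key(ident)) % N == 0 else 1
    bits = [jacobi(pair[use] + 2 * r, N) == 1 for pair in ct]
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))
```

Because `extract` recomputes the private key from the master secret alone, the server keeps no per-user key store, and a key for any past week can be regenerated on demand for recovery or eDiscovery.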
Flexible Deployment Options
HPE SecureMail can be deployed
• In the cloud, on-premise, hybrid
• For public clouds (e.g., Office365)
Solutions can be migrated* from
• On-premise → Cloud
• Cloud → On-premise
• . . . with no loss of data
* May depend on selected licensing option
HPE Security Voltage
Thank you
Ricky Mok, [email protected]