Messaging: protecting your data and your reputation
DESCRIPTION
Corporate email systems are vital to the successful operation of a business. They can contain sensitive data which should never be exposed to outside parties and needs to be totally secure, whilst providing users with flexible access from a wide range of devices and locations. Andrew Quinn and Nigel Robson discuss the myriad security, regulatory and corporate compliance issues facing organisations today. How can we ensure that our data is safe and accessible, and that our corporate image is presented in a consistent and defined manner?
TRANSCRIPT
Messaging: Protecting your Data and your Reputation
Andrew Quinn & Nigel Robson
1/11/2013
Email and your Business
• Primary method of business communications
• Stores critical business data
• One of the main sources of data leaks
• Your organisation’s identity
• Your electronic ambassador
Protecting your Identity
• Your domain is your identity on the internet
• People recognise this and trust it
• It’s important to protect this asset
• It’s incredibly easy to fake!
Sender Spoofing Demo
Protecting your Identity: Sender Policy Framework (SPF)
• Allows receiving mail servers to check domain identity via public records (DNS)
• Addresses of authorised mail servers added to public DNS records
• If an email comes from an unlisted address it’s a fake
• SPF is free to set up
• Make sure you can list everything that sends emails from your domain!
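The check a receiving mail server makes, as an added example that is not part of the original slides. It evaluates only the `ip4`, `ip6` and `all` terms of an SPF record; the domain, addresses and sender names are constructed placeholders.

```python
import ipaddress

# Constructed sample: a TXT record a domain owner might publish in public DNS.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 ip6:2001:db8::/48 -all",
}
# Constructed inventory of systems that send mail as the domain.
CONSTRUCTED_SENDERS = {"office-mail": "192.0.2.5", "newsletter": "203.0.113.77"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, connecting_ip, records=SPF_RECORDS):
    """Evaluate a simplified SPF record against the connecting server's address."""
    terms = records.get(sender_domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no policy published, so the receiver learns nothing
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"  # a term without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all for every unlisted address
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # include, a, mx and similar terms need live DNS and are left out here
    return "neutral"  # nothing matched and the record has no "all" term


def audit_senders(domain, senders):
    """Return the legitimate senders that receivers would not pass."""
    return {name: ip for name, ip in senders.items()
            if check_spf(domain, ip) != "pass"}


if __name__ == "__main__":
    print(check_spf("example.com", "192.0.2.5"))
    print(audit_senders("example.com", CONSTRUCTED_SENDERS))
```

The audit result is the point of the last slide bullet: a legitimate sender left out of the record is treated exactly like a forged one.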
Protecting your Identity: Sender Policy Framework (SPF)
Email is NOT Secure
• Email is NOT a secure communications channel
• Emails can easily be intercepted, viewed, altered and forwarded on
• Sensitive information should never be sent via email unless security is enhanced
Email Capture Demo
Email is NOT Secure: Transport Layer Security (TLS)
TLS Encryption
Email is NOT Secure: Transport Layer Security (TLS)
• Secures messages in transit
• Newer email systems support basic functionality out of the box
• Some organisations will not do business with you without it
• Can be configured for “best efforts” or guaranteed security
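The difference between “best efforts” and guaranteed TLS, as an added example that is not part of the original slides. It models the sending server's decision from the receiver's EHLO reply; the policy names, return values and sample replies are constructed for illustration.

```python
# Constructed EHLO replies from a receiving server (hostname is a placeholder).
EHLO_WITH_TLS = "\n".join([
    "250-mx.partner.example Hello",
    "250-SIZE 36700160",
    "250-STARTTLS",
    "250 8BITMIME",
])
# The same reply with the STARTTLS line missing, as seen when the server does
# not support TLS or something on the path has removed the capability.
EHLO_WITHOUT_TLS = "\n".join([
    "250-mx.partner.example Hello",
    "250-SIZE 36700160",
    "250 8BITMIME",
])

POLICIES = ("best-efforts", "guaranteed")


def offers_starttls(ehlo_reply):
    """True if any 250 line of the EHLO reply advertises STARTTLS."""
    for line in ehlo_reply.splitlines():
        words = line[4:].split()  # text after "250-" or "250 "
        if line.startswith("250") and words and words[0].upper() == "STARTTLS":
            return True
    return False


def delivery_decision(ehlo_reply, policy):
    """Decide how the sending server handles a message for this receiver."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if offers_starttls(ehlo_reply):
        return "send-encrypted"
    if policy == "guaranteed":
        return "defer"  # keep the message queued rather than expose it
    return "send-plaintext"  # best efforts falls back without any warning


if __name__ == "__main__":
    for reply in (EHLO_WITH_TLS, EHLO_WITHOUT_TLS):
        for policy in POLICIES:
            print(policy, "->", delivery_decision(reply, policy))
```

Under best efforts the message still leaves in clear text when TLS is unavailable, which is why partners that require encryption ask for the guaranteed setting.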
A Familiar Story?
Mobile Device Management (MDM)
• Majority of organisations allow employees to access corporate email from mobile devices
• Emails contain sensitive data, which is stored in memory, and usually not encrypted
• What happens if that device is lost or stolen?
• Approx. 300 mobiles stolen in London per day
• Approx. 20,000 UK mobiles lost or stolen per day
Mobile Device Management (MDM)
• MDM allows corporate devices to be managed centrally
• Policies can be applied to all devices independent of make and model
• Devices can be forced to be encrypted
• Devices can be remote wiped if required
• Microsoft Exchange provides basic MDM via ActiveSync but more granular control can be provided by other products
Journaling & Archiving
• Two phrases which are often mixed up
• Serve different purposes
• Archiving – moving data to alternate storage for long term retention
• Journaling – keeping a separate, immutable copy of messages sent & received
Journaling & Archiving
Why Archive?
• Reduce storage costs
• Improve scalability
• Provide longer-term storage to users
• Eliminate a reliance on PST files
Why Journal?
• Compliance with retention policies
• Provide an electronic paper trail
• Prove what was said / agreed
• Information cannot be lost when people leave
Journaling Considerations
• If the email is modified in order to copy it (e.g. silently add BCC address), it may not stand up in court
• If end-users can access the “journal”, it is an “archive”
• Access to journaled messages should be audited
Data Loss Prevention
• Email is one of the largest sources of data leaks
• Data leaks are usually accidental
• Once an email is sent, you can’t get it back!
Data Loss Prevention
• Technology to manage the exposure of information is built into the Microsoft platform
  – Windows
  – MS Office (Word, Excel, PowerPoint, Outlook,…)
  – Exchange Server
• Lots of acronyms…
  – Rights Management Services (RMS)
  – Information Rights Management (IRM)
  – Message Classification
  – File Classification Infrastructure (FCI)
  – Data Loss Prevention (DLP)
Data Loss Prevention
• Add Classification
  – Provides information
  – Can be used for file system security
• Apply Rights Management
  – Restricts data usage even when you have access
• Process can be automated
Data Loss Prevention
So what does this do for us?
Classification...
Rights Management...
This is confidential. Don’t distribute it!
Outlook warns
Exchange blocks
Outlook blocks sending
Recipient can't open
Data Loss Prevention Demo
Branding
• Present a consistent corporate image
• Provide contact details
• Support marketing campaigns
• Comply with legal requirements
Signature Management
Andrew Quinn - Executive Consultant: Infrastructure Technology
Office: 0845 094 094 5 | Mobile: 07710 374895 | Website: www.waterstons.com
Waterstons Limited. Registered in England and Wales No. 3818424
Our registered office is at Liddon House, Belmont Business Park, Durham, DH1 1TW
DISCLAIMER:
The information contained in this email is intended for the named recipient only. It may contain confidential information. If you are not the intended recipient, you must not copy, distribute or take any action in reliance on it. Please note that neither Waterstons Limited nor the sender accepts any responsibility for viruses and it is your responsibility to scan attachments (if any).
Email Branding Demo
Q & A
Coming up…
Messaging: Harnessing the Cloud
15th November 2013