
Email and data encryption

Email and data encryption. SecurityPoint 2008. David Strom, david@strom.com, +1 (310) 857-6867. Summary: how private is your data; the role of encryption in data protection; different kinds of email and disk encryption; encryption deployment options.


Presentation Transcript


  1. Email and data encryption. SecurityPoint 2008. David Strom, david@strom.com, +1 (310) 857-6867

  2. Summary
  • How private is your data
  • The role of encryption in data protection
  • Different kinds of email and disk encryption
  • Encryption deployment options
  • The role of regulatory requirements and compliance
  (c) David Strom Inc. SecurityPoint 2008

  3. How private is your personal data?
  • What information do you routinely provide online?
    • Birth date (Facebook)
    • Postal codes and address (eCommerce)
    • Age and gender
    • Email address
  • What information is on your laptop?

  4. How private is your corporate data?
  • Who has admin rights to everything?
  • Where do you keep your backups?
  • What customer info is sent via the Internet?
  • How many laptop users are there, and where do they routinely take their laptops?

  5. Are these actions privacy invasions?
  • Sending a single email with everyone's address clearly visible in the To: or Cc: header
  • A Web site that tries to make it easier for its customers to log in and track their accounts
  • Software that records the IP address of the machine it runs on and phones home with the result: is that spyware?
  • A US Web site that lets anyone look up the postal address attached to a telephone number


  7. What kinds of information do the proposed new laws consider private?
  • Your IP address
  • Your Ethernet MAC address / Windows GUID
  • Your purchase history with a Web storefront
  • Your postal address and phone number
  • Your email address
  • Your credit card and bank account numbers

  8. Be afraid. Be very afraid.
  • Lost laptops with customer data
  • Misplaced USB thumb drives and CDs
  • Webmail logins from public kiosks
  • Spyware-infected laptops inside your firewall
  • And …

  9. Is your email private? No!
  • Sending email is like writing an (unsigned) postcard
  • Then leaving it on your kitchen counter
  • Then handing it to some random passer-by to give to someone else
  • Who eventually gives it to the recipient
  • And, wait, there is more…

  10. And of course, breaches!
  • http://www.pogowasright.org/index.php?topic=Breaches
  • http://www.privacyrights.org/ar/ChronDataBreaches.htm
  • Some scary cost numbers: http://www.crn.com/security/205207370
  • http://www2.csoonline.com/exclusives/column.html?CID=33366

  11. The many faces of insecure email
  • Webmail: unless you use https, EVERYTHING is in the clear, your login included
  • Server backups: email is stored in many different places, and anyone with access to those copies can read it
  • Logins: POP, IMAP and SMTP AUTH send your credentials in the clear unless the session is wrapped in TLS (an SSL port or STARTTLS)
  • Identifying info: the Received: headers that SMTP relays add record the sending machine's IP address, and mail clients add headers such as X-Mailer or User-Agent with the software version; both can be a privacy concern

  12. And email is easily compromised!
  • Modified messages: anyone with system admin access on a server or relay can read, delete, and change any message, and plain SMTP gives the recipient no way to tell
  • Fabricated senders: anyone can set up a server and claim any domain name, and the From: header is whatever the sender types; plain SMTP does not authenticate it
  • No proof of delivery or origin: most systems give no delivery confirmation, and an unsigned message gives the recipient nothing that proves who really sent it
  • Unprotected backups!
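The leaks and forgeries that slides 11 and 12 list can all be seen on a single message. The following Go program is an added example and is not part of David Strom's deck: it parses a constructed message (the addresses, host names and IPs are invented, drawn from the documentation ranges) and pulls out the relay IP addresses from the Received: headers, the client version from X-Mailer, and the mismatch between the From: header and the envelope sender; it then lifts the user name and password out of constructed IMAP LOGIN and SMTP AUTH PLAIN client lines exactly as they cross the wire without TLS. Only Go's standard library is used.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed sample message (not a real capture): the From: header names one
// domain, while the envelope sender (Return-Path) and the first relay belong to another.
const sampleMessage = `Return-Path: <bounce@mailer.example.net>
Received: from mx2.example.com (mx2.example.com [192.0.2.20])
    by inbox.example.org with ESMTP id 7A1B2C; Mon, 10 Mar 2008 09:15:02 -0500
Received: from winbox (c-203-0-113-9.isp.example.net [203.0.113.9])
    by mx2.example.com with SMTP id 9F8E7D; Mon, 10 Mar 2008 09:14:58 -0500
From: "Accounts Payable" <ap@bank.example>
X-Mailer: Microsoft Office Outlook 11

Please see the attached invoice.
`

// Constructed client lines from IMAP and SMTP AUTH sessions sent without TLS.
const sampleCapture = `C: a001 LOGIN dstrom "Sup3rS3cret"
C: AUTH PLAIN AGRzdHJvbQBTdXAzclMzY3JldA==
`

// Exposure collects what a message leaks and what in it cannot be trusted.
type Exposure struct {
	From         string   // From: header; the sender types whatever they like
	ReturnPath   string   // envelope sender recorded by the receiving MTA
	RelayIPs     []string // IPs recorded in Received: headers, last hop first
	Mailer       string   // client software and version leaked in X-Mailer
	FromMismatch bool     // From: domain differs from the envelope domain
}

var ipInBrackets = regexp.MustCompile(`\[(\d{1,3}(?:\.\d{1,3}){3})\]`)

// domainOf returns the part after the last "@" (the whole string if there is none).
func domainOf(addr string) string {
	return strings.ToLower(addr[strings.LastIndex(addr, "@")+1:])
}

// InspectMessage pulls the identifying and spoofable fields out of a raw message.
func InspectMessage(raw string) (Exposure, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Exposure{}, err
	}
	addr := func(header string) string { // bare address, or "" if unparsable
		a, err := mail.ParseAddress(msg.Header.Get(header))
		if err != nil {
			return ""
		}
		return a.Address
	}
	ex := Exposure{From: addr("From"), ReturnPath: addr("Return-Path"), Mailer: msg.Header.Get("X-Mailer")}
	for _, rcv := range msg.Header["Received"] {
		if m := ipInBrackets.FindStringSubmatch(rcv); m != nil {
			ex.RelayIPs = append(ex.RelayIPs, m[1])
		}
	}
	ex.FromMismatch = ex.ReturnPath != "" && domainOf(ex.From) != domainOf(ex.ReturnPath)
	return ex, nil
}

// Credential is one login recovered from the capture.
type Credential struct{ Protocol, User, Password string }

var imapLogin = regexp.MustCompile(`^C: \S+ LOGIN (\S+) "?([^"\s]+)"?$`)
var authPlain = regexp.MustCompile(`^C: AUTH PLAIN (\S+)$`)

// ScanCapture does what a passive observer on the path can do: lift the
// credentials out of mail-protocol sessions that are not wrapped in TLS.
func ScanCapture(capture string) []Credential {
	var found []Credential
	for _, line := range strings.Split(capture, "\n") {
		if m := imapLogin.FindStringSubmatch(line); m != nil {
			found = append(found, Credential{"IMAP LOGIN", m[1], m[2]})
		} else if m := authPlain.FindStringSubmatch(line); m != nil {
			// SASL PLAIN is authzid NUL authcid NUL password: base64, not encryption.
			if raw, err := base64.StdEncoding.DecodeString(m[1]); err == nil {
				if p := strings.Split(string(raw), "\x00"); len(p) == 3 {
					found = append(found, Credential{"SMTP AUTH PLAIN", p[1], p[2]})
				}
			}
		}
	}
	return found
}

func main() {
	ex, err := InspectMessage(sampleMessage)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", ex)
	fmt.Printf("%+v\n", ScanCapture(sampleCapture))
}
```

The Received: chain is the one part a sender cannot fully control: the receiving server writes the top entry itself, so even a forged From: leaves the real originating IP further down. AUTH PLAIN is worth a separate look because its base64 wrapper is often mistaken for protection; it decodes with one library call.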

  13. The current state of privacy best practices
  • No clear privacy policy or protection
  • Sometimes, a small obscure link at the bottom of a Web page that leads to a privacy policy written in extreme legalese
  • Press releases when a breach occurs
  • Sometimes you remember to type https:
  • A few people using encryption products

  14. Microsoft is no privacy paragon
  • Hotmail break-ins galore
  • Global ID transmitted inside Word docs
  • Network collapse from poor DNS config (2001)
  • Software updates that scan your disk

  15. The problem
  • The laws are changing, and getting tougher on breaches
  • Your customer data is no longer a corporate asset; now it is a liability
  • Your employees are entitled to some modicum of data privacy
  • There is no such thing as a secure perimeter in the age of the Internet

  16. The end of the secure perimeter
  • Remote email and laptops are now the norm
  • IM is becoming more popular for corporate use
  • Most corporations have servers accessible from the Internet
  • Most corporations don’t do very much in the way of endpoint security
  • Even Hollywood knows about it: the USB thumb drive in the movie “The Recruit”

  17. So how can encryption help?
  • Protect the files on your laptops
  • Protect communications between employees:
    • Email
    • IM

  18. Types of disk encryption
  • Simple passwords on MS Office docs
  • File-based encryption, like PC-encrypt
  • Password-protected U3 USB thumb drives
  • Laptops with fingerprint scanners (these authenticate the user; the data on disk is only protected when the scanner is paired with an encryption product)
  • “Whole disk” encryption software

  19. Issues with disk encryption
  • User apathy
  • Lost password recovery
  • Fear that the files won’t be available

  20. Types of email encryption
  • S/MIME
  • PGP
  • TLS/SSL between SMTP relays (STARTTLS): protects each hop on the wire, not the message on the servers or in their backups


  22. What email encryption buys you
  • Eyes only for the recipient: only the holder of the recipient’s private key can decrypt the message
  • A digital signature proves the message came from the holder of your signing key
  • The recipient can tell whether a message was modified in transit, because the signature no longer verifies
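What signing buys you, as an added example that is not from the deck: a sign-and-verify round trip in Go, with the standard library's Ed25519 standing in for the RSA or ECDSA keys that S/MIME and PGP actually use. The keys for a sender "alice" and an impostor "mallory" are generated on the spot, the message text is constructed, and the canonicalisation step is a simplification of what the real formats do before hashing; the OpenPGP packet and CMS certificate formats are not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Keypair stands in for a sender's signing key (a PGP key or the private key
// behind an S/MIME certificate). Ed25519 is used only because it is in Go's
// standard library; the real formats are not reproduced here.
type Keypair struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

func NewKeypair() (Keypair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Keypair{pub, priv}, err
}

// canonical normalises line endings and trailing whitespace before signing,
// as OpenPGP and S/MIME do, so that the rewrites mail relays routinely make
// do not break a signature while any change to the words still does.
func canonical(body string) []byte {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	return []byte(strings.Join(lines, "\r\n"))
}

// Sign returns a base64 signature over the canonical body.
func Sign(kp Keypair, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(kp.Private, canonical(body)))
}

// Verify reports whether sig was made over body by the holder of pub. False
// means the body was altered in transit or the signer is not who the
// message claims to be from.
func Verify(pub ed25519.PublicKey, body, sig string) bool {
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, canonical(body), raw)
}

// Outcome records the four cases a recipient can meet.
type Outcome struct {
	Genuine   bool // untouched message from the claimed sender
	Tampered  bool // a relay or an admin changed the body
	WrongKey  bool // someone else signed while claiming the sender's address
	Rewrapped bool // a relay only changed line endings and trailing spaces
}

// Demo plays the cases out with freshly generated keys for "alice" (the claimed
// sender) and "mallory" (an impostor); only Genuine and Rewrapped should verify.
func Demo() (Outcome, error) {
	alice, err := NewKeypair()
	if err != nil {
		return Outcome{}, err
	}
	mallory, err := NewKeypair()
	if err != nil {
		return Outcome{}, err
	}
	body := "Please wire $10,000 to account 12345 by Friday.\n" // constructed text
	sig := Sign(alice, body)
	return Outcome{
		Genuine:   Verify(alice.Public, body, sig),
		Tampered:  Verify(alice.Public, strings.Replace(body, "12345", "99999", 1), sig),
		WrongKey:  Verify(alice.Public, body, Sign(mallory, body)),
		Rewrapped: Verify(alice.Public, strings.ReplaceAll(body, ".\n", ". \r\n"), sig),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Note what a signature does not give you: the body is still readable by every relay and in every backup, which is why signing is paired with encryption to the recipient's public key. And unlike TLS between relays, the check here is done by the recipient, so a change made at any hop is detected at the end rather than only on the wire of one hop.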

  23. Email encryption issues
  • No one cares about my communications
  • Which standard do I get behind?
  • How do I set up my PKI?
  • How do I track my certs?
  • How do I recover a forgotten password?
  • What happens when my recipients don’t cooperate?
  • My early experiences: http://strom.com/awards/227.html

  24. Email encryption deployment options
  • Always use https: and SSL
  • Use some form of VPN (1)(2)
  • Use a secure service provider:
    • ZixCorp.com
    • HushMail.com
    • Secure-tunnel.com
    • Even Network Solutions!


  26. And PGP!
  • Universal product for Webmail and external communications
  • Desktop product for email and disk encryption
  • NetShare product for file sharing protection

  27. Keyserver issues
  • Not everyone lists a PGP key on them, or lists one for every email account they use
  • Only work with PGP keys and clients
  • You may need to run a private server
  • Users need some training to use them

  28. Regulatory requirements and compliance
  • What encryption can bring to the party
  • Privacy protection in advance of pending legislation
  • Avoid being tomorrow’s headline about your next breach or data leak

  29. Encryption compliance benefits
  • End-to-end traffic protection
  • Policy-based key management
  • Digital signing for authentication and non-repudiation
  • Content scanning for data leaks
  • Phishing, virus, and spyware prevention

  30. Fred Avolio wrote:
  • If our business is worthless, if we never have a good idea, if there is nothing about what we do that anyone else would want, then we may be correct. However, that is not a description of our business, at least not for most of us.
  • Start signing your e-mail messages with your digital certificate. Use it when confidentiality is important (which is a good deal of the time, is it not?). Just start using it.
  http://www.avolio.com/columns/email-security.html (5/2000!)

  31. PGP Resources
  • Tom’s Page on PGP: http://www.mccune.cc/PGP.htm
  • Martin’s client list: http://www.bretschneidernet.de/tips/secmua.html
