Network Security Whitepaper

Companywide E-mail Encryption for Midsize Businesses
A simple solution for a complex task

Version: 1.00
Date: 13 March 2006
Author: Udo Kerst
2006 Astaro

CONTENTS

- WHO NEEDS SECURE E-MAIL TRANSMISSION?
- AVAILABLE SOLUTIONS FOR E-MAIL ENCRYPTION
- WHAT NEEDS DO MIDSIZE BUSINESSES HAVE?
- THE ASTARO SOLUTION
- ASTARO SECURITY GATEWAY E-MAIL ENCRYPTION
- EASY SETUP
- AUTOMATIC PROCESSING OF INCOMING KEYS
- COMMUNICATION WITH EXTERNAL KEY SERVERS
- CONCLUSION

E-mail security today

The number one use for the Internet today is the transmission of e-mail. E-mail is now so firmly established in day-to-day business that few users stop to wonder how their e-mails are in fact transmitted. In most cases, e-mails are sent through the Internet unprotected, comparable to a postcard.
This isn't only due to a lack of awareness on the part of users of the security risks involved, but is also due to a lack of easy-to-use technology allowing the average user to transmit secure e-mail using encryption and/or digital signatures.

While various solutions for secure e-mail transmission are available today, these are rarely suitable for wide application in smaller and midsize businesses. They generally either require additional software at the workstation, and each user is required to perform the necessary steps for each e-mail, or they are highly complex centralized solutions that can only be mastered by trained experts. As a result, e-mail encryption is only used, if ever, in very large companies. However, in many businesses, critical communications are transmitted simply as unprotected e-mail. Unprotected e-mail is convenient and efficient but insecure. The ideal solution, one that is efficient, secure and also simple and convenient, was not available until now.

Who needs secure e-mail transmission?

Securing e-mail communication through encryption and signatures is required in business for several important reasons. Remember that, by default, e-mail is sent over the Internet “in the clear” in an insecure way. This raises several important considerations for users.

First, much of the content of e-mail is either confidential or proprietary. Communications about plans, results, product development, competitive challenges and employee issues are all highly confidential and should be available only to the intended recipient. Privacy and compliance regulations require this in many industries, but even where it is not required by law, securing e-mail protects the organization’s most vital information: its intellectual property and methods of doing business.

Some of the laws compelling e-mail security include:

- The Data Protection Act
- Basel II
- Industry/sector initiatives
- HIPAA
- Sarbanes-Oxley Act

Second, many companies want to use e-mail to transmit data that will be processed automatically by the recipient. Clearly, for this kind of application the data should always be secured by encryption and/or a signature. This is not only absolutely necessary for effective protection from corporate and industrial espionage, but is also necessary to prevent the data from being read or altered by third parties.

In light of the doubling of worldwide e-mail transmissions since 2002, the need has increased significantly for economical protection from industrial espionage and effective filter technologies in the business environment.

Available solutions for e-mail encryption

The classic approach to securing e-mail infrastructures has a decentralized design. Each user is supplied at his or her desktop with secure e-mail software, such as S/MIME or OpenPGP plug-ins for the e-mail client. All users are supplied from a central PKI (Public Key Infrastructure) with internal and external keys, which they administer in a decentralized manner on their own PCs. This solution currently offers sufficient functionality and is cheap to implement, but it has the disadvantage of high administrative costs (as with most desktop-based solutions) and is only suitable for experienced users who possess advanced knowledge about encryption and signature methods.

These individual solutions are often critical to the security policy of a company, as their implementation is always dependent on the mastery of the application (training) and the discipline of the individual employee. Implementation of a centrally controlled security policy is not possible this way. Cryptographic operations, particularly when linked to an individual person or workstation, can also hinder workflows.

For these reasons, centralized solutions have also been offered for some time now, which shift the encryption functionalities from the individual desktop to a dedicated e-mail gateway. These solutions are generally quite powerful and offer many features and configuration possibilities. This makes them highly complex and expensive, however, so that they are mostly used only in large companies with the corresponding know-how. In addition, the administrator is also required to integrate another special solution into the existing IT structure and to link it with other security components such as virus scanners and firewalls.

What needs do midsize businesses have?

Centralized e-mail encryption tools are too complex and too expensive to be efficiently used by midsize companies. A suitable solution for smaller and midsize companies should therefore fulfill the following requirements:

- The solution must be easy to implement and administer, so that it can be used without the need for extensive knowledge.
- The solution should be easy to combine with other security components.
- Its use by individual users must be enforceable in order to allow company-wide security guidelines to be implemented.
- In order to avoid hindering the work of the user with extra steps, the securing mechanisms should for the most part be transparent to the user.
- No modifications should be necessary on the part of the clients and the existing infrastructure.
- The solution must also be affordable for smaller businesses.

The Astaro solution

Astaro is the first manufacturer to integrate a solution for central e-mail encryption into Unified Threat Management (UTM) appliances. These are security solutions that make comprehensive protection from threats from the Internet available in a central gateway. This includes functions such as a firewall, VPN, intrusion, anti-virus and anti-spam protection, and URL filtering.

Astaro Security Gateways are distinguished by ease of operation and low cost, and are therefore ideal for small and midsize businesses. Integrated e-mail encryption is a part of Astaro Security Gateway Software V7, and is based on a technology from Utimaco Safeware AG, one of the leading makers of professional IT security solutions.

Astaro Security Gateway appliances running V7 offer strong encryption, decryption, signature and verification in accordance with the common S/MIME and OpenPGP standards. To simplify administration, the Astaro Security Gateway is preset with optimized factory settings for e-mail encryption. This means that the administrative interface is greatly simplified, which reduces the long-term cost of using secure e-mail technologies.

Because secure e-mail technology is seamlessly integrated into the other security functions of the Astaro Security Gateway, encrypted e-mails are also processed through its filtering mechanisms and are checked for damaging content by a centralized virus and content scanner. This achieves protection from viruses despite encryption.

Astaro Security Gateway e-mail encryption

Astaro Security Gateway e-mail protection is ideal for midsize businesses that want to integrate convenient, centralized gateway encryption into their IT environment, rather than a complicated individual security solution.

Defined user groups or individual users can automatically encrypt and/or sign their e-mails through the central e-mail encryption in the Astaro Security Gateway before sending them. Whoever is requesting e-mail security, it is delivered in a way that's completely transparent to the user. All e-mail received is in turn automatically decrypted, verified and forwarded through the internal virus and content scanner for checking before being delivered to the user.

Because all processing takes place on the Astaro Security Gateway, no additional software is necessary for this on the individual client machine. Acting as a central security check for e-mail, the Astaro Security Gateway offers transparent confidentiality (encryption) and integrity (signatures) for all e-mail communication.

By using the S/MIME and OpenPGP standards, the Gateway can communicate with other e-mail encryption gateways as well as with desktop-based solutions that support these standards.

Easy setup

Setup of e-mail encryption in Astaro Security Gateway is remarkably easy and requires only the following three steps.

1. Activate e-mail encryption through the graphic user interface (WebAdmin).
2. Enter e-mail addresses for internal users whose e-mails should automatically be encrypted or signed.
   - Keys and certificates for all users are then automatically generated and distributed to predefined key servers.
   - Complete domains may also be entered instead of individual e-mail addresses.
3. Enter e-mail addresses for recipients for whom e-mail should always be encrypted.
   - You may also define whether e-mails for each recipient should be encrypted with S/MIME or PGP and/or signed.

After setup, the encryption/decryption and signature of e-mails is automatically carried out for all configured users. With these simple configuration settings, easy enforcement of central company guidelines regarding the distribution of e-mails as well as the application of cryptographic operations is ensured.

In order to simplify the exchange of public keys with other users and servers and the integration of existing PKI infrastructures, the following additional mechanisms are available that automate these processes.

Automatic processing of incoming keys

The Astaro Security Gateway is capable of automatically extracting keys and certificates attached to incoming e-mails and integrating them into the Gateway. This means that once an external correspondent has sent a signed e-mail to any internal user, e-mail can then be sent with encryption to this external recipient. This functionality exists for the use of S/MIME as well as for that of OpenPGP.

Communication with external key servers

The Gateway can automatically query key servers, such as those of public Trust Centers, in order to verify the validity of keys and certificates. To communicate with these key servers, LDAP (Lightweight Directory Access Protocol) is available for S/MIME and OpenPGP, and HKP (Horowitz Key Protocol) is available for OpenPGP as well.

Conclusion

The centralized e-mail encryption in Astaro Security Gateway allows simple and economical secure transmission of e-mail for midsize companies. Integration into a UTM appliance allows an ideal combination with other security applications such as virus and content scanners to be achieved, offering network assurance in an easy-to-use, all-in-one solution.

Key advantages:

- Significant simplification thanks to the centralized design
- Great user-friendliness, since there's no additional software to be learned and used
- Easy administration: setup is completed in just a few steps
- Security is no longer a case-by-case decision of the user
- Allows virus scanning and content inspection of encrypted e-mails
- Low-cost solution

The centralized Astaro Security Gateway decides how an e-mail can be securely sent to a particular recipient in a way that's completely transparent for the sender. The sender and recipient can better concentrate on their jobs while company information is secured.
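
The key harvesting described under "Automatic processing of incoming keys", together with the per-recipient "always encrypt" rule from the setup steps, sketched as an added example; this is not Astaro's code. The function names, the S/MIME-first preference and the "hold" outcome are assumptions, and the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# MIME part types that carry S/MIME signer certificates or OpenPGP public keys.
KEY_TYPES = {
    "application/pkcs7-signature": "S/MIME",
    "application/x-pkcs7-signature": "S/MIME",
    "application/pgp-keys": "OpenPGP",
}

def harvest_candidates(raw_message, store):
    """Record per sender which standards offered key material.

    Entries are candidates only: the From header is trivially forged, so the
    signature and certificate chain must verify before a key is trusted.
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    found = {KEY_TYPES[p.get_content_type()]
             for p in msg.walk() if p.get_content_type() in KEY_TYPES}
    if sender and found:
        store.setdefault(sender, set()).update(found)
    return found

def outbound_mode(recipient, store, must_encrypt):
    """Return 'S/MIME', 'OpenPGP', 'cleartext' or 'hold' for one recipient."""
    offered = store.get(recipient.lower(), set())
    for standard in ("S/MIME", "OpenPGP"):  # assumed preference order
        if standard in offered:
            return standard
    # Assumption: mail that must be encrypted is held, never sent in the clear.
    return "hold" if must_encrypt else "cleartext"

# Constructed sample: a signed message whose signature part is a placeholder.
SAMPLE = """\
From: Partner <alice@partner.example>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

(placeholder, not a real signature)
--b1--
"""
```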






