Email and data encryption
SecurityPoint 2008, David Strom, [email protected], +1 (310) 857-6867
(c) David Strom Inc. SecurityPoint 2008 2
Summary
• How private is your data
• The role of encryption in data protection
• Different kinds of email and disk encryption
• Encryption deployment options
• The role of regulatory requirements and compliance
How private is your personal data?
• What information do you routinely provide online:
– Birth date (Facebook)
– Postal codes and address (eCommerce)
– Age and gender
– Email address
• What information is on your laptop?
How private is your corporate data?
• Who has admin rights to everything?
• Where do you keep your backups?
• What customer info is sent via the Internet?
• How many laptop users, and where do they routinely take them?
Are these actions privacy invasions?
• Sending out a single piece of email with everyone's email address clearly visible in the header
• A Web site that tries to make it easier for its customers to login and track their accounts
• Is a piece of software that records the IP address of the machine it is running on and phones home with the results spyware?
• A US Web site that allows anyone to look up a postal address attached to a telephone no.
What kinds of information do the proposed new laws consider private?
• Your IP address
• Your Ethernet MAC address/Windows GUID
• Your purchase history with a Web storefront
• Your postal address and phone
• Your email address
• Your credit card, banking account numbers
Be afraid. Be very afraid.
• Lost laptops with customer data
• Misplaced USB thumb drives and CDs
• Webmail logins from public kiosks
• Spyware-infected laptops inside your firewall
• And …
Is your email private? No!
• Sending email is like writing an (unsigned) postcard
• Then leaving it on your kitchen counter
• Then handing it to some random passer-by to give to someone else
• Who eventually gives it to the recipient
• And, wait, there is more…
And of course, breaches!
• http://www.pogowasright.org/index.php?topic=Breaches
• http://www.privacyrights.org/ar/ChronDataBreaches.htm
• Some scary cost numbers: http://www.crn.com/security/205207370
• http://www2.csoonline.com/exclusives/column.html?CID=33366
The many faces of insecure email
• Webmail: unless you use https, EVERYTHING is in the clear
• Server backups: email stored in many different places that anyone can read
• Logins: POP, SMTP and IMAP do not encrypt your credentials
• Identifying info: SMTP includes IP address, email software version, and other information that could be a privacy concern
And email is easily compromised!
• Modified messages: anyone with system admin access can read, delete, and change any message
• Fabricated senders: anyone can set up a server with any domain name
• Non-repudiation: no delivery confirmation on most systems
• Unprotected backups!
The current state of privacy best practices
• No clear privacy policy or protection
• Sometimes, a small obscure link at the bottom of a Web page that links to a privacy policy in extreme legalese
• Press releases when a breach occurs
• Sometimes you remember to type https:
• A few people using encryption products
Microsoft is no privacy paragon
• Hotmail break-ins galore
• Global ID transmitted inside Word docs
• Network collapse from poor DNS config (2001)
• Software updates that scan your disk
The problem
• The laws are changing, and getting tougher on breaches
• Your customer data is no longer a corporate asset -- now it is a liability
• Your employees are entitled to some modicum of data privacy
• There is no such thing as a secure perimeter in the age of the Internet
The end of the secure perimeter
• Remote email, laptops now the norm
• IM becoming more popular for corporate use
• Most corporations have servers accessible from the Internet
• Most corporations don’t do very much in the way of endpoint security
• Even Hollywood knows about it: the USB thumb drive in the movie “The Recruit”
So how can encryption help?
• Protect your files on your laptops
• Protect your communications between employees:
– Email
– IM
Types of disk encryption
• Simple passwords on MS Office docs
• File-based encryption like PC-encrypt
• Password-protected U3 USB thumb drives
• Laptops with fingerprint scanners
• “Whole disk” encryption software
Issues with disk encryption
• User apathy
• Lost password recovery
• Fear that the files won’t be available
Types of email encryption
• S/MIME
• PGP
• TLS/SSL on top of SMTP relays
What email encryption buys you
• Eyes only for the recipient
• Proves you were the actual sender
• Recipient knows whether a message was modified in transit
Email encryption issues
• No one cares about my communications
• Which standard do I get behind?
• How do I set up my PKI?
• How do I track my certs?
• How do I recover a forgotten password?
• What happens when my recipients don’t cooperate?
• My early experiences: http://strom.com/awards/227.html
Email encryption deployment options
• Always use https: and SSL
• Use some form of VPN (1) (2)
• Use a secure service provider:
– ZixCorp.com
– HushMail.com
– Secure-tunnel.com
– Even Network Solutions!
And PGP!
• Universal product for Webmail and external communications
• Desktop product for email and disk encryption
• Netshare product for file sharing protection
Keyserver issues
• Not everyone lists their PGP key on them for all of their email accounts
• Only work with PGP versions
• You may have a private server
• Users need some training to use them
Regulatory requirements and compliance
• What encryption can bring to the party
• Privacy protection in advance of pending legislation
• Avoid being tomorrow’s headline about your next breach or data leak
Encryption compliance benefits
• End-to-end traffic protection
• Policy-based key management
• Digital signing for authentication and non-repudiation
• Content scanning for data leaks
• Phishing, virus, and spyware prevention
Fred Avolio wrote
• If our business is worthless, if we never have a good idea, if there is nothing about what we do that anyone else would want, then we may be correct. However, that is not a description of our business, at least not for most of us.
• Start signing your e-mail messages with your digital certificate. Use it when confidentiality is important (which is a good deal of the time, is it not?). Just start using it.
http://www.avolio.com/columns/email-security.html (5/2000!)
PGP Resources
• Tom’s Page on PGP http://www.mccune.cc/PGP.htm
• Martin’s client list http://www.bretschneidernet.de/tips/secmua.html