

Kathleen Sebelius, Governor

Joan Wagnon, Secretary

www.ksrevenue.org

IRS/FTA CSO Conference

Enterprise Implementation of Secure Messaging Services

April 3, 2008
Timothy R. Blevins, KDOR Chief Information Officer


Secure Messaging Overview

• What is Secure Messaging
• What does Secure Messaging do
• What does Secure Messaging Architecture look like
• User Documentation
  – External User Documentation
  – Internal User Documentation
• Mail Policies
• Usage Reports
• Lessons Learned
• Questions


Comprehensive Messaging Security Portfolio
Helping enterprises manage, protect, and extend Internet communications

• MailGate™: Protect email with comprehensive inbound and outbound security
• SecureTransport™: Secure all data exchanges between 3rd parties with secure managed file transfer
• SecureMessenger™: Encrypt email at the gateway or desktop, automatically or manually

Best Intellectual Property Protection
Best Email Content Filtering Solution
Best Email Encryption Solution


What Does Secure Messenger Do?

• Scan all messages and attachments
  – To identify sensitive content
• Trigger secure delivery based on corporate email policy
  – Based on sender, recipient, and/or message content
• Encrypt email and provide access through a secure Web portal
• Send notification with link to encrypted message
• Log in to secure Web server and download via SSL
• Track and notify of delivery
• Audit trail and reporting
  – For regulatory compliance

[Diagram labels: Email Servers, Internet, Email notification, SSL]


Tumbleweed Secure Messenger

• Universal delivery to any recipient
  – No client side software or certificates required
  – Encrypts email and provides access through a secure web portal
• Online and offline secure email
  – Support pull and push methods with SecureEnvelope
• Easy to support and manage
  – Self registration, zero registration, and automated user management
  – Very large email attachment support
• Highly secure and reliable
  – Tracking by recipient, by message, and by attachment
  – Rules for message expiration, password requirements, domain limits, message size, and message quotas
• Customizable
  – Custom branding of inbox and portal
  – Multiple delivery profiles by group


Tumbleweed Secure Messenger

Content Analysis
• SSN, CCN
• Customer data
• Compliance info
• Personnel data
• Intellectual property
• Trade secrets
• Attachments

Delivery Analysis
• Sender
• Recipient
• Role
• Partner
• Customer
• Forwarding
• Time

Policy Actions
• Block, Allow
• Quarantine
• Return
• Notify mgrs
• Strip attachments
• Annotate
• Change routing

Secure Delivery
• B2B encryption
• B2C encryption
• Web-based delivery
• Offline access
• Tracking
• Auditing

Centralized & Delegated Management
Reporting, Auditing, Message Tracking
High Performance Appliance


Secure Messenger Architecture and Data Flow Diagram (03/17/2008)

[Diagram components: Internal Email, SMTP Relay, Email User, EMF Server, Secure Messenger, External User’s Personal Mailbox]

Flow labels shown on the diagram:
(1) OB SMTP Email bound for SM (#secure#)
(2) Email Sent To Secure Messenger; #secure# is removed; Encrypts Secure Email
(3) Notification Generated; OB Notification to Secure Messenger User
(4) Notification relayed to User
(5) OB Notification to Secure Messenger User
(6) User clicks on link in notification; External User Authenticates to Sec Mess portal: SSL; User Registration at First Login
(7) Compose and Send Secure Email
(8) Secure Email sent to EMF; Secure Email sent to Dept.
(9) Email from Secure Messenger


1 – External User – Notification of Secure Mail

What can the user expect to see when a secure email is sent to them through Secure Messenger?
• The user will receive a notification that a secure message is waiting for them.
• A link is embedded in the notification for the user to click on and retrieve the secure email


2 – External User – Security Certificate
• If the user receives a Security Alert concerning the site’s security certificate, click on Yes to proceed.
• KDOR does have a valid SSL Certificate on the server.


3 – External User – Self-Registration
• The first time a secure email is read, the user will be required to perform a one-time self-registration.
o During self-registration the user will be required to enter:
  o First name and last name in the first name and last name fields respectively
  o Self-assigned password, that can be remembered, in the new password field
  o Retype that password.
  o Type in a password hint. This is important: in case the external user forgets their password, they can have their password hint emailed to them.
o Once the account is completely registered, the user will be brought into the secure email message.


4 – External User – Viewing the Email:
• The user will have the option of composing a new email or replying to an existing email
• When a secure email is sent to a Secure Messenger user by a KDOR employee, they will receive a notification, but will not need to re-register.
• When the link from within the notification is clicked, the user will be asked to enter the password they assigned themselves during the registration process.


5 – External User – NOTES
• Once the user is logged into Secure Messenger, they will only be able to reply, forward, or send a new email to a KDOR employee.
• The user CANNOT reply, forward, or compose a new email to a non-KDOR email address (without kdor.state.ks.us)
• If the user deletes a message from within their Secure Messenger mailbox, it will no longer be available to them.
• SECURE MESSENGER WILL NOT WARN THE USER THAT THEY ARE ABOUT TO DELETE AN EMAIL.


Internal Users – Composing a Secure Email Using Secure Messenger to an External Customer

• Compose a new email in Lotus Notes
• In the subject, enter the string #secure#
• When the email is sent through Secure Messenger…
  – the #secure# string is stripped from the subject
  – #secure# is replaced in the subject with “This is A Secure Message from KDOR”
  – Note: Internal user may type other text (i.e. the subject matter of the email) before or after #secure# in the subject line
• Secure Messenger is only to be used to send emails that have PII (Personally Identifiable Information). Do not use Secure Messenger for normal, non-secure email.
• #secure# will only work when sending secure, outbound mail. Internal users do not need to add #secure# to any internal email as all internal email is already secure.


Tumbleweed Mail Policies

The following slides describe the mail rules in place by KDOR and what action each rule takes.

KDOR has 3 active policies that are used to log event information about outbound emails sent with PII (Personally Identifiable Information):
• KDOR: SM-SSN Subject Block
• KDOR: SM-Drivers License
• KDOR: SM-FEIN


KDOR Policy Events

KDOR: SM-SSN Subject Block:
• Catch messages where… The entire message contains words in the list: ‘SM: SSN Subject Block’
• Take the following actions… Deliver normally and log the event ‘SM: SSN Subject Alerts’

KDOR: SM-License
• Catch messages where… The message text contains words in the list: ‘SM: License’
• Take the following actions… Deliver normally and log the event ‘SM: Drivers License’

KDOR: SM-FEIN
• Catch messages where… The entire message contains words in the list: ‘SM: Taxation Group’
• Take the following actions… Deliver normally and log the event ‘SM: FEIN Messages’

KDOR: Encrypt Subject Trigger
• Encrypt and deliver the message via Secure Messenger using the ‘SecureMail’ delivery profile, prepend ‘This is a Secure Message from KDOR’ to the subject text, and remove #secure# from the subject text


Policy Word Lists

KDOR has created 3 word lists that are used with its Tumbleweed mail policies. These word lists look for Social Security Numbers, Federal Employer Identification Numbers, and Drivers License Numbers.

The names of the word lists are:
• SM: License Words
• SM: Taxation Group
• SM: Test Words


Tumbleweed Usage Reports

KDOR uses Tumbleweed reporting to monitor which emails are routed through Tumbleweed with PII (Personally Identifiable Information).

The following reports show message details of policy events which were set up in Tumbleweed to monitor PII traffic:
• SM Event Usage (SSN-w/event detail)
• SM Event Usage (FEIN-w/event detail)
• SM Event Usage (DL#-w/event detail)

These reports are custom reports created specifically for KDOR using Crystal Reports.


Reports

All of the reports but the Message Volume and Size Report were created using Crystal Reports.
• SM Event Usage (7 days) – Displays a summary of how many messages have Secure Messenger policy events
• SM Event Usage (w/event detail) – Displays the message details of the SM Event Usage report summary
• SM Event Usage (SSN-w/event detail) – Displays the message details of ID 504 – Emails with Social Security Numbers
• SM Event Usage (FEIN-w/event detail) – Displays the message details of event ID 505 – Emails with Federal Employment Identification Numbers
• SM Event Usage (DL#-w/event detail) – Displays the message details of event ID 507 – Emails with Drivers License Numbers
• SM Event Usage (Securely Sent Mail) – Displays the message details of emails sent through Secure Messenger
• Secure Messenger Users and Directory Location – Displays the list of users with Secure Messenger accounts and the directory path the accounts are in
• Message Volume and Size Report – Displays the total count of messages that route through EMF


SM Event Usage (7 days) (Created using Crystal Reports)


Event Report w/Details
Social Security Number (Created using Crystal Reports)


Event Report w/Details
FEIN – Federal Employer Identification Number (Created using Crystal Reports)


Event Report w/Details
Drivers License (Created using Crystal Reports)


Monitor Policy Event Reporting Metrics

• Your report results will tell you which emails contain the information that would route mail through Secure Messenger.
• Break out reports and events so you have separated inbound and outbound reports (outbound email with sensitive information is the first concern)
• Review report results to make sure the policy you will be enabling is detecting the proper information within emails.
• You can watch email traffic through these reports without quarantining or implementing the policies
• Learn through the reporting for several reporting periods prior to attempting to block traffic automatically (False Positives)


Enabling an Existing Policy to Route Mail Through Secure Messenger

• Click on Policies from side menu to view the existing policies.
• Find the policy you want to open and click on the link.


Making Secure Messenger Documentation Easily Accessible to External Users

Implementation Strategy:
• Put a copy of the external user documentation on KDOR public web site.
• Modify the Secure Messenger notification page located on the Secure Messenger server.
• Add a web link to the secure mail notification page. The web link will direct the external user to where the Secure Messenger documentation is stored on KDOR’s public web site.
  – This secure mail notification is what external users will receive when a secure email is sent to them.


Recognizing the Global Effect of Changing a Policy To Route Mail Through Secure Messenger

When changing an existing policy from routing mail normally to routing through Secure Messenger, it is important to recognize possible negative results:
• When a policy is set to route mail through Secure Messenger, it is important to realize that any external recipient stated in a policy-caught email will receive a Secure Messenger notification.
• Be sure that false-positives are at a very minimal level before enabling a policy to automatically route mail through Secure Messenger.
• False-positives can lead to embarrassment to agency and customer frustration
• Work with your Messaging Administrator to view emails appearing as a false-positive. This will allow you to confirm if this is true or not.


Recognizing the Global Effect of Changing a Policy To Route Mail Through Secure Messenger (cont)

False-Positives
Prevention of False-Positives (A false-positive in this context is an email that is flagged by a policy to have PII, but in actuality does not.)

• Enable a Tumbleweed Secure Messenger Policy to Quarantine flagged emails instead of routing normally and before sending through Secure Messenger.
• This will allow emails to be manually reviewed and recognized as a false-positive
  – If an outbound, quarantined email is found to be a legitimate email that should’ve been routed through Secure Messenger, the Tumbleweed Administrator will contact the KDOR sender and ask them to resend the email with #secure# in the subject.
  – Any false-positives can be released to the intended recipient, returned to the sender or deleted
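
The policy events slide and the false-positive guidance above, modelled as an added example (not KDOR's or Tumbleweed's configuration): the subject trigger plus two content policies, evaluated in log, quarantine, and route modes. The regular expressions and function names are assumptions, since the slides name the word lists but do not show their contents; the sample messages are constructed.

```python
import re

# Assumed patterns: the slides name KDOR's word lists but not their contents.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
FEIN_RE = re.compile(r"\b\d{2}-\d{7}\b")
TRIGGER = "#secure#"
BANNER = "This is a Secure Message from KDOR"
EVENT_SSN, EVENT_FEIN = 504, 505  # event IDs from the Reports slide


def plausible_ssn(area, group, serial):
    """Reject ranges that are never issued as SSNs (fewer false positives)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def content_events(text):
    """Return the policy event IDs that a message's text would raise."""
    events = []
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        events.append(EVENT_SSN)
    if FEIN_RE.search(text):
        events.append(EVENT_FEIN)
    return events


def rewrite_subject(subject):
    """Encrypt Subject Trigger: remove #secure# and prepend the banner."""
    rest = " ".join(subject.replace(TRIGGER, " ").split())
    return f"{BANNER} {rest}".strip()


def evaluate(subject, body, mode="log"):
    """mode: 'log' (deliver normally and log), 'quarantine', or 'route'."""
    events = content_events(subject + "\n" + body)
    if TRIGGER in subject:
        return {"action": "encrypt", "subject": rewrite_subject(subject), "events": events}
    if events and mode == "quarantine":
        action = "quarantine"   # held for manual review
    elif events and mode == "route":
        action = "encrypt"      # recipient receives a Secure Messenger notification
    else:
        action = "deliver"      # delivered normally; events are only logged
    return {"action": action, "subject": subject, "events": events}


# Constructed sample messages (not real data).
SAMPLES = [
    ("#secure# Refund status", "Your SSN 123-45-6789 is on file."),
    ("Refund status", "Your SSN 123-45-6789 is on file."),      # sender forgot the tag
    ("Parts order", "Please ship part no. 48-1234567 today."),  # FEIN-shaped false positive
    ("Test", "Placeholder 000-12-3456 is not a valid SSN."),
]

if __name__ == "__main__":
    for mode in ("log", "quarantine", "route"):
        print(mode, [evaluate(s, b, mode)["action"] for s, b in SAMPLES])
```

The third sample is the case the slides warn about: in route mode the parts order goes out through Secure Messenger, while in quarantine mode it is held so a reviewer can release it.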


Archive Internal Secure Messages to CERA

• KDOR Employees have the ability to retain secure messages in CERA (Central Email Record Archive) by selecting the Secure Email Messaging category within the CERA database.


Lessons Learned

• Monitor Policy Event Reporting Metrics Before Turning On Secure Messenger Routing
• Understanding the Global Effect of an Enabled Secure Messenger Policy
• External Secure Messenger Users need agency documentation.
• Archive Internal Secure Messages to CERA
• Start with small diverse messaging groups
• Separate internal reporting between outbound and inbound messaging traffic


ANY QUESTIONS?

Enterprise Implementation of Secure Messaging Services
April 3, 2008
Timothy R. Blevins, KDOR Chief Information Officer