Slide 1

Consolidated Email Hygiene and Encryption Service

E-Hub

Slide 2

• E-Hub Service Overview

• E-Hub Benefits & Features

• E-Hub Rates and Implementation

• Microsoft FOPE Hygiene Overview

• Demo

• Microsoft FOPE Encryption Overview

• Demo

• Questions

Agenda

2

OTECH E-HUB SERVICE OVERVIEW

Slide 3

Slide 4

Current Environment

• E-mail hygiene – a variety of solutions are in production throughout the state

• Inter-departmental e-mail is exposed to the public Internet (sent clear text)

• E-mail is scanned as potential spam at each department• No consistent e-mail audit capabilities exist to monitor

confidential and inappropriate e-mail transmissions by state employees (i.e. SSN, HIPAA & credit card data)

• No consistent e-mail encryption solution in the state for sending confidential information to citizens, businesses and partners

Slide 5

E-Hub Purpose

Secure and protect the State’s inbound, outbound, and inter-departmental e-mail by implementing a highly available e-mail hygiene solution with a rich tool set and additional capabilities including e-mail encryption and content filtering while preserving departmental autonomy to create and manage email security and compliance policies.

Slide 66

E-Hub Workshop Participants

E-HUB BENEFITS AND FEATURES

Slide 7

Slide 8

E-Hub Benefits

• Establish base level e-mail security settings to protect all state e-mail systems

• Consistent security practices that will improve incident response

• Compliance with regulations such as HIPAA, FTI, and PCI-DSS

• Statewide reporting capabilities on e-mail volume as well as agency level reporting

Slide 9

E-Hub Functions

• E-mail Hygiene (anti-spam & anti-virus)

• Inter-departmental e-mail no longer traverses the public Internet in clear text

• E-mail content filtering capability

• Outbound e-mail encryption service as an option

E-HUB RATES AND IMPLEMENTATION

Slide 10

Slide 11

• Rates are per mailbox per month

• Encryption is an add on to Hygiene

* Rate if agency holds a Microsoft Enterprise Client Access License (ECAL)

E-Hub Rates

11

Hygiene $0.56

Hygiene with ECAL * $0.13

Encryption (optional) $1.08

Slide 12

OTech Internal Process for Customer Migration to E-Hub

MICROSOFT FOPE OVERVIEW

Slide 13

Online Services Help Meet Email Challenges

“… it is time for organizations to explore how a software-plus-servicesstrategy can help them be better at and smarter about running their businesses.”

IDC, Microsoft Online Services: Giving Businesses a New Choice for Productivity Tools , July 200814

Microsoft Online Services

Real-time threat preventionLayered anti-spam and antivirusCustomized policy enforcement

Gateway, policy-based e-mail encryptionNo public and private key managementFull e-mail encryption

Forefront Online Protection for ExchangeMultilayer spam and virus protection and policy enforcement

End User Quarantine

AntiAnti--spamspam

AntivirusAntivirus

PolicyPolicy

AdministratorConsole

CorporateNetwork

MessagingAdministrator

Employees

Inbound FilteredE-mail

About 90% ofE-mail is junk

LegitimateE-mail

Outbound FilteredE-mail

Also incorporates Also incorporates technology fromtechnology from……

Junk E-mail

Edg

e B

lock

ing

External Senders / Recipients

Exchange Server

** EncryptionEncryption

* Requires additional Exchange Hosted Encryption License

Active Directory

EHS Directory Synchronization Tool

Rapid E-mail Delivery(Average delivery commitment

of less than 1 minute)

99.999%

Network Uptime

100%

VirusProtection

Against all known e-mail viruses

98%

SpamDetection

Of all inbound e-mails

1:250,000

False Positive Ratio

Filtering Network Filtering Network PerformancePerformance

Spam and VirusSpam and VirusFiltering EffectivenessFiltering Effectiveness

*Terms and conditions apply. Please visit

Forefront Online Protection for Exchange SLAs

• FOPE provides a comprehensive set of SLAs covering network performance and spam and virus filtering effectiveness

• Each SLA is backed by a financial commitment from Microsoft

http://go.microsoft.com/fwlink/?LinkId=138884Please contact your reseller or Microsoft Account Manager if you wish to view terms or have questions prior to signing up for the service.

Global Network InfrastructureNetwork infrastructure helps deliver reliability and

scalability

• Services provisioned across a global network infrastructure

• Fully redundant and load-balanced architecture

• Scalability to handle all message volume variations

• Processes 2 - 4 billion e-mails on average per day

• E-Hub traffic routed through US data centers only

E-Hub Statewide Policies

E-Hub Statewide Service Settings

So How Well Does It Work?

• Total Messages Inbound: 10,218,225• Delivered: 1,576,010 (15%)• Spam: 8,642,215 (85%)

– Blocked at Edge (DirSynch): 278,334

• File Scanned: 1,587,726• Virus: 3,047 (.03%)• Quarantined: 1,221 (.01%)• Total Message Volume in GB’s: 263 GB’s

Slide 22

MICROSOFT FOPE ENCRYPTION OVERVIEW

Slide 23

Identity-Based Encryption (IBE) –Breakthrough in Cryptography

• IBE - proposed 20 years ago as next generation encryption– In 1984 Adi Shamir, co-inventor of the RSA Algorithm, challenged

cryptographers to invent IBE

• IBE solution is created 2 decades later in 2001– Research funded by DARPA (DoD research)– Boneh-Franklin Algorithm published at Crypto 2001 – An award-winning breakthrough in security and usability

• Industry acceptance– Over 1000 scientific publications on IBE/Pairings– Dan Boneh awarded 2005 RSA Conference Award for Mathematics

• Standardization Efforts– IBE being standardized by IEEE 1363.3– Invited by IETF to form new extension to S/MIME– Voltage Toolkit FIPS 140-2 certified; Common Criteria EAL2 certified

(one of the only secure email solutions to have this)

The “Secret Sauce”:Identity-Based Encryption

Basic Idea: Public-key Encryption where Identities are Public Keys

• IBE Public Key:

alice@corp.com

• RSA Public Key:

Public exponent=0x10001Modulus=13506641086599522334960321627880596993888147

5605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563

How IBE Works in Practice:Alice Sends a File or Message to Bob

KeyServer

bob@agency.govalice@corp.com

bob@corp.com

key request +

authenticate

Corporate Network

Recipient Network

FilteringManagedAnti-Virus

ManagedAnti-Spam

PolicyEnforcement

Encrypt Rule

GatewayEncryption

Server

KeyServer

IINNTTEERRNNEETTTLS Encrypted E-

mail

Global Data Center Network Secure Replyvia ZDM

FOPE EncryptionPolicy-based e-mail encryption for the enterprise:

• Policy-based encryption from sender to recipient - Policy-based encryption consistently and automatically encrypts messages at the gateway based on policy rules.

• IBE Technology uses a common ID for Public Key

• Web-based decryption and encrypted replies - The Zero Download Messenger enables Web-based decryption and encrypted replies for any recipient of encrypted messages with no end user training or software installation.

Lessons Learned

• Make sure you work with your IPM to implement your initial policies

• Do bring your policies from existing on premise email hygiene systems

• Don’t bring your ‘white’ & ‘black’ lists, let the service work first and then determine if you need to add allow or reject exceptions

• If you have Microsoft Premier Support make sure you notify your TAM that you’re moving to EHUB

Slide 29

Questions?

For answers to additional questions related to the E-Hub contact your OTechCustomer Service Representative to schedule a meeting.

Customer Delivery Division

info@state.ca.gov

(916) 454-7225