Product Presentation by Ian Treleaven, VP, Software Development
Ecrypt One Architecture
Ecrypt One Email Server (architecture diagram): IMAP, ActiveSync, Users, Emails; Cryptographic Services (Crypto Plugin, Key Store Plugin); Message Scanning Filter (Workflow Rules); Anti-Malware Services (Anti-Virus Plugin, Anti-Spam Plugin); Multi-Factor Authentication (Auth. Plugin).

Key points: it's a full email server, with standard email client protocols (IMAP, ActiveSync) so that users can 'do email' just as they always do: messaging, contacts and calendars. Cryptographic Services refers to protecting data while it is stored in the database. It's important to note that we provide our own crypto services layer so that the product doesn't depend on external configuration that may be challenging for an IT administrator. You can also plug in your own crypto if you have an algorithm you prefer to use that we don't offer. The most important part here is the smallest: the Workflow Rules. This is the rules engine that the External Address Book is built on. It lets administrators control the flow of messages and also control what content is allowed to move from party to party, internal and external.
Secure Foundation: Trust No One
Tenets:
Blacklist the Internet
Whitelist Trusted Parties, Internal and External
Ensure Security Correctness
User Focus: Security Experts Not Required
Users are the common point of security failure.
Eliminate common attack vectors like phishing and tracking.
Conventional Email (diagram)
Ecrypt One Email (diagram)
Slide: Visitor Access Point in front of the Ecrypt One Email Server, with Cryptographic Services highlighted (same architecture diagram).
Web Mail Interface
Demo
Diagram: Vendor, Customer and Partner reach the Ecrypt One Email System through the Visitor Access Point.
Example: adding a user to the External Address Book. Important: because it says Bob @ FedEx must use the portal to receive messages (see the top two radio button settings), email messages sent internally to bob@fedex.com will be placed in his portal account INSTEAD of being sent to bob@fedex.com. This means employees don't have to remember the 'proper' way to interact with an outside person; the system takes care of redirecting messages.

You'll also notice that messages sent to or from Bob will be converted to PDF. This is important. If Bob tries to send an infected document, it will be turned into a benign PDF so that internal employees cannot be attacked through traditional phishing means. In the other direction, when internal users send messages to Bob, converting to PDF ensures no editable documents reach Bob that might allow him to easily change the content.

Notice it says messages from Bob will be converted to plain text. If Bob inserts any type of tracking in an HTML-format message, or tries to take advantage of special fonts or other attack vectors, this will be thwarted by converting the message he sends to plain text.

Finally, notice the two items Block Sent File Extensions and Block Received File Extensions. They both have the value 'Inherit'. This has two important aspects. Blocking particular file extensions flowing either in or out gives control to the admin: blocking incoming spreadsheet files blocks common phishing attack vectors, and blocking outgoing file extensions such as spreadsheets prevents internal users from leaking intellectual property outside the company. The value 'Inherit' means that higher-level rules apply here: you can create a rule that applies more broadly, and the user entry for Bob will take (inherit) that value.
This is an example of adding a domain to the External Address Book. The settings and rules configured and inherited will apply to all users from that domain. Note that domain entries have a lower priority than user entries. This allows user-specific rules to override domain entries. For example, you could specify that users from AOL will have all attachments blocked but then add an override for a specific person who can send attachments.
This shows the granularity of attachment control that’s available if you want to take advantage of it.
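Added example (not Ecrypt One's own code): the precedence and inheritance described in the last three slides, modelled in Python. A user entry overrides a domain entry, a domain entry overrides the organisation-wide defaults, any setting left as 'Inherit' falls through to the next broader level, and an address with no entry at all is off the whitelist and is rejected. The field names, the organisation-wide defaults, the sample entries and the extension lists are assumptions for illustration.

```python
# Added example, not Ecrypt One code. Models External Address Book policy
# resolution: user entry > domain entry > global defaults, with INHERIT
# falling through to the next broader level. Field names and sample
# values are assumptions for illustration.
from dataclasses import dataclass, fields
from typing import Any, Dict, List, Optional

INHERIT = "inherit"


@dataclass
class Entry:
    """One External Address Book entry. INHERIT defers to the broader level."""
    deliver_via_portal: Any = INHERIT         # hold mail in the portal instead of sending it out
    attachments_to_pdf: Any = INHERIT         # convert attachments (both directions) to PDF
    inbound_to_plain_text: Any = INHERIT      # strip HTML from messages this party sends
    block_sent_extensions: Any = INHERIT      # extensions internal users may not send out
    block_received_extensions: Any = INHERIT  # extensions this party may not send in


# Organisation-wide defaults that every entry ultimately inherits from (constructed).
GLOBAL_DEFAULTS = Entry(
    deliver_via_portal=False,
    attachments_to_pdf=False,
    inbound_to_plain_text=False,
    block_sent_extensions=frozenset(),
    block_received_extensions=frozenset(),
)


class ExternalAddressBook:
    def __init__(self, defaults: Entry = GLOBAL_DEFAULTS) -> None:
        self.defaults = defaults
        self.domains: Dict[str, Entry] = {}
        self.users: Dict[str, Entry] = {}

    def add_domain(self, domain: str, entry: Entry) -> None:
        self.domains[domain.lower()] = entry

    def add_user(self, address: str, entry: Entry) -> None:
        self.users[address.lower()] = entry

    def resolve(self, address: str) -> Optional[Entry]:
        """Effective policy for an external address, or None if it is not whitelisted."""
        address = address.lower()
        domain = address.rsplit("@", 1)[-1]
        user_entry = self.users.get(address)
        domain_entry = self.domains.get(domain)
        if user_entry is None and domain_entry is None:
            return None  # "blacklist the Internet": unknown parties get nothing
        # Precedence: user entry > domain entry > global defaults.
        chain = [e for e in (user_entry, domain_entry, self.defaults) if e is not None]
        resolved: Dict[str, Any] = {}
        for f in fields(Entry):
            for entry in chain:
                value = getattr(entry, f.name)
                if value != INHERIT:
                    resolved[f.name] = value
                    break
        return Entry(**resolved)


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def apply_policy(book: ExternalAddressBook, external: str, direction: str,
                 attachments: List[str]) -> Dict[str, Any]:
    """Decide what happens to a message exchanged with `external`.

    direction is "out" (internal user -> external party) or "in" (external -> internal).
    Returns the delivery route, the attachments blocked by extension and the
    content transformations the resolved entry calls for.
    """
    policy = book.resolve(external)
    if policy is None:
        return {"route": "reject", "blocked": list(attachments), "transforms": []}
    blocked_exts = (policy.block_sent_extensions if direction == "out"
                    else policy.block_received_extensions)
    blocked = [a for a in attachments if extension(a) in blocked_exts]
    transforms: List[str] = []
    if policy.attachments_to_pdf:
        transforms.append("attachments_to_pdf")
    if direction == "in" and policy.inbound_to_plain_text:
        transforms.append("plain_text")
    if direction == "out":
        route = "portal" if policy.deliver_via_portal else "smtp"
    else:
        route = "inbox"
    return {"route": route, "blocked": blocked, "transforms": transforms}


if __name__ == "__main__":
    book = ExternalAddressBook()
    book.add_domain("aol.com", Entry(block_received_extensions=frozenset({"xls", "xlsx"})))
    book.add_user("bob@fedex.com", Entry(deliver_via_portal=True, attachments_to_pdf=True,
                                         inbound_to_plain_text=True))
    print(apply_policy(book, "bob@fedex.com", "out", ["q3.docx"]))
    print(apply_policy(book, "carol@aol.com", "in", ["budget.xlsx", "memo.pdf"]))
```

Bob's entry leaves the extension lists as 'Inherit', so he picks up the organisation-wide lists; a user entry for one AOL address with an empty received-extension list overrides the AOL domain rule for that person only, which is the override case the domain slide describes.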
Slide: SMTP, IMAP and ActiveSync clients connect through the Visitor Access Point to the Ecrypt One Email Server (same architecture diagram). SMTP, IMAP and ActiveSync are the email protocols used by common email clients such as Outlook (example screen shot on the next slide).
This is Outlook 2013
Here are screen shots from an iPhone
Internet Email Disabled
Visitor Access Point Enabled
White List Only
Persistent Email and Database Encryption
Two-Factor Authentication Required
Exchange ActiveSync Over SSL Only
IMAP Over SSL Only
POP Disabled
Web Access Over SSL Only
Direct Server Access Disabled
Built In Anti-Malware
Encrypted Link Capabilities
Key point: these are all the things you need to worry about configuring correctly in a traditional email server. I.e., we take care of this in Ecrypt One.
Slide: SMTP through the Visitor Access Point to the Ecrypt One Email Server (same architecture diagram).
Slide: same diagram with the Workflow Rules highlighted.
This is the Rules interface, where you can do more advanced rule management in addition to tweaking the External Address Book entries that are turned into rules.
Here's an example of a rule that checks for special keywords: 'Secret' or 'Sensitive' in the subject, or 'Secret' in the message body. If either is found, the message is blocked and a copy is sent to the auditor.
Here’s what happens when you try to send a message that gets blocked: you get a reply that the message was not authorized.
Here's a rule that prevents users in the Accounting group from sending messages with spreadsheets outside of the company. Only internal users or portal users are allowed to see such messages. Keeping the message within the portal allows an external person to see the message and the attached spreadsheet, but because it's in the portal (WebMail), the content doesn't leave the company's servers.
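Added example (not Ecrypt One's own code): the two rules just described, the keyword rule and the Accounting spreadsheet rule, expressed as a small first-match-wins rules engine in Python. The company domain example.com, the addresses, the Accounting group membership, the auditor mailbox, the whole-word keyword matching and the list of spreadsheet extensions are assumptions for illustration; the 'not authorized' reply mirrors the blocked-message slide.

```python
# Added example, not Ecrypt One code. A minimal rules engine for the keyword
# rule (block + copy to auditor) and the Accounting spreadsheet rule (block
# unless every recipient is internal or a portal user). Domain, addresses,
# group membership and ordering are assumptions for illustration.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

INTERNAL_DOMAIN = "example.com"                  # assumed company domain
PORTAL_USERS: Set[str] = {"bob@fedex.com"}       # constructed: externals served via the portal
GROUPS: Dict[str, Set[str]] = {"accounting": {"pat@example.com"}}  # constructed
AUDITOR = "auditor@example.com"                  # assumed auditor mailbox
SPREADSHEET_EXTENSIONS = {"xls", "xlsx", "xlsm", "csv", "ods"}


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    matches: Callable[[Message], bool]
    actions: List[str]  # "block", "copy:<address>"


def is_internal(address: str) -> bool:
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def leaves_company(address: str) -> bool:
    """True if delivery to this address would move content off the company's servers."""
    return not is_internal(address) and address.lower() not in PORTAL_USERS


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def keyword_rule(msg: Message) -> bool:
    # Whole-word, case-insensitive match (a design choice here), so a subject
    # mentioning the "secretary" does not trip the rule.
    in_subject = re.search(r"\b(secret|sensitive)\b", msg.subject, re.IGNORECASE)
    in_body = re.search(r"\bsecret\b", msg.body, re.IGNORECASE)
    return bool(in_subject or in_body)


def accounting_spreadsheet_rule(msg: Message) -> bool:
    return (msg.sender.lower() in GROUPS["accounting"]
            and any(extension(a) in SPREADSHEET_EXTENSIONS for a in msg.attachments)
            and any(leaves_company(r) for r in msg.recipients))


RULES: List[Rule] = [
    Rule("keyword-block", keyword_rule, ["block", f"copy:{AUDITOR}"]),
    Rule("accounting-spreadsheets", accounting_spreadsheet_rule, ["block"]),
]


def evaluate(msg: Message, rules: List[Rule] = RULES) -> Dict[str, object]:
    """Run the rules in order; the first matching rule decides the outcome."""
    for rule in rules:
        if rule.matches(msg):
            return {"allowed": False, "rule": rule.name, "actions": list(rule.actions),
                    "reply": "Message not authorized"}
    return {"allowed": True, "rule": None, "actions": [], "reply": None}


if __name__ == "__main__":
    # Constructed sample messages.
    print(evaluate(Message("pat@example.com", ["carol@aol.com"], "Q3 Secret numbers", "see attached")))
    print(evaluate(Message("pat@example.com", ["carol@aol.com"], "Q3 numbers", "fyi", ["budget.xlsx"])))
    print(evaluate(Message("pat@example.com", ["bob@fedex.com"], "Q3 numbers", "fyi", ["budget.xlsx"])))
```

Because the portal user bob@fedex.com does not count as leaving the company, Accounting can still share a spreadsheet with him; the same message to an ordinary external address is blocked and the sender gets the 'not authorized' reply.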
Demo: Rules
End User Experience
Is this attachment safe to open? Should I encrypt this email? Is it safe to email this person?
Diagram: Lockheed Martin Network, RSA Email System, RSA Network, SecurID Database.
Diagram: Vendor, Unknown party and Customer reach the Ecrypt One Email System through the Visitor Access Point.
Risk Tolerance Threshold: Zero / Low / Medium / High
Diagram: Unregistered Vendor and the Ecrypt One Email System.
External users can be given a link to request a portal account. This is what they'll see.
The administrator approves or denies external users once they apply.
SysAdmin Experience
I hope someone out there knows where to find that setting. Am I supposed to enable that? I don't think we need that feature…
Internet Email Disabled
Visitor Access Point Enabled
White List Only
Persistent Email and Database Encryption
Two-Factor Authentication Required
Exchange ActiveSync Over SSL Only
IMAP Over SSL Only
POP Disabled
Web Access Over SSL Only
Direct Server Access Disabled
Built In Anti-Malware
Encrypted Link Capabilities
Diagram components: Administrative Web Interface, Visitor Access Point, Employee Webmail, Email Client Software, Email Services, Email Database, User Database. Link and storage labels: SSL, internal SSL, AES.
Diagram: LOCATION 1 and LOCATION 2, each with Ecrypt One Servers, Web Servers and a Mail Store (AES, or custom crypto), joined by an Encrypted Link. This is a planned feature, not yet implemented. You could do this today with a standard VPN or similar technology. The Ecrypt One solution will have the servers themselves control the handshake, so they know the connection is secured.
Slide: SMTP through the Visitor Access Point to the Ecrypt One Email Server (same architecture diagram).
Email As A Cloud Service
Thoughts to Ponder…
Questions?
1.866.204.6703 info@ecryptinc.com www.ecryptinc.com