Trusttone

Rajesh Kanungo



Email Encryption Tutorial
2009.12.23 13:10:26

Need for Email Privacy

Email Privacy is needed by enterprises for one or more of the following reasons:

  1. Regulatory and compliance requirements mandated by the laws of the land.
  2. Prevention of Industrial Espionage.
  3. Financial reasons.
  4. Protection of business communication.

Email is Inherently Non-Private

How Email Works

Email, for practical reasons, has been an open, unencrypted, store-and-forward messaging system. When a user (Sender) sends an email to another user (Recipient) over the Net, the Sender’s email application hands off the message to the email server specified in the mail account configuration. The email server then delivers the message to either the Recipient’s email server or some other email server for subsequent routing to the Recipient. Thus the message may pass through multiple email servers before it is delivered to the Recipient’s email server.

An email server is required to store messages for some time at least to allow for the cases where the next email server or the end user is not available to take delivery of the messages. An email server will make multiple attempts at trying to deliver email to the next email server.

The user’s email software is typically called the Mail User Agent (MUA, or simply a mailer). Typical mailers are Outlook, Outlook Express, etc.

Security Holes

Most of the email servers that an email traverses are generally not under the control of the sender’s enterprise. All the email will sit for some time on the disks of the email servers. The email can be read at leisure by hackers and the system administrators of the email servers. The email can also be intercepted in transit by packet sniffers placed anywhere along the route, including at the very enterprise the sender is sending from.

Solution Approaches

TLS for Protecting Emails

Transport Layer Security (TLS) is a protocol used to provide secure (encrypted and authenticated) connections. Some organizations use TLS to establish a secure connection between the email client and the email server or between email servers. TLS can work in two modes:

  1. Server only authentication mode
  2. Server and Client authentication mode.

In the server only authentication mode, the server is required to have an SSL certificate that enables it to authenticate itself to the client. In the case of server and client authentication, both the server and the client have an SSL certificate to enable mutual authentication without the need for passwords.

Operation

Email is sent securely by the mailer to its email server using TLS. Typically, the first email server belongs to the enterprise. The email then gets stored on the email server. Subsequent email servers may receive the email over TLS if they are configured to do so, each email server in turn storing the emails without any protection, until the email is delivered to the recipient’s mail server and then to the recipient's mailer. Connections along the whole route may or may not be over TLS, since the sending organization has no enforcement authority over all the mail servers and therefore cannot dictate the use of TLS by all of them.

Deployment

Deployment of TLS for email communication requires managing the following issues:

  1. Acquiring and managing the enterprise email server SSL certificate.
  2. Configuring the enterprise email server to enforce the use of TLS for all connections.
  3. Requiring the use of TLS on subsequent hops from the enterprise email server. This is generally not possible if the email servers are not under the control of the enterprise.
  4. Optionally, when TLS client authentication is required, issuing user SSL certificates to each of the users and installing them on each user’s mailer.

Advantages

When TLS is used on the enterprise email server, the sender’s mailer can create a secure connection to it. Email can be scanned for viruses and spyware at the enterprise email server.

Disadvantages

Data in Transit Vulnerability

The route from one email server to another along the way may not be protected with TLS all the way through. There is no way to enforce it. This will leave the email message and its sensitive content wide open for anyone to see and even save for future use. Anyone with a PC and sufficient knowledge to sniff the network can 'capture' the email message for its worth.
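
The hop-by-hop gap can be seen on a delivered message: every relay prepends a Received header, and relays that follow RFC 3848 write ESMTPS or ESMTPSA in the "with" clause when the session ran over TLS. The following is an added example, not part of the original article; the sample message, host names and addresses are constructed.

```javascript
// Added example: report which SMTP hops of a delivered message recorded TLS.
// Each relay prepends its own Received header, so the top header is the last
// hop. Headers written outside your own servers are self-reported and can be
// forged, so treat the result as a hint about the route, not as proof.

// "with" keywords that mean the session ran over TLS (RFC 3848, RFC 6531).
const TLS_KEYWORDS = new Set([
  "ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA",
]);

// Undo RFC 5322 folding: a line that starts with space or tab continues the
// previous header. Parsing stops at the blank line that ends the headers.
function unfoldHeaders(raw) {
  const headers = [];
  for (const line of raw.split(/\r?\n/)) {
    if (line === "") break;
    if (/^[ \t]/.test(line) && headers.length > 0) {
      headers[headers.length - 1] += " " + line.trim();
    } else {
      headers.push(line);
    }
  }
  return headers;
}

// Split one Received value into its clauses. Comments "( ... )" are pulled out
// first so that text such as "with cipher ..." inside them is not mistaken for
// the protocol clause; many MTAs note the TLS version only in a comment.
function parseReceived(value) {
  const semi = value.lastIndexOf(";");
  let body = semi === -1 ? value : value.slice(0, semi); // drop the date part
  const comments = [];
  const innermost = /\(([^()]*)\)/;
  let m;
  while ((m = innermost.exec(body)) !== null) {
    comments.push(m[1]);
    body = body.slice(0, m.index) + " " + body.slice(m.index + m[0].length);
  }
  const clause = (name) => {
    const hit = new RegExp("\\b" + name + "\\s+(\\S+)", "i").exec(body);
    return hit ? hit[1] : null;
  };
  const protocol = (clause("with") || "unknown").toUpperCase();
  const tls = TLS_KEYWORDS.has(protocol) || comments.some((c) => /\bTLS/i.test(c));
  return { from: clause("from"), by: clause("by"), protocol, tls };
}

// Hops in travel order (oldest first).
function auditHops(rawMessage) {
  return unfoldHeaders(rawMessage)
    .filter((h) => /^Received:/i.test(h))
    .map((h) => parseReceived(h.slice(h.indexOf(":") + 1)))
    .reverse();
}

// Hops for which no relay recorded TLS: the message crossed these in the clear,
// or the receiving server did not log the protection it used.
function hopsWithoutTls(rawMessage) {
  return auditHops(rawMessage).filter((hop) => !hop.tls);
}

// Constructed sample message (documentation host names and addresses).
const SAMPLE_MESSAGE = [
  "Received: from mx.partner.example (mx.partner.example [203.0.113.7])",
  "\tby mail.recipient.example (Postfix) with ESMTPS id 4A1B2C",
  "\tfor <bob@recipient.example>; Wed, 06 Jan 2021 13:10:30 +0000",
  "Received: from relay.isp.example (relay.isp.example [198.51.100.9])",
  "\tby mx.partner.example with ESMTP id 9Z8Y7X;",
  "\tWed, 06 Jan 2021 13:10:28 +0000",
  "Received: from [192.0.2.44] (helo=alice-pc)",
  "\tby relay.isp.example with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)",
  "\t(Exim 4.92) id 1abcDE-0001; Wed, 06 Jan 2021 13:10:26 +0000",
  "From: alice@sender.example",
  "To: bob@recipient.example",
  "Subject: Q4 figures",
  "",
  "Body text.",
].join("\r\n");

for (const hop of auditHops(SAMPLE_MESSAGE)) {
  console.log(`${hop.from} -> ${hop.by} [${hop.protocol}] ${hop.tls ? "TLS" : "NO TLS REPORTED"}`);
}
```

Even when every hop reports TLS, the message was still stored unencrypted on each server along the route.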

Data at Rest Vulnerability

Let’s suppose for the moment that every route segment along the way is protected with TLS. This still leaves the email message and its sensitive content wide open at the intermediate email servers.

Let's give a 'human face' to this vulnerability. At every intermediate email server, the email message can be read by employees in charge of the server infrastructure or by hackers who have broken into the infrastructure. The 'private' email message is no more private than a postcard. Never mind that the postcard happens to contain social security numbers and other identity information!

Client Certificate Management Problem

Managing client certificates is a big challenge. Certificates expire, users may forget to install the certificates in the mailer, they may not configure the mailer to use the right settings, etc. System administrators spend enough time handling password issues; handling additional client certificate issues will be an extremely high burden for them.

Password based encryption

Many users have used passwords to encrypt documents before sending them to recipients. There are a variety of password based encryption tools available. For example, Microsoft Word, Microsoft Excel, PKZip, etc. provide password-based encryption.

Operation

A password is selected. The sender either creates it himself or uses a password generator. The document is encrypted using the password. The document is then emailed to the recipient. The recipient is informed of the password through other channels, for example via telephone, via personal contact, or via another email.

Deployment

Users can use many password based encryption tools to encrypt and decrypt the documents. Nothing special is required except installing the software or using the ones built into the word processing software or other applications.

Advantages

Password based encryption is very easy to understand and use.

Disadvantages

Good passwords have the following characteristics:

  1. It should be extremely hard to guess a password.
  2. Human beings do not generate good passwords.
  3. It is hard to remember good passwords.
  4. Passwords should never be reused.
  5. Passwords should be communicated using a secure channel.

Most people end up reusing easy to remember passwords, which is not a very secure thing to do. When a user changes the password, the new password needs to be communicated to the recipient. Typically users send the password via email or a phone call, sometimes leaving it in a voicemail. Sending a second email is as good as giving the secret away. Phone calls are inefficient and require the recipients to be available. Voicemail is fairly insecure. For high value information neither is secure. If the password is complex and hard to make out when communicated, people will need to write it down, which is a security vulnerability.

Not all password-based encryption software is good. There are password crackers available for Microsoft Office products. You need something that is verified by security experts.

Password based encryption prevents email virus and spam scanners from inspecting the documents for malware. Most enterprises will have problems letting in or transmitting malware.

Password based encryption also prevents audit logging and tracking of Intellectual Property. The enterprise cannot comply with state and federal regulations regarding transmission of critical information, for example, an early disclosure of sales figures.

PKI based encryption

PKI based encryption is based on proven, strong public key encryption. The most common form of public key cryptography is RSA. Decryption is done using a separate private key, which is kept secret by the owner of the public key. The public key itself can be disseminated.

In order to ensure that a public key is associated with a particular user and only that user, an X.509 certificate is created with a digital signature from a known Certificate Authority (CA) like Verisign, GoDaddy, etc. The CA uses manual means (phone calls, signed certificates, etc.) to verify the identity of the user before handing out the certificates.

The entire infrastructure to create public and private keys, generating certificates, verification of certificates, the storage of certificates and private keys, etc. is called PKI.

Operation

The sender first gets the certificate belonging to a recipient and makes sure it is valid. The public key is then extracted from the recipient’s certificate and used to encrypt the email. Since public key encryption and decryption is relatively slow, the email is first encrypted using a secret key and an encryption algorithm, for example AES or 3DES. The secret key is then encrypted using the public key of the recipient.

When the encrypted email gets to the recipient, she decrypts the secret key using her private key corresponding to the public key used for encryption. The secret key is then used to decrypt the message.

There is a standard for sending encrypted email, S/MIME, which is understood by most mailers and email servers.
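
The two-layer operation described above, as an added example that is not part of the original article: the message is encrypted once with a fresh secret key, and that key is wrapped separately for each recipient. Assumptions: AES-256-GCM and RSA-OAEP are chosen here, bare public keys stand in for keys taken from already validated certificates, and the envelope layout is illustrative rather than the S/MIME wire format.

```javascript
// Added example: the hybrid scheme described above, for several recipients.
// Assumptions: AES-256-GCM as the content cipher and RSA-OAEP for key wrapping
// (the article names AES/3DES and RSA without fixing modes); bare public keys
// stand in for keys taken from certificates the sender has already validated.
// The envelope layout is illustrative and is not the S/MIME (CMS) wire format.
const crypto = require("crypto");

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Encrypt once with a fresh secret key, then wrap that key per recipient.
function sealMessage(plaintext, recipients) {
  const contentKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", contentKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    iv,
    ciphertext,
    tag: cipher.getAuthTag(),
    recipients: recipients.map(({ address, publicKey }) => ({
      address,
      wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, contentKey),
    })),
  };
}

// Recipient side: unwrap the secret key with the private key, then decrypt.
function openMessage(envelope, address, privateKey) {
  const entry = envelope.recipients.find((r) => r.address === address);
  if (!entry) throw new Error(`no wrapped key for ${address}`);
  const contentKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, entry.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", contentKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]).toString("utf8");
}

function newKeyPair() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

function demo() {
  // Constructed users; mallory holds a key pair but is not a recipient.
  const alice = newKeyPair(), bob = newKeyPair(), mallory = newKeyPair();
  const envelope = sealMessage("Wire details attached.", [
    { address: "alice@corp.example", publicKey: alice.publicKey },
    { address: "bob@partner.example", publicKey: bob.publicKey },
  ]);
  const readByBob = openMessage(envelope, "bob@partner.example", bob.privateKey);

  // A private key that does not match the wrapping public key cannot unwrap.
  let wrongKeyRejected = false;
  try { openMessage(envelope, "bob@partner.example", mallory.privateKey); }
  catch { wrongKeyRejected = true; }

  // A server that alters the stored ciphertext is detected by the GCM tag.
  const tampered = { ...envelope, ciphertext: Buffer.from(envelope.ciphertext) };
  tampered.ciphertext[0] ^= 1;
  let tamperDetected = false;
  try { openMessage(tampered, "alice@corp.example", alice.privateKey); }
  catch { tamperDetected = true; }

  return { readByBob, wrongKeyRejected, tamperDetected };
}

console.log(demo());
```

What every intermediate server stores is only the envelope; without one of the recipients' private keys the secret key, and therefore the message, stays unreadable.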

Deployment

In general, the enterprise issues a certificate to a user. The user installs the certificate and the private key. This may be done under the auspices of a proper CA or the enterprise may act as its own CA to save money. The sender of the email requests the recipient(s) to send them their certificates. If the recipients do not have certificates they will need to get them from their own enterprises. Recipients not attached to an enterprise need to get individual certificates.

The sender installs the recipient’s certificate in his mailer and sends the email by selecting that option in the mailer. The recipient’s mailer generally can detect that the message is in S/MIME format and goes about decrypting it using her private key.

Advantages

PKI based email encryption is proven to be very secure. It is almost impossible for lay humans to break the encryption. Once everything is installed in all the places, encryption and decryption is fairly seamless.

Disadvantages

There are several disadvantages with PKI based email encryption, making it hard to deploy in reality with any effectiveness and adoption.

  1. Assumes everyone has a certificate. This has turned out to be very hard for an enterprise to do.
  2. Assumes everyone knows how to get a certificate. Users are completely unaware of how to run the software to create the correct request, deliver it to the CA, etc.
  3. Assumes users know how to install a certificate. Most users have problems with knowing what to do with the certificates once they get them.
  4. Assumes that users know how to send their certificates to senders who want to send them encrypted email.
  5. Assumes that users know how to inspect certificates purportedly sent by others for their authenticity. It is perfectly possible to spoof other people’s certificates using small differences in name or by using an untrusted CA.
  6. It is hard for two enterprises to enable mutual trust and they may not want to. Hence the certificates can be spoofed.
  7. Certificates expire or need to be revoked when employees leave.
  8. Certificate management is a very onerous task.

In general, PKI based email encryption provides security but comes at a very high cost of management and user training. Many times users simply give up because the recipient does not want to get a certificate or finds it too difficult to get one. The sender then finally gives up.

Identity based encryption

Identity Based Encryption (IBE) is an approach to encryption that allows the sender to use the recipient’s email address to generate the public key. There are several encryption algorithms, all proprietary and under patent control. The recipient uses special software and a server to decrypt messages. Most IBE algorithms are currently considered cryptographically sound.

Operation

The sender uses the email address and some seed value it got from an IBE server to encrypt the email. The recipient contacts the IBE server and initializes itself. When it receives the encrypted messages, it is able to compute the private key and decrypt the message. Contact with the IBE server, the seeding, etc. depend on the IBE algorithms used.

Deployment

An enterprise installs an enterprise wide IBE server and a copy of the IBE client software for each of its users. The special software is generally in the form of a plugin for Outlook or another mailer.

Once everything is installed, users in an enterprise can send email to each other.

Advantages

Users can send each other email without worrying about recipient certificates.

Disadvantages

Both sender and recipient must use the same IBE server and must have the same software. This is hard to do between enterprises. The algorithms for encryption and decryption are patent protected and cannot be duplicated without substantial license cost. The software is also not available universally like RSA, AES, 3DES, etc. Unlike IBE, most new smart devices like smart cards, smart phones, secure USB, etc. understand RSA based X.509 certificates, AES, 3DES, etc. There is also just one original vendor of each algorithm and they will not interoperate unlike PKI based solutions.

Identity based encryption over PKI

Identity based encryption over PKI (IB-PKI) approaches the problem of certificate creation and distribution by automating it and hiding the complexity from users allowing users to send email to each other without worrying about acquiring recipient certificates. The users need to know only the email address of the recipient, just like in IBE, to send secure email.

Operation

PKI Benefits without PKI Problems

The goal is to realize the benefits of public key cryptography without the hassles of PKI deployment and also without the limitations of current PKI technology. The encryption technology is in public domain and free and clear of licenses.

Before DHCP (Dynamic Host Configuration Protocol), connecting to Internet was a difficult task that required technology savvy users and administrative effort. With DHCP even a technophobe can surf the Net by just plugging in.

Just as DHCP made Internet connectivity extremely easy, the TrustTone technology, Identifier Based PKI (IB-PKI), makes securing information extremely easy and enables new applications and markets. With IB-PKI, secure encrypted messages and documents, electronic signatures, authorization and access control, and secure business transactions are easily available to anyone on the Net.

Businesses can easily engage in secure electronic communication to other businesses or consumers, at will, without any prior setup. Government agencies can establish secure communication and transactions with various constituencies including but not limited to other agencies, scientists and other users.

The technology is the most useful enhancement to the Public Key Infrastructure and a critical piece to enable business-to-business, business-to-consumer and consumer-to-consumer, easy, on-demand, secure transactions.

Without such an innovation to provide automatic, on-demand technology for authentication and accompanying large scale, global, security infrastructure of authentication, identity and trust, the growth of information security will be significantly limited.

Deployment

An IB-PKI server is installed which doles out standard X.509 certificates for everyone. Web-based email does not require a plugin. Outlook requires a plugin to insulate the user from all certificate and private key installation and to look up certificates for all recipients without the user being aware of anything.

Advantages

  1. Users are unaware of any technology.
  2. Certificate installation and lookup is automated.
  3. Administrator does not have to bother with user certificate installation.
  4. Revocation is standards based and is easy for the administrator.
  5. Unlike PKI, IBPKI does not require senders to request certificates of recipients beforehand; IBPKI will do the lookup for them in a secure manner and will hide the complexity from the user.
  6. Sending Secure Email at Will: Recipients do not need to request certificates for themselves before email can be sent to them by the sender.
  7. Works across enterprises.
  8. Uses S/MIME standard.
  9. Encryption and decryption uses standard PKI technology including X.509, RSA, AES, and 3DES.

Disadvantages

  1. No standards exist, which makes systems from different vendors un-interoperable.
  2. IBPKI, like IBE, encrypts emails using keys associated with the recipient email address. If a sender sends an encrypted email to a wrong recipient by mistake, the recipient will be able to decrypt the message. This problem can be addressed by using rights management technology.

Disclosure: TrustTone Stealth products use IBPKI technology for email encryption.



Tags: email encryption | Encryption



 
Security for Cloud Computing
2009.12.05 01:04:12

According to the IDC Enterprise Panel (August 2008), the main challenges and issues facing cloud computing are Security (74.6%) followed by Performance (63.1%) and Availability (63.1%). Regulatory requirements prohibit cloud computing in fully 49.2%. In the coming years, federal and state regulatory requirements related to Personal Information, Patient Health Information, Credit Card information, etc. will get more strict, so I fully expect to see an increase in challenges related to using cloud computing.

There are some security advantages in moving to a Cloud Computing model. For example, homogeneity makes securing and testing simpler, security management can be automated, redundancy and disaster recovery are more easily available, and highly skilled security people can be utilized effectively. That is, only if the Cloud Computing enterprise is well run.

Cloud Computing comes with its own set of Security Requirements

You, the customer, have to ask the right questions and verify the information provided by the vendor before signing up for their services. Remember that it is your business that is directly liable for any and all security violations. Most state and federal security regulations require you to make sure that any third party handling Personal and related information provided by you also meet the regulatory standards. You must verify the management, ownership, location, accessibility, service track record, etc.

The Cloud Computing service provider must be able to show you verifiable security processes that are in place to respond to security attacks and breaches. If the breach involves regulated information, they may have compliance requirements forcing them to report it to state and/or federal authorities and, in some states, to the affected party, for example, a patient. The service provider must have processes in place to warn you of security related events in a timely, complete, and transparent manner. The service provider must support you during any investigation, must provide you with accountability regarding their administration of the service, and must allow you to examine any customization in lieu of loss of physical control.

Apart from standard security practices that are already being deployed in enterprises (firewalls, malware protection, access control, encryption, etc.), Cloud Computing adds some new quirks to worry about:

* Elastic computing allows for provisioning and deprovisioning opening up vulnerabilities in the provisioning service itself.
* Data storage can be compromised. Encryption will help but there have to be tools to manage the keys and policies to prevent data leakage.
* Virtual Machines can be compromised due to multi-tenancy and hypervisor vulnerabilities. Newer software helps with better isolation, sandboxing, etc.
* The relatively fast allocation and deallocation of resources may prevent breaches from being noticed. Post breach analysis becomes hard when the Virtual Machines have been torn down. Malware can sit around and hide in the clutter of Virtual Machines and resources being constantly allocated and freed.
* Data storage may end up overseas, where it is subject to different laws and may also be subject to espionage, encryption prohibition, and different or non-existent privacy laws.

Conclusion:

If you choose Cloud Computing for your applications, make sure to do your due diligence, especially with the security offered by the provider.



Tags: Cloud Computing | Security



 
Massachusetts Regulation 201 CMR 17 - The IT Manager's Perspective
2009.12.05 01:01:05

Protection of Personal Information of Residents of the Commonwealth

This blog captures basic essential aspects of Massachusetts Personal Information Law. More details are available in white paper form elsewhere on the site.

Massachusetts adopted regulations (201 CMR 17) on Sept. 22, 2008 that will require all organizations that own, license, store or maintain Personal Information of the residents of the Commonwealth of Massachusetts to protect it. Personal Information is defined as the first name, last name, the initials, or any combination of them and one or more of the following data: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.

The IT Manager must start out by identifying all the forms in which Personal Information exists in the organization, assess the risk of a security breach of the information, and improve, where necessary, the protection of Personal Information. Improvements include the use of encryption, access controls to limit access to only authorized personnel, ability to revoke access, intrusion prevention systems, intrusion detection systems, monitoring and logging of systems including access to Personal Information, keeping the systems up-to-date with security patches, ensuring Personal Information on mobile devices is encrypted, removing access for terminated employees, ensuring that Personal Information sent over the Internet is encrypted, etc. Most IT managers are already familiar with the security measures described above, except that the regulation requires a certain amount of administrative and process overhead including training, monitoring, reporting, etc.

Encrypted Email and Saving Money

One area where the regulation can actually save an enterprise money is the section 17.04(3) requirement to use encryption for sending Personal Information over the Internet. The use of encrypted email can reduce mailing and handling costs for enterprises, apart from saving time. For example, encrypted email can contain not only Personal Information but also loan documents, medical reports including x-rays, bills, etc. Email is easy to use, and an intelligent email encryption system can use policies to ensure that anything containing Personal Information gets automatically encrypted.

Stealth Email Encryption Appliances

The TrustTone Stealth Encrypted Email appliances use policies to scan emails for Personal Information and other content that an organization deems confidential and encrypts the emails as required. This automation and ease of use reduces the effort required to train employees, reduces accidental exposure of Personal Information, enables logging of external transmission of Personal Information, etc.

The choice is simple: save money and comply with the law by using encrypted email OR don't use any email for fear of violating the law, paying fines, and getting sued for treble damages.

Summary

Most IT managers are already familiar with the security measures described above, except that the regulation requires a certain amount of administrative and process overhead including training, monitoring, reporting, etc. There are places where the IT manager can save money for the organization.



Tags: 201 CMR 17 | Massachusetts | Privacy law



 
Summary of Nevada Personal Information Law
2009.12.05 00:35:32

Introduction

This blog captures basic essential aspects of Nevada Personal Information Law. More details are available in white paper form elsewhere on the site.

"Personal information" (NRS 603.A) means a natural person’s first name (or first initial) and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

  • social security number
  • driver’s license number or identification card number
  • account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account

There are several forms of protection that are mandated, creating a form of defense-in-depth:

  • encryption of all personal data in motion and at rest
  • protection of the network using firewalls
  • use of secure remote access technologies like VPNs
  • isolating critical infrastructure from other parts of the network
  • systems are protected using the latest security patches
  • strong passwords are used
  • adequate access controls are implemented so that unauthorized users don't gain access to information they should not have

From an information leakage detection perspective, IT must:

  • set up an intrusion detection system
  • create audit logs of all access to personal information
  • set up a process to notify authorities and the affected individuals in case of a breach

Finally, PCI compliance kicks in if the data contains any credit card-related information.

Most IT personnel are familiar with all of the above requirements and know one or more tools to address any of the major areas except for the following:

  • encryption of personal information at rest and in motion
  • a process to notify authorities and the affected individuals in case of a breach

Encrypting Personal Information Data in Motion

Surprisingly, protecting data in motion turns out to be a lot easier than protecting data at rest! But think about it: Is the communication between you and your bank more likely to be encrypted than the data residing on the bank's hard drives? Turns out, the use of SSL, SSL certificates, VPN, etc. has made it easier to have encrypted communication between two points. This is because the security people got in right at the point when the World Wide Web took off and introduced SSL, now known as TLS. Secure encrypted email has been around longer, with the difficulty of using the technology being the main hindrance. The advent of newer encryption and software has reduced the pain in deployment and administration. In fact, many enterprises now use email encryption appliances that scan email and encrypt content based on policies. The encryption policy could ensure adherence to the Nevada NRS 603.A law!

Encrypting Personal Information Data At Rest

The IT administrator first of all has to identify all the places where personal information is stored. Some of these may be:

  • laptops
  • smartphones including iPhones, RIM Blackberries, etc.
  • removable media like USB flash drives
  • employee machines at work
  • machines used by telecommuting employees
  • servers in the DMZ
  • internal servers

In general, a good way to secure data is not to have it. The IT administrator MUST ask if the perambulating devices and media must hold personal information at all. It may be impossible, in many cases, to avoid personal information somehow sneaking into an employee's machine. For example, an employee may be working on a statistical model of delinquencies based on hard data. In these cases, the IT administrator MUST mandate the use of encryption. To be safe, all mobile devices must have encryption turned on. Problem solved; don't dither! Encrypt. In many cases, there may be a performance impact. The performance impact may be reduced by using encrypting drives or by moving the affected servers onto faster hardware.

There have been some industries, most notably the pharmaceuticals industry, which have approached the problem of creating a wall between personal information and data processing with a great deal of success. Most of us have heard of drug trials using double-blind studies. The data is anonymized and is still acceptable for analysis. Obviously, the keys are held by the CRO (Contract Research Organization) running the actual drug trial and they are subject to intrusion if the data is not kept encrypted and secure. However, it does provide a way forward for software companies creating packages that may manipulate personal information: separate out personal information as soon as possible, encrypt it, and then, join it to the anonymized data when you are sure that the accessor of the information has all the relevant rights.
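
One way to build the wall described above, as an added example that is not part of the original post: personal information is separated at ingest, sealed under its own key, and replaced in the analysis data by a keyed pseudonym, and it is rejoined only for an accessor holding the right to read it. The field list, the "read-pi" right, the record layout and the sample records are hypothetical and constructed for illustration.

```javascript
// Added example: split personal information from analysis data at ingest,
// keep it encrypted, and rejoin only for an accessor with the right to see it.
// All names here (PI_FIELDS, the "read-pi" right, the record layout) are
// hypothetical; the sample records are constructed.
const crypto = require("crypto");

const PI_FIELDS = ["firstName", "lastName", "ssn", "accountNumber"];

// Keyed pseudonym: the same person always maps to the same token, so rows can
// still be grouped per subject, but the token cannot be recomputed without
// tokenKey (a plain hash of an SSN could be brute-forced).
function pseudonym(tokenKey, ssn) {
  return crypto.createHmac("sha256", tokenKey).update(ssn).digest("hex").slice(0, 32);
}

function splitRecord(record, keys) {
  const token = pseudonym(keys.tokenKey, record.ssn);
  const pi = {};
  const analytic = { subject: token };
  for (const [field, value] of Object.entries(record)) {
    (PI_FIELDS.includes(field) ? pi : analytic)[field] = value;
  }
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", keys.vaultKey, iv);
  cipher.setAAD(Buffer.from(token)); // binds the sealed PI to its token
  const sealed = Buffer.concat([cipher.update(JSON.stringify(pi), "utf8"), cipher.final()]);
  return { analytic, vaultEntry: { token, iv, sealed, tag: cipher.getAuthTag() } };
}

function rejoin(analyticRow, vault, keys, accessor) {
  // The rights check comes before any key is touched.
  if (!accessor.rights.includes("read-pi")) {
    throw new Error(`${accessor.name} is not authorized to read personal information`);
  }
  const entry = vault.get(analyticRow.subject);
  if (!entry) throw new Error("no vault entry for subject");
  const decipher = crypto.createDecipheriv("aes-256-gcm", keys.vaultKey, entry.iv);
  decipher.setAAD(Buffer.from(analyticRow.subject));
  decipher.setAuthTag(entry.tag); // final() throws if entry or token was swapped
  const plain = Buffer.concat([decipher.update(entry.sealed), decipher.final()]);
  const { subject, ...measurements } = analyticRow;
  return { ...JSON.parse(plain.toString("utf8")), ...measurements };
}

function demo() {
  const keys = { tokenKey: crypto.randomBytes(32), vaultKey: crypto.randomBytes(32) };
  const loans = [ // constructed delinquency records
    { firstName: "Ann", lastName: "Lee", ssn: "000-00-0001", accountNumber: "ACCT-1", daysLate: 0, balance: 1200 },
    { firstName: "Ann", lastName: "Lee", ssn: "000-00-0001", accountNumber: "ACCT-1", daysLate: 45, balance: 1100 },
    { firstName: "Raj", lastName: "Rao", ssn: "000-00-0002", accountNumber: "ACCT-2", daysLate: 10, balance: 300 },
  ];
  const vault = new Map();
  const analytics = loans.map((record) => {
    const { analytic, vaultEntry } = splitRecord(record, keys);
    vault.set(vaultEntry.token, vaultEntry);
    return analytic;
  });
  return { analytics, vault, keys };
}

// What the analyst's machine holds: tokens and measurements, no names or SSNs.
console.log(demo().analytics);
```

The token key and vault key stay with whoever is responsible for the personal information; a laptop carrying only the analytic rows no longer carries names, social security numbers or account numbers.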

A process to notify authorities and the affected individuals in case of a breach

The system administrator must do a CYA by reporting any known intrusion and information leakage, suspected or actual, in a concise manner to executive management.



Tags: SB227 | NRS 603.A | Privacy law | Nevada
