
Outbound Content Compliance
Best Practices of Email Security for Regulatory Compliance

Contents
1 Introduction
1.1 Why is Outbound Content Compliance an issue?
1.2 Companies must comply with laws and regulations
1.3 Recent examples of data leaks
1.4 Costs of a data breach
2 Secured eMail – Client Application of the Simple Encryption Platform
2.1 Secured eMail - End Point Security for eMail Encryption
2.2 Secured eControl - Integrates with Secured eMail for enforced actions
2.3 Secured eFile - Encrypt network files/folders for automatic authentication
2.4 Secured eDisk Protect - Whole drive encryption – Enterprise management
2.5 Secured eUSB – Encrypts any USB flash drive in the market today
2.6 Secured eGuard - End Point Security - Control, monitor and log endpoint access
3 Secured eMail
3.1 Sending Secured emails - User Perspective
3.1.1 Establishment of a Secured Channel – Identification of the receiver
3.2 Choices when Opening a Secured eMail – A User Perspective
3.3 Security Perspective – SKG - Strongest link in encryption
3.3.1 Encryption
3.3.2 The encryption procedure step by step
3.3.3 Centrally managed keys
3.4 Enterprise Perspective
3.4.1 Central Management
3.4.2 Global Object Synchronization
3.4.3 Role based administration
3.4.4 System Access Rules and Procedures
3.4.5 Seamless integration with existing infrastructure
3.4.6 Flexible Deployment
3.4.7 Policy Management
3.4.8 License Management
3.4.9 Central Password Management
3.4.10 Education management
4 SEP Enterprise Deployment and Scaling
4.1 Overview of SEP Components
4.1.1 SEP Database
4.1.2 SEP Server
4.1.3 SEP Clients
4.2 Scalability and Failover
4.2.1 SEP Database
4.2.2 SEP Server
4.2.3 SEP Management Console
4.3 Performance and Storage
4.3.1 SQL Database Size
4.3.2 Load on SEP Server
4.3.3 Load on SQL Server
4.3.4 Load on Network
4.3.5 Load on Active Directory
4.4 Deployment Strategies
4.4.1 Single Region / Small Medium Enterprise
4.4.2 Single Region / Small Medium Enterprise with Failover
4.4.3 Multi Region / Large Enterprise
4.5 Recommendations
4.5.1 Number of Endpoints per Server
4.5.2 Hardware for SEP Server
4.5.3 Number of SEP Servers
4.5.4 SQL Database
4.6 Potential Bottlenecks
4.6.1 Active Directory Synchronization
4.6.2 Connection Congestion
4.6.3 Secured eUSB Log Synchronization
5 Summary

1 Introduction
What is Outbound Content Compliance? Outbound Content Compliance (also
outbound content security, or OCC) is a new segment of the computer security field
which aims to detect and prevent outbound content that violates the organization's
policy and/or government regulations. OCC deals with internal threats, whether
malicious or accidental, as opposed to more traditional security solutions (firewall,
anti-virus, anti-spam etc.) that deal with external threats. It is therefore sometimes
called inside-out security. These systems are designed to prevent and detect the
accidental sending of sensitive and confidential information outside of the
organization while at the same time educating information workers on the
organization's security policies and industry and/or regulatory compliance.

1.1 Why is Outbound Content Compliance an issue?

Email is the number one method of communication between individuals, whether
personal or business to business. In the past 15 years, IT has been focused on
security concerns outside of the enterprise network and on attacks trying to
penetrate the network. Billions of dollars have been spent to protect the network,
building a wall, or firewall, protecting against those attacks. Since most
information workers are inside the network, the challenge has been to open up
ports to allow outbound communication. That is the issue! Information workers are
sending critical and sensitive information to partners, customers, and stockholders
through the open communication channels over the Internet, without regard to the
protection of the information. Over the past 5 or more years, federal and state or
provincial laws and industry regulations have been passed to control and protect
the use and movement of sensitive data. Companies are mandated to encrypt
information by LAW and the penalties are punitive. The overall cost of
non-compliance is significant because the liability is more than a fine. The
greatest impact is on the overall value of the corporation in the stock market or on
revenues.

Examples of sensitive information are: corporate financial records, corporate
intellectual property, internal manufacturing cost analysis, human resources
records, customer account information, patient records, and strategic marketing
plans. Most of these are examples of records or documents that have been entrusted
into the hands of valued people. The CFO is emailing the corporate financials to
their outside accounting firm for the quarterly close of the books; the Director of
Production sends the signed contract for a new technology being manufactured in
China; and the sales manager sends a customer database and the "agreed to"
marketing plan to an outside marketing company for the first activity in the
marketing plan. Some are accidents waiting to happen, while others are malicious
attempts to deceive the company.

1.2 Companies Must Comply with Laws and Regulations

Many organizations now fall under the oversight of government and industry
regulations that mandate control over private information, including HIPAA in
health and benefits, GLBA and BASEL II in finance, the Payment Card Industry DSS
standard, and Sarbanes-Oxley; more than 42 states in the United States have passed
data privacy or breach notification laws that require organizations to notify
consumers when their information may have been exposed. One high-profile example
is California SB 1386. The EU Data Protection Directive was first introduced in
1995 and has since been updated and implemented by all member countries.

Most recently, on September 24, 2009, the United States announced the HIPAA HITECH
Act, which provides a "safe harbor" for Protected Health Information; that safe
harbor is achieved through the use of encryption technology to protect sensitive
and confidential information.

The Gramm-Leach-Bliley Act has already had an impact on financial services
companies. Federal agencies are grappling with the Federal Information Security
Management Act. Publicly held companies are looking at what role information
security will play in assuring their internal controls, as required by Section 404
of the Sarbanes-Oxley Act. Companies that do business in California are sorting out
SB 1386, which requires them to have processes in place to notify customers whose
personal information has been compromised. Yet no other industry has done as much
to comply with such regulations, or been as open about its compliance efforts, as
the healthcare industry. Most CIOs are complying with HIPAA and California or New
York State privacy law and, voluntarily, Sarbanes-Oxley.

The Health Insurance Portability and Accountability Act of 1996 was passed by the
United States Congress to improve the efficiency and effectiveness of the health
care system and reduce the incidence of fraud. There are three basic components
of the security rule: confidentiality, integrity and availability of electronic
protected health information. The focus of this policy requires increasing the
secure automation of patient records and electronic health care information
transfers. With the advent of automated health systems there is an increasing
number of transfers of information between users, which poses new security and
privacy risks that never existed before. In recognition of this increased risk,
the drafters of this legislation included provisions for the regulation of
information privacy and information systems security. Access control provides
users with rights and privileges to access and perform functions using information
systems, applications, programs and files.

The EU Data Protection Directive (Directive 95/46/EC) has been implemented by all
member states; its purpose is that "Everyone has the right to respect for his
private and family life, his home and his correspondence." This regulation applies
to any operation involving personal data, including collection and storage of the
data. The directive requires organizations to handle all personal data in a manner
that is secure and appropriate. More information can be found at:
http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

1.3 Recent examples of data leaks

The Data Loss Database, http://datalossdb.org/, is a research project aimed at
documenting known and reported data loss incidents world-wide and gives an
excellent overview for deeper research. Below are a few examples from the past
months of organizations that have been forced to disclose incidents that made the
newspapers.

August 3, 2009
National Finance Center – 27,000 via unencrypted email
An employee of the National Finance Center mistakenly sent an Excel spreadsheet
containing employees' personal information to a co-worker via e-mail in
unencrypted form. The names and Social Security numbers of at least 27,000
Commerce Department employees were exposed.

August 4, 2009
US Army National Guard sends email with 131,000 sensitive data records
An individual sent an unencrypted email with the personal information of
soldiers enrolled in the Army National Guard Bonus and Incentive Program.
The data includes names, social security numbers, incentive payment
amounts and payment dates. The soldiers will be notified by letter.

August 6, 2009
Department of Corrections – Email breach – 1,084 people
Social Security numbers of 1,084 Department of Corrections employees were
emailed out.

July 31, 2009
Jackson Memorial Hospital – Via email
A Miami man was charged with buying confidential patient records from a Jackson
Memorial Hospital employee over the past two years, sending them through
email and selling them to a lawyer suspected of soliciting the patients to file
personal-injury claims.

July 16, 2009
Broadridge Financial Solutions, Inc. – 10,000 customers' proxy emailed
Broadridge Financial Solutions, Inc. provides proxy services for clients, including
the processing, distribution and tabulation of annual meeting proxy materials for
registered shareholders of publicly traded companies. The firm inadvertently
disclosed Dynegy shareholder information, including name, address, Social Security
number and other account information, to another client.

June 6, 2009
Ohio State Dining Services – 150 students' sensitive information breached
Student employees had their social security numbers accidentally leaked in an
e-mail. The hiring coordinator for Dining Services, an OSU student, received an
e-mail with an attachment that included students' names and social security
numbers. He accidentally sent the attachment in an e-mail reminding student
employees to sign their waivers for the Ohio Employees Retirement System.

1.4 Costs of a data breach

The exact cost of a data breach can be debated, but the bottom line is that all
business managers agree it is expensive and can affect the overall value of an
organization.

Figure 1 Cost of a data breach

2 Secured eMail – Client Application of the Simple Encryption Platform

The Simple Encryption Platform, SEP, enables an organization to achieve full DLP
through one platform. SEP is a strategic framework that enables an organization to
manage all of its data as well as all of its members.

SEP is a centrally managed platform with integrated DLP applications such as
encryption, port and device control, content inspection and classification of data.
This data-centric approach protects data at rest, data in use and data in transit,
whether the data is located within the network, on the computer or on an endpoint
device such as a PDA or a USB flash drive.

2.1 Secured eMail - End Point Security for eMail Encryption

Securing data while it travels between colleagues, business partners, suppliers,
customers, and other members of an extended enterprise is crucial. As enterprise
networks continue to become increasingly accessible, so do the risks that
information will be intercepted or altered in transmission. As a result of continued
high-profile information breaches, corporate enterprises have strengthened the
manner in which they encrypt information as it travels through their network as well
as to the networks of their customers, partners and stakeholders. Cryptzone provides
an email encryption solution that combines state-of-the-art encryption technology
with ease of use, allowing the use of secured messaging with confidence. Due to the
simple process of sending and receiving secured emails, businesses can now use email
to communicate and protect their privacy without complex implementation and
without disrupting users' behavior.

2.2 Secured eControl - Integrates with Secured eMail for enforced actions

Secured eControl is an integrated information leak prevention solution that protects
companies from data loss and information leakage, both inside the organization and
at the perimeter. Security breaches are increasing in frequency and severity, and
companies face the challenge of protecting their information while under pressure
from regulatory and compliance requirements. The Secured eControl technology adds
content-aware policy triggering of compliance actions ranging from archiving and
certified delivery to document rights and encryption. The integrated solution
automatically discovers risk, giving the user and the systems administrator an
active role in risk mitigation, which in turn increases policy compliance.

2.3 Secured eFile - Encrypt Network Files/Folders for automatic authentication

Protecting intellectual property and customer data is a top security concern for any
business today. Whether in transit over a network or at rest on your system,
encryption helps secure information, minimizing the risk of it being altered or
accessed by unauthorized internal and external users. Secured eFile enables
organizations, teams, and information workers to easily share files and folders
securely with individuals and groups. Today customers, business partners, and
regulators require stronger and additional verifiable measures for protecting
sensitive information. At the same time, data access is more distributed, as
suppliers and partners become deeply integrated into many organizations' business
processes and IT infrastructures. Continuous sharing of critical data internally and
externally creates new security challenges for controlling access to data. Without
strong data protection, enterprises may be exposed to significant financial and
intellectual property loss, legal penalties, and damage to the brand.

2.4 Secured eDisk Protect - Whole Drive Encryption – Enterprise Management

Secured eDisk Protect offers full hard drive encryption for laptops, workstations,
and servers to ensure the ultimate protection against unauthorized disclosure of
data and sensitive information. Today, common threats include the misplacement of
mobile devices, theft of PCs, laptops, and servers, as well as data theft when
systems are discarded. Organizations need privacy management solutions that ensure
sensitive information is protected from unauthorized access and that eliminate the
risks associated with losing a mobile storage device.

2.5 Secured eUSB – Encrypts ANY USB flash drive in the market today!

Secured eUSB is a software solution that converts and upgrades standard USB flash
drives into encrypted and secure USB flash drives with strong central policies. The
storage capacity of USB flash drives has grown tremendously, with costs ever
decreasing. The fact of life in most organizations is that employees are using more
and more of these devices, with or without the approval of IT management. With
employees using their own flash drives, traveling with data to customers, and/or
taking work home, organizations are constantly at risk from unprotected data on an
unsecured flash drive. The consequences can be devastating - lost reputations, lost
profits, lost jobs. In short: all the horrors you read about in the daily news.

2.6 Secured eGuard - End Point Security - Control, monitor and log endpoint access

Secured eGuard is our enterprise-grade solution for portable device control that
proactively secures your most important corporate information. It controls, monitors
and logs how your data is downloaded and uploaded to the endpoints and allows users
to create enforceable security policies, view real-time activity and results, and
centrally manage any type of removable media, portable storage device and
communication interface. Secured eGuard's policy-based control of endpoint access to
portable storage devices and removable media effectively prevents unauthorized use
of enterprise data and enforces endpoint security policies that comply with
regulatory requirements such as Sarbanes-Oxley, California SB 1386 or the Health
Insurance Portability and Accountability Act (HIPAA). Secured eGuard is deployed and
managed centrally, allowing security administrators to define policies that are
automatically distributed to the endpoints using so-called Endpoint Agents. These
policies are enforced and all relevant events are communicated back to the
Management Server. Close integration with enterprise directories and enterprise
management systems enables easy deployment and extensive monitoring and reporting.

3 Secured eMail
Secured eMail is email security software that provides powerful, end-to-end,
easy-to-use email encryption. Email is commonly used to transmit sensitive or
confidential information, including operational data, trade secrets, and legal
documents. Thanks to the Secured eMail Reader, recipients of secured emails do not
need to purchase a license in order to read or reply securely.

3.1 Sending Secured emails - User Perspective

Figure 2 - The Send Secured button – When Secured eMail is installed, the user gets
a new button, Send Secured, that enables the user to send secured emails.

From a user perspective, sending a secured email is done by clicking a 'Send
Secured' button integrated within Microsoft Outlook or Lotus Notes. When a user
clicks the Send Secured button the email is encrypted, wrapped and sent. Wrapping an
email refers to Cryptzone's concept of delivering secure messages, where the actual
secured content is delivered as an attachment in an ordinary MIME email. This is
also referred to as "wrap-mail". The enterprise solution provides the ability to
customize the wrap-mail for specialized requirements.

The optional Secured eControl application delivers Data Leak Prevention (DLP)
beyond encryption. Deployed on the client, it lets you control the flow of
information to any degree you wish. Ready-made policies for federal as well as
state laws such as HIPAA, SOX, GLBA etc. make it easy for customers worldwide to
deploy a solution for content encryption. When Secured eControl is installed and
integrated with the Secured eMail application, security policies can be applied to
enforce securing an email when the user clicks the 'Send' button in the mail
client, without the need to press the Send Secured button. The Secured eControl
policies are highly customizable rules that control the outcome of a user action.
The policies can, for example, be set to react to recipient email addresses, or to
the very content of the sensitive information itself, such as detection of social
security numbers, credit card information and other items of sensitive information.
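The content-aware policy triggering described above (a rule that reacts to the recipient address or to content such as social security and credit card numbers) as an added, self-contained Go example. This is not Cryptzone's or SEP's code and does not show how Secured eControl implements its rules; the rule names, the Luhn and SSN plausibility validators, the `outside-counsel.example` recipient domain and the sample message are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Action is what the policy engine tells the mail client to do with an
// outgoing message. The page also lists archiving and certified delivery as
// compliance actions; this example distinguishes only the two below.
type Action string

const (
	ActionAllow   Action = "allow"   // send as the user wrote it
	ActionEncrypt Action = "encrypt" // force the Send Secured path
)

// Message is a minimal model of an outgoing email.
type Message struct {
	To      []string
	Subject string
	Body    string
}

// ContentRule fires when Pattern matches and Validate (if set) accepts the
// match. The validator keeps order numbers and phone numbers from triggering.
type ContentRule struct {
	Name     string
	Pattern  *regexp.Regexp
	Validate func(match string) bool
}

// Policy combines content rules with recipient rules; mail to any recipient
// matching a recipient rule must always be encrypted.
type Policy struct {
	ContentRules   []ContentRule
	RecipientRules []*regexp.Regexp
}

// luhnValid checks the Luhn checksum of a card number that may contain
// spaces or dashes.
func luhnValid(number string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(number)
	if len(digits) < 13 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ssnPlausible rejects AAA-GG-SSSS values that are never issued: area 000,
// 666 or 9xx, group 00, serial 0000.
func ssnPlausible(s string) bool {
	area, group, serial := s[:3], s[4:6], s[7:]
	return area != "000" && area != "666" && area[0] != '9' &&
		group != "00" && serial != "0000"
}

// defaultPolicy is a constructed example policy: US SSNs, Luhn-valid card
// numbers, and a hypothetical outside law firm that must always get encrypted mail.
var defaultPolicy = Policy{
	ContentRules: []ContentRule{
		{Name: "ssn", Pattern: regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), Validate: ssnPlausible},
		{Name: "card", Pattern: regexp.MustCompile(`\b(?:\d[ -]?){12}\d{1,4}\b`), Validate: luhnValid},
	},
	RecipientRules: []*regexp.Regexp{regexp.MustCompile(`(?i)@outside-counsel\.example$`)},
}

// Evaluate returns the action for a message and the names of the rules that
// fired ("recipient" for a recipient-rule hit).
func (p Policy) Evaluate(m Message) (Action, []string) {
	var hits []string
	recipientHit := false
	for _, rcpt := range m.To {
		for _, rule := range p.RecipientRules {
			if rule.MatchString(strings.TrimSpace(rcpt)) {
				recipientHit = true
			}
		}
	}
	if recipientHit {
		hits = append(hits, "recipient")
	}
	text := m.Subject + "\n" + m.Body
	for _, rule := range p.ContentRules {
		for _, match := range rule.Pattern.FindAllString(text, -1) {
			if rule.Validate == nil || rule.Validate(match) {
				hits = append(hits, rule.Name)
				break // one valid hit per rule is enough
			}
		}
	}
	if len(hits) > 0 {
		return ActionEncrypt, hits
	}
	return ActionAllow, nil
}

func main() {
	// Constructed outgoing message: an HR list going to an outside partner.
	msg := Message{
		To:      []string{"payroll@partner.example.net"},
		Subject: "Bonus list",
		Body:    "Jane Doe 123-45-6789, bonus paid to card 4111 1111 1111 1111",
	}
	action, hits := defaultPolicy.Evaluate(msg)
	fmt.Printf("action=%s triggered=%v\n", action, hits)
}
```

The validators are the part that makes such a rule usable: a bare digit pattern flags order numbers and phone numbers and users quickly learn to ignore the prompt. A production engine would also run the same rules over attachments, since every incident in section 1.3 that involved email leaked through an attached spreadsheet or file rather than the message body.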

3.1.1 Establishment of a Secured Channel – Identification of the receiver

A "secured channel" is a term that represents a secured tunnel of communication
between a sender and a recipient. The channel is created from a shared secret
together with the identity of the sender and the identity of the receiver. The
identities used are the email address of the sender and the email address of the
receiver. The shared secret is established by the sender to create a secured channel
between the two parties.

The shared secret can be provided to the application in two ways: manually by the
user, or automatically with the use of an Enterprise Server.

In the first case, the user is prompted to create a custom shared secret. The
bit-strength of the shared secret created by the user can be controlled with the use
of password policies. These policies control the number of characters in the secret,
as well as which kinds of characters must be used.

In the second case, the client retrieves the shared secret from the Enterprise
Server. If the Enterprise Server cannot deliver a stored shared secret, the user is
prompted to create the secret.

Once the secured channel has been established, the client application maintains the
trusted relationship. This means that once an email has been secured, there is no
need to define a shared secret again. The next email is sent securely through the
channel, with automatic authentication, without the need for a password – forever.

During the process of sending a secured email, the sender has the option to provide
a custom unencrypted message that is embedded in the wrap-mail. The unencrypted
message is a valuable option for communicating per-message information in plain
form, readable by the recipient.

Once an email has been created and sent to an external recipient, the sender is
responsible for providing the means for the shared secret exchange. The shared
secret is an authentication tool to verify that only the correct receiver can read
the secured email. The exchange of the shared secret is done only once, and it is
entered only once by the receiver. When the verification is done, the sender and the
receiver can continue to send secured emails to each other forever without being
asked for any new verification. It is possible to set up a policy so that the
receiver has to verify again every month, if such a requirement exists.

The shared secret can be a combination of information that is known by both
parties. For example, a shared secret may be a customer number, the last six digits
of a social security number, initials plus the last four digits of the social
security number, or anything that the recipient would know without forgetting it.
There is a multitude of agreed-upon shared secrets that provide a high level of
security and can be easily remembered by the sender and the recipient. Additional
methods of communicating the shared secret are provided by built-in functionality
such as fax printouts or email drafts, or the secret can be given verbally by the
user. For inbound communication, the server handles all key exchange.

It is our belief that sending a secured email is an end-to-end, endpoint-based
process which can be done without the use, need and cost of a gateway. The Secured
eMail and Secured eControl applications can be used in an offline or online
environment, as if they were still connected to the Internet. When a user sends an
email in an offline state, the user will see their secured email "become encrypted"
and end up in the outbox at the time of sending. When the user connects to the
Internet, the email is automatically sent out of the outbox and deposited in the
sent folder.

One key differentiator of the Secured eMail application is the recipient's
accessibility to the secured content. Because Secured eMail's secured content is
sent using the MIME layer, as an attachment to the wrap-mail, the user can access
their emails from anywhere, including public mail services such as Gmail, Hotmail
etc.

Required components when sending secured emails are Outlook or Lotus Notes in
conjunction with the Secured eMail Client, which is a Windows application.

3.2 Choices when Opening a Secured eMail – A User Perspective

A recipient of an encrypted email will first experience the delivery of the
wrap-mail, which is a notification to the recipient that they have received an
encrypted email, together with instructions on how to read it. Within the content of
the wrap-mail, the user is given the option to download either the Full Reader
Application or the Reader Lite, one of which is required to open the secured email.
The user must have administrative rights in order to install the Full Reader.

For users that don't have administrative rights, the Reader Lite application is a
perfect solution. The Reader Lite does not require administrative rights, though
Java is required on the recipient's computer.

In Outlook and Lotus Notes, the user simply double-clicks the email to open it. The
preview pane displays the content of the wrap-mail. Users with other mail clients,
in conjunction with the Secured eMail client, are simply required to open the
secured content as an attachment to the wrap-mail. The email is then displayed as
created by the sender, within the local machine's web browser.

Figure 3 Cryptzone standard wrap-mail – The Cryptzone Enterprise solution is
delivered with several well-tested wrap-mails (instructions for the receiver). The
above example shows different instructions for internal users and external users.

Once the software is installed and the user wants to open a secured email, the
content has to be decrypted with the key used at the time of encryption. The
instructions in the wrap-mail provide a way to communicate the means to retrieve
the secret used. Many implementations currently do this using already established
ways of communicating with customers, such as profile-driven forums, fax, postal
mail or even verbally.

In enterprise scenarios, and inbound messaging, the key is retrieved automatically
and seamlessly from the Enterprise server.

Once a secured channel has been established, our client software maintains the
secure channel, which never has to be recreated. The next time an email is received
from the sender, the encrypted email is opened automatically without the use of the
shared secret. The client software, if used in conjunction with Outlook or Lotus
Notes, allows the recipient to reply securely to the sender without the need for a
software license.

The components required to open a secured email are any mail client together
with the Secured eMail Client, or the Reader Lite (a Java Web Start application that
in turn requires Java 1.4).

3.3 Security Perspective – SKG - strongest link in encryption

Secured eMail is based on pure end-to-end encryption concepts. The key used to
uphold a secured channel for email communication is discarded and no longer
physically exists on the client side once an email has been sent or opened. Only a
hashed version of the key exists locally on the client and centrally on the SEP
Enterprise server, and it becomes the channel key to use the next time an email is
sent or opened.

Secured emails are encrypted using AES 256 PHM (padded hashed message). Any
key provided is, prior to encryption, brute-force protected using SHA2. Since Secured
eMail uses pure symmetric encryption concepts, there is no need for PKI
management, certificate enrollment, maintenance, disaster recovery and so on. An
email can be sent securely to anyone, at any given time. The Secured eMail client
protects all locally stored profile data in a secured database using AES256 and a
policy-defined protection method.

3.3.1 Encryption

For secure client communication SEP uses SSL, implemented through the industry
standard OpenSSL library. Encryption of databases and profiles on the client is done
using AES 256 encryption. The example shows how a client encrypts a file; the same
approach and module is used by SEP, but the result is then stored as database tables.

Figure 4 Cryptzone content encryption concept – The diagram shows the layers of the
concept: the Content Layer (plaintext content and protection method), the SEP Rule
Layer, the SEP Data Layer (the key and a randomized 256-bit key), the SEP Interface
Layer (SHA2 hashing as brute-force protection followed by AES256PHM encryption)
and the Secured Content Layer (secured data consisting of a keyslot with key GUID
and non-sensitive attributes, the cipher of the randomized 256-bit key and the cipher
of the content).

The encryption procedure is illustrated in the “Cryptzone content encryption
concept”. To better understand the concept map, note that there are actually two
keys involved: one normal encryption key/shared secret and one fully randomized
256-bit key. The randomizer uses a seed constructed from several factors including,
but not limited to, processor tick count, user input, hashing and other hardware
factors. With each new key the seed pool gets scrambled.

3.3.2 The encryption procedure step by step

The process starts with a client getting instructions to encrypt a plaintext file.

1. An encryption key (a shared secret) is generated or entered by a user.
2. The key is SHA-2 hashed to provide brute-force attack protection and to pad
   the key to the fixed key length that AES requires.
3. The file is encrypted with AES using the 256-bit random key as the
   encryption key; this is the cipher content in the graph.
4. The random key is in turn AES encrypted using the hashed user key/shared
   secret and placed in the key slot.
5. Temporary files are wiped from disk and memory to remove the possibility of
   indirect information leaks.
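Steps 1 to 5 above as an added example written for this page in Go; it is not Cryptzone's code and makes assumptions the page does not state: AES-256-GCM stands in for the page's “AES256 PHM” (not a published mode), the key slot is simply the wrapped content key plus the nonce used to wrap it, and the shared secret and plaintext are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// SecuredContent is the "secured data" of Figure 4: key slot plus cipher of content.
type SecuredContent struct {
	SlotNonce    []byte // nonce used when wrapping the content key
	WrappedKey   []byte // key slot: random content key encrypted under the hashed secret
	ContentNonce []byte
	Cipher       []byte // cipher of content
}

// deriveKey is step 2: SHA-256 maps a secret of any length to the 256 bits AES-256 needs.
func deriveKey(secret []byte) []byte {
	sum := sha256.Sum256(secret)
	return sum[:]
}

// newGCM builds AES-256-GCM; GCM is this example's assumption, the page names "AES256 PHM".
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts under a fresh random nonce; gcmOpen decrypts and verifies.
func gcmSeal(key, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}
func gcmOpen(key, nonce, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// wipe is step 5 for in-memory key material (best effort: the runtime may hold copies).
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Encrypt follows steps 1-5 of section 3.3.2 for one plaintext.
func Encrypt(sharedSecret, plaintext []byte) (*SecuredContent, error) {
	userKey := deriveKey(sharedSecret) // step 2: hashed shared secret
	defer wipe(userKey)
	contentKey := make([]byte, 32) // step 3: fresh random 256-bit key
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	defer wipe(contentKey)
	cNonce, ct, err := gcmSeal(contentKey, plaintext) // step 3: cipher of content
	if err != nil {
		return nil, err
	}
	sNonce, wrapped, err := gcmSeal(userKey, contentKey) // step 4: fill the key slot
	if err != nil {
		return nil, err
	}
	return &SecuredContent{SlotNonce: sNonce, WrappedKey: wrapped, ContentNonce: cNonce, Cipher: ct}, nil
}

// Decrypt opens the key slot first; a wrong secret fails there and the content is never touched.
func Decrypt(sharedSecret []byte, sc *SecuredContent) ([]byte, error) {
	userKey := deriveKey(sharedSecret)
	defer wipe(userKey)
	contentKey, err := gcmOpen(userKey, sc.SlotNonce, sc.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("key slot rejected: wrong shared secret or tampered key slot")
	}
	defer wipe(contentKey)
	return gcmOpen(contentKey, sc.ContentNonce, sc.Cipher)
}

func main() {
	secret := []byte("constructed shared secret")
	if sc, err := Encrypt(secret, []byte("constructed plaintext")); err == nil {
		pt, err := Decrypt(secret, sc)
		fmt.Printf("key slot %d bytes, recovered %q, err=%v\n", len(sc.WrappedKey), pt, err)
	}
}
```

The single SHA-2 hash in deriveKey reproduces what the page describes; in a current deployment a memory-hard KDF such as scrypt or Argon2 would take its place, so that a weak shared secret cannot be tried offline at hash speed. The page's channel-key rule of section 3.3 (only the hash of the used key survives as the next key) would be deriveKey applied to the key just used.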

3.3.3 Centrally managed keys

The Enterprise Server is managed with the use of a powerful management console.
The server's main task is to manage the company entities related to the Secured
eMail implementation, such as member structures, secrets and policies. Furthermore,
the Management Console hosts “services for helpdesk applications” such as lost
passwords and deployment tool creation.

With the use of the server, all client behavior can be centrally managed by a rich
policy system. The policy system provides a way to apply rules regarding a specific
user action to users or to the user group they belong to. This provides the tools
necessary for an administrator to apply secure messaging in a controllable way.

While managing members, it is possible to create something referred to as Secured
Groups. A Secured Group defines boundaries between members, where any user within
the same Secured Group shares a given secret. The secret is defined when creating
the Secured Group, and can be changed at any given time.

When a user sends a secured email to a new contact, the Secured eMail client
performs a server request to retrieve a secret to use with the contact. The server
resolves the client request and provides the secret with the help of predefined
Secured Groups. The user never sees this secret in plain text; it is visible only to
the administrator at the company. The actual seed provided to the client is not
stored on the client machines, but is mainly used to establish a secured channel
with the recipient as one of the channel's key generation factors. Using the shared
secret of a Secured Group it is possible to access any email that has been sent or
received through the group.

Figure 5 Secured Group Properties – It is possible to change shared secret for a group and
also ask the system to generate unique seeds for each individual user in a secured group.

Any member type of an Enterprise Server can have memberships in a Secured Group,
including those manually created. It is however required that the receiving end has
connectivity to the Enterprise Server during the decryption phase to be able to
automatically retrieve the secret. This means that while external contacts can be
part of Secured Groups, they will not be able to open the email unless this
requirement is fulfilled. For external communication, the system relies on user-to-user
communication of the shared secret, and on shared secrets being created by the
users themselves rather than managed with the help of Secured Groups.

The wrap-mail that gets sent to a recipient is defined by a central policy, and the IT
administrator can design several different wrap-mail templates and deploy them to
the enterprise. The secured email can then carry information about the company's
policy for securing information, as well as instructions on how to access the secured
content.

The per sender-and-recipient relationship-based shared secret design enables
Secured Groups to be used together with external recipients in a favorable way,
since exposing the shared secret used in a secured channel between a sender and a
recipient no longer endangers the security of other secured channels created by
other users using the same Secured Group. This in turn makes Secured eMail ideal
for B2C mail flows. When defining Secured Group members, it is possible to create
wildcard members. Each wildcard represents a potential recipient within a specific
namespace boundary. A wildcard is typically defined to have an email address such
as *@hotmail.com, meaning “anyone at hotmail”. This means the Secured Group will
automatically recognize members matching the wildcard as members of that group.

Figure 6 Add users – It is possible to add a wildcard for a specific group. In the
example we have added a wildcard that will enable end users to send encrypted
emails to anyone with the address @ford.com with a specified shared secret.

3.4 Enterprise Perspective

The SEP Management Console has been greatly enhanced to fit larger enterprises
with 100 thousand users plus. The focus has been on enhancing the member and
policy systems, as well as adding a high-end security role system, MSI deployment
features and a template design system.

Figure 7 SEP Management Console – Here the IT Administrator can manage users, groups,
licenses, policies, security roles and secured groups.

3.4.1 Central Management

The Enterprise Server centrally manages and enforces security policies for all
Cryptzone products. It has the ability to create custom environments, specific settings
and permissions for different groups as well as specific users and then deploy this
across an entire network. This managed system allows users to log in to an
environment that is appropriate to their needs and consistent from one client to the
next.

3.4.2 Global Object Synchronization

A Global Object is a piece of data that is synchronized between server and clients.
The data can be anything from policies, licenses and passwords to templates, and
enables synchronization for a single user between laptops, desktops and even a Citrix
login. This technology makes sure that no matter what computer a user logs into, the
user will be able to use the technology they are licensed for, regardless of whether
the user is online or offline. Global Object Synchronization puts the power of the
technology in the hands of the user, as well as the IT administrator. For the IT
administrator this means that encryption keys, policies, licenses and passwords are
always automatically archived for backup. In the case of a computer crash or a
regulatory audit, incident logging files and audit reports are close at hand.

3.4.3 Role based administration

The platform allows for permissions to be defined for individuals and groups, enabling
a flexible, multi-tiered administration system with effective delegation of access rights
and responsibilities through dedicated user roles.

Figure 8 Security Roles – The picture shows the Security Roles feature where it is possible to
create different security roles for users in the SEP Management Console.

3.4.4 System Access Rules and Procedures

Client authentication can be customized depending on the need for user identity
verification, from single sign-on (SSO) using Windows authentication down to
authenticating users every time a secured email is opened. SEP Server authentication
can be either Windows® authentication or user name and password. The roles
assigned to the user then dictate what the user can view, edit and create.

3.4.5 Seamless integration with existing infrastructure

Leveraging existing directory applications such as Active Directory or LDAP, the SEP
provides a one-way synchronization process to centrally administer security policies
for user groups. The Simple Encryption Platform sits on top of the existing
infrastructure as a thin layer, designed to be flexible and extensible for
interoperability with existing infrastructure.

3.4.6 Flexible Deployment

The Simple Encryption Platform is designed to run in multiple environments,
including as a managed service, in a hosted location and/or in the company's existing
IT infrastructure. The Simple Encryption Platform is delivered with the first encryption
application, which allows organizations to quickly roll out new applications simply by
downloading a new license.

3.4.7 Policy Management

SEP Management Console offers an easy and scalable way to deploy security
policies and monitor security to ensure compliance with corporate security policies.
Centrally define, enforce and monitor information policies from a single,
enterprise-wide console, ensuring a consistent policy across all users in the
organization, or customized policies for groups within the organization.

Figure 9 Policy management – It is possible to create one or several policies and then deploy
them to users, groups and/or entire ADs. The system comes with ready-to-go policies created by
the Cryptzone Professional Services team.

3.4.8 License Management

The SEP license management system makes it possible to add, remove and
exchange licenses between users, groups and Active Directories. Licenses can also
be issued on a temporary basis to external parties or consultants and then withdrawn
on demand. Depending on which licenses the user profile includes, the client
enables or disables the products dynamically.

3.4.9 Central Password Management

Synchronizing user profiles to a SEP client also means giving access to secure groups,
secure channels and policy settings for passwords, which can be controlled through
policies. Users can use Windows® Authentication or their SEP Password to access all
encrypted data. The SEP Management Console manages user rights and access to
secured data using the infrastructure you have already invested in: Active Directory. If
you don't have your own structure, you can easily use the SEP Management Console
to create one.

3.4.10 Education management

For a successful deployment of a security solution it is important that end users
understand how to use the new security solution. The SEP solutions offer centralized
templates where the administrator can customize end user messages. The SEP
solution also includes a multitude of different education tools.

4 SEP Enterprise Deployment and Scaling
This section aims to give system administrators an overview of the SEP Enterprise
solution from a scalability and performance perspective. It discusses deployment
strategies, hardware recommendations, potential bottlenecks and how to overcome
them.

4.1 Overview of SEP Components

There are three main components to take into account when considering scaling for
SEP.

4.1.1 SEP Database

The SEP Database holds all the central information relating to SEP. This includes user
information, user profiles, licenses, groups, policies, security roles etc. It goes without
saying that it is the most critical part of SEP.

SEP Database runs on SQL Server 2000 or later and is supported for Express editions of
SQL Server as well.

4.1.2 SEP Server

SEP Server processes requests from SEP Client and is managed through SEP
Management Console. SEP Server also performs periodic synchronization with Active
Directory to keep the SEP Database up to date. The SEP Server uses the SEP Database
to store data.

SEP Server runs on .NET Framework 2.0 and is supported on all Windows versions
supporting .NET Framework 2.0.

4.1.3 SEP Clients

SEP Clients provide functionality to the user and synchronize with the SEP Server in
intervals which are dependent on user action. A USB stick that is secured using
Secured eUSB also will act as a standalone client. It will connect to the server and
synchronize with the server independently from the SEP Client which was used to
secure the stick.

Desktop SEP Client

The Desktop SEP Client provides functionality to the user for all the SEP products and
performs profile synchronization with the SEP Server.

Secured eUSB Client

The Secured eUSB client is a secured area on a USB memory device that is created
with the Secured eUSB product. It is used to protect the sensitive information on a USB
device. An endpoint refers to the SEP Client or to the Secured eUSB client throughout
this document.

4.2 Scalability and Failover

4.2.1 SEP Database

The most common methods for SQL Server scaling are the following:

SQL Server Clustering

SQL Server Clustering involves clustering two or more servers at the same location
together as one database server, usually attached to the same SAN (Storage Area
Network). This method provides both failover and load balancing possibilities. SQL
Server Clustering is suitable for use with the SEP Database.

SQL Server Mirroring

SQL Server Mirroring makes it possible to create read only copies of a database in a
different location. This does not provide any load balancing possibility as the mirror
databases are read only, however it can be used for failover.

SQL Server Replication

SQL Server Replication allows replicating a database across multiple regions and
allows data to be updated in all replicas. However, this requires data in the
database to be partitioned to avoid conflicts. This is not supported by default by the
SEP Server, but can be achieved with a special configuration.

4.2.2 SEP Server

The SEP Server only performs business logic and does not store any kind of business
data. This makes it easily replaceable and scalable. An unlimited number of SEP
Servers can be set up to communicate with the same SEP Database. Because of this,
we recommend that a SEP Server is installed in each region and that a fast line is
available from the servers to the central SEP Database.

The SEP Server also performs periodic synchronization against the Active Directory, and
having each individual server synchronize separately would be redundant. It is
enough to use one server as the synchronization server and let the other servers only
handle client requests.

4.2.3 SEP Management Console

SEP Management Console has large memory requirements when managing a server
with very large numbers of entities (100,000+). Although the Management Console is
highly optimized to work with a large number of entities, it is recommended that it is
run from a machine with a lot of spare memory when managing a database with a
large number of endpoints.

4.3 Performance and Storage

4.3.1 SQL Database Size

In general, when not using Secured eUSB logging features, SEP Enterprise has
considerably lower database size requirements. A 4GB database, which is the
maximum size supported by SQL Server Express, will accommodate up to 5000
users.

Secured eUSB however requires more space as the number of devices grows. Log
files are kept indefinitely in the database until the device itself is deleted through the
management console. Even though log files are stored in compressed form, the size
will grow over time as more and more devices are added. There are considerations
to add options to be able to delete older log files automatically.

For more information about database size requirements, see the section on
databases in “Recommendations”.

4.3.2 Load on SEP Server

There are three main areas where the server uses processing power:

a) Active Directory Synchronization: During this process, the server will retrieve a
copy of the remote AD and compare it with the locally stored copy. Any
changes detected in the remote AD will be reflected through database
updates to the local copy. Depending on AD size, this process can have large
memory requirements. The frequency of the synchronization can be
configured.

b) Processing client requests: The clients ask to retrieve any changes to their
profile when synchronizing with the server. The clients use “lazy
synchronization”, which means they only synchronize when the user is
using the client. This means that synchronization won't happen during
Windows startup, for example.

Some possible cases where synchronization or contact with the server will
happen from the client:

1. SEP Client is installed on the machine for the first time.
2. When SEP Client is in a signed-out state (tray icon is grayed out), the
user initiates an action which requires the client: securing a file,
unsecuring a file, securing a USB stick, sending a secured email to a new
contact.
3. When the “synchronize” button is clicked on the SEP Settings dialog.

During normal usage of the computer, there is no periodic background
synchronization taking place.

c) Analyzing Secured eUSB logs: The Secured eUSB client saves its logs. After
the Secured eUSB logs are synchronized with the server, they're put on a
queue to be processed. The server then builds a list of changes since the
last revision of the stick.

Each log file contains information about the changes on the stick. Changes
on the stick are events such as deletion, copying, moving or editing of files.
Only the changes since the last synchronization are sent to the server.

4.3.3 Load on SQL Server

The bulk of the load on the SQL Server will be during Active Directory synchronization
and SEP Client synchronization.

Most of the insertions to the database will be done in these scenarios:

An Active Directory source is added and the server is synchronizing with the
directory. In this case, the information in the Active Directory will be imported
into the database.

A Secured eUSB client synchronizes its logs, which will be saved and processed
in the database.

4.3.4 Load on Network

The SEP Server and Clients communicate through a compressed SSL stream, and as
such the bandwidth used for each synchronization is minimal.

The amount of data transferred for a simple client synchronization where there are no
changes in the user profile (the most common scenario) is around 3KB. Depending on
how often the client is used (see section Load on SEP Server), on average 5 to 10
synchronizations a day can be expected. Thus each client can be expected to use
around 15KB to 30KB of bandwidth on average per day.

A compressed secured eUSB log is on average 700 bytes. An active Secured eUSB
thus might log around 20 to 30 events a day, which will result in 14-21KB of logs being
transferred per Secured eUSB device each day.

4.3.5 Load on Active Directory

The SEP Server performs a number of queries to the Active Directory during its
synchronization process. Depending on whether partial or full synchronization is
selected, the SEP Server queries the various parts of the Active Directory and
retrieves objects such as Organizational Units, Users and Groups. The
synchronization interval can be configured to longer intervals (the default is every 30
minutes) to reduce the number of queries per day on the Active Directory.

For small directories, the synchronization takes seconds, for larger ones (100,000+
objects) it might take a few minutes. The first synchronization to Active Directory when
it is first added to the SEP Server always takes the longest.

4.4 Deployment Strategies

4.4.1 Single Region / Small Medium Enterprise

For deployments of this size, a single SEP Server and a single SEP Database running on
a SQL Server database is sufficient. A single SEP Server can handle up to 50,000
endpoints (SEP Client + Secured eUSB). The single SEP Server performs all the duties,
including Active Directory synchronization and synchronization with the clients.

Figure 12: Single Server Deployment – The diagram shows the SEP Clients, a single SEP
Server, the Domain Controller and the SEP Database.

4.4.2 Single Region / Small Medium Enterprise with Failover

In the cases where the operation of SEP Server is business critical, it is recommended
that there are two SEP Servers deployed for failover purposes. The SQL Server should
also have some failover capability, either through SQL Server Mirroring or Clustering.

In this case the clients would be configured to connect to a primary server and
secondary server in case the first one goes down. It is enough that only the primary
server performs synchronization with Active Directory.

Figure 13: Single region with failover and load balancing

4.4.3 Multi Region / Large Enterprise

For a very large number of users across multiple regions (50,000+), a different
deployment strategy is recommended. The recommended strategy is to use a SEP
Server for each region, combined with a common high performance clustered SQL
Server. Each region can also have another SEP Server for failover purposes, as in the
Single Region example. Only one of the SEP Servers would be designated to
synchronize with Active Directory, while the rest would only provide functionality for
the clients.

Figure 14: Deployment strategies for 3 regions – Each region (Region 1, 2 and 3) has its
own SEP Clients, SEP Server and Domain Controller, and SEP Clients use the SEP Server
in their own region. One SEP Server uses its Domain Controller for both authentication
and synchronization; the other SEP Servers use their Domain Controller only for
authentication. A central SEP Database (cluster) is used by all the SEP Servers.

4.5 Recommendations

4.5.1 Number of Endpoints per Server

An endpoint is either a SEP Client or a Secured eUSB device. The total number of
endpoints would be number of SEP Clients installed + number of Secured eUSB
devices.

4.5.2 Hardware for SEP Server

In general, the SEP Server's hardware and memory requirements depend on the
number of endpoints and the size of the AD used. For servers that perform
synchronization with very large Active Directories, it is recommended that the server
has plenty of free memory.

Number of Endpoints (Client + eUSB)   Number of CPU Units*   Memory
0-10,000                              1                      1GB
10,000-30,000                         2                      2GB
30,000-50,000                         2                      3GB
50,000-75,000                         4                      4GB
75,000-100,000                        4                      6GB
100,000+                              4+                     8GB

* 1 CPU unit is equivalent to a 1.5GHz single core Intel Xeon or Opteron processor.

SEP Server does not have any storage requirements outside of what is required to
install the software.

SEP server is supported on all 32 and 64-bit Windows versions that have support for
.NET Framework 2.0.

4.5.3 Number of SEP Servers

In general, more than one SEP Server is only necessary if the operation of the SEP
Server is business critical or if there will be a very large number of endpoints. The SEP
Client is designed to run offline and should operate very well in conditions where
the SEP Server is not available.

For a company in multiple regions, the company can choose to have multiple SEP
Servers covering different regions for load balancing purposes and to avoid traffic
across different regions.

Each SEP Server has a limit on the number of simultaneous connections it can handle.
This limit controls the number of SEP Clients that can be connected to the server at
the same time. This option is configurable through the SEP Management Console. It is
calculated that at most 1% of the available endpoints will be connected to the server
at the same time.

Number of Endpoints (Client + eUSB)   Number of Simultaneous Connections
0-10,000                              100
10,000-30,000                         200
30,000-50,000                         400
50,000-75,000                         500*
75,000-100,000                        750*
100,000+                              1000+*

*: Multiple servers are recommended for this number of endpoints

4.5.4 SQL Database

The following SQL Server versions are supported:

SQL Server 2000 Standard, Enterprise
SQL Server 2005 Standard, Express*, Enterprise
SQL Server 2008 Standard, Express*, Enterprise

*: 4GB database size limit

The SQL Database size is related to the number of user profiles stored on the server
and the number of eUSB endpoints that will be used actively by the users. Secured
eUSB log data is kept indefinitely in the database until the device is deleted; in that
case the log data is wiped.

We have calculated the footprint of a single Secured eUSB log file in the database
to be around 512 bytes. An active eUSB device can be calculated to have around
20 events per day on average. For a single user this results in 10KB of storage per
day.

SQL Database Sizes for number of profiles

Number of Users (Profiles)   Database Size
0-5,000                      4GB
5,000-10,000                 8GB
10,000-50,000                40GB
50,000-100,000               80GB
100,000+                     120GB+

For storing eUSB log data for at least 3 years, we would recommend the following
minimum database sizes:

SQL Database sizes for number of eUSB endpoints

Number of active eUSB Endpoints   Database Size
0-10,000                          50GB
10,000-50,000                     200GB
50,000-100,000                    400GB
100,000+                          800GB+

For Secured eUSB users that are using the logging features, SQL Server Express is not
recommended due to database size limits.

4.6 Potential Bottlenecks

4.6.1 Active Directory Synchronization

In a large Active Directory, if only a small portion of the users are going to be using
the SEP software, only parts of the AD should be synchronized to reduce the load on
the Active Directory and on the SEP Server. As more and more users are deployed,
the parts of Active Directory that are synchronized can be dynamically expanded.

4.6.2 Connection Congestion

In the scenario where a large number of users start a synchronization
simultaneously, and the server is not configured to support that many simultaneous
connections, the server will be unreachable for some of those users. The SEP Clients
will continue to operate offline however, and this should not cause any side effects.
To solve this, consider increasing the number of simultaneous connections on the
server or adding additional SEP Servers for load balancing.
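The primary/secondary failover of section 4.4.2 and the congestion case of section 4.6.2, as one added example in Go that is not the product's code: a small model in which each server enforces a simultaneous-connection cap, a client tries its configured servers in order and otherwise keeps working offline, and a burst of clients synchronizing at the same instant shows how many are served by each server and how many fall back to offline mode. The server names, caps and burst size are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrBusy is what a client sees when a server has no free connection slot.
var ErrBusy = errors.New("server at its simultaneous-connection limit")

// Server is a hypothetical model of one SEP Server with the configurable
// simultaneous-connection limit of section 4.5.3; not the product's code.
type Server struct {
	Name     string
	MaxConns int
	mu       sync.Mutex
	active   int
}

// Acquire takes a connection slot or fails at once with ErrBusy.
func (s *Server) Acquire() error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.active >= s.MaxConns {
		return ErrBusy
	}
	s.active++
	return nil
}

// Release frees the slot when the synchronization is finished.
func (s *Server) Release() {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.active > 0 {
		s.active--
	}
}

// SyncResult records which server served the client, or that it stayed offline.
type SyncResult struct {
	Server  string
	Offline bool
}

// Sync tries the configured servers in order (primary, then the failover server
// of section 4.4.2). A nil entry models a server that is down. When no server
// accepts the connection the client keeps working offline instead of failing.
func Sync(servers []*Server, work func()) SyncResult {
	for _, s := range servers {
		if s == nil {
			continue
		}
		if err := s.Acquire(); err != nil {
			continue // congested: try the next server
		}
		work()
		s.Release()
		return SyncResult{Server: s.Name}
	}
	return SyncResult{Offline: true}
}

// Burst starts n clients that synchronize at the same instant and hold their
// slot until every client has tried (the congestion case of section 4.6.2).
// It returns how many clients each server served and how many stayed offline.
func Burst(servers []*Server, n int) (served map[string]int, offline int) {
	served = map[string]int{}
	var mu sync.Mutex
	var wg sync.WaitGroup
	attempted := make(chan struct{}, n)
	release := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			r := Sync(servers, func() { attempted <- struct{}{}; <-release })
			if r.Offline {
				attempted <- struct{}{}
			}
			mu.Lock()
			defer mu.Unlock()
			if r.Offline {
				offline++
			} else {
				served[r.Server]++
			}
		}()
	}
	for i := 0; i < n; i++ {
		<-attempted // wait until all n clients either hold a slot or gave up
	}
	close(release)
	wg.Wait()
	return served, offline
}

func main() {
	primary := &Server{Name: "sep-primary", MaxConns: 5} // constructed caps
	secondary := &Server{Name: "sep-secondary", MaxConns: 3}
	served, offline := Burst([]*Server{primary, secondary}, 20)
	fmt.Printf("served=%v offline=%d\n", served, offline)
}
```

With caps of 5 and 3 and a burst of 20, exactly 5 clients are served by the primary, 3 fail over to the secondary and 12 stay offline until their next attempt; raising the cap or adding a server changes only those numbers, which is the remedy the section recommends. Clients that cannot reach any server report offline rather than an error, matching the page's statement that the SEP Client is designed to run offline.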

4.6.3 Secured eUSB Log Synchronization

It is possible in a company deploying Secured eUSB that not all the users need the
logging feature for Secured eUSB. It can easily be controlled through central policies
which parts of Active Directory will have logging enabled or disabled. Reducing the
number of users that use Secured eUSB logging will ease the requirements on the
server and database hardware.

5 Summary
The intent of this document is to give the reader a thorough understanding of
Cryptzone's current Secured eMail Enterprise version, as well as a view of our upcoming
release of v4.5 (announced GA is spring 2010). The Secured eMail solution is today
used by over 1000 organizations, helping them to keep sensitive and private data
secured.

Cryptzone's approach is to create a solution that fits any size of company. The
basis of Secured eMail is that the application creates an end-to-end virtual channel
between the sender and the receiver. It doesn't matter how the recipient receives
their email – Outlook, Microsoft OWA, Gmail, Yahoo, Thunderbird – any method.

Most important is that our technology helps our customers to meet worldwide
regulatory compliance for sensitive-information laws such as HIPAA HITECH, Sarbanes-
Oxley, HIPAA, Payment Card Industry DSS standards, the EU Data Protection Directive
and GLBA. We use the strongest encryption method, AES 256, as well as the SKG system,
which generates dynamic one-time encryption keys for every email sent. It is virtually
impossible for somebody to hack your emails when they are secured. All the sender
has to do is simply press a button, “send secured”, and everything else is taken care of.

Organizations looking to be compliant should ask themselves questions like:

Who can access our mail servers and all the emails located on them?

In what region and country is the mail server located? Is personal information
stored in another country? What laws and regulations then apply?

Who can access our archiving system and all emails stored there? What laws
and regulations apply to emails containing sensitive information in an
archiving system?

How do we protect the locally stored email on laptops and desktops?

Is it OK that IT administrators can access sensitive information?

If it is OK that IT administrators access sensitive information, do we make them
sign non-disclosure agreements?

How do we track which users have accessed unsecured sensitive information?

Whatever the answers are to these very difficult questions, Cryptzone's Secured eMail
application can protect an organization's sensitive data sent by email no matter its
location and restrict access to only the sender, the receiver and the organization's
most trusted information workers.
