Secure Messaging
- built on a -
Foundation of Trust

Len Gangi, CISA

17 October, 2009
“We must plan for freedom, and not only for security, if for no
other reason than that only freedom can make security secure.”

The Open Society and Its Enemies (1945)
Karl Raimund Popper (28 July 1902 – 17 September 1994)



History Often Repeats Itself
Before the Internet was commonplace, enterprise networks were protected by a
strategy developed during the Middle Ages. Just as feudal lords shielded their castles
through the use of moats and drawbridges, security administrators protected their
networks by limiting access to "trustworthy" individuals communicating over private
lines with static firewalls. Both of these approaches focused their energy on preventing
external threats from piercing reinforced and gated perimeters.


Obviously, this incorrectly presumed that valuable assets were always inside the
secured perimeter and that all internal sources could be trusted. Facts speak
differently today with human error, sabotage, policy circumvention and physical theft
headlining the list of data loss events, many of these related to "trusted" users and
confidential data compromised while outside of the corporate castle and its feudal
defense.


A Paradigm Shift
With the Internet having become a utility for businesses and individuals alike,
innovative forms of communications and commerce continue to proliferate at an
unprecedented rate. It is within this highly dynamic and robust environment that we
continuously labor over how best to balance the constructive use and protection of
confidential information, especially that which is transported and stored as email.

The key to building a business enabled network is through a strong foundation based
upon the elements of trust, integrity and privacy. These elements must be pervasive
and transparent, and should operate without having to confront users with complex
technical or procedural security demands. By closely integrating with a user’s daily
tasks we can minimize the perceived need or ability to bypass essential safeguards.
Most importantly, the security of these foundation elements and the information that
they preserve must travel whenever and wherever protection is required.

The Internet has not only raised the importance of security, it has also brought about a
significant paradigm shift in what makes security secure.


     Secure Messaging: Built on a Foundation of Trust
                Author Reserves All Rights                                                 2
The Current Environment
Although the well-accepted perimeter defense continues to have merit in any network
security architecture, businesses must increasingly extend information to remote
employees, partners and customers to be successful. In doing so, corporate data
becomes widely distributed across a diverse range of stationary and mobile computing
devices that have significant storage and networking capabilities. More often than not,
these devices hold confidential information that is not under the direct control of the
business owner. The integrity and privacy of sensitive data deployed across this type
of landscape creates an increasingly complex and spiraling information security
challenge. To say the least, this is a significant management risk for any organization
just as it is a very worthwhile and, in many cases, mandatory security mission.


The Need for Secure Messaging

In the paper-based world of business correspondence, companies rely upon a
number of guarantees for their transactions: confidentiality, that the contents remain
private; authenticity, that the document comes from the individual who signed it;
integrity, that the contents have not been modified since being signed; and non-
repudiation, that an individual cannot refute a signed transaction after the fact.

In electronic business communications these same guarantees remain important,
but must operate with much greater speed and sophistication than paper. Several
high-profile world events have driven the introduction and acceptance of numerous
information privacy, data protection and digital signature laws*, and the very
notion of what is secure and what is private has fallen under very close scrutiny and
formal government regulation. Businesses worldwide now have a responsibility to
make the protection and integrity of their information and messaging content a priority.

* Sample References:
1) UETA (Unified Electronic Transactions Act) – currently adopted into the laws of 47 US States
   and 3 US Provinces. Remaining States have individually created electronic signature laws.
2) Health Insurance Portability and Accountability Act (HIPAA), enacted by the U.S.
   Congress in 1996.
3) Gramm-Leach-Bliley Act (GLBA), 12 November, 1999.
4) European Union Directive on Electronic Signatures, 13 December, 1999.
5) ESIGN Act (Electronic Signatures in Global and National Commerce Act) – US Federal Law
   as of 30 June, 2000.
6) PIPEDA (Personal Information Protection and Electronic Documents Act), Canadian Law
   as of 13 April, 2000.
7) Sarbanes-Oxley Act, US Federal Law as of 30 July, 2002.
8) HITECH Act (Health Information Technology for Economic and Clinical Health Act), part of
   the American Recovery and Reinvestment Act of 2009.




Where Complexity Originates
This white paper focuses on business email (messaging). Once a casual means of
inter-departmental correspondence between colleagues, email owes its importance and
ubiquity to having very few limitations on use, content or network reach. Email is
relied upon for timely and accurate corporate information exchange, supports numerous
workflow applications, and is the platform of choice for a multitude of
commerce-enabled services that extend well beyond the enterprise control boundary.


Recognizing that email can transport large and often unmonitored amounts of
confidential data, and that tampering with unprotected email communications is
relatively easy, organizations are urged to aggressively investigate and manage their
email-bound content.


This is especially important in highly regulated business environments where
numerous government mandates and email-centric court decisions continue to
(re)define corporate responsibilities. Significant legal and financial penalties have
been directly attributable to mismanaged information and email content, making it vital
for organizations to not only understand these issues and risks but to implement
solutions that mitigate their consequences.


Unfortunately, while there is a genuine need for email security, few organizations have
secure email infrastructures, usage policies and monitoring practices in place.



Foundation Elements of Security
When considering any type of business-enabled application or process, enterprises
should plan for the six essential foundation elements of security: Trust, Authentication,
Privacy, Integrity, Non-Repudiation and Ease of Use.


Trust
From a security administrator’s viewpoint, not all users are to be created equal. Each
member of an organization should only be "trusted" with access to information that has
been classified and authorized for use according to their specific functional role,
management status or other approved authorization criteria. For example, a
message sent to a business partner must not contain information classified for use
only by the company’s executive team.



Security administrators implement levels of trust through Role-Based Access Controls
(RBAC) and Group Policies which are typically integrated with corporate directory (e.g.
Active Directory, LDAP) services. In conjunction with Digital Rights Management
(DRM) and/or Data Leak Prevention (DLP) applications, the authorized level of access
required for the use of digitally protected and classified content can be enforced
regardless of location or recipient.


Applying this to secure email, Trust is the overall foundation element established
between the message sender and recipient(s) through an assured, recognizable and
verifiable "identity." This can be accomplished through the use of identity verified
digital client certificates issued by a recognized and reputable Certificate Authority
(CA). In secure email, Trust is supported by the elements of Authentication, Integrity
and Privacy which are outlined in the next several paragraphs.


Authentication
In general, authentication is used to confirm the identity and authority of an individual
or device prior to granting access to an information or network resource.
Comprehensive and federated forms of multi-factor authentication (e.g. ID / password
supplemented by a digital client certificate or Token/PIN response) are often deployed
in enterprises, especially when remote access to sensitive information is provided to
employees, business partners or customers. Authentication solutions effectively
reduce the risk of information theft or misuse by enforcing access control and usage
authorization policies.


Authentication, as it may be applied to secure email, confirms the identity of a
message originator and message recipient(s) through the use of Public Key
Infrastructure (PKI) digital client certificates and S/MIME capable email client software.
Email authentication of the originator works by allowing the message recipient to test
the validity and identity of the applied digital certificate through the issuing Certificate
Authority’s (CA) Online Certificate Status Protocol (OCSP) and/or Certificate
Revocation List (CRL). Email client software (e.g. Microsoft Office Outlook®)
automatically performs this test, and will alert the recipient if the certificate status test
fails. This function enables a recipient to authenticate a digitally signed message with
assurance.
In reverse, authentication and access control of the intended recipient(s) is performed
through the use of public key encryption. An originator can ensure that only the
intended recipient will be able to read the message by applying encryption that is
uniquely decipherable by the recipient's private key. Here again, the third-party issuance
of certificates by a reputable CA represents a higher degree of assurance in the
authenticity of certificate holders. Working in tandem with other technologies (i.e.
encryption and digital signatures) and services (e.g. CA issuance practices) this
foundation element provides comprehensive protection throughout the entire email
creation, transmission, reception and storage process.


Privacy
Although email is an essential tool for increasing the productivity and efficiency of
employees, it’s susceptible to a wide range of threats – including interception by
malicious users. The transmission path over which email is routed and stored can be
an exceptionally open and easy invitation to eavesdropping and other malevolent
actions. As a result, privacy technologies are needed to ensure that messages are
only viewable and actionable by their intended recipient(s).


Email privacy protection is also established through encryption wherein the message
and attachments are "scrambled" before sending and "deciphered" upon reception.
This ensures that the message cannot be easily decoded at any point along its route.
End to end (client to client) email encryption rather than, or in addition to, server to
server encryption provides a higher degree of privacy, especially when local network
intrusions and other insider threats are on the rise.


Secure email that is based upon S/MIME (Secure / Multipurpose Internet Mail
Extensions) capable email clients and secure email certificates may be used
independently but work best within an overall enterprise PKI which can use the same
certificate for network and application access controls, as well as for applying
encryption and digital signatures to office documents, folders and files on network and
endpoint devices. Many businesses also take advantage of the speed and economy
of document workflow processes using certificate-based digital signatures for
authoritative approvals.
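As an added example (not from the paper), the end-to-end encryption described above, written in Go with only the standard library: a per-message AES-256-GCM key is wrapped with RSA-OAEP to the recipient's public key, so the body is decipherable only with the recipient's private key, wherever the message is routed or stored. The recipient names and message text are constructed; a real S/MIME client would take the public key from the recipient's certificate, which is omitted here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope stands in for an S/MIME enveloped message: the body encrypted under a one-time
// AES-256-GCM key, and that key wrapped with RSA-OAEP to the recipient's public key, so that
// only the matching private key can open it wherever the message is routed or stored.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// Seal encrypts body so that only the holder of the private key matching recipientPub can read it.
func Seal(body []byte, recipientPub *rsa.PublicKey) (*Envelope, error) {
	key := make([]byte, 32) // fresh symmetric key for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}, nil
}

// Open recovers the body. Any key other than the intended recipient's fails to unwrap the
// message key, and GCM's authentication tag rejects a ciphertext modified in transit.
func Open(env *Envelope, recipientKey *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientKey, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not the intended recipient: message key cannot be unwrapped")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext rejected: %w", err)
	}
	return body, nil
}

// constructedBody is the sample message used by Demo (constructed for the example).
const constructedBody = "Q3 forecast attached: revenue down 12%. Do not forward."

// Demo seals the constructed message to the intended recipient (alice) and returns what alice
// recovers, the error a third party (mallory) gets with her own key, and the error alice gets
// when the ciphertext was altered on the way. All keys are generated fresh for the example.
func Demo() (recovered string, wrongKey, altered error, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, nil, err
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, nil, err
	}
	env, err := Seal([]byte(constructedBody), &alice.PublicKey)
	if err != nil {
		return "", nil, nil, err
	}
	body, err := Open(env, alice)
	if err != nil {
		return "", nil, nil, err
	}
	_, wrongKey = Open(env, mallory) // mallory holds a different private key
	damaged := *env
	damaged.Ciphertext = append([]byte(nil), env.Ciphertext...)
	damaged.Ciphertext[0] ^= 0x01 // one flipped bit, as an in-transit modification
	_, altered = Open(&damaged, alice)
	return string(body), wrongKey, altered, nil
}

func main() {
	recovered, wrongKey, altered, err := Demo()
	fmt.Println(recovered, "|", wrongKey, "|", altered, "|", err)
}
```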


Integrity
One of the greatest strengths of electronic media is the ease with which content can
be created, altered and communicated. However, when viewed from a security
standpoint, these strengths can be a tremendous liability. Business transactions and
relationships must be built upon a foundation of trust wherein the originator and
recipient rely upon the transmitted information as not having been altered since
creation. Without integrity, electronically conveyed media cannot be trusted and, in
turn, can cause business relationships to suffer.


An effective means to establish the integrity of an email message is a cryptographic
procedure called hashing and signing. A secure hash algorithm produces a unique "hash"
(digest) of the message content, which is then encrypted with the originator's private
key. The signed hash can only be deciphered and validated by a recipient using the
originator's public key. If the signature decodes successfully and the recovered hash
matches a hash freshly computed over the received message, the recipient can be
reasonably assured that the message has not been altered.
Digital signatures confirm the integrity of secure email messages as well as the
originator’s identity. Digital signatures can also be applied to most other forms of
electronic media including word documents, spreadsheets, graphics and other types
of computer files as a means for a recipient (or originator) to confirm their integrity
since being signed, approved or stored.
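A worked example, added here and not part of the paper, of the recipient-side checks described in the Authentication and Integrity sections: the sender's certificate is validated against the issuing CA in the recipient's trust store, then the signed SHA-256 hash is verified with the certificate's public key. It uses Go's standard crypto/x509 and crypto/rsa packages; the CA names, addresses and message text are constructed, and the OCSP/CRL status lookup is omitted because it requires network access.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedMessage stands in for a signed S/MIME message: body, sender certificate (DER), signature.
type SignedMessage struct {
	Body, SenderDER, Signature []byte
}

// Sign hashes the body and encrypts the digest with the originator's private key
// (RSA PKCS#1 v1.5): the "signed hash" the paper describes.
func Sign(body []byte, senderCert *x509.Certificate, key *rsa.PrivateKey) (*SignedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Body: body, SenderDER: senderCert.Raw, Signature: sig}, nil
}

// Verify performs the recipient-side checks: Trust/Authentication (the sender's certificate
// chains to a CA in the recipient's trust store and is valid for email protection) and
// Integrity (the signature verifies over SHA-256 of the received body). OCSP/CRL is left out.
func Verify(msg *SignedMessage, roots *x509.CertPool, now time.Time) error {
	cert, err := x509.ParseCertificate(msg.SenderDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	// Recomputes SHA-256 over the received body and checks it against the signature
	// using the public key carried in the sender's certificate.
	if err := cert.CheckSignature(x509.SHA256WithRSA, msg.Body, msg.Signature); err != nil {
		return fmt.Errorf("integrity check failed: %w", err)
	}
	return nil
}

// must unwraps fixture-setup results; these errors cannot occur with a working random source.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCAAndSender builds a self-signed CA and has it issue an email-protection certificate
// to the sender. CA name and address are constructed for the example.
func newCAAndSender(caName, email string, now time.Time) (ca, sender *x509.Certificate, key *rsa.PrivateKey) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	key = must(rsa.GenerateKey(rand.Reader, 2048))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	sender = must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, ca, &key.PublicKey, caKey))))
	return ca, sender, key
}

// Demo runs the three cases a recipient's client must tell apart and returns each outcome:
// a genuine message (nil), a body altered in transit, and a signature under an untrusted CA (errors).
func Demo() (genuine, tampered, untrusted error) {
	now := time.Now()
	corpCA, senderCert, senderKey := newCAAndSender("Example Corp Root CA", "alice@example.com", now)
	roots := x509.NewCertPool() // the recipient's trust store holds only the corporate CA
	roots.AddCert(corpCA)
	body := []byte("Approve purchase order PO-1001 for 5,000 units.") // constructed message
	msg := must(Sign(body, senderCert, senderKey))
	genuine = Verify(msg, roots, now)
	forged := *msg // same certificate and signature, body altered in transit
	forged.Body = []byte("Approve purchase order PO-1001 for 50,000 units.")
	tampered = Verify(&forged, roots, now)
	// A well-formed signature under a CA the recipient never trusted fails the chain check first.
	_, rogueCert, rogueKey := newCAAndSender("Rogue CA", "alice@example.com", now)
	untrusted = Verify(must(Sign(body, rogueCert, rogueKey)), roots, now)
	return genuine, tampered, untrusted
}

func main() {
	g, t, u := Demo()
	fmt.Println("genuine:", g, "\ntampered:", t, "\nuntrusted:", u)
}
```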




*Graphic licensed according to Creative Commons Attribution ShareAlike 3.0
(http://creativecommons.org/licenses/by-sa/3.0/)

Non-Repudiation
Non-repudiation prevents an individual from refuting the content (obligation) of a
document or message that has been cryptographically encoded with their digital
signature.


Far beyond the scope of this white paper, the enforceability of non-repudiation for
business transactions is dependent upon many technical, physical and legal factors.
Collectively, however, the key security elements of authentication, privacy and
integrity can bolster its enforceability. Further, the authenticity asserted by a third-party
validation of the individual to whom a signature certificate has been issued, as well as
the security of the private key corresponding to the certificate from which the
digital signature originates, are all crucial to establishing an unencumbered
responsibility.


Similar to the Post Office, a Document Courier Service or Public Notary, there are
third-party eCommerce service providers that are beginning to manage and certify the
signature, transport integrity, receipt and opening of high-priority electronic
transactions. These services should begin to remove many of the legal concerns that
have delayed the benefits and enforceability of non-repudiation in electronic business
transactions.


Ease of Use
This last foundation element is sometimes overlooked, and can introduce significant
risk when not adequately designed. Organizations must not only develop sound
security measures, they must find ways to ensure consistent employee compliance.
Ease of use is necessary to prevent security applications from being willfully or
unintentionally circumvented. If users find security measures cumbersome and time-
consuming, they are likely to find ways to bypass them, thereby putting your
business at risk.


Organizations can facilitate consistent compliance through:
• Systematic Application - The solution should automatically enforce the security
  policy, preventing human error, willful abandonment or malicious action. The more
  transparent the security mechanism, the easier it is for end-users and the more likely
  they are to use and be protected by it. Ideally, compliance with security policies
  should eliminate the need for users to read detailed manuals and follow elaborate
  procedures.



• Commonality – Strive to find and use security mechanisms that can work across
  multiple business applications. For example, you can often use the same digital
  client certificate whether you want to secure email, sign or encrypt documents or
  files, or authenticate and establish remote communications over a virtual private
  network. PKI solutions were designed with all of the security fundamentals (Trust,
  Authentication, Privacy, Integrity, Non-Repudiation and Ease of Use) in mind.


Bringing it All Together
Beyond being a security deployment intended to protect company assets, the
mandatory use and benefits derived from secure email are essential for all
businesses. To reduce the level of risk (liability) associated with continuously
evolving threats and vulnerabilities, prevention-based security infrastructures must be
built upon a strong foundation comprised of the elements outlined in this paper.


Organizations spend significant amounts of effort and money on implementing
solutions "designed" to increase enterprise security, but sometimes neglect the effort
necessary to consider how a new technology must integrate with day-to-day user
tasks. The evaluation and benefits of any business application or process will always
be improved by incorporating user responsibilities and input during the formulation of
requirements, and throughout the assessment, implementation and monitoring of
solutions. All of the security and secure messaging technologies in the world will have
little effect if they lack acceptance, awareness and monitoring mechanisms to
complement their purpose.


Begin by fully evaluating the various uses, applications and devices associated with
email, as well as the security classifications, destinations (logical & physical) and
entities (i.e. internal or external) involved with the information being conveyed. This
will allow you to create a "utilization matrix" to assess the impact and risks that could
result from any potential vulnerability or threat (e.g. loss, theft, exploitation) to your
business. This form of risk management planning is very useful in defining usage
policies that complement and reinforce the selection of available technologies.


Businesses must act to protect specific legal and operational responsibilities, as well
as the value of their continued relationships with partners and customers. Whether
secure messaging technologies are currently deployed in an enterprise environment
or not, organizations are urged to craft, communicate and enforce email policies. Be
sure that all usage dimensions are considered, and be fanatical about user awareness
and support. This measure, alone, can go a long way in preventing many related
threats from harming your business.


The Reality of a Secure Messaging Infrastructure
Email is a prolific and important enterprise application, one that requires careful
security and legal considerations. With email usage and content being a potential risk
to an enterprise, security must be purposefully designed and managed. Solutions and
policies must be economical, complementary, easy to use and easy to enforce if
critical information is to be kept secure.


Just as they are a critical, manageable and real requirement for any security
architecture, the foundation elements of Trust, Authentication, Privacy, Integrity, Non-
repudiation and Ease of Use are key business enablers.


“We must plan for freedom, and not only for security, if for no other
reason than that only freedom can make security secure.”
- Karl Popper




About the Author

Len Gangi has been awarded scientific degrees and certifications in Electronics
Engineering and Business Administration from New York University and
Queensborough College. Formally qualified as a Certified Information Systems Auditor
(CISA) by ISACA, and as an examiner for the National Quality Award (Malcolm
Baldrige) program, Len is an eCommerce services and security professional with
extensive business, product and quality management experience.

Comments and suggestions are welcome via Len's LinkedIn profile at
http://www.linkedin.com/in/lengangi





Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxsalmonpybus
 

Similaire à Security Built Upon a Foundation of Trust (20)

Information security
Information securityInformation security
Information security
 
unit-1-is1.pptx
unit-1-is1.pptxunit-1-is1.pptx
unit-1-is1.pptx
 
Information security
Information securityInformation security
Information security
 
Understand Risk in Communications and Data Breach
Understand Risk in Communications and Data BreachUnderstand Risk in Communications and Data Breach
Understand Risk in Communications and Data Breach
 
1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC
 
1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC
 
Analysis the attack and E-commerce security
Analysis the attack and E-commerce securityAnalysis the attack and E-commerce security
Analysis the attack and E-commerce security
 
Ss
SsSs
Ss
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial Services
 
10 security problems unique to it
10 security problems unique to it10 security problems unique to it
10 security problems unique to it
 
10 security problems unique to it
10 security problems unique to it10 security problems unique to it
10 security problems unique to it
 
Why Passwords are not strong enough
Why Passwords are not strong enoughWhy Passwords are not strong enough
Why Passwords are not strong enough
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY -  unit 1CRYPTOGRAPHY & NETWORK SECURITY -  unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
 
cnsunit1-slide-220111071646 (1).pdf
cnsunit1-slide-220111071646 (1).pdfcnsunit1-slide-220111071646 (1).pdf
cnsunit1-slide-220111071646 (1).pdf
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Document Security in the Digital Age: Strategies for Protecting Sensitive Inf...
Document Security in the Digital Age: Strategies for Protecting Sensitive Inf...Document Security in the Digital Age: Strategies for Protecting Sensitive Inf...
Document Security in the Digital Age: Strategies for Protecting Sensitive Inf...
 
Strengthening Online Security with eSignatures.pdf
Strengthening Online Security with eSignatures.pdfStrengthening Online Security with eSignatures.pdf
Strengthening Online Security with eSignatures.pdf
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 

Security Built Upon a Foundation of Trust

Secure Messaging - built on a - Foundation of Trust

Len Gangi, CISA
17 October, 2009

“We must plan for freedom, and not only for security, if for no other reason than that only freedom can make security secure.”
The Open Society and Its Enemies (1945)
Karl Raimund Popper (28 July 1902 – 17 September 1994)

History Often Repeats Itself

Before the Internet was commonplace, enterprise networks were protected by a strategy developed during the Middle Ages. Just as feudal lords shielded their castles through the use of moats and drawbridges, security administrators protected their networks by limiting access to “trustworthy” individuals communicating over private lines with static firewalls. Both of these approaches focused their energy on preventing external threats from piercing reinforced and gated perimeters.

Obviously, this incorrectly presumed that valuable assets were always inside the secured perimeter and that all internal sources could be trusted. Facts speak differently today, with human error, sabotage, policy circumvention and physical theft headlining the list of data loss events, many of them involving “trusted” users and confidential data compromised while outside of the corporate castle and its feudal defense.

A Paradigm Shift

With the Internet having become a utility for businesses and individuals alike, innovative forms of communications and commerce continue to proliferate at an unprecedented rate. It is within this highly dynamic and robust environment that we continuously labor over how best to balance the constructive use and protection of confidential information, especially that which is transported and stored as email.

The key to building a business-enabled network is a strong foundation based upon the elements of trust, integrity and privacy. These elements must be pervasive and transparent, and should operate without confronting users with complex technical or procedural security demands. By closely integrating with a user’s daily tasks we can minimize the perceived need or ability to bypass essential safeguards. Most importantly, the security of these foundation elements and the information that they preserve must travel whenever and wherever protection is required. The Internet has not only raised the importance of security, it has also brought about a significant paradigm shift in what makes security secure.

Secure Messaging: Built on a Foundation of Trust. Author Reserves All Rights.
The Current Environment

Although the well-accepted perimeter defense continues to have merit in any network security architecture, businesses must increasingly extend information to remote employees, partners and customers to be successful. In doing so, corporate data becomes widely distributed across a diverse range of stationary and mobile computing devices that have significant storage and networking capabilities. More often than not, these devices hold confidential information that is not under the direct control of the business owner. The integrity and privacy of sensitive data deployed across this type of landscape creates an increasingly complex and spiraling information security challenge. To say the least, this is a significant management risk for any organization, just as it is a very worthwhile and, in many cases, mandatory security mission.

The Need for Secure Messaging

In the paper-based world of business correspondence, companies rely upon a number of guarantees for their transactions: confidentiality, that the contents remain private; authenticity, that the document comes from the individual who signed it; integrity, that the contents have not been modified since being signed; and non-repudiation, that an individual cannot refute a signed transaction after the fact. In electronic business communications these same guarantees remain important, but must operate with much greater speed and sophistication than paper.

As a result of several high-profile world events underlying the introduction and acceptance of numerous Information Privacy, Protection and Digital Signature laws*, the very notion of what is secure and what is private has fallen under very close scrutiny and formal government regulation. Businesses worldwide now have a responsibility to make the protection and integrity of their information and messaging content a priority.

* Sample References:
1) UETA (Unified Electronic Transactions Act) – currently adopted into the laws of 47 US States and 3 US Provinces. Remaining States have individually created electronic signature laws.
2) Health Insurance Portability and Accountability Act (HIPAA), enacted by the U.S. Congress in 1996.
3) Gramm-Leach-Bliley Act (GLBA), 12 November, 1999.
4) European Union Directive on Electronic Signatures, 13 December, 1999.
5) ESIGN Act (Electronic Signatures in Global and National Commerce Act) – US Federal Law as of 30 June, 2000.
6) PIPEDA (Personal Information Protection and Electronic Documents Act), Canadian Law as of 13 April, 2000.
7) Sarbanes-Oxley Act, US Federal Law as of 30 July, 2002.
8) HITECH Act (Health Information Technology for Economic and Clinical Health Act), part of the American Recovery and Reinvestment Act of 2009.
Where Complexity Originates

To focus this white paper on business email (messaging), once a casual means of inter-departmental correspondence between colleagues, we must first acknowledge that its importance and ubiquity stem from email having very few limitations on use, content or network reach. Email is relied upon for timely and accurate corporate information exchange, supports numerous workflow applications, and is the platform of choice for a multitude of commerce-enabled services that extend well beyond the enterprise control boundary.

Recognizing that email can transport large and often unmonitored amounts of confidential data, and that tampering with unprotected email communications is relatively easy, organizations are urged to aggressively investigate and manage their email-bound content. This is especially important in highly regulated business environments where numerous government mandates and email-centric court decisions continue to (re)define corporate responsibilities. Significant legal and financial penalties have been directly attributable to mismanaged information and email content, making it vital for organizations not only to understand these issues and risks but to implement solutions that mitigate their consequences. Unfortunately, while there is a genuine need for email security, few organizations have secure email infrastructures, usage policies and monitoring practices in place.

Foundation Elements of Security

When considering any type of business-enabled application or process, enterprises should plan for the six essential foundation elements of security: Trust, Authentication, Privacy, Integrity, Non-Repudiation and Ease of Use.

Trust

From a security administrator’s viewpoint, not all users are created equal. Each member of an organization should only be “trusted” with access to information that has been classified and authorized for use according to their specific functional role, management status or other approved authorization criteria. For example, a message sent to a business partner must not contain information classified for use only by the company’s executive team.
Security administrators implement levels of trust through Role-Based Access Controls (RBAC) and Group Policies, which are typically integrated with corporate directory services (e.g. Active Directory, LDAP). In conjunction with Digital Rights Management (DRM) and/or Data Leak Prevention (DLP) applications, the authorized level of access required for the use of digitally protected and classified content can be enforced regardless of location or recipient.

Applying this to secure email, Trust is the overall foundation element established between the message sender and recipient(s) through an assured, recognizable and verifiable “identity.” This can be accomplished through the use of identity-verified digital client certificates issued by a recognized and reputable Certificate Authority (CA). In secure email, Trust is supported by the elements of Authentication, Integrity and Privacy, which are outlined in the next several paragraphs.

Authentication

In general, authentication is used to confirm the identity and authority of an individual or device prior to granting access to an information or network resource. Comprehensive and federated forms of multi-factor authentication (e.g. ID / password supplemented by a digital client certificate or Token/PIN response) are often deployed in enterprises, especially when remote access to sensitive information is provided to employees, business partners or customers. Authentication solutions effectively reduce the risk of information theft or misuse by enforcing access control and usage authorization policies.

Authentication, as it may be applied to secure email, confirms the identity of a message originator and message recipient(s) through the use of Public Key Infrastructure (PKI) digital client certificates and S/MIME-capable email client software. Email authentication of the originator works by allowing the message recipient to test the validity and identity of the applied digital certificate through the issuing Certificate Authority’s (CA) Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL). Email client software (e.g. Microsoft Office Outlook®) automatically performs this test, and will alert the recipient if the certificate status test fails. This function enables a recipient to authenticate a digitally signed message with assurance.

In reverse, authentication and access control of the intended recipient(s) is performed through the use of public key encryption. An originator can ensure that only the intended recipient will be able to read the message by applying encryption that is uniquely decipherable by the recipient’s private key. Here again, the third-party issuance of certificates by a reputable CA represents a higher degree of assurance in the authenticity of certificate holders. Working in tandem with other technologies (i.e. encryption and digital signatures) and services (e.g. CA issuance practices), this foundation element provides comprehensive protection throughout the entire email creation, transmission, reception and storage process.

Privacy

Although email is an essential tool for increasing the productivity and efficiency of employees, it is susceptible to a wide range of threats, including interception by malicious users. The transmission path over which email is routed and stored can be an exceptionally open and easy invitation to eavesdropping and other malevolent actions. As a result, privacy technologies are needed to ensure that messages are only viewable and actionable by their intended recipient(s).

Email privacy protection is also established through encryption, wherein the message and attachments are “scrambled” before sending and “deciphered” upon reception. This ensures that the message cannot be easily decoded at any point along its route. End-to-end (client-to-client) email encryption, rather than or in addition to server-to-server encryption, provides a higher degree of privacy, especially when local network intrusions and other insider threats are on the rise.

Secure email that is based upon S/MIME (Secure / Multipurpose Internet Mail Extensions) capable email clients and secure email certificates may be used independently, but works best within an overall enterprise PKI, which can use the same certificate for network and application access controls as well as for applying encryption and digital signatures to office documents, folders and files on network and endpoint devices.
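The certificate test that the Trust and Authentication sections describe (chain the sender's certificate to a recognized CA, then consult the CA's revocation list) is shown below as an added Go example; it is not code from the white paper or from any product it mentions. It builds a throwaway mail CA, issues two S/MIME client certificates, publishes a CRL that revokes one of them, and adds a self-signed certificate with no CA behind it. The names BuildPKI, CheckSender, the addresses and the serial numbers are all constructed for the example; it assumes Go 1.19 or later for x509.ParseRevocationList, and everything runs in memory with no network access.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds the constructed fixtures: a trusted mail CA, its CRL and three test certificates.
type PKI struct {
	CA                    *x509.Certificate
	CRL                   *x509.RevocationList
	Alice, Revoked, Rogue *x509.Certificate
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a CA certificate, or an S/MIME client certificate carrying the
// holder's e-mail address as a SAN and the e-mail protection extended key usage.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.EmailAddresses = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	return t
}

// issue signs t with the parent's key, or self-signs it when parent is nil.
func issue(t, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildPKI constructs everything in memory; nothing is fetched from a network.
func BuildPKI() *PKI {
	ca, caKey := issue(template("Example Mail CA", 1, true), nil, nil)
	alice, _ := issue(template("alice@example.com", 2, false), ca, caKey)
	carol, _ := issue(template("carol@example.com", 3, false), ca, caKey)
	rogue, _ := issue(template("alice@example.com", 4, false), nil, nil) // self-signed, no CA behind it
	// The CA publishes a signed CRL naming carol's serial; a client fetches and checks it.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: carol.SerialNumber, RevocationTime: time.Now()}},
	}, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	return &PKI{CA: ca, CRL: crl, Alice: alice, Revoked: carol, Rogue: rogue}
}

// CheckSender is the test an S/MIME client runs before trusting a signed message:
// chain the certificate to a trusted root with the e-mail protection usage, then
// consult the issuer's CRL (signed by the CA and still current) for its serial.
func CheckSender(p *PKI, cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain does not reach a trusted CA: %w", err)
	}
	if err := p.CRL.CheckSignatureFrom(p.CA); err != nil || time.Now().After(p.CRL.NextUpdate) {
		return fmt.Errorf("CRL unusable (signature: %v, NextUpdate: %s); fetch a fresh one first", err, p.CRL.NextUpdate)
	}
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s has been revoked by its CA", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	p := BuildPKI()
	for name, c := range map[string]*x509.Certificate{"alice": p.Alice, "revoked": p.Revoked, "rogue": p.Rogue} {
		fmt.Printf("%-8s %v\n", name, CheckSender(p, c))
	}
}
```

CheckSender returns nil only for alice's certificate; carol's fails on the CRL lookup and the self-signed certificate fails at chain building, which is the "certificate status test" an email client performs automatically. Two points the example leaves to the reader: OCSP is the online counterpart of the CRL check and follows the same logic (ask the CA, refuse when the answer is missing, stale or unsigned), and a real client also matches the message's From address against the certificate's e-mail SAN, since a valid certificate for the wrong address is still the wrong identity.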
Many businesses also take advantage of the speed and economy of document workflow processes using certificate-based digital signatures for authoritative approvals.

Integrity

One of the greatest strengths of electronic media is the ease with which content can be created, altered and communicated. However, when viewed from a security standpoint, these strengths can be a tremendous liability. Business transactions and relationships must be built upon a foundation of trust wherein the originator and recipient rely upon the transmitted information as not having been altered since creation. Without integrity, electronically conveyed media cannot be trusted and, in turn, can cause business relationships to suffer.

An effective means to establish the integrity of an email message is through a cryptographic checksum procedure called hashing or signing. A secure algorithm is used to create a unique “hash” of the message content that is then encrypted with the originator’s private key. The signed hash can only be deciphered and validated by a recipient using the originator’s public key. If the hash signature successfully decodes and matches the hash the recipient computes over the received content, the recipient can be reasonably assured that the message has not been altered. Digital signatures confirm the integrity of secure email messages as well as the originator’s identity. Digital signatures can also be applied to most other forms of electronic media, including Word documents, spreadsheets, graphics and other types of computer files, as a means for a recipient (or originator) to confirm their integrity since being signed, approved or stored.

*Graphic licensed according to Creative Commons Attribution ShareAlike 3.0 (http://creativecommons.org/licenses/by-sa/3.0/)
Non-Repudiation

Non-repudiation prevents an individual from refuting the content (obligation) of a document or message that has been cryptographically encoded with their digital signature. Far beyond the scope of this white paper, the enforceability of non-repudiation for business transactions depends upon many technical, physical and legal factors. Collectively, however, the key security elements of authentication, privacy and integrity can bolster its enforceability. Further, the authenticity asserted by a third-party validation of the individual to whom a signature certificate has been issued, as well as the security of the private key that corresponds to the public certificate from which the digital signature originates, are all crucial to establishing an unencumbered responsibility.

Similar to the Post Office, a Document Courier Service or Public Notary, there are third-party eCommerce service providers that are beginning to manage and certify the signature, transport integrity, receipt and opening of high-priority electronic transactions. These services should begin to remove many of the legal concerns that have delayed the benefits and enforceability of non-repudiation in electronic business transactions.

Ease of Use

This last foundation element is sometimes overlooked, and can introduce significant risk when not adequately designed. Organizations must not only develop sound security measures, they must find ways to ensure consistent employee compliance. Ease of use is necessary to prevent security applications from being willfully or unintentionally circumvented. If users find security measures cumbersome and time-consuming, they are likely to find ways to bypass them, thereby putting your business at risk. Organizations can facilitate consistent compliance through:

• Systematic Application – The solution should automatically enforce the security policy, preventing human error, willful abandonment or malicious action. The more transparent the security mechanism, the easier it is for end-users and the more likely they are to use and be protected by it. Ideally, compliance with security policies should eliminate the need for users to read detailed manuals and follow elaborate procedures.

• Commonality – Strive to find and use security mechanisms that can work across multiple business applications. For example, you can often use the same digital client certificate whether you want to secure email, sign or encrypt documents or files, or authenticate and establish remote communications over a virtual private network. PKI solutions were designed with all of the security fundamentals (Trust, Authentication, Privacy, Integrity, Non-Repudiation and Ease of Use) in mind.

Bringing it All Together

Beyond being a security deployment intended to protect company assets, the mandatory use of secure email and the benefits derived from it are essential for all businesses. To reduce the level of risk (liability) associated with continuously evolving threats and vulnerabilities, prevention-based security infrastructures must be built upon a strong foundation comprised of the elements outlined in this paper. Organizations spend significant amounts of effort and money on implementing solutions “designed” to increase enterprise security, but sometimes neglect the effort necessary to consider how a new technology must integrate with day-to-day user tasks. The evaluation and benefits of any business application or process will always be improved by incorporating user responsibilities and input during the formulation of requirements, and throughout the assessment, implementation and monitoring of solutions. All of the security and secure messaging technologies in the world will have little effect if they lack the acceptance, awareness and monitoring mechanisms to complement their purpose.

Begin by fully evaluating the various uses, applications and devices associated with email, as well as the security classifications, destinations (logical & physical) and entities (i.e. internal or external) involved with the information being conveyed. This will allow you to create a “utilization matrix” to assess the impact and risks that could result from any potential vulnerability or threat (e.g. loss, theft, exploitation) to your business. This form of risk management planning is very useful in defining usage policies that complement and reinforce the selection of available technologies. Businesses must act to protect specific legal and operational responsibilities, as well as the value of their continued relationships with partners and customers. Whether secure messaging technologies are currently deployed in an enterprise environment or not, organizations are urged to craft, communicate and enforce email policies. Be sure that all usage dimensions are considered, and be fanatical about user awareness and support. This measure, alone, can go a long way in preventing many related threats from harming your business.

The Reality of a Secure Messaging Infrastructure

Email is a prolific and important enterprise application, one that requires careful security and legal considerations. With email usage and content being a potential risk to an enterprise, security must be purposefully designed and managed. Solutions and policies must be economical, complementary, easy to use and easy to enforce if critical information is to be kept secure. Just as they are a critical, manageable and real requirement for any security architecture, the foundation elements of Trust, Authentication, Privacy, Integrity, Non-repudiation and Ease of Use are key business enablers.

“We must plan for freedom, and not only for security, if for no other reason than that only freedom can make security secure.” - Karl Popper

About the Author

Len Gangi has been awarded scientific degrees and certifications in Electronics Engineering and Business Administration from New York University and Queensborough College. Formally qualified as a Certified Information Systems Auditor (CISA) by ISACA, and as an examiner for the National Quality Award (Malcolm Baldrige) program, Len is an eCommerce services and security professional with extensive business, product and quality management experience. Comments and suggestions are welcome via Len's LinkedIn profile at http://www.linkedin.com/in/lengangi