Securing Email before the advent of Data-Centric Security
Teleworking, public and home networks, personal devices, and cloud email services have combined to make email the dominant source of security and information breaches. On the one hand, spam, malware and spyware are increasingly making their way into the enterprise; on the other hand, confidential information shared even among internal employees is winding up on unmanaged personal devices. Daily collaboration with external parties such as partners, vendors, and customers has escalated the problem of addressing security, visibility, and compliance.
Enterprises have hitherto focused on inspecting and blocking emails at the “perimeter” of the enterprise, which in turn breaks business process flows. Conversely, merely monitoring the flow of sensitive information via email places the enterprise in a reactive security paradigm, chasing data and the “bad actors” after the data has already left the organization.
Email encryption technologies have existed for a long time; however, high user involvement and clunky key exchange mechanisms have hindered large-scale adoption. They also create a false sense of security, since the email is only secured in transit: once the email has been decrypted, the sender no longer has any control over what happens to the information and has zero visibility into what the recipient is doing with it.
Enter persistent data-centric security (DCS)
DCS has evolved from the encryption and digital rights management (DRM) technologies of the past. DCS extends encryption by adding a security policy which controls the four “W’s” of data: 1) “WHO” can access the information (people, groups, within or outside the enterprise), 2) “WHAT” they can do with the information (view, edit, print, copy/paste, share, screen capture, etc.), 3) “WHEN” the information can be accessed (a specific date/time range), and 4) “WHERE” the information can be accessed from (geo-fencing). Not only can the DCS system control information usage based on the four “W’s”, it can also audit WHO did WHAT with the information, WHEN and from WHERE. This data-centric audit (DCA) is extremely useful in meeting regulations like ITAR/EAR and GDPR, which are themselves data-centric regulations.
“Seclore-It” - Protection Beyond Encryption
“Best of Breed” Email Protection
Seclore is a Fabric-Ready partner in Fortinet’s Open Fabric Ecosystem. Together with Fortinet, Seclore provides best-of-breed joint solutions, including Seclore DCS and the FortiMail Secure Email Gateway, to address threat and data protection concerns. Where FortiMail stops volume-based and targeted cyber threats to help secure the dynamic enterprise attack surface and helps maintain compliance with regulations, Seclore DCS protects incoming and outgoing email from data breaches by attaching persistent encryption and the “four W” security policy (a.k.a. Seclore-It) to all confidential information.
The integrated solution achieves comprehensive threat and data protection by tagging any incoming or outgoing email as confidential and automatically “Secloring” the email. This is done with no human involvement by the sender, recipient, or the email administrator, which lets the system deliver value at scale, instantaneously. The ability to “Seclore” both outgoing and incoming emails ensures that confidential data flowing in either direction can be protected and tracked. Perhaps the most important aspect of this combination is that it works across all email systems and all devices, without any of the users needing to download or install special software to access their email.
The combination of Fortinet FortiMail’s scanning and discovery, along with Seclore’s Email Encryption Plus, ensures information which leaves (or enters) the enterprise is always protected, trackable and revocable. Leveraging FortiMail’s configurable business logic, sensitive emails can be rerouted through Seclore’s Mail Transfer Agent (MTA) to automate granular Rights Management.
Delivered either on-premises or in the cloud, the functionality of the joint solution is summarized in the illustration below.
Ease of Integration
Integration is achieved through the simple configuration of Seclore’s Mail Transfer Agent (MTA). Any number of rules can be defined, each of which starts with a “Condition”. The “Condition” can be based upon the Sender, Recipient, Subject Line, or, in most cases, an “X-Header” (for example one set by FortiMail), and when it matches it triggers the “Action”.
The “Action” performs the protection, which can cover the attachments and/or the body of the email itself. The “Action” can assign the “Owner” of the email, which can be the Sender or a pre-defined user. The “Action” can also assign the Recipients, which can be the users initially provided by the Sender, or selected users. Finally, the “Action” invokes the protection itself, i.e. the four “W’s” referred to previously.
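The Condition → Action flow described above, modelled as an added example (this is not Seclore’s or Fortinet’s code, and the header name `X-Classification`, the rule fields and the sample message are constructed for illustration). Each rule carries a condition over the parsed message headers; the first matching rule decides the owner (Sender or a pre-defined user), the recipients (those on the message or a fixed list) and the four-W policy attached to the mail.

```python
"""Added example (not Seclore's or Fortinet's code): a minimal model of the
MTA rule flow, Condition -> Action. Rule fields, the X-Header name and the
sample message are assumptions made for illustration."""
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from typing import Callable, List, Optional

# Constructed sample message, as the MTA might receive it after the gateway
# has tagged it with an X-Header (header name is an assumption).
SAMPLE_EMAIL = """\
From: alice@example.com
To: bob@partner.example, carol@partner.example
Subject: Q3 pricing sheet
X-Classification: Confidential
Content-Type: text/plain

Please find the pricing attached.
"""


@dataclass
class Rule:
    name: str
    condition: Callable[[Message], bool]
    owner: Optional[str] = None           # None -> the Sender becomes the owner
    recipients: Optional[List[str]] = None  # None -> recipients taken from the message
    policy: dict = field(default_factory=dict)  # the four W's to attach


@dataclass
class ProtectedMail:
    owner: str
    recipients: List[str]
    policy: dict
    rule: str  # which rule fired, useful for the audit trail


def header_equals(name: str, value: str) -> Callable[[Message], bool]:
    """Condition on an arbitrary header such as an X-Header."""
    return lambda msg: (msg.get(name) or "").strip().lower() == value.lower()


def subject_contains(word: str) -> Callable[[Message], bool]:
    """Condition on the Subject line."""
    return lambda msg: word.lower() in (msg.get("Subject") or "").lower()


def apply_rules(raw: str, rules: List[Rule]) -> Optional[ProtectedMail]:
    """Evaluate rules in order; the first matching Condition triggers its Action."""
    msg = message_from_string(raw)
    for rule in rules:
        if rule.condition(msg):
            owner = rule.owner or msg["From"]
            recipients = rule.recipients or [
                a.strip() for a in (msg.get("To") or "").split(",") if a.strip()
            ]
            return ProtectedMail(owner, recipients, dict(rule.policy), rule.name)
    return None  # no Condition matched: the mail is delivered unchanged


# Constructed rule set: gateway tag first, then a subject-based fallback.
RULES = [
    Rule("confidential-header",
         header_equals("X-Classification", "Confidential"),
         policy={"who": "recipients", "what": ["view"], "when_days": 30,
                 "where": ["US", "DE"]}),
    Rule("subject-pricing",
         subject_contains("pricing"),
         owner="dataowner@example.com",
         policy={"who": "recipients", "what": ["view", "print"],
                 "when_days": 7, "where": None}),
]

if __name__ == "__main__":
    print(apply_rules(SAMPLE_EMAIL, RULES))
```

Rules are evaluated top to bottom, so the gateway’s classification header should be listed before any weaker fallback condition; otherwise a broad subject rule could assign a looser policy to a message the gateway already marked as confidential.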
Seclore’s MTA Configuration Screen
Now that the file has been protected, downstream access to the file is managed by Seclore’s policy engine. Policy-based access decisions can depend on end-user location, data type, user group, time of day, or any combination of policy choices. The key principle is that the file stays protected regardless of where it goes, enforced by a Seclore policy that the organization sets. Whenever a user accesses the file, an audit trail is recorded, so that organizations can be confident the data is properly protected. The audit logs show both allows and denies, completing the data visibility requirements.
One last concern: if a file is “lost”, if access must be restricted to files that are no longer under direct control (such as when a user leaves the company), or if the organization simply wants to update policies on protected files, the policy on those files can be updated dynamically. This addresses a major data loss concern that companies have with cloud service providers and with general data use by remote users. Ensuring files are always protected, regardless of scenario, is simple to achieve with Seclore by updating the policy. Once the policy has been updated, even files on a thumb drive stuffed in a drawer are re-protected from accidental or intentional disclosure.
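A toy policy engine for the behaviour described in the two paragraphs above, added as an example (not Seclore’s code): every access to a protected file is checked live against the four W’s, each allow or deny is written to a data-centric audit trail, and the owner can widen, narrow or revoke the policy after the file has left the organization. The file identifier, user names, country codes and dates are constructed for illustration; a real deployment would also authenticate the user and bind the file identifier to the encrypted content.

```python
"""Added example (not Seclore's code): a toy four-W policy engine with audit
and dynamic policy updates. All identifiers and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    who: Set[str]                       # identities allowed to open the file
    what: Set[str]                      # permitted actions: view, edit, print, ...
    when: Tuple[datetime, datetime]     # (not_before, not_after), aware datetimes
    where: Optional[Set[str]]           # allowed country codes; None = anywhere


@dataclass
class AccessRequest:
    user: str
    action: str
    at: datetime
    country: str


class PolicyServer:
    """Policies live centrally and are consulted on every open, so a change
    here takes effect for every copy of the file, wherever it is."""

    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {}
        self.audit: List[dict] = []  # who did what, when, from where, and the result

    def protect(self, file_id: str, policy: Policy) -> None:
        self.policies[file_id] = policy

    def update(self, file_id: str, **changes) -> None:
        """Dynamic policy update, e.g. widening WHAT or shrinking WHO."""
        policy = self.policies[file_id]
        for key, value in changes.items():
            setattr(policy, key, value)

    def revoke(self, file_id: str) -> None:
        """Nobody can open the file any more, including copies already sent out."""
        self.policies[file_id].who = set()

    def check(self, file_id: str, req: AccessRequest) -> bool:
        """Evaluate the four W's in order; record the outcome in the audit trail."""
        policy = self.policies.get(file_id)
        reason = None
        if policy is None:
            reason = "UNKNOWN-FILE"
        elif req.user not in policy.who:
            reason = "WHO"
        elif req.action not in policy.what:
            reason = "WHAT"
        elif not (policy.when[0] <= req.at <= policy.when[1]):
            reason = "WHEN"
        elif policy.where is not None and req.country not in policy.where:
            reason = "WHERE"
        self.audit.append({
            "file": file_id, "user": req.user, "action": req.action,
            "at": req.at.isoformat(), "country": req.country,
            "result": "ALLOW" if reason is None else f"DENY:{reason}",
        })
        return reason is None


def demo() -> Tuple[List[bool], List[dict]]:
    """Constructed walk-through: allow, three denies, a widened policy, a revocation."""
    server = PolicyServer()
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    end = datetime(2024, 1, 31, tzinfo=timezone.utc)
    server.protect("pricing.xlsx", Policy(who={"bob@partner.example"}, what={"view"},
                                          when=(start, end), where={"US", "DE"}))
    mid = datetime(2024, 1, 15, tzinfo=timezone.utc)
    bob, mallory = "bob@partner.example", "mallory@example.net"
    results = [
        server.check("pricing.xlsx", AccessRequest(bob, "view", mid, "US")),     # ALLOW
        server.check("pricing.xlsx", AccessRequest(bob, "print", mid, "US")),    # DENY:WHAT
        server.check("pricing.xlsx", AccessRequest(bob, "view", mid, "CN")),     # DENY:WHERE
        server.check("pricing.xlsx", AccessRequest(mallory, "view", mid, "US")), # DENY:WHO
    ]
    server.update("pricing.xlsx", what={"view", "print"})                        # owner widens WHAT
    results.append(server.check("pricing.xlsx", AccessRequest(bob, "print", mid, "US")))  # ALLOW
    server.revoke("pricing.xlsx")                                                # e.g. partner offboarded
    results.append(server.check("pricing.xlsx", AccessRequest(bob, "view", mid, "US")))   # DENY:WHO
    return results, server.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The audit entries carry the denied dimension, which is what security operations needs when following the access history of a file: a run of `DENY:WHERE` entries for one user looks very different from a single `DENY:WHEN` after a policy window expired.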
This article has addressed several notable concerns for customers involved in daily collaboration. Important and sensitive data can now be protected effortlessly as it travels to its ultimate destination. The organization can prove to auditors that the data was protected and continues to be protected. Security operations can track incidents and follow the access history of files. Finally, the joint solution is easy to use and enables businesses to conduct business confidently and securely.