Slide 1: Zertificon Solutions GmbH presents SecureMail, Germany's hardest-working virtual mailroom (Virtuelle Poststelle)
Security Breakfast of Pallas GmbH, 21 October 2011
Slide 2: Zertificon Solutions GmbH, Object of the Company
Zertificon Solutions develops and sells software that simplifies the use of security technologies such as encryption, electronic signatures and certificate management. The IT security products are aimed at professional users in companies and institutions and stand out through comfortable operation and optimal administration effort. The core product, SecureMail Gateway, protects an organization's entire e-mail traffic through central encryption and electronic signatures.
SecureMail, 2010 Zertificon Solutions GmbH, slide 2
Slide 3: Zertificon Solutions GmbH, Facts & Figures
- Start of the business: 1998
- Start of the development of the system: 1999
- Market launch of the system: 2001
- Awards: Best Product of Internet World 2002; IT-Sicherheitspreis NRW 2005
- Number of employees: 31 (management board: 2; sales/marketing: 6; professional service: 6; development/quality management: 12; administration: 5)
- Service/support: by default 9:00 to 18:00 CET/CEST, Monday to Friday, with a maximum response time of 4 hours from professional staff
Slide 4: References, Finance/Insurance
SecureMail product family: over 300 installations in productive use!
- Allianz Suisse
- UniVersa
- LBBW Landesbank Baden-Württemberg (incl. Rheinland-Pfalz and Sachsen)
- Liechtensteinische Landesbank
- SüdFactoring
- DSGV Deutsche Sparkassen- und Giro-Verband
- S-ProFinanz Köln / Bonn
- GaVI Gesellschaft für angewandte Versicherungs-Informatik GmbH and its network partners
- Öffentliche Versicherung Braunschweig
- Lippische Landes-Brandversicherungsanstalt
- IVV Informationsverarbeitung für Versicherungen
- Deutsche Leasing
Slide 5: References, Industry/Retail
SecureMail product family: over 300 installations in productive use!
- Otto GmbH & Co. KG
- bon prix Handelsgesellschaft mbH
- Lidl Stiftung & Co. KG
- REWE Informationssysteme GmbH
- Fielmann AG
- Weseler Teppich GmbH & Co. KG
- Nordmilch AG
- Nordzucker AG
- Martin Braun Backmittel und Essenzen KG
- Stiftung Warentest
Slide 6: References, Health Care
SecureMail product family: over 300 installations in productive use!
- St. Joseph Krankenhaus Tempelhof
- Privat-Nerven-Klinik Dr. med. Kurt Fontheim
- gematik
- BKK Verkehrsbau Union
- AOK Berlin
- Boehringer Ingelheim Pharma
- DiaMed Diagnostika
- LTS Lohmann Therapie System
- Biodenta Swiss (CH)
- SWICA Gesundheitsorganisation (CH)
Slide 7: References, Energy
SecureMail product family: over 300 installations in productive use!
- EnBW Energieversorger Baden-Württemberg
- GDF Suez (Belgium, Germany)
- Gazprom Germania
- EVN AG Energieversorgung Niederösterreich
- MIDEWA Wasserversorgung in Mitteldeutschland
- DREWAG Stadtwerke Dresden
- Stadtwerke Bonn, Düsseldorf, Erfurt, Georgsmarienhütte, Leipzig, Menden, Mühlhausen, Solingen, St. Ingbert, Weinheim, Witten, Magdeburg
- Energie und Wasser Potsdam GmbH
- 24/7 Services GmbH
- LEW Lechwerke AG
- REWAG Regensburger Energie- und Wasserversorgung
Slide 8: References, Finance/Insurance
SecureMail product family: over 300 installations in productive use!
- Bayern Invest
- Investitions- und Strukturbank Rheinland-Pfalz
- Investitionsbank des Landes Brandenburg
- Süd-West-Kreditbank Finanzierung
- VÖB Bundesverband Öffentlicher Banken
- VÖB Service GmbH
- VÖB ZVD Bank
Slide 9: References, Public Services
SecureMail product family: over 300 installations in productive use!
- All Lotto/Toto companies (except Mecklenburg-Vorpommern)
- Hochtaunuskreis and Main-Kinzig-Kreis
- Districts of Mittelsachsen and Oberhavel
- Landratsamt Lichtenfels
- Senatsverwaltung für Wirtschaft, Arbeit und Frauen (Berlin)
- Stadt Bernau
- Norsk Tipping AS (NO)
- Gemeente Rotterdam (NL)
- Liechtensteinische Landesverwaltung (FL)
- Wirtschaftsprüferkammer
- State licence for Brandenburg
- State licence for Sachsen
- State licence for Bayern
Slide 10: Do you know who is reading your e-mail traffic?
Slide 11: E-Mail Security Facts, Introduction
- ASW¹ expects damage of 30 billion from industrial espionage for 2008
- IDC² determined in Q4 2008 that:
  - 85% of respondents were extremely concerned about data loss via e-mail
  - 28% had already implemented security solutions
  - 60% were planning to invest more in e-mail security
Footnotes:
¹ Arbeitsgemeinschaft für Sicherheit der Wirtschaft
² Securing Email Against Today's Threats: A Wake Up Call on the Benefits of Comprehensive Messaging Security
Slide 12: What Does IT Security Mean for the End Customer in Germany? Legal requirements for IT security in companies
- KonTraG (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich): through section 91, paragraph 2 of the German Stock Companies Act, it created legal obligations to establish effective IT security structures. The management board is personally liable for damages due to missing or insufficient IT security.
- TKG (Telekommunikationsgesetz): section 88 of the TKG obligates the protection of the secrecy of telecommunications.
- BDSG (Bundesdatenschutzgesetz): on the basis of section 9 of the BDSG, data processors are obligated to establish security structures.
Slide 13: What Does IT Security Mean for the End Customer Internationally? Economic necessities in companies
- Basel II Accord (recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision): according to the recommendations of Basel II, the amount to deposit for particular bank credits is to be rated according to the risk of default in the individual case. The calculation of a company's operational risk also includes IT-security-specific security ratings. Result: the higher the attestable IT security level, the better the credit terms when the loan is granted.
- SOX (Sarbanes-Oxley Act of 2002): compliance with SOX sets high standards for the transparency and auditability of corporate IT.
Slide 14: Conventional E-Mail Security with PKI: Too Complex for End Users
Diagram terms the end user is confronted with: CRL, trust center, LDAP, OCSP, PGP, PKI, certificate, S/MIME
Slide 15: Conventional E-Mail Security with PKI: Too Costly for Companies
- client installation
- central antivirus protection not possible
- user support
- user training
Slide 16: The Innovative, Easy-to-Use Solution: SecureMail
Standard features:
- e-mail encryption
- electronic signature for e-mail
- password-based encryption
Product variants:
- SecureMail Gateway
- SecureMail Messenger
- SecureMail Easy
Enterprise Extensions / product extensions (optional):
- HSM Connector
- CA Connector (incl. Onboard CA)
- ERP Connector
- Hardware Security Module integration
- High Volume/Automation Activation
- Clustering (high availability, scalability, ...)
Slide 17: SecureMail Station/Gateway, Technically Speaking
SecureMail works as an SMTP proxy between the e-mail server and the firewall. Diagram: e-mail clients, e-mail server, SecureMail, firewall, Internet.
Slide 18: AS/AV Integration
Slide 19: Compatible with All Forms of E-Mail Standards
Slide 20: Encryption and Hash Algorithms
All encryption and hash algorithms of OpenSSL (S/MIME) and GnuPG (OpenPGP) are supported!
- Symmetric encryption algorithms for S/MIME: AES-256, AES-192, AES-128; RC2-128, RC2-64, RC2-40; DES, Triple DES
- Symmetric encryption algorithms for OpenPGP: AES-256, AES-192, AES-128; TWOFISH; BLOWFISH; CAST5; Triple DES
- Asymmetric encryption algorithm: RSA is supported up to a key length of 4096 bits, as well as ElGamal (OpenPGP)!
- Hash algorithms: SHA-1 (224, 256); MD2, MD5; MDC2; RMD-160
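A list like the one above says what the toolkit can do, not what a gateway should emit: DES, RC2-40 and MD5 are supported by OpenSSL but are not algorithms a 2011 policy should still choose, and the gateway has to pick one algorithm per recipient from whatever that recipient supports. The following Python is an added example, not Zertificon's code; the preference order, the deny lists, the default suite and the capability strings are assumptions made for the example. It selects the strongest mutually supported cipher and digest from a recipient's advertised capabilities and fails closed when the recipient offers only denied algorithms.

```python
"""Algorithm selection policy for an e-mail encryption gateway.

Added example; the algorithm names follow the S/MIME list on the slide,
while the preference order, deny lists and defaults are assumptions.
"""
from typing import Iterable, Optional, Tuple


class NoCommonAlgorithm(ValueError):
    """Raised when the recipient advertises only denied algorithms."""


# Gateway preference, strongest first (constructed for this example).
CIPHER_PREFERENCE = ("AES-256", "AES-192", "AES-128", "Triple DES",
                     "RC2-128", "RC2-64", "RC2-40", "DES")
DIGEST_PREFERENCE = ("SHA-256", "SHA-224", "SHA-1", "RMD-160",
                     "MDC2", "MD5", "MD2")

# Supported by the toolkit, but too weak for the gateway to emit
# (assumption: the administrator maintains these as part of the policy).
CIPHER_DENY = frozenset({"RC2-64", "RC2-40", "DES"})
DIGEST_DENY = frozenset({"MDC2", "MD5", "MD2"})

# Used when nothing is known about a recipient's capabilities.
DEFAULT_CIPHER = "AES-128"
DEFAULT_DIGEST = "SHA-256"


def _normalize(name: str) -> str:
    """Canonical form for comparison: case-insensitive, no stray spaces."""
    return name.strip().upper()


def negotiate(preference: Tuple[str, ...], deny: frozenset,
              caps: set) -> Optional[str]:
    """Strongest preferred algorithm the recipient supports and policy allows.

    Returns None if the recipient advertises nothing from this family (the
    caller then falls back to a default). Raises if the recipient advertises
    only denied algorithms: a recipient listing DES first must not be able
    to talk the gateway into a weak cipher, so there is no silent downgrade.
    """
    advertised = [alg for alg in preference if _normalize(alg) in caps]
    if not advertised:
        return None
    for alg in advertised:
        if alg not in deny:
            return alg
    raise NoCommonAlgorithm(
        f"recipient advertises only denied algorithms: {advertised}")


def select_suite(recipient_caps: Iterable[str]) -> Tuple[str, str]:
    """Pick (cipher, digest) for one recipient.

    recipient_caps is the flat list an S/MIME client would advertise in
    SMIMECapabilities (ciphers and digests mixed); unknown names are ignored.
    """
    caps = {_normalize(c) for c in recipient_caps if c and c.strip()}
    cipher = negotiate(CIPHER_PREFERENCE, CIPHER_DENY, caps) or DEFAULT_CIPHER
    digest = negotiate(DIGEST_PREFERENCE, DIGEST_DENY, caps) or DEFAULT_DIGEST
    return cipher, digest


if __name__ == "__main__":
    # Constructed capability lists standing in for what recipients advertise.
    print(select_suite(["RC2-40", "DES", "AES-128"]))   # AES-128 wins over RC2-40
    print(select_suite(["aes-256", "MD5", "SHA-1"]))     # SHA-1 wins over MD5
    try:
        select_suite(["DES"])
    except NoCommonAlgorithm as exc:
        print("refused:", exc)
```

The design point is the distinction between "recipient advertised nothing of this kind" (fall back to a default the administrator chose) and "recipient advertised only weak algorithms" (refuse rather than downgrade); a gateway that conflates the two can be steered into DES or MD5 by whatever the peer claims to support.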
Slide 21: Global E-Mail VPN
Virtual Private Email Network: SecureMail Gateways (SMGW) at ...@customer.com, ...@supplier.com, ...@uk.company.com and ...@de.company.com, connected over the Internet.
Slide 22: Clustering: High Availability, Load Balancing and Scalability
- automatic failover
- master-master principle
- N parallel, automatically synchronizing SecureMail systems (SYNC)
Diagram: internal e-mail sender, internal e-mail infrastructure, AS/AV content filter, SecureMail systems, Internet, external user.
Slide 23: Multi-Client Capability
Per mandator/domain (n mandator domains, e.g. uk.company.com and de.company.com):
- separate keys
- separate policy
- separate logs and monitoring
- separate configuration
- separate admins
Diagram: e-mail clients, mail server, SMGW, Internet.
Slide 24: External Certificates: Automatic Acquisition
Sources of certificates and PGP keys for the SecureMail Gateway:
- LDAP and PGP key servers
- domain certificates / PGP keys
- transient certificates from e-mail messages
- DNS
- manual management by the admin
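The "transient certificates from e-mail messages" source deserves a closer look, because it is the one an outside party controls: a signed S/MIME mail carries the signer's certificate chain in its PKCS#7 signature, and a PGP key may simply arrive as an attachment. The Python below is an added example, not Zertificon's code; the sample messages are constructed, the signature blob is a placeholder rather than real DER, and the store's API is an assumption. It shows where a gateway finds such material and keeps it unusable until a separate validation step has marked it verified.

```python
"""Harvest transient certificates / keys from inbound e-mail.

Added example (not Zertificon's code). Sample messages are constructed;
the signature part is a placeholder, not real PKCS#7 SignedData.
"""
import base64
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

SMIME_SIGNATURE_TYPES = {"application/pkcs7-signature",
                         "application/x-pkcs7-signature"}
PGP_KEY_TYPE = "application/pgp-keys"


def harvest_key_material(raw_message: bytes) -> Tuple[str, List[Tuple[str, bytes]]]:
    """Return (sender address, [(kind, decoded bytes), ...]).

    Only the MIME parts a gateway would hand to its S/MIME or OpenPGP
    toolkit are collected: detached PKCS#7 signatures (which carry the
    signer's certificate chain) and attached PGP public key blocks.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    found: List[Tuple[str, bytes]] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in SMIME_SIGNATURE_TYPES:
            found.append(("smime-pkcs7", part.get_payload(decode=True)))
        elif ctype == PGP_KEY_TYPE:
            found.append(("pgp-key", part.get_payload(decode=True)))
    return sender, found


class TransientStore:
    """Per-address cache of harvested material with an explicit trust state.

    The From header is chosen by whoever sent the mail, so everything that
    arrives is 'unverified' and lookup() returns nothing for it. Only after
    chain building and CRL/OCSP checks (the validation step) mark an entry
    verified may the gateway encrypt to it.
    """

    def __init__(self) -> None:
        self._entries: Dict[str, Dict[str, object]] = {}

    def observe(self, raw_message: bytes) -> int:
        sender, material = harvest_key_material(raw_message)
        if not sender or not material:
            return 0
        self._entries[sender] = {"material": material, "verified": False}
        return len(material)

    def mark_verified(self, address: str) -> None:
        self._entries[address.lower()]["verified"] = True

    def lookup(self, address: str) -> Optional[List[Tuple[str, bytes]]]:
        entry = self._entries.get(address.lower())
        if entry is None or not entry["verified"]:
            return None
        return entry["material"]  # type: ignore[return-value]


# Constructed sample 1: multipart/signed with a placeholder signature blob.
FAKE_PKCS7 = b"CONSTRUCTED-PKCS7-PLACEHOLDER"
SAMPLE_SIGNED = (
    "From: Alice <Alice@supplier.com>\n"
    "To: bob@de.company.com\n"
    "Subject: Order confirmation\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="sig-boundary"\n'
    "\n"
    "--sig-boundary\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Order 4711 confirmed.\n"
    "--sig-boundary\n"
    'Content-Type: application/pkcs7-signature; name="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="smime.p7s"\n'
    "\n"
    + base64.b64encode(FAKE_PKCS7).decode("ascii") + "\n"
    "--sig-boundary--\n"
).encode("ascii")

# Constructed sample 2: a PGP public key sent as a plain attachment.
SAMPLE_PGP = (
    "From: carol@customer.com\n"
    "To: bob@de.company.com\n"
    "Subject: my public key\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="mix"\n'
    "\n"
    "--mix\n"
    "Content-Type: text/plain\n"
    "\n"
    "Key attached.\n"
    "--mix\n"
    'Content-Type: application/pgp-keys; name="carol.asc"\n'
    "\n"
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "CONSTRUCTED-PLACEHOLDER\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
    "--mix--\n"
).encode("ascii")
```

In a deployment the harvested bytes go to the crypto toolkit the slide names (OpenSSL for S/MIME, GnuPG for OpenPGP) to extract the actual certificates or keys, and only the validation described on the next slide flips an entry to verified; a cache that skips that step lets anyone who can send mail decide which public key the gateway encrypts to.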
Slide 25: External Certificates: Automatic Validation
The SecureMail Gateway validates external certificates against:
- CA certificates in the database
- external CRL services
- external OCSP services
- manual management by the admin
Slide 26: Difference Between Station and Gateway
Slide 27: SecureMail Governikus Edition, SecureMail at Public Authorities
- e-mail based e-government: SecureMail Governikus Edition
- web and OSCI based e-government: form management, portal solutions, central services (Governikus 3.3)
References: federal state Brandenburg, federal state Sachsen
Slide 28: SecureMail Messenger
Flow for an internal e-mail sender on the intranet: does the external user have an X.509 certificate or a PGP key?
- Yes: the SecureMail Station/Gateway sends encrypted e-mail (S/MIME or OpenPGP) to the external user with a PGP key or S/MIME certificate.
- No: SecureMail Messenger delivers via encrypted HTTP (HTTPS over SSL) or as an encrypted PDF to the external user without a key or certificate.
Slide 29: Company Certificate vs Individual Certificate (PGP / S/MIME)
- company certificate for encryption
- company certificate for signature?
- personal certificates for encryption
- personal certificates for signature
Slide 30: ERP Connector
The alternative approach to configuring SecureMail Station/Gateway (ERP system -> ERP Connector -> SecureMail Station/Gateway):
- management of entities (users, domains, groups, mandators)
- management of the attributes of entities, e.g. keys and certificates, all types of policies
- planned for the future: management of the logging
- planned for the future: global configuration
- planned for the future: system management
Slide 31: CA Connector, Onboard PKI
An action can be triggered:
- manually by the administrator (using the Admin Webclient)
- automatically by the ERP Connector
- automatically by AutoTrigger
Trigger actions: issue a new certificate; revoke a certificate; renew an existing certificate
Use the CA Connector:
- to integrate the onboard PKI (Z1 Onboard CA, S/MIME + PGP)
- to integrate internal third-party PKIs (S/MIME only)
- to integrate external trust centers (S/MIME only)
CAs shown in the diagram: Microsoft CA, Entrust CA, TC-TrustCenter, S-Trust, Comodo
Slide 32: How to Protect the Private Keys with Hardware Security Modules, Scenario with Enterprise Requirements
Maximize the security level of your SecureMail solution by using Hardware Security Modules in combination with the HSM Connector!
- uses crypto boards to handle high e-mail traffic
- can contain an unlimited number of keys!
- is clusterable (SYNC between the nodes)!
- supports the whole private key life cycle!
Slide 35: User Interface
For the user, encryption/decryption, signing and signature validation run transparently!
The user nevertheless has ways to intervene: through commands in the subject line, whose syntax can be defined by the administrator; each individual command must be enabled by the administrator.
Recommendation: security-increasing commands should be allowed, security-decreasing commands should not!
Incoming e-mails can contain a text at the end that informs the user about the status of the e-mail, e.g.: "This e-mail was encrypted and signed. The signature was correct." The text can be defined by the administrator.
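The subject-line commands above and the channel decision on the SecureMail Messenger slide (S/MIME or OpenPGP when the recipient has key material, otherwise HTTPS or encrypted PDF) are two halves of one outbound policy. The Python below is an added example, not Zertificon's code: the bracket syntax "[encrypt]" stands in for whatever syntax an administrator defines, and the channel names, the Recipient fields and the command lists are assumptions for the example. It follows the slide's recommendation literally: security-raising commands are enabled, security-lowering ones are recognized only so they can be reported as refused, and a lowering command can never switch off encryption that the policy requires.

```python
"""Outbound policy: subject-line commands plus delivery channel selection.

Added example, not Zertificon's code. "[encrypt]" is an assumed
administrator-defined command syntax; channel names and Recipient
fields are assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

# Commands the administrator has enabled (security-raising only, as the
# slide recommends). Lowering commands are listed so a request for them is
# reported as refused instead of being silently ignored.
ENABLED_COMMANDS: FrozenSet[str] = frozenset({"encrypt", "sign"})
LOWERING_COMMANDS: FrozenSet[str] = frozenset({"noencrypt", "nosign"})

# A leading run of bracketed tokens, e.g. "[encrypt][sign] Quarterly figures".
_COMMAND_RUN = re.compile(r"^\s*((?:\[[A-Za-z-]+\]\s*)+)")
_TOKEN = re.compile(r"\[([A-Za-z-]+)\]")


@dataclass(frozen=True)
class Recipient:
    address: str
    has_smime_cert: bool = False   # a known, validated X.509 certificate
    has_pgp_key: bool = False      # a known, validated OpenPGP key


@dataclass(frozen=True)
class Decision:
    channel: str                   # smime | openpgp | messenger-https | messenger-pdf | plain
    sign: bool
    subject: str                   # subject with the command run removed
    refused: Tuple[str, ...]       # lowering commands the sender asked for


def parse_commands(subject: str) -> Tuple[Set[str], str]:
    """Split a subject into its leading command tokens and the remaining text."""
    m = _COMMAND_RUN.match(subject)
    if not m:
        return set(), subject.strip()
    tokens = {t.lower() for t in _TOKEN.findall(m.group(1))}
    return tokens, subject[m.end():].strip()


def decide(subject: str, recipient: Recipient, *,
           policy_requires_encryption: bool = False,
           messenger_mode: str = "https") -> Decision:
    """Apply the gateway policy to one outbound message.

    Encryption is on if the domain/recipient policy requires it or the
    sender requested it with an enabled command; a lowering command never
    turns it off. The channel follows the Messenger flow: S/MIME, then
    OpenPGP, then the Messenger fallback (HTTPS mailbox or encrypted PDF).
    """
    if messenger_mode not in ("https", "pdf"):
        raise ValueError("messenger_mode must be 'https' or 'pdf'")
    requested, clean_subject = parse_commands(subject)
    refused = tuple(sorted(requested & LOWERING_COMMANDS))
    granted = requested & ENABLED_COMMANDS   # unknown tokens are dropped
    encrypt = policy_requires_encryption or "encrypt" in granted
    sign = "sign" in granted
    if not encrypt:
        channel = "plain"
    elif recipient.has_smime_cert:
        channel = "smime"
    elif recipient.has_pgp_key:
        channel = "openpgp"
    else:
        channel = "messenger-" + messenger_mode
    return Decision(channel, sign, clean_subject, refused)


if __name__ == "__main__":
    # Constructed recipients standing in for gateway address-book entries.
    print(decide("[encrypt] Q3 figures",
                 Recipient("bob@customer.com", has_smime_cert=True)))
    print(decide("[NoEncrypt] Q3 figures",
                 Recipient("carol@supplier.com", has_pgp_key=True),
                 policy_requires_encryption=True))
    print(decide("[encrypt][sign] Contract", Recipient("dave@example.net"),
                 messenger_mode="pdf"))
```

Stripping the command run from the subject before delivery matters as well: the tokens are instructions to the gateway, and leaking them to the recipient would reveal which controls the sender's organization exposes to its users.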
Slide 40: Platforms That Are Supported by SecureMail Gateway
Supported for existing customers:
- Appliance
- Debian 5.0 (Lenny)
- Solaris 10 (sparc64)
Recommended for new customers:
- Appliance (hardware or virtual)
- Debian 5.0 (Lenny)
- Solaris 10 (sparc64)
Future support:
- all future versions of Appliance
- all future versions of Debian
- all future versions of Solaris (sparc64)
Other platforms are supported on request and on a project basis. Last updated: 2010-06-09
Slide 43: Internal Encryption with SecureMail End2End
There is no dedicated server needed for this service. Diagram labels: "AS/AV can be done here!" and "Mail in cleartext here".
Diagram: external edge with SecureMail Gateway (S/MIME, PGP) and SecureMail Messenger (CryptPDF, HTTPS) serving external users Extern 1 (e.g. BlackBerry) and Extern 2; internal edge with the End2End service (End2End key material and End2End certificate), the internal mail server and internal certificates (e.g. MS AD + MS PKI) serving internal users Intern 1 and Intern 2; S/MIME e-mail between the parties.
Slide 44: SecureMail and De-Mail I
Diagram: company (S/MIME gateway, mail server, gateway, SC) connected over the Internet to the De-Mail provider (SC, mail server) via TLS or a VPN gateway; the De-Mail user ... reaches the provider via https (****).
De-Mail, 2010 Zertificon Solutions GmbH, slide 44