10/6/2010. Safeguarding Our . Safeguarding Our . Agenda. Background. Via TLS. Presented by:

Transcription

1 Safeguarding Our Presented by: Safeguarding Our Jim Rogers The Hartford Via TLS Wayne Libonati Performance Connectivity Julio Ochoa Webjogger Mike Gragg Hudson River Technology Agenda Usage Security - Why you should care Benefits Resources Options Discussion Discuss TLS Configuration of MS Exchange 2003 & 2007 Q&A 2 Background has become a major component in every day agency/carrier business interactions. Mail sent over the Internet is typically unprotected The need to protect continues to grow The use of, and reliance on, within core business workflows will continue to increase 3 1

2 Why Protect ? often contains sensitive customer information Required by business contract Is easily accessible to prying eyes on the Internet Mandated by regulation 4 Existing Regulations and Standards Gramm-Leach-Bliley Act (GLBA) Standards for Safeguarding Customer Info. non-public personal information (NPPI) in paper, electronic, or other form NPII: personally identifiable information provided by a consumer or resulting from a transaction for a consumer written information security program to address internal/external risks physical, technical and administrative safeguards oversee service providers Security Breach Notification Laws (Various states) first/last name and SSN/drivers license/state ID/financial account + password when not encrypted must notify any resident of the state of a breach without unreasonable delay Payment Card Industry Data Security Standards (PCI-DSS) cardholder data certification of compliance with PCI-DSS depending upon level of merchant firewall, encryption in storage/transmission, antivirus, etc. assign individual user IDs 5 Recent Regulatory Developments Nevada Restrictions on transfer of personal information through electronic transmission Massachusetts 201 CMR Standards for The Protection of Personal Information of Residents of the Commonwealth California Department of Motor Vehicles On-Line DMV Special Permit Program 6 2

3 TLS: Transport Layer Security Provides secure communications across the Internet through a standardized, secure, and non-proprietary mechanism Eliminates the drawbacks that plague the commonly used tools and services Is built-in to most modern systems and just needs to be turned on by your technology professional 7 How Does TLS Work? At transmission time, TLS creates an encrypted communication session between servers The is then sent through a protected tunnel The servers de-crypt the message and send it along to the client Encrypted 8 Client Agency Partner Carrier Client Transport Layer Security: TLS Encrypted Message $erm840 kkfd8820& l1k6ss My ssn is: Safe/Secure Standard Protocol Available on most systems Transparent to end-users Eliminates the need for hosted services Negligible cost My ssn is:

4 Benefits of TLS Provides the confidentiality of s across the Internet Requires no changes to the client Is a standards-based protocol that is implemented on most gateways and appliances It s free, no additional licensing is needed. Security certificate is required. 10 How Do I Get TLS? TLS is a standards-based protocol enabled on most serverbased systems Talk with your system support staff or service provider Most agencies that have an up-to-date in-house mail server are TLS capable. Agencies with a hosted Microsoft Exchange server are TLS capable as is gmail. Those with hosted using hotmail and yahoo are not currently TLS capable 11 Detecting TLS How do you determine if TLS is active. Talk to the server administrator Some contains a tag line if sent via TLS. at the bottom of the More on this in our technical discussion 12 4

5 Carriers supporting TLS Some carriers are TLS enabled automatically for their agents who send s with TLS to them; others activate agencies for TLS only upon request. Please check with your carrier or look in the Security & Privacy section on ACT website for specific carrier info: Allied/Nationwide Chubb Cincinnati CNA EMC Grange Insurance Harleysville The Hartford, Liberty Agency Markets MetLife MetLife Auto & Home MMG Insurance OneBeacon Progressive RLI Corporation Summit Holdings Travelers Westfield W.R. Berkley Companies Note: for updated list of carriers supporting TLS see Agency Security Section of or ask you carrier 13 MS Exchange 2003 TLS Required Mode Both the sender and the receiver must maintain a directory of each other s domains in order for a TLS encrypted to be exchanged If the receiver has TLS enabled in opportunistic mode, not Required mode, the will still transmit in an encrypted format. If the receiving party does not have TLS enabled, the sender s will be sent but it will not be encrypted. MS Exchange 2003 MS Exchange 2007 TLS Required Mode TLS Opportunistic Mode Protected Tunnel Encrypted Insurance Agent Carrier Rep TLS enabled Solution No TLS encryption enabled sent/received is not encrypted! Policyholder Policyholder MS Exchange 2007 TLS Opportunistic Mode A sender with TLS Opportunistic Mode enabled will check to see if the receiver has TLS enabled. If the receiver has TLS Opportunistic turned on, the outgoing will be encrypted. If he does not, there are two potential scenarios depending on the sender s infrastructure. 1) the is sent out with no encryption 2) the sender sends the out via an encryption tool such as Tumbleweed or ZixSelect MS Exchange 2007 TLS Opportunistic Mode MS Exchange 2007 TLS Opportunistic Mode Protected Tunnel Encrypted Insurance Agent Carrier Rep TLS enabled Solution No TLS enabled - OR - sent via Tumbleweed with a secured link that the user opens sent/received is not encrypted! Policyholder Policyholder 5

6 TLS Summary Environment Conditions Result Sender Receiver MS Exchange 2007 Opportunistic Mode TLS Enabled TLS Enabled s are sent and received encrypted TLS Enabled TLS not Enabled is sent but it is not encrypted TLS not Enabled TLS Enabled is sent but it is not encrypted Sender and Receiver maintain each other s domain addressees in their respective TLS registries s are sent and received encrypted MS Exchange 2003 Sender maintains Receiver s domain address Receiver does not maintain Sender s domain address will not be sent out. Required Mode Sender does not maintain Receiver s Receiver maintains Sender s will be sent but not in domain address domain address encrypted format Additional Considerations Important to have your technical support implement TLS Your technical support can tell you which of your carriers and clients are enabled for TLS If using an external spam/anti-virus filter, you need to make sure it is enabled for TLS. Also, some of these external spam/anti-virus providers offer a hosted option that can be enabled for TLS Many hosted solutions are not enabled for TLS (e.g., hotmail and yahoo), but gmail provides some secure options You also need to make sure that the connections between your server and your remote computers and mobile devices are encrypted Use your real-time tools wherever possible to transmit client personal information because it is encrypted If TLS or Real Time not available, send application information using a password protected pdf or zip file 17 Feedback - TLS Article 18 6

7 Feedback - FAQs 19 TLS Links ACT Web site for TLS Article,FAQs, & TLS enabled carriers Security & Privacy Quick Link Technical Links How to Configure TLS Procure SSL Certificates Representative purposes only and steps here may not be suitable for all environments Will cover Exchange 2003 and 2007 If you are on a different platform, please consult your technical support 21 7

8 Several Sources for Security Certificates certificate authority (CA) -an entity that issues digital certificates Verisign Network Solutions GoDaddy Comodo Digi-Sign HOW TO: Use Certificates with Virtual Servers in Exchange Server 22 Difference between Exchange 2003 & 2007 Exchange 2003 requires a valid X.509 server certificate (suitable for TLS usage) DOES NOT support Opportunistic TLS Requires to manually configure TLS (minimum 6 steps) Difficult to monitor TLS transmit-receive success/failures 23 Exchange 2007/2010 requires a valid X.509 server certificate (suitable for TLS usage) Opportunistic TLS is automatically enabled (by default) Easy to monitor TLS transmit-receive success/failures Greater Message Control with Robust Transport Rules Features Block, Bounce, Copy, append, Send to Archive, Quarantine Verifying successful TLS session with MS Office

9 Questions 25 Mutual TLS With Mutual TLS authentication, each server verifies the identity of the other server by validating a certificate that is provided by that other server. In this scenario, where messages are received from external domains over verified connections in an Exchange 2007 environment, Microsoft Office Outlook 2007 will display a Domain Secured icon. 26 Mutual TLS Enabling Process with Exchange 2007 Process for Server to Server Mutual TLS 1. Configure an additional IP Address (as necessary) 2. Create & Configure the SMTP Send Connector 3. Create & Configure SMTP Receive Connector 4. Test & Verify Mutual TLS between remote domain server 27 9

10 Mutual TLS Enabling Process with Exchange 2007 Mutual TLS Demonstration Scenario 1. Insurance Carrier requires a Mutual TLS Session between their mail server and the agency s mail server 2. Small agency with single Microsoft Exchange Server 3. No Edge Transport Servers are present in their network. 28 Verifying x.509 Certificate in Exchange Verifying x.509 Certificate in Exchange

11 Verifying x.509 Certificate in Exchange Configure Additional IP Address (as needed) 32 Configure Additional IP Address (as needed) 33 11

12 Configure Additional IP Address (as needed) 34 Configure Additional IP Address (as needed) 35 Configure Additional IP Address (as needed) 36 12

13 Configure Additional IP Address (as needed) 37 Configure Additional IP Address (as needed)

14

15

16

17 Create Receive Connector for Mutual TLS 49 Create Receive Connector for Mutual TLS 50 Create Receive Connector for Mutual TLS 51 17

18 Create Receive Connector for Mutual TLS 52 Create Receive Connector for Mutual TLS 53 Create Receive Connector for Mutual TLS 54 18

19 Create Receive Connector for Mutual TLS 55 Create Receive Connector for Mutual TLS 56 Questions 57 19