Choosing the Right Solution for Strategic Deployment of Encryption


Choosing the Right Solution for Strategic Deployment of Email Encryption

White Paper: Enterprise Email Encryption
Email Protection Buyer's Guide
Choosing the Right Solution for Strategic Deployment of Email Encryption

Contents
Executive Summary 1
I. Assessing Email Encryption Products 1
  Define business strategy for email encryption 1
  Use Operational Best Practices for Email Encryption 3
    Provide automatic encryption of email and attachments without requiring user action 3
    Use automation for deployment and management 3
    Centrally manage email encryption policy 4
    Ensure interoperability by using an open system 4
    Automate logging and reporting for policy compliance 4
    Deploy solutions that scale with ease 4
II. Checklist for Email Encryption Technical Specifications 5
III. Guidelines for Choosing a Vendor 5
Appendix I: Using Email Encryption for Regulatory Compliance 6
Appendix II: Symantec Email Encryption Solutions 8

Executive Summary

Email is an essential business tool that helps organizations to efficiently communicate both internally with colleagues and externally with customers, clients, and partners. Yet with this vital tool comes the specter of sensitive data exposure caused by sending unprotected email. The risk goes wherever unprotected email is transmitted or stored, including the Internet, cloud-based services, servers, desktop PCs, laptops, and mobile smartphones. The exposure of customer data, intellectual property, or legally protected data such as financial or personal health information can trigger penalties, lawsuits, damage to an organization's brand, and loss of business. Every organization should address these risks by protecting sensitive email, and the most effective way to do that is with email encryption.

This buyer's guide presents selection criteria to help technical buyers of information technology choose the right solution for strategic deployment of email encryption. The guide presumes that you already understand the basics of encryption and how this security control can eliminate unauthorized access to sensitive email and attachments wherever they may go. It begins with six ideas for defining your organization's business strategy for email encryption and presents six operational best practices for using this technology. These elements are mandatory to ensure that your choice is cost effective, that it complies with relevant laws and regulations, and that it can scale with the future requirements of your business. A checklist frames 11 important technical requirements for choosing a strategic solution. The guide also presents seven guidelines for choosing a vendor for your email encryption solution. Appendix I summarizes eight common regulatory categories or laws related to email encryption. Appendix II briefly describes features and benefits of five PGP from Symantec email encryption solutions.
The guide minimizes technical jargon, which makes it appropriate as backup documentation for non-IT managers who may need to approve the purchase requisition.

I. Assessing Email Encryption Products

Choosing the right solution for strategic deployment of email encryption entails understanding points of risk, business requirements, and the types of solution options. In conjunction with these, understanding the operational best practices associated with email encryption helps an organization to assess the degree of effort associated with deploying and managing a particular solution.

Define business strategy for email encryption

Business strategy should drive the reasons for adopting a particular email encryption solution. Strategic deployment of email encryption will enable scalability while controlling the costs of deployment and ongoing operational management. Considerations include:

Points of Risk. Data transmitted through email can be vulnerable at many points. Sensitive data in an email or an email attachment can be read from an endpoint, including a desktop, laptop, notebook, mobile smartphone, or other mobile computing device. It can also be downloaded from an email server or another storage or backup device. It may be purposely or accidentally sent to a malicious or inappropriate user. It can also be sniffed from a network transmission or a cloud-based application. Points of risk within your organization include trusted employees and the administrators of email and network systems. They may also include other points in the supply chain, such as business partners, suppliers, service providers, customers, and any other place where email can go. Your email encryption solution must address all points of risk to control unauthorized exposure of sensitive data.

Interoperability. An open, standards-based email encryption solution will work with virtually any email client, endpoint operating system, and server. A proprietary solution provides restricted options. Choose an email encryption solution that meets current requirements but provides flexibility should other needs arise.

Business processes. Some solutions require users to manually execute multiple steps to initiate encryption and decryption of email. At the other end of the spectrum, a solution can fully automate all encryption and decryption without any user intervention. Some organizations require email encryption only for specific departments that handle sensitive information, such as legal, finance, and human resources. Other organizations prefer to encrypt all email. Determine what your organization needs to provide acceptable protection of sensitive data in email.

Enterprise integration. Your organization might require other types of encryption, such as for individual files, all storage on a laptop or portable device, tape backup systems, or a database server. Implementing a point email encryption solution may add complexity to key management if it does not integrate with other encryption solutions. All of these must also work with existing antivirus, antispam, content filtering, data loss prevention, and archiving applications. Lack of integration will substantially drive up the costs of deploying and managing enterprise encryption solutions.

Compliance. Determine the specific regulatory compliance requirements that affect your organization, such as email encryption laws in U.S. states such as Massachusetts and Nevada, encryption mandated for cardholder data by the PCI Data Security Standard, the European Union's directive to protect personal information transmitted over networks, directives to protect personal privacy in Australia and Japan, and other global requirements for using encryption and digital signatures to protect personal information and financial reporting systems.

Architecture. Specify the email encryption architecture that satisfies your organization's business requirements. There are five architectural options, detailed by Osterman Research, Inc.:

Endpoint-to-endpoint. Encrypts email from sender to recipient; intermediate systems cannot decrypt the protected message during transmission.

Gateway-to-gateway. Uses an email encryption gateway. This eliminates the need for client software, which simplifies administration. It encrypts email between gateways, but not within the sender's or recipient's organizations.

Gateway-to-web. Only secures email between the gateway and a web portal. Useful for external destinations that are not on your organization's email encryption system.

Gateway-to-endpoint. Provides email encryption inside the firewall, but still leaves originating messages in plain text before they reach the gateway.

Secure managed file transfer. Useful for transmitting secure content without requiring a full-blown email encryption solution, which minimizes storage and bandwidth requirements.

Use Operational Best Practices for Email Encryption

Provide automatic encryption of email and attachments without requiring user action

Use automation for deployment and management

Centrally manage email encryption policy

Ensure interoperability by using an open system

Automate logging and reporting for policy compliance

Deploy solutions that scale with ease
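As an added illustration of the gateway model and of centrally managed, automatic policy (example code written for this edit, not part of the guide or of any PGP product), the Python below evaluates an outbound message against a central policy on the gateway: a department rule, an encrypt-all switch, and a content rule for cardholder data that uses the Luhn check to reduce false matches. The department names, the internal domain, the message fields and the sample messages are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample policy: central rules a gateway applies to every outbound
# message so that encryption never depends on the sender remembering to act.
# Department names and the internal domain are hypothetical placeholders.
@dataclass
class EncryptionPolicy:
    encrypt_all: bool = False
    sensitive_departments: frozenset = frozenset({"legal", "finance", "hr"})
    internal_domain: str = "example.com"  # hypothetical; internal mail is left as-is

@dataclass
class Message:
    sender: str
    sender_department: str
    recipients: list
    subject: str
    body: str

# 13 to 19 digits, optionally separated by spaces or hyphens (typical PAN formats)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit counted from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def contains_cardholder_data(text: str) -> bool:
    """True if any candidate digit run passes the Luhn check (PCI DSS cardholder data)."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def decide(policy: EncryptionPolicy, msg: Message) -> tuple:
    """Return (must_encrypt, reason). Evaluated on the gateway, never by the user."""
    suffix = "@" + policy.internal_domain.lower()
    external = [r for r in msg.recipients if not r.lower().endswith(suffix)]
    if not external:
        return (False, "all recipients internal")
    if policy.encrypt_all:
        return (True, "policy: encrypt all external mail")
    if msg.sender_department.lower() in policy.sensitive_departments:
        return (True, f"policy: {msg.sender_department} mail is always encrypted")
    if contains_cardholder_data(msg.subject + "\n" + msg.body):
        return (True, "content: cardholder data detected")
    return (False, "no rule matched")

if __name__ == "__main__":
    # Constructed sample: the well-known test PAN 4111 1111 1111 1111 passes Luhn.
    sample = Message("alice@example.com", "sales", ["bob@partner.test"],
                     "Order", "Card 4111 1111 1111 1111 expires 12/30")
    print(decide(EncryptionPolicy(), sample))
```

Logging the returned reason alongside the message ID gives the audit trail the compliance best practice above asks for.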

II. Checklist for Email Encryption Technical Specifications

III. Guidelines for Choosing a Vendor

Many organizations select a vendor and purchase a solution, yet later find that the solution did not quite fulfill requirements as planned. Deployments are often stalled by product limitations and exceptions that were not explicitly clarified prior to purchase. To ensure a successful solution selection and deployment, your organization should strive for clear and detailed proposals framed by precise needs and requirements. The following vendor selection guidelines help ensure successful solution acquisition and deployment.

Choose a leader. Look for an email encryption solution provider with an established track record and an experienced management team. You will be betting the security of your organization's data on the provider of the email encryption solution, so make sure the provider's reputation, business practices, and product line provide a solid foundation for your decision. Look at the vendor's market share and financial stability. Look for industry awards and expert accolades to support the company's story.

Vet the solution. Ensure the product has passed public scrutiny and does what the vendor says it will do. Study independent testing reports of product performance. Observe the product running in the vendor's demonstration lab. If possible, run your own test bed to verify features and performance before committing to purchase and deployment.

Query references. Have the vendor provide as many user references as possible and talk to your peers about their purchases. Make sure references are for companies with successful large-scale deployments equal to or larger than the one you are planning. Formally survey their experiences and rank the responses with an objective measurement system. Verify their satisfaction with the purchase decision.

Seek depth of product line. Your organization's immediate goal may be email encryption alone, but most organizations eventually will require a comprehensive encryption strategy and solution set. For example, operational and regulatory requirements may also call for encryption of individual files or endpoints. Look for an email encryption vendor that can fulfill a broad range of messaging security requirements. Get familiar with the vendor's product roadmap to understand where your solution options will be in one, three, and five years.

Explore licensing options. Business requirements change constantly, so look for an email encryption provider that offers multiple licensing options. Options may include a perpetual license with annual technical support, a subscription license, and hosted or managed offerings.

Specify your requirements. Use the suggestions in this Buyer's Guide to specify exactly what your organization needs in an email encryption solution. Put all specifications into a written plan covering business strategy, compliance requirements for email security, operational best practices, and technical requirements. Set timelines for each phase of your organization's deployment, with performance and service level benchmarks. Be clear and specific for each requirement.

Create a Request for Proposal. The Request for Proposal (RFP) will allow your organization to present its requirements with precision and to objectively compare offerings from each vendor. A typical RFP will include these sections:

RFP planning and schedule
Administrative requirements
Documentation of existing enterprise email architecture
Technical requirements of an encryption solution
Support and professional services requirements
Project management requirements
Qualifications and references
Project plan
Pricing, including detailed component and per-seat metrics
Appendices of diagrams

Appendix I: Using Email Encryption for Regulatory Compliance

Compliance is a major driver for deployment of email encryption. Some laws and industry regulations explicitly require encryption of protected information transmitted over networks. Others are less explicit and rely on the guidance of auditors, who usually prescribe implementation of a standard security framework such as the Control Objectives for Information and related Technology (COBIT) produced by the Information Systems Audit and Control Association. The table below includes typical laws and regulations where deployment of email encryption can help with compliance. Consult your organization's legal counsel and audit committee for requirements.


Appendix II: Symantec Email Encryption Solutions

Symantec provides targeted, flexible email encryption solutions that enable your organization to meet current and future data protection needs. The table below summarizes highlights from the portfolio of PGP email encryption solutions. Consult the PGP website at www.pgp.com for descriptions of other PGP encryption solutions, or ask your PGP sales representative for guidance on specific requirements.


About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com. For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Symantec helps organizations secure and manage their information-driven world with security management, endpoint security, messaging security, and application security solutions.

Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 11/2010 21158819