Choosing the Right Solution for Strategic Deployment of Email Encryption
White Paper: Enterprise Email Encryption
Email Protection Buyer's Guide

Contents

Executive Summary
I. Assessing Email Encryption Products
   Define business strategy for email encryption
   Use Operational Best Practices for Email Encryption
      Provide automatic encryption of email and attachments without requiring user action
      Use automation for deployment and management
      Centrally manage email encryption policy
      Ensure interoperability by using an open system
      Automate logging and reporting for policy compliance
      Deploy solutions that scale with ease
II. Checklist for Email Encryption Technical Specifications
III. Guidelines for Choosing a Vendor
Appendix I: Using Email Encryption for Regulatory Compliance
Appendix II: Symantec Email Encryption Solutions
Executive Summary

Email is an essential business tool that helps organizations communicate efficiently, both internally with colleagues and externally with customers, clients, and partners. Yet with this vital tool comes the specter of sensitive data exposure caused by sending unprotected email. The risk goes wherever unprotected email is transmitted or stored, including the Internet, cloud-based services, servers, desktop PCs, laptops, and mobile smartphones. The exposure of customer data, intellectual property, or legally protected data such as financial or personal health information can trigger penalties, lawsuits, damage to an organization's brand, and loss of business. Every organization should address these risks by protecting sensitive email, and the most effective way to do that is with email encryption.

This buyer's guide presents selection criteria to help technical buyers of information technology choose the right solution for strategic deployment of email encryption. The guide presumes that you already understand the basics of encryption and how this security control can prevent unauthorized access to sensitive email and attachments wherever they may go. It begins with six ideas for defining your organization's business strategy for email encryption and presents six operational best practices for using this technology. These elements are mandatory to ensure that your choice is cost effective, complies with relevant laws and regulations, and can scale with the future requirements of your business. A checklist frames 11 important technical requirements for choosing a strategic solution. The guide also presents seven guidelines for choosing a vendor for your email encryption solution. Appendix I summarizes eight common regulatory categories or laws related to email encryption. Appendix II briefly describes the features and benefits of five PGP from Symantec email encryption solutions. The guide minimizes technical jargon, which makes it appropriate as backup documentation for non-IT managers who may need to approve the purchase requisition.

I. Assessing Email Encryption Products

Choosing the right solution for strategic deployment of email encryption entails understanding points of risk, business requirements, and the types of solution options. Together with these, understanding the operational best practices associated with email encryption helps an organization assess the degree of effort involved in deploying and managing a particular solution.

Define business strategy for email encryption

Business strategy should drive the reasons for adopting a particular email encryption solution. Strategic deployment of email encryption enables scalability while controlling the costs of deployment and ongoing operational management. Considerations include:

Points of Risk. Data transmitted through email can be vulnerable at many points. Sensitive data in an email or an attachment can be read from an endpoint, including a desktop, laptop, notebook, mobile smartphone, or other mobile computing device. It can also be downloaded from an email server or from other storage or backup devices. It may be purposely or accidentally sent to a malicious or inappropriate user. It can also be sniffed from a network transmission or a cloud-based application. Points of risk within your organization include trusted employees and the administrators of email and network systems. They may also include other points in the supply chain, such as business partners, suppliers, service providers, customers, and any other place where email can go. Your email encryption solution must address all points of risk to control unauthorized exposure of sensitive data.

Interoperability. An open, standards-based email encryption solution will work with virtually any email client, endpoint operating system, and server. A proprietary solution provides restricted options. Choose an email encryption solution that meets current requirements but provides flexibility should other needs arise.

Business processes. Some solutions require users to manually execute multiple steps to initiate encryption and decryption of email. At the other end of the spectrum, a solution can fully automate all encryption and decryption without any user intervention. Some organizations require email encryption only for specific departments that handle sensitive information, such as legal, finance, and human resources. Other organizations prefer to encrypt all email. Determine what your organization needs in order to provide acceptable protection of sensitive data in email.

Enterprise integration. Your organization might require other types of encryption, such as for individual files, all storage on a laptop or portable device, tape backup systems, or a database server. Implementing a point email encryption solution can complicate key management if it does not integrate with these other encryption solutions. All of them must also work with existing antivirus, antispam, content filtering, data loss prevention, and archiving applications. Lack of integration will substantially drive up the costs of deploying and managing enterprise encryption solutions.

Compliance. Determine the specific regulatory compliance requirements that affect your organization, such as email encryption laws in U.S. states such as Massachusetts and Nevada, encryption mandated for cardholder data by the PCI Data Security Standard, the European Union's directive to protect personal information transmitted over networks, directives to protect personal privacy in Australia and Japan, and other global requirements for using encryption and digital signatures to protect personal information and financial reporting systems.
Architecture. Specify the email encryption architecture that satisfies your organization's business requirements. There are five architectural options, as detailed by Osterman Research, Inc.:

Endpoint-to-endpoint. Encrypts email from sender to recipient; no intermediate system can decrypt the message while it is in transit.
Gateway-to-gateway. Uses an email encryption gateway. This eliminates the need for client software, which simplifies administration. It encrypts email between gateways, but not within the sender's or recipient's organization.
Gateway-to-web. Secures email only between the gateway and a web portal. Useful for external destinations that are not on your organization's email encryption system.
Gateway-to-endpoint. Provides email encryption inside the firewall, but still leaves originating messages in plain text before they reach the gateway.
Secure managed file transfer. Useful for transmitting secure content without requiring a full-blown email encryption solution, which minimizes storage and bandwidth requirements.

Use Operational Best Practices for Email Encryption

Provide automatic encryption of email and attachments without requiring user action
Use automation for deployment and management
Centrally manage email encryption policy
Ensure interoperability by using an open system
Automate logging and reporting for policy compliance
Deploy solutions that scale with ease
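The architecture options and the best practices above (automatic encryption without user action, centrally managed policy, and automated logging for compliance) come together at an outbound gateway that decides, per message, whether and how to encrypt. The following Python example is added here to illustrate that decision logic; it is not code from the guide or from any Symantec or PGP product. The policy tables (the internal domain, the partner domains reachable gateway-to-gateway, the departments that always encrypt), the sample messages, and the action names are all constructed for this example. Cardholder-data detection uses a card-number pattern plus the Luhn check, the kind of rule a data loss prevention module supplies; the actual cryptographic operation is assumed to be performed downstream by the gateway path that the decision selects.

```python
"""Policy-driven encryption decisions at an outbound email gateway (illustrative)."""
import itertools
import json
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Constructed policy tables: assumptions for this example, not taken from the guide.
# A real gateway loads these from a central policy store.
INTERNAL_DOMAIN = "corp.example"
PARTNER_GATEWAYS = {"bank.example"}                 # domains reachable gateway-to-gateway
ENCRYPT_ALWAYS_DEPTS = {"legal", "finance", "hr"}   # departments whose mail is always encrypted

# Content patterns typical of a DLP rule set (PCI cardholder data, US SSNs).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

_ids = itertools.count(1)   # deterministic Message-IDs for the constructed samples


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives on strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sensitive_findings(text: str) -> list[str]:
    """Return the categories of protected data found in the text."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("pan")
            break
    if SSN_RE.search(text):
        findings.append("ssn")
    return findings


def scannable_text(msg: EmailMessage) -> str:
    """Subject plus every text/* part (body and text attachments) for policy scanning."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def decide(msg: EmailMessage, sender_dept: str) -> dict:
    """Apply the central policy to one outbound message and return an audit record."""
    sender = parseaddr(msg.get("From", ""))[1]
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]

    reasons = sensitive_findings(scannable_text(msg))
    if sender_dept in ENCRYPT_ALWAYS_DEPTS:
        reasons.append(f"dept:{sender_dept}")

    if not external:
        # Internal-only mail never takes the gateway's external path, so a gateway cannot
        # protect it; that needs gateway-to-endpoint or endpoint-to-endpoint encryption.
        action = "internal-only"
    elif not reasons:
        action = "deliver-clear"
    elif all(r.rsplit("@", 1)[-1].lower() in PARTNER_GATEWAYS for r in external):
        action = "encrypt-gateway-to-gateway"
    else:
        action = "encrypt-gateway-to-web"   # recipient has no gateway: use the secure portal

    return {
        "message_id": msg.get("Message-ID", "<none>"),
        "from": sender,
        "external_recipients": external,
        "reasons": reasons,
        "attachments": sum(1 for p in msg.walk() if p.get_filename()),
        "action": action,
    }


def audit_line(record: dict) -> str:
    """One JSON line per message for the compliance logging and reporting pipeline."""
    return json.dumps(record, sort_keys=True)


def build_message(from_addr, to_addrs, subject, body, attachment=None) -> EmailMessage:
    """Constructed sample message (test data, not a real capture)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = from_addr
    msg["To"] = ", ".join(to_addrs)
    msg["Subject"] = subject
    msg["Message-ID"] = f"<{next(_ids)}@{INTERNAL_DOMAIN}>"
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    samples = [
        (build_message("cfo@corp.example", ["treasury@bank.example"], "Q3 forecast",
                       "Forecast attached.", ("forecast.xlsx", b"\x00\x01")), "finance"),
        (build_message("rep@corp.example", ["buyer@mail.example"], "Card on file",
                       "Please charge 4111 1111 1111 1111 for the order."), "sales"),
        (build_message("hr@corp.example", ["payroll@corp.example"], "New hire",
                       "SSN 123-45-6789"), "hr"),
    ]
    for msg, dept in samples:
        print(audit_line(decide(msg, dept)))
```

The decision depends only on centrally held tables and on message content, never on the sender doing anything, which is the point of the first best practice. The audit record carries the reasons for each decision so that compliance reporting can answer not just "was it encrypted" but "why", and the `internal-only` outcome makes visible the gap the guide describes: a gateway-only architecture leaves mail inside the organization in plain text.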
II. Checklist for Email Encryption Technical Specifications

III. Guidelines for Choosing a Vendor

Many organizations select a vendor and purchase a solution, only to find later that the solution did not quite fulfill requirements as planned. Deployments are often stalled by product limitations and exceptions that were not explicitly clarified before purchase. To ensure a successful selection and deployment, your organization should strive for clear and detailed proposals framed by precise needs and requirements. The following vendor selection guidelines help ensure a successful solution acquisition and deployment.

Choose a leader. Look for an email encryption solution provider with an established track record and an experienced management team. You will be betting the security of your organization's data on the provider of the email encryption solution, so make sure the provider's reputation, business practices, and product line provide a solid foundation for your decision. Look at the vendor's market share and financial stability. Look for industry awards and expert accolades to support the company's story.

Vet the solution. Ensure the product has passed public scrutiny and does what the vendor says it will do. Study independent testing reports of product performance. Observe the product running in the vendor's demonstration lab. If possible, run your own test bed to verify features and performance before committing to purchase and deployment.

Query references. Have the vendor provide as many user references as possible and talk to your peers about their purchases. Make sure the references are for companies with successful large-scale deployments equal to or larger than the one you are planning. Formally survey their experiences and rank the responses with an objective measurement system. Verify their satisfaction with the purchase decision.

Seek depth of product line. Your organization's immediate goal may be email encryption alone, but most organizations eventually require a comprehensive encryption strategy and solution set. For example, operational and regulatory requirements may also call for encryption of individual files or endpoints. Look for an email encryption vendor that can fulfill a broad range of messaging security requirements. Get familiar with the vendor's product roadmap to understand where your solution options will be in one, three, and five years.

Explore licensing options. Business requirements change constantly, so look for an email encryption provider that offers multiple licensing options. Options may include a perpetual license with annual technical support, a subscription license, and hosted or managed offerings.

Specify your requirements. Use the suggestions in this Buyer's Guide to specify exactly what your organization needs in an email encryption solution. Put all specifications into a written plan covering business strategy, compliance requirements for email security, operational best practices, and technical requirements. Set timelines for each phase of your organization's deployment, with performance and service level benchmarks. Be clear and specific about each requirement.

Create a Request for Proposal. A Request for Proposal (RFP) allows your organization to present its requirements with precision and to compare the offerings of each vendor objectively. A typical RFP includes these sections:

RFP planning and schedule
Administrative requirements
Documentation of the existing enterprise email architecture
Technical requirements of an encryption solution
Support and professional services requirements
Project management requirements
Qualifications and references
Project plan
Pricing, including detailed component and per-seat metrics
Appendices of diagrams

Appendix I: Using Email Encryption for Regulatory Compliance

Compliance is a major driver for deployment of email encryption. Some laws and industry regulations explicitly require encryption of protected information transmitted over networks. Others are less explicit and rely on the guidance of auditors, who usually prescribe implementation of a standard security framework such as the Control Objectives for Information and related Technology (COBIT), produced by the Information Systems Audit and Control Association. The table below includes typical laws and regulations where deployment of email encryption can help with compliance. Consult your organization's legal counsel and audit committee for requirements.
Appendix II: Symantec Email Encryption Solutions

Symantec provides targeted, flexible email encryption solutions that enable your organization to meet current and future data protection needs. The table below summarizes highlights from the portfolio of PGP email encryption solutions. Consult the PGP website at www.pgp.com for descriptions of other PGP encryption solutions, or ask your PGP sales representative for guidance on specific requirements.
About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Symantec helps organizations secure and manage their information-driven world with security management, endpoint security, messaging security, and application security solutions.

Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 11/2010 21158819