  • Number of slides: 66

TLS Webinar: Safeguarding Our Email Via TLS
Presented by:
Jim Rogers, Director of Distribution Technology, The Hartford
Tim Woodcock, President, Courtesy Computers
Jeff Yates, Executive Director, Agents Council for Technology
Webinar will begin shortly!

Agenda
Submit questions via the Question & Answer Log
First 40 Minutes:
§ e-Mail Usage
§ Security - Why you should care
§ Benefits
§ Resources
§ Q&A
Last 20 Minutes:
§ TLS Configuration of MS Exchange 2007
§ Q&A

Background
§ Email has become a major component in everyday agency/carrier business interactions
§ Mail sent over the Internet is typically unprotected
§ The need to protect email continues to grow
§ The use of, and reliance on, email within core business workflows will continue to increase

Why Protect e-Mail?
§ e-Mail often contains sensitive customer information
§ Required by business contract
§ Is easily accessible to prying eyes on the Internet
§ Mandated by regulation

Existing Regulations and Standards
Gramm-Leach-Bliley Act (GLBA) Standards for Safeguarding Customer Info.
§ non-public personal information (NPPI) in paper, electronic, or other form
§ NPPI: personally identifiable information provided by a consumer or resulting from a transaction for a consumer
§ written information security program to address internal/external risks
§ physical, technical and administrative safeguards
§ oversee service providers
Security Breach Notification Laws (various states)
§ first/last name and SSN/drivers license/state ID/financial account + password
§ when not encrypted
§ must notify any resident of the state of a breach without unreasonable delay
Payment Card Industry Data Security Standards (PCI-DSS)
§ cardholder data
§ certification of compliance with PCI-DSS depending upon level of merchant
§ firewall, encryption in storage/transmission, antivirus, etc.
§ assign individual user IDs

Recent Regulatory Developments
Nevada 597.970 “Restrictions on transfer of personal information through electronic transmission”
Massachusetts 201 CMR 17.00 “Standards for The Protection of Personal Information of Residents of the Commonwealth”
California Department of Motor Vehicles “On-Line DMV Special Permit Program”

TLS: Transport Layer Security
§ Provides secure e-Mail communications across the Internet through a standardized, secure, and non-proprietary mechanism
§ Eliminates the “drawbacks” that plague the commonly used tools and services
§ Is built in to most modern e-Mail systems and just needs to be “turned on” by your technology professional

How Does TLS Work?
§ At transmission time, TLS creates an encrypted communication session between email servers
§ The e-Mail is then sent through a protected “tunnel”
§ The servers decrypt the message and send it along to the client
[Diagram: Agency Partner Client -> Encrypted -> Carrier Client]

Transport Layer Security: TLS
[Diagram: “My ssn is: 999 65 9999” -> TLS Encrypted Message “$erm840kkfd8820&l1k6ss” -> “My ssn is: 999 65 9999”]
§ Safe/Secure
§ Standard Protocol
§ Available on most email systems
§ Transparent to end-users
§ Eliminates the need for hosted services
§ Negligible cost

Benefits of TLS
§ Provides the confidentiality of emails across the Internet
§ Requires no changes to the client
§ Is a standards-based protocol that is implemented on most e-Mail gateways and appliances
§ It’s free; no additional licensing is needed. A security certificate is required.

How Do I Get TLS?
§ TLS is a standards-based protocol enabled on most server-based email systems
§ Talk with your system support staff or e-Mail service provider
§ Most agencies that have an up-to-date in-house mail server are TLS capable. Agencies with a hosted Microsoft Exchange server are TLS capable, as is gmail. Those with hosted email using hotmail and yahoo are not currently TLS capable

Detecting TLS
How do you determine if TLS is active?
§ Talk to the email server administrator
§ Some email contains a tag line at the bottom of the email if it was sent via TLS
§ More on this in our technical discussion
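The tag line mentioned above is added by the receiving server and is not present on every system; a more reliable check is the message's own Received headers, which Exchange and other mail servers stamp with a TLS marker for each hop. The PowerShell function below is an added example, not part of the webinar; the marker patterns are assumptions drawn from common server behaviour, and only hops stamped by servers you control can be trusted.

```powershell
# Added example, not from the webinar deck: report, hop by hop, whether each
# "Received:" header of a saved message (.eml, plain RFC 5322 text) shows a
# TLS-protected SMTP hop. Marker patterns are assumptions drawn from common
# server behaviour; only hops stamped by servers you control are trustworthy,
# since any upstream server can write whatever it likes into earlier headers.
function Get-TlsHopReport {
    param([Parameter(Mandatory)][string]$Path)

    $raw = Get-Content -Path $Path -Raw
    # Headers end at the first blank line; unfold continuation lines (RFC 5322 folding).
    $headerBlock = ($raw -split "`r?`n`r?`n", 2)[0]
    $unfolded    = $headerBlock -replace "`r?`n[ \t]+", ' '
    $received    = $unfolded -split "`r?`n" | Where-Object { $_ -match '^Received:' }

    # Exchange 2007/2010: "with Microsoft SMTP Server (TLS)"
    # Postfix/Exim:       "with ESMTPS" or "with ESMTPSA"
    # Sendmail/Gmail:     "(version=TLS1_2 cipher=...)"
    $tlsPattern = 'Microsoft SMTP Server \(TLS\)|with ESMTPSA?\b|\(version=TLS'

    $hop = 0
    foreach ($line in $received) {
        $hop++   # hop 1 is the most recent: each server prepends its Received header
        $from = if ($line -match '\bfrom\s+(\S+)') { $Matches[1] } else { '?' }
        $by   = if ($line -match '\bby\s+(\S+)')   { $Matches[1] } else { '?' }
        [pscustomobject]@{
            Hop  = $hop
            From = $from
            By   = $by
            Tls  = [bool]($line -match $tlsPattern)
        }
    }
}

# Usage: any hop showing Tls = False crossed that link in the clear.
# Get-TlsHopReport -Path .\message.eml | Format-Table -AutoSize
```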

Carriers supporting TLS
Some carriers are TLS enabled automatically for their agents who send emails with TLS to them; others activate agencies for TLS only upon request. Please check with your carrier or look in the “Security & Privacy” section on the ACT website for specific carrier info:
§ Allied/Nationwide
§ Chubb
§ Cincinnati
§ CNA
§ Concord Group Insurance
§ EMC
§ Fireman’s Fund
§ Grange Insurance
§ Harleysville
§ The Hartford
§ Liberty Agency Markets
§ MetLife – MetLife Auto & Home
§ MMG Insurance
§ OneBeacon
§ Progressive
§ RLI Corporation
§ Summit Holdings
§ Travelers
§ Westfield
§ W. R. Berkley Companies
Note: for an updated list of carriers supporting TLS see the “Agency Security” section of www.independentagent.com/act or ask your carrier

MS Exchange 2003 – TLS Required Mode
Both the sender and the receiver must maintain a directory of each other’s email domains in order for a TLS encrypted email to be exchanged. If the receiver has TLS enabled in Opportunistic mode, not Required mode, the email will still transmit in an encrypted format. If the receiving party does not have TLS enabled, the sender’s email will be sent but it will not be encrypted.
[Diagram: Insurance Agent (MS Exchange 2003, TLS Required Mode) -> Protected Tunnel, Encrypted -> Carrier Rep (MS Exchange 2007, TLS Opportunistic Mode, TLS enabled Email Solution); Policyholder with no TLS encryption enabled: email sent/received is not encrypted!]

MS Exchange 2007 – TLS Opportunistic Mode
A sender with TLS Opportunistic Mode enabled will check to see if the receiver has TLS enabled. If the receiver has TLS Opportunistic turned on, the outgoing email will be encrypted. If it does not, there are two potential scenarios depending on the sender’s infrastructure: 1) the email is sent out with no encryption, or 2) the sender sends the email out via an encryption tool such as Tumbleweed or Zix.
[Diagram: Insurance Agent (MS Exchange 2007, TLS Opportunistic Mode) -> Protected Tunnel, Encrypted -> Carrier Rep (TLS enabled Email Solution); Policyholder with no TLS enabled: either email sent/received is not encrypted, or email is sent via Tumbleweed with a secured link that the user opens]

TLS Summary
Environment | Sender | Receiver | Result
MS Exchange 2007 Opportunistic Mode | TLS Enabled | TLS Enabled | Emails are sent and received encrypted
MS Exchange 2007 Opportunistic Mode | TLS Enabled | TLS not Enabled | Email is sent but it is not encrypted
MS Exchange 2007 Opportunistic Mode | TLS not Enabled | TLS Enabled | Email is sent but it is not encrypted
MS Exchange 2003 Required Mode | Sender and Receiver maintain each other’s email domain addresses in their respective TLS registries | Emails are sent and received encrypted
MS Exchange 2003 Required Mode | Sender maintains Receiver’s email domain address | Receiver does not maintain Sender’s email domain address | Email will not be sent out
MS Exchange 2003 Required Mode | Sender does not maintain Receiver’s email domain address | Receiver maintains Sender’s email domain address | Email will be sent but not in encrypted format

Additional Considerations
§ Important to have your technical support implement TLS
§ Your technical support can tell you which of your carriers and clients are enabled for TLS
§ If using an external spam/anti-virus filter, you need to make sure it is enabled for TLS
§ Also, some of these external spam/anti-virus providers offer a hosted email option that can be enabled for TLS
§ Many hosted email solutions are not enabled for TLS (e.g., hotmail and yahoo), but gmail provides some secure options
§ You also need to make sure that the connections between your email server and your remote computers and mobile devices are encrypted
§ Use your real-time tools wherever possible to transmit client personal information because it is encrypted
§ If TLS or Real Time is not available, send application information using a password-protected pdf or zip file

Feedback - TLS Article

Feedback - FAQs

TLS Links
ACT Web site for TLS Article, FAQs, & TLS enabled carriers: www.independentagent.com/act, “Security & Privacy” Quick Link
Technical Links:
http://msexchangeteam.com/archive/2006/10/04/429090.aspx
http://technet.microsoft.com/en-us/library/bb430753(EXCHG.80).aspx

How to Configure TLS
• Will cover how to procure SSL Certificates
• Representative purposes only; the steps here may not be suitable for all environments
• Will cover Exchange 2003 and 2007
• If you are on a different platform, please consult your technical support

Several Sources for Security Certificates
Certificate authority (CA): an entity that issues digital certificates
Verisign http://www.verisign.com
Network Solutions http://www.networksolutions.com
GoDaddy http://www.godaddy.com
Comodo http://www.comodo.com/
Digi-Sign http://www.digi-sign.com
HOW TO: Use Certificates with Virtual Servers in Exchange Server http://support.microsoft.com/kb/319574/

Difference between Exchange 2003 & 2007
Exchange 2003
• Requires a valid X.509 server certificate (suitable for TLS usage)
• DOES NOT support ‘Opportunistic TLS’
• Requires TLS to be configured manually (minimum 6 steps)
• Difficult to monitor TLS transmit-receive success/failures
Exchange 2007/2010
• Requires a valid X.509 server certificate (suitable for TLS usage)
• ‘Opportunistic TLS’ is automatically enabled (by default)
• Easy to monitor TLS transmit-receive success/failures
• Greater Message Control with Robust ‘Transport Rules’ Features
  • Block, Bounce, Copy, Append, Send to Archive, Quarantine

Verifying successful TLS session with MS Office 2007

Questions So Far before Technical Demonstration

Follow Up
• Follow-up email with our email addresses
• PowerPoint & Recording of presentation posted on “Security & Privacy” link at www.independentagent.com/act
• See more detailed info about security & privacy laws and regulations in the Appendix section of the posted PowerPoint

Mutual TLS
With Mutual TLS authentication, each server verifies the identity of the other server by validating a certificate that is provided by that other server. In this scenario, where messages are received from external domains over verified connections in an Exchange 2007 environment, Microsoft Office Outlook 2007 will display a ‘Domain Secured’ icon.

Mutual TLS Enabling Process with Exchange 2007
Process for ‘Server to Server’ Mutual TLS
1. Configure an additional IP Address (as necessary)
2. Create & Configure the SMTP Send Connector
3. Create & Configure the SMTP Receive Connector
4. Test & Verify Mutual TLS with the remote domain server

Mutual TLS Enabling Process with Exchange 2007
Mutual TLS Demonstration Scenario
1. Insurance Carrier requires a ‘Mutual TLS’ Session between their mail server and the agency’s mail server
2. Small agency with single Microsoft Exchange Server
3. No ‘Edge Transport Servers’ are present in their network.
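The four-step process above, applied to the demonstration scenario (one Exchange 2007 server, no Edge Transport), as an added example in the Exchange Management Shell rather than the console screenshots the webinar used. The cmdlets are Exchange 2007's Domain Security commands; the partner domain, server name, connector name and thumbprint are assumed placeholders.

```powershell
# Added example, not from the webinar deck: Exchange Management Shell version of
# steps 2-4 of the mutual TLS (Domain Security) process for Exchange 2007.
# Assumed names: partner domain "carrier.example", local hub server "HUB01",
# receive connector "Default HUB01". Run on the Exchange server as an org admin.

# Prerequisite: the X.509 certificate must be enabled for the SMTP service.
# Take the thumbprint from Get-ExchangeCertificate (the certificate verification
# slides above show the same data in the console).
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Services, NotAfter
Enable-ExchangeCertificate -Thumbprint '<THUMBPRINT-FROM-ABOVE>' -Services SMTP

# Step 2: a dedicated send connector for the partner with Domain Security on.
# -Usage Partner already sets DomainSecureEnabled; it is repeated for clarity.
New-SendConnector -Name 'Mutual TLS to carrier.example' `
    -Usage Partner `
    -AddressSpaces 'carrier.example' `
    -SourceTransportServers 'HUB01' `
    -DnsRoutingEnabled $true `
    -DomainSecureEnabled $true

# Step 3: the receive connector must offer TLS and have Domain Security on.
# AuthMechanism must include Tls; keep the mechanisms the connector already
# uses (the list below is the default set of the Default receive connector).
Set-ReceiveConnector -Identity 'HUB01\Default HUB01' `
    -AuthMechanism 'Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer' `
    -DomainSecureEnabled $true

# Organization-wide lists of domains for which mutual TLS is required in each
# direction; mail to a listed domain that cannot negotiate it is not delivered.
Set-TransportConfig -TLSSendDomainSecureList 'carrier.example' `
                    -TLSReceiveDomainSecureList 'carrier.example'

# Step 4: verify. Turn on verbose protocol logging for the connector, send a
# test message to the partner, then look for the STARTTLS exchange in the log.
Set-SendConnector -Identity 'Mutual TLS to carrier.example' -ProtocolLoggingLevel Verbose
$logDir = (Get-TransportServer -Identity 'HUB01').SendProtocolLogPath
Get-ChildItem -Path $logDir -Filter '*.log' |
    Select-String -Pattern 'carrier\.example|STARTTLS|220 2\.0\.0' |
    Select-Object -Last 20
```

A successful session shows the client's STARTTLS followed by the server's 220 reply before MAIL FROM; the partner side must complete the mirror-image configuration for the ‘Domain Secured’ icon to appear in Outlook 2007.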

Verifying X.509 Certificate in Exchange 2007

Configure Additional IP Address (as needed)

Create Send Connector for Mutual TLS

Create Receive Connector for Mutual TLS

Questions

Appendices
§ Details on State Security Regulations

Nevada 597.970
Who it applies to: “a business in this state”
What information it applies to: first/last name and SSN/drivers license/state ID/financial account + password when not encrypted
Examples: tax ID of small businesses, commercial fleet drivers’ license numbers
What is required: Encryption of electronic transmission, except facsimiles
What this means: Organizations doing business in or with other organizations in Nevada must support encryption if sharing data through e-mail, web sites, batch file transfers (FTP), Real Time, file uploads, wireless, web conferencing, etc.
Effective Date: October 1, 2008
Security controls to consider:
email: TLS*, proprietary solutions
web site, Real Time: SSL
batch file transfers: PGP, SFTP, VPN
file uploads: PGP, SFTP, FTPS, other
wireless: 802.11i, LEAP, WPA2 Enterprise
web conferencing: SSL
For more information see http://na.iiaa.org/ACT/downloads/ACT_TLS_FAQ.doc

Massachusetts 201 CMR 17.00
Who it applies to: all “entities” that own, license, store or maintain personal information about a resident of Massachusetts
What information it applies to: first/last name + SSN/drivers license/state ID/financial account - password when not encrypted, of any resident of the state
Examples: Insureds, claimants, employees; applications for insurance, claims, premium payments, claim payments, personnel records, etc.
What is required:
• Designating someone to maintain a comprehensive written security program
• Assessing internal and external risks to electronic and paper records
• Imposing disciplinary measures for violations of the security program
• Other common elements of a security program: monitoring, updating safeguards, annual review of program, etc.

Massachusetts 201 CMR 17.00
New items of note:
• Security of paper and electronic records taken off site
• Assigning unique user IDs and securing passwords
• Terminating logon accounts and passwords of terminated employees
• Contractually requiring vendors to comply with these requirements
• Limiting the time this information is retained (records management)
• Documenting breaches and conducting post-incident reviews of incidents
• Encryption of portable devices required (laptops, PDAs, phones, Blackberries, CD, DVD, USB drives)
• Encryption of transmitted information where feasible
• Reasonably updating firewalls and patching of systems connected to the Internet
Effective Date: March 1, 2010

Massachusetts 201 CMR 17.00
What this means for our industry / security controls:
• Agents, carriers and vendors must have a formal security program including specific physical, technical and administrative security measures, including third party oversight and management of portable devices
• Increased need for carriers and vendors to modify their systems, web sites, and Real Time interfaces to support industry standards for user administration and password management in agencies
• Implementation of TLS where technically feasible
• Organizations must have security staff or consultants available for administration of firewalls and patching of servers and workstations
For more information see: http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf

California DMV
Who it applies to:
• Entities that provide access to entities that are authorized DMV “requestors”
• Entities that access DMV information on behalf of authorized “requestors”
What information it applies to:
• Personnel information provided by the DMV
• Examples: MVR (CLUE, scoring, resident addresses)
What is required:
• Various requirements depending upon the circumstances. For example:
Those organizations with direct access to DMV systems and information must:
• lock down servers
• user accounts must lock out after 5 unsuccessful logon attempts
• users must select their own passwords, which must expire within 90 days
• potential security incidents must be reported within 1 business day to the DMV
Those permitting direct electronic access to information must identify the account IDs being used for that access so that they can be programmed into the system

California DMV
Individuals with access to DMV information must sign a security agreement form (1128), even if that individual is in another organization. The agreement requires:
• No password sharing
• Storing passwords in a secure place
• Any administrator or other with incidental access must sign the agreement as well
What this means for our industry / security controls:
• Carriers/vendors using DMV information to provide interactive rating information to agencies must store agency account IDs so that these IDs can be passed through their systems.
• Carriers/vendors which access this information for agencies or pass this information to agencies must retain specific logs of all such access for 2-5 years
• Carriers/vendors which access this information for agencies or pass this information to agencies must provide a copy of the agency contract upon request.
Effective Date: Various (all currently in effect)
For more information see http://www.dmv.ca.gov/forms_cra.htm