HPE Secure Mail - 敦新科技 DAWNING
TRANSCRIPT
• Transform to a hybrid infrastructure
• Enable workplace productivity
• Protect your digital enterprise
• Empower the data-driven organization
Proactively protect the interactions between users, applications and data across any location or device.
Hewlett Packard Enterprise: Protect your digital enterprise
What Problems Does it Solve
Data-centric security for email and attachments
Compliance with privacy regulations
Protection of intellectual property
Migration to cloud business email
Important HPE SecureMail Requirements
Simple User Experience – Like Regular Email
Single Technology – HPE IBE – for All Use Cases
Simple to Manage – Stateless Architecture
DLP, AV / AS, Archive, eDiscovery Support
Outlook, Exchange, Windows AD Support
HPE Data Security – SecureMail
About HPE Identity-Based Encryption (IBE)
Challenges with Traditional Technologies
Difficult to Use
Not business friendly / no ad-hoc
Incompatible (Gmail, Android)
High TCO
Legacy PKI: S/MIME, PGP, OpenPGP
Proprietary Symmetric Key
Proprietary Webmail
Data Loss Risk
Complex key management
Active code in messages / PDFs
High TCO
Costs Rise w/ Use
Key and message stores to manage
e-discovery breaks, fines
Limited functionality
The HP Security Voltage Unique Advantage
HPE Identity-based Encryption (IBE) and Stateless Architecture
• 60-80% lower cost of operations, 75% less infrastructure
• Simple user experience across desktop, Web, and mobile
• Seamlessly integrates with email and enterprise ecosystem
What is Identity-based Encryption (IBE)?
IBE is a public-private key technology
• Ad-hoc: Keys generated from email addresses
• Stateless: No key store – generated on the fly
• 100% Push: Single message format
Concept originally proposed by Adi Shamir in 1984
• Eliminate the complexity of traditional PKI
DoD funded research at Stanford in 2000
• Voltage formed in 2002
Extensive peer review and standardization
• IEEE 1363.3 – Standard for Identity-Based Cryptographic Techniques using Pairings
• RFCs: RFC 5091, RFC 5408, RFC 5409
Innovation
HP Identity-based Encryption (IBE): How it Works
Alice Sends Email to Bob
[Diagram labels: Alice; Bob; HP SecureMail Key Server; Bob’s Private Key; steps 1, 2, 3]
HPE IBE: Scalability & Disaster Recovery
Scales to Millions of Users
• No user key store
• No message store
• Load balanced servers
Disaster Recovery is Effortless
• One time backup of base key
• Fast recovery with no data loss
[Diagram labels: HP SecureMail Servers 1 & 2; HP SecureMail Servers 3 & 4]
HPE IBE: Flexible Authentication
• Key generation is independent of authentication
• Authentication can be dynamically changed to meet policy requirements
• Out of the box support for AD, LDAP, native enrollment server
• Authentication Adapter to meet other authentication requirements
[Diagram labels: HP SecureMail Key Server; Auth Service (four instances)]
HP Security Voltage
Client – Protect Email and Files End-to-End
HPE SecureMail Outlook Plug-In
• Send Secure within Outlook
• Access Global Address List
• Send to Distribution Lists based on AD membership
• Windows AD single sign-on
• Enforce client encryption rules
HPE SecureFile Office & Windows Plug-Ins
• HP SecureFile Encryption button within Microsoft Office
• Right-click to encrypt files supported on Windows (e.g., PDF)
HPE SecureMail
HPE SecureFile
Simple Browser Interface for Recipients
• HTML message pushed to existing mailbox
• Open in browser – no client software to install
• Easy for anyone to do business with you
• Simple and familiar user experience
HPE SecureMail Mobile
• Simple, native user experience – smartphones and tablets
• Data centric protection for all mobile use cases and users
• Full functionality: read, compose, contacts, policies, more
• Protect beyond MDM and Containers – B2B and B2C
• Message-level policy control
• App store distribution
HPE SecureMail Architecture
HPE SecureMail Architecture
One Solution for Desktop, Web, Mobile, Cloud, Applications, and Automation
[Diagram zones: DMZ; Internet; Corporate Network]
[Diagram labels: HPE SecureMail Gateway + Key Server + ZDM Server; DLP / AV, AS / MTA; Archive; Mail Server & Mobile Server; Native Mobile Apps; HPE SecureMail Encryption client; HPE SecureMail Applications (REST API); HPE SecureMail ZDM Client; ZDM; HPE SecureMail Gateway]
Inspection for Encrypted Messages
[Diagram zones: DMZ; Internet; Corporate Network]
[Diagram labels: Anti-Spam; Anti-Virus; Data Leak Prevention Server; HPE SecureMail Gateway + Key Server]
Internal Encryption
Same solution for internal and external
[Diagram zone: Corporate Network]
[Diagram labels: Mail Server; HPE SecureMail Key Server; Hardware Security Module; Active Directory; HPE SecureMail Management Console]
Supervisory Control & eDiscovery
[Diagram zone: Corporate Network]
[Diagram labels: Approach 1*; Approach 2; Approach 3; Mail Server; Mail Archive with HPE SecureMail Archive Connector*; HPE SecureMail Encryption Gateway; Mail Archive; Mail Archive; Supervisory Control; HPE SecureMail eDiscovery Accelerator (for IT/IS)]
* Symantec Enterprise Vault only
Multi-tenant Architecture
– Independent tenants for
  – Lines of business
  – Use cases
  – Geographies
– Each tenant uniquely supports
  – Policies and reports
  – Branding and languages
  – Role-Based admin
  – Base keys and districts
– All tenants managed
  – Centrally or by line of business
[Diagram labels: T-1; T-2; T-3; T…N; Commercial Insurance; Commercial Banking; Wealth Management; Personal Banking; Loans and Credit]
HPE Data Security – SecureMail
Summary
Value of HPE SecureMail
Simple, Native User Experience – Just Like Regular Email
• Outlook, iPhone, iPad, Android, Blackberry, Web
HPE Stateless Key Management Architecture
• No key or message store to manage
• Low operational and infrastructure costs
Single HP IBE Solution for All Use Cases
• Internal and external protection and compliance
• Single technology (HP IBE, 100% push, message format)
DLP, AV / AS, Archive, eDiscovery Support
• Full content scanning, filtering, and supervisory control
Outlook, Exchange, Windows AD Support
• Global Address List, Distribution Lists, Contacts
• AD Authentication, AD Groups
Voltage SecureMail Competitors
Competitor | Category & Strategy | Key Weaknesses | Key Strengths | Replacement Examples/Wins

• Weak.
• Brand based sell.
• Bundled with other products
• PGP – keys and certificates
• Cloud solution is Echoworx
• Multiple delivery methods
• No innovation from Symantec
• Brand
• Legacy PGP base
• Symantec Channel
• Major Global Bank based in HK/UK, Global Credit Card Brand, Major Wall St Bank.

• Weak
• Brand based sell
• Bundled with other products.
• IronPort Encryption Appliance EOL
• Migrating customers to CRES
• Mobile solution – no central policy management
• Brand
• IronPort Appliance for email routing is solid.
• CISCO Channel
• Top US Health Insurer, Major US Global Investment Bank, Top 10 US Payment Processor

• Strong
• Consolidation play vs Best of breed, cloud play.
• Mid market focus
• SKI – per message keys
• Cloud only
• Poor mobile experience
• Full service cloud email management including encryption
• Major US Investment Fund Management Firm
• Top 10 US Bank

• Weak in enterprise, strong in SMB Healthcare
• Service play
• Best Method of Delivery means inconsistent user experience
• ZixOne - No Data on the Device
• Integrated with Google Apps
• Reseller channel
• Mostly cloud impact
• Some Cloud users moved to Zix, then back to Voltage after a few months.
HPE Data Security – SecureMail Add-on
Application Edition
Application Edition
• Protect email that is sent and received by applications & websites
• Data is at risk even in your network – protects internal & inbound email
• Protect email off the backbone – minimize changes to mail flow
• Web Services API enables simple, fast, and low cost integration
Application Edition
[Diagram panels: Before; After]
[Diagram labels: Corporate Network; Application; HP SecureMail Server; Employees; SMTP]
Example Use Cases
• Internal Approval Workflows
• Inbound Web Form Submissions
• Provisioning Credentials
• Password Reset Messages
• Fax to Email
• Scheduled Reports
• Enterprise Collaboration Tools
• Enterprise Private Social Networks
HPE Data Security – SecureMail
Backup Slides
HPE IBE: Key Generation
Public Key: Email + Public Params
Private Key: Email + Master Secret
HPE SecureMail Key Server, HSM*
* Optional
Public Parameters: P=1564585547321
Master Secret: S=1872361923616378
HPE IBE: Key Expiration and Rotation
• Keys are automatically rotated weekly
• What happens if Bob loses his private key?
• Key Server generates any required key on the fly
• How are emails accessed for eDiscovery?
• On-the-fly key generation provides auditor access
[Diagram: e-mail address || weekly nonce (week = 252)]
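The on-the-fly key generation, weekly rotation and base-key recovery described in these slides, as an added Python example that is not HPE's code: HMAC-SHA256 stands in for IBE private-key extraction, which in real IBE (RFC 5091) is pairing-based and also lets a sender compute the public key from the e-mail address and public parameters, a property this stand-in does not model. The week epoch, identity encoding, address normalisation and master secret are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct
from datetime import date, timedelta

# Assumption: weeks are counted from this constructed epoch (a Monday).
# The slide only shows "week = 252" and does not say what week 0 is.
EPOCH = date(2012, 1, 2)

def week_index(day: date) -> int:
    """Weekly nonce for a calendar day: whole weeks elapsed since EPOCH."""
    return (day - EPOCH).days // 7

def identity(email: str, week: int) -> bytes:
    """Identity string 'e-mail address || week' in an unambiguous encoding.

    A length prefix and a fixed-width week keep two different
    (address, week) pairs from ever encoding to the same bytes.
    Lower-casing the address is an assumption of this example.
    """
    addr = email.strip().lower().encode("utf-8")
    return struct.pack(">H", len(addr)) + addr + struct.pack(">I", week)

class KeyServer:
    """Holds only the base (master) secret: no per-user or per-message store."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def extract(self, email: str, week: int, authenticated: bool) -> bytes:
        # The authentication decision is made elsewhere and passed in;
        # the derivation below does not depend on how it was reached.
        if not authenticated:
            raise PermissionError("requester not authenticated for this identity")
        # Stand-in for IBE private-key extraction (hypothetical, not HPE's).
        return hmac.new(self._master, identity(email, week), hashlib.sha256).digest()

def demo() -> dict:
    master = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    primary = KeyServer(master)
    restored = KeyServer(master)  # rebuilt after a disaster from the base-key backup
    week = week_index(EPOCH + timedelta(weeks=252, days=3))
    current = primary.extract("Bob@example.com", week, True)
    return {
        "week": week,
        # Next week's identity yields an unrelated key (rotation).
        "rotated": current != primary.extract("bob@example.com", week + 1, True),
        # A lost key, or a rebuilt server, regenerates the identical key.
        "recovered": current == restored.extract("bob@example.com", week, True),
        # An auditor can request the key for any past week on demand.
        "audit_key_len": len(primary.extract("bob@example.com", week - 10, True)),
    }

if __name__ == "__main__":
    print(demo())
```

Because every key is a function of the master secret and the identity string, the only state that needs backup is the master secret itself, which is also why its protection (the optional HSM on the key-generation slide) carries the whole system.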
Flexible Deployment Options
HPE SecureMail can be deployed
• In the cloud, on-premise, hybrid
• For public clouds (e.g., Office365)
Solutions can be migrated* from
• On-premise → Cloud
• Cloud → On-premise
• . . . with no loss of data
* May depend on selected licensing option
HPE Security Voltage