
Secure Messaging, Part 3: Secure Online Delivery

Novell Cool Solutions: Trench


Posted: 17 Jan 2002
 

Version: GroupWise 6

E-mail security is a very hot topic for our readers these days. Security is on everyone's minds now, in the wake of the terrorist attacks of September 11 and the subsequent anthrax attacks through the United States Postal Service. To help us explain the complex issues surrounding e-mail security and secure online delivery of information, we turned to our e-mail security partners at Tovaris.

In this third article of a series about e-mail security, we explore the opportunities for delivering confidential data - invoices, account statements, customer information, and corporate communications - via secure e-mail.

Tovaris is our newest secure messaging partner. They are an e-mail privacy and security company located in Charlottesville, VA, and outside Washington, D.C. Their product suite, the Tovaris E-mail Security Solution™ (TESS), provides e-mail security capabilities to financial services firms, healthcare providers, legal firms, and government agencies.

Also in this series:

  • Secure Messaging, Part 1: The Challenges of E-mail Cryptography
  • Secure Messaging, Part 2: PKI-Enabled E-mail Security
  • Secure Messaging, Part 3: Secure Online Delivery
  • Secure Messaging, Part 4: Protecting Confidential Medical Information with a Turn-Key E-mail Security Solution
  • Secure Messaging, Part 5: Protecting Confidential Financial Information with a Turn-Key E-mail Security Solution

    An Alternative Delivery Method for Sensitive Information

    Postal mail delivery of sensitive information has not been a topic of much discussion - or contingency planning - for enterprise information officers. As recent bioterrorism events prove, the United States Postal Service is vulnerable to attack and compromise, and significant disruption, in much the same way as the domestic air travel industry. Businesses that depend on the postal service can no longer take its reliability for granted.

    Enterprises need to consider their Internet infrastructure as an alternative delivery outlet for time-sensitive, mission-critical information, including account statements, bills, invoices, all types of customer information, and vital corporate communications.

    Debunking the Delivery Myths: Postal vs. Online

    Secure online delivery provides a private, trackable, efficient, and nearly instantaneous delivery mechanism for digital information. In this way, secure online delivery does for Internet-enabled users what the postal service does for "offline" recipients of paper documents and letters.

    Information delivered online in a strongly encrypted (secure) manner has distinct advantages over its postal counterparts, as is shown below in Table 1:

    | Postal Delivery | Online Delivery |
    |---|---|
    | Significant postal, paper, and printing costs | Tremendous postal, paper, and printing cost savings |
    | Delivery in days or weeks, can be delayed or disrupted | Nearly instantaneous delivery to any recipient with Internet access |
    | Susceptible to biological and chemical agents | Not susceptible to biological or chemical agents |
    | Can be read, copied, and altered while in transit | Cannot be read, copied, or altered while in transit |
    | Can be destroyed by weather and physical mishandling | Cannot be destroyed by weather or physical mishandling |
    | Messages cannot be delivered around problem areas, and are subject to significant disruption in service | Messages can be delivered around problem areas on the Internet, with little or no disruption in service quality |
    | Does not increase overall customer satisfaction, not seen as more private or more efficient | Increases overall customer satisfaction and loyalty, seen as more private and more efficient |

    Table 1: Postal Delivery vs. Online Delivery

    Recipients must have Internet access and an e-mail address to receive messages and documents online. There is little threat that your business will be unable to communicate with a large percentage of your customers or partners, as Internet usage reaches unprecedented levels in the business and consumer arenas.

    Push & Pull: Approaches to Secure Online Delivery

    There are five approaches to delivering information online, shown below in Table 2:

    | Approach | Examples | Secure? |
    |---|---|---|
    | Insecure Push | Copy of latest redlined legal agreement, sent from lawyer to client; current month's bill sent to subscriber; confidential invoice sent to client | NO |
    | Insecure Pull | Account information displayed on business Website; large file placed on FTP site for download by client | NO |
    | Secure Pull | Credit card information presented on secure bank Website; sensitive document uploaded to secure FTP site for download by partner | YES, with exceptions |
    | Secure Push | Secure, encrypted e-mail message sent to customer's familiar e-mail account, with sensitive information encrypted and attached | YES, with exceptions |
    | Invite to View Securely | Simple push notification message and secure pull, with recipient authentication | YES |

    Table 2: Approaches to Secure Online Delivery

    Insecure Push

    Information is sent (or "pushed") via e-mail to a recipient, with no encryption or protection. Pushing information is desirable to most enterprises because recipients can simply wait for their information to arrive as it becomes available, time-dependent, or important, but an insecure push severely jeopardizes the information being sent. Information pushed in an insecure fashion may be more convenient for the receiver, but it is susceptible to attack by hackers and criminals and can be "sniffed" (read) as it travels across the Internet. Information sent via an insecure push method offers no assurances that it has not been modified in transit.

    Insecure Pull

    Information is retrieved directly from a website or other file transfer location with no encryption, either of the information or file itself or the connection between the recipient (the "puller") and the website (the location from which information is being "pulled"). Information pulled in an insecure manner is not only inconvenient for the receiver but also makes the information itself available to hackers and criminals that are able to intercept, read, copy, modify, and resend the information as it travels across the Internet.

    Secure Pull

    Information is retrieved directly from a website or other file transfer location with a secure connection between the recipient (the "puller") and the website (the location from which information is being "pulled"). The information is not subject to the existing virus scanning, policy checking, archiving, or anti-spam services provided by the sending organization. This method provides the minimum acceptable level of security. It is not convenient or especially usable for the recipient, who is required to log in and retrieve his information from each sender separately.

    Secure Push

    Information is sent (or "pushed") via e-mail to a recipient, with strong encryption. This delivery may be combined with a secure retrieval of information from a website or other file location. Pushing information securely is most desirable as it allows recipients to wait for their information while also protecting that information from tampering or theft. This method is not convenient or even feasible for the vast majority of e-mail users who are not already familiar with e-mail security tools.

    Invite to View Securely

    Information is sent via e-mail with a three-step process. First, an e-mail notification message is sent to the recipient with a secure Web link. Second, the recipient follows the secure link back to the sender's network to retrieve the message and its contents. Third, the recipient replies to the original sender in a secure manner, allowing a secure conversation and closing the loop between sender and receiver.

    The notification message allows a "push" of information, while the secure pickup page ("pull") guarantees that the recipient is authenticated, the information is secured, and the delivery itself can be tracked.

    This "push and pull" approach enables a single recipient - who may use or subscribe to a number of services including credit cards, bank and brokerage accounts, and utilities - to conveniently receive statements from all of those services on a regular basis. With each of those accounts set to push securely to that person, he is able to retrieve all of his sensitive communications through a familiar e-mail inbox.
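
    The notification-and-pickup flow described above, as an added sketch that is not Tovaris or Novell code. The HMAC-signed link, the in-memory store, the hostname pickup.example.com, and every function name are assumptions made for illustration; the content is assumed to be encrypted before it is stored.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment signing key
STORE = {}     # message_id -> (recipient, already-encrypted content)
TRACKING = []  # (message_id, identity, event, timestamp)

def sign_link(message_id, recipient, expires):
    """Bind the pickup link to one message, one recipient, one expiry."""
    data = f"{message_id}|{recipient}|{expires}".encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()

def create_notification(recipient, encrypted_blob, ttl=7 * 86400, now=None):
    """Push: keep the content server-side and build the notification link."""
    now = int(time.time()) if now is None else now
    message_id, expires = secrets.token_urlsafe(16), now + ttl
    sig = sign_link(message_id, recipient, expires)
    STORE[message_id] = (recipient, encrypted_blob)
    TRACKING.append((message_id, recipient, "notified", now))
    # The e-mail carries only this link, never the sensitive content.
    link = f"https://pickup.example.com/m/{message_id}?exp={expires}&sig={sig}"
    return {"message_id": message_id, "expires": expires, "sig": sig, "link": link}

def pickup(message_id, expires, sig, authenticated_as, now=None):
    """Pull: release content only to the authenticated intended recipient."""
    now = int(time.time()) if now is None else now
    entry = STORE.get(message_id)
    if entry is None:
        return None
    recipient, blob = entry
    expected = sign_link(message_id, recipient, expires)
    if not hmac.compare_digest(expected.encode(), str(sig).encode()):
        outcome = "bad-signature"   # link was altered or forged
    elif now > expires:
        outcome = "expired"
    elif authenticated_as != recipient:
        outcome = "wrong-recipient"  # valid link, but someone else logged in
    else:
        outcome = "delivered"
    TRACKING.append((message_id, authenticated_as, outcome, now))  # audit trail
    return blob if outcome == "delivered" else None
```

    A forwarded or intercepted notification is not enough on its own: the pickup page still requires the intended recipient to authenticate, and every attempt, successful or not, lands in the tracking log.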

    Legacy-Enabling Your Secure Online Delivery System

    It is critical that your online delivery mechanism integrate easily with your existing legacy systems. No online delivery system should force you to re-engineer your system for creating information for delivery. Choose an online delivery system that is standards-compliant - based on X.509 and S/MIME security standards - does not require extensive or proprietary system development, and is extensible with future system development and features.

    Your legacy systems may output raw data into a formatting program for printing, which in turn feeds to a printing, labeling, postage, and direct mailing system. At whatever point information is put into a form that is usable to end recipients, you will need to connect your online delivery system, which will accept these human-readable files for encryption, storage, and subsequent delivery. Files can also be stored encrypted inside your own system while notification messages are sent out to recipients, who return to your website to pull their information directly from you, securely.

    Summary

    Postal delivery of sensitive information is vulnerable to theft, disruption, and significant delays. Secure online delivery of information provides the speed, efficiency, and cost savings of the Internet, while preserving the convenience of offline postal delivery.

    The Tovaris E-mail Security Solution™ (TESS) enables organizations to deliver sensitive information online with its innovative "push and pull" online delivery feature. TESS is virtually transparent to end users, eliminates costly training and lengthy implementation times, and is extremely easy for system administrators to deploy and manage.

    The Tovaris E-mail Security Solution™ integrates seamlessly into an organization's existing legacy systems, relieving enterprises of the expense of installing and managing custom developed systems. Because TESS is standards-compliant, it can extend the capabilities of other existing and planned information security systems. Additionally, the Tovaris E-mail Security Solution™ allows straightforward integration with server-based content scanning, virus checking and spam filtering solutions, allowing enterprises to effectively control their e-mail policies.

    For more information regarding the Tovaris Secure E-mail Solution™, contact Tovaris at 1-866-TOVARIS (1-866-868-2747) or visit the company's website at www.tovaris.com.

