Cryptzone Simple Encryption Platform Technical Presentation

Cryptzone Group AB (publ)
The Simple Encryption Platform – Technical Overview
Cryptzone Security Solutions
February 2011
For technical questions email support@cryptzone.com
Agenda
• Simple Encryption Platform (SEP) – An introduction
• Product presentation
• Technical Presentation of Secured eFile, Secured eCollaboration, Secured eMail and Secured eUSB
• Use cases for the Simple Encryption Platform
More resources
Direct access to the Cryptzone Group resource center
• Webinars – http://www.cryptzone.com/resourcecenter/recorded_webinars.aspx
• Demos / Workshops – http://www.cryptzone.com/resourcecenter/demos.aspx
• Whitepapers – http://www.cryptzone.com/resourcecenter/whitepapers.aspx
• Case Studies – http://www.cryptzone.com/resourcecenter/casestudies.aspx
• Solution Guides – http://www.cryptzone.com/resourcecenter/solutionguides.aspx
• Product Sheets – http://www.cryptzone.com/resourcecenter/product_sheets.aspx
• Security as a Service – http://www.cryptzone.com/resourcecenter/saas.aspx
• Software Manuals – http://www.cryptzone.com/library/#3
Elevator pitch

Secured eUSB – Centrally managed USB encryption tool
Secured eUSB makes it possible to convert a regular USB flash drive into a secured USB flash drive with strong security that users can safely travel with. The central management console offers detailed content reporting about every flash drive and the ability to lock down or wipe the flash drive.

Secured eCollaboration – Microsoft SharePoint file security & encryption
Secured eCollaboration is a file encryption & security add-on to your existing Microsoft SharePoint® deployment. It adds functionality which allows users to encrypt documents and files right from within SharePoint, but also on the user's desktop, USB flash drives, portable hard drives, network drives, etc.

Secured eFile – Centrally controlled file/folder security and encryption
Secured eFile enables the end user to secure any file or folder and assign specific rights to it. The secured data can be stored on any media, and it is possible for the end user to change the access rights of the file and its copies at any time.

Secured eMail – Policy-controlled email encryption
Secured eMail makes it possible for the end user to send secured emails and attachments to anyone directly from Outlook and Lotus Notes. The receiver can open the secured email on any platform, such as Mac, PC, iPhone, iPad, Blackberry, Symbian and Android.
SEP – Simple Encryption Platform
See a video at http://www.cryptzone.com/demos/Simple_Encryption_Platform_Presentation/

[Architecture diagram; recovered labels, listed by column]

Client Applications
• Document Security – Secured eFile, Secured eCollaboration
• Outbound Compliance – Secured eMail
• Endpoint Security – Secured eUSB

Server
• Global Object Synchronization: Policies, Licenses, Shared Secrets, Encryption Keys, EPM Stealth Keys, Passwords, Templates
• Standard SQL database platform
• One way synchronization with directories: Active Directory, Lotus Domino, LDAP, Custom directory files
• Existing infrastructure integration such as Microsoft RMS and content management solutions

Management Console
• Basic Management: Role based administration, User rights management, Policy design and administration, Auditing and incident reporting, Education management, Help Desk / Lost password Recovery
• Intellectual Property: EPM – Enterprise Protection Method, Resource/License Management, DCR – Data Content Reporting
Secured eFile – EPM
Encrypt Network Files/Folders for automatic authentication

Best Practice
• Proactive management platform and intelligent client synchronizes:
– Security policies
– Stealth encryption keys
– User and system access rights
– Password & helpdesk recovery passwords
• Intuitive interface and workflows
• Empowerment for internal/external users
• Audit trail of all end user actions
• Integration with Active Directory

Security Methodology
• EPM (Enterprise Protection Method)
• Document creator can add/remove access rights
• Manage access to documents – Manager, Contributor and Reader levels
• System access protection – one password
• FIPS certified AES256 encryption algorithm

Features
• Regulatory Compliance – Sarbanes Oxley, GLB Act, HIPAA HITECH, FTC Red Flag Rules
• EPM Stealth Key Technology which allows automatic authentication & key management
• End users can secure data and add access rights to AD users and groups
• Create Secured Groups that can collaborate and share secured content without passwords
• Secured file(s)/folder(s) can be placed on any media or device including network shared drives, FTP servers, DVDs, etc.
• Share data with customers and partners
– Free Reader
– Self-Extracting option
• Recovery password and Help Desk tools
• All secured data is automatically compressed
Secured eCollaboration
Secure Documents with automatic authentication

• What is Secured eCollaboration
– SEP Management Console
– SEP Server
– SEP Client
– Add-in to SharePoint
• Centrally managed by SEP, integrated with Active Directory & SharePoint
• Enterprise Protection Method
– Automatic authentication
– Automatic key management
– Client based document rights management
– Help Desk/Lost password recovery
– Automatic upload of encrypted files
• Regulatory Compliance – HIPAA HITECH, SOX, GLB Act, FTC’s Red Flag Rules
• Simple to use – one click encryption
• An icon is added that shows the document is encrypted; sharing access – double click to open
• User workflow doesn’t change
• Supports full “versioning”
• Supports “check-in/check-out”
Secured eCollaboration – EPM
Secure Microsoft Documents with automatic authentication

Best Practice
• Proactive management platform and intelligent client synchronizes:
– Security policies
– Stealth encryption keys
– User and system access rights
– Password & helpdesk recovery passwords
• Intuitive interface and workflows
• Empowerment for internal/external users
• Audit trail of all end user actions
• Integration with Active Directory

Security Methodology
• EPM (Enterprise Protection Method)
• Document creator can add/remove access rights
• Manage access to documents – Manager, Contributor and Reader levels
• System access protection – one password
• FIPS certified AES256 encryption algorithm

Features
• Regulatory Compliance – Sarbanes Oxley, GLB Act, HIPAA HITECH, FTC Red Flag Rules
• User workflow doesn’t change
• Simple to use – one click encryption
• Supports full “versioning”, “check-in” & “check-out”
• Document icon visually shows the document as encrypted
• Secured documents can travel and rest secured on any media or device including network shared drives, FTP servers, DVDs, etc.
• EPM Stealth Key Technology and automatic authentication/key management
• End users can secure data and add access rights to AD users and groups
• Share data with customers and partners
– Free Reader
– Self-Extracting option
Cliff Notes on Secured eMail
Proven market leader!

• Simply press the “send secured” button in Outlook or Lotus Notes, or use automatic encryption through custom policy control – Secured eControl
• Send to anybody in the world regardless of their email client, OWA, or web service – Yahoo Mail / Google Mail
• Recipient can view emails with a client application, browser or portable device: iPhone, iPad, Android device, Symbian device, PDA
• Centrally managed by SEP, integrated with Microsoft Active Directory. Centralized control of:
– User access rights
– Password and security policies
– Customized templates
– Secured Groups
• Enterprise Protection Method
– Automatic authentication
– Automatic key management
– Manage group access rights using the AD infrastructure
• Global Object Synchronization
– Proactive server management
– Intelligent SEP Client syncs change state in real time
– Controls access rights & encryption key management
• Global Communications service
– In-house web service to allow all users to read & reply to all encrypted emails
– Customize the template interface to your exact requirements
• Strong Encryption
– AES 256 bit – FIPS 140-2 Certified Methodology
What is Global Communications?
What does it do for my organization?

• Global Communications is an in-house service that you can customize to look exactly how you want it to look!
• Global Communications is a fool-proof method of delivering encrypted emails for any type of user, any client, any device!
• Global Communications can control how long you want to offer delivery of the encrypted email!
• Secured eMail and our Global Communications functionality don’t impact your Microsoft Exchange Server or Domino, nor require additional network infrastructure to support the web service!
Secured eMail
Secured eMail – End Point Security for eMail Encryption

Best Practice
• Proactive management platform and intelligent client synchronizes:
– Security policies
– Stealth encryption keys
– User and system access rights
– Password & helpdesk recovery passwords
• Intuitive interface and workflows
• Empowerment for internal/external users
• Audit trail of all end user actions
• Integration with Active Directory

Security Methodology
• System SKG patented encryption technology
• Strongest methodology available
• Automatic authentication – key management
• System generates dynamic one-time keys for each content element
• System access protection – one password
• FIPS certified AES256 encryption algorithm

Features
• Regulatory Compliance – Sarbanes Oxley, GLB Act, HIPAA HITECH, FTC Red Flag Rules
• Fully integrated into Microsoft Outlook and Lotus Notes
• End to end messaging – virtual channel
• Send to anyone capability – any client app or web based email
– Receivers can download a full Reader and reply back secured for free
– Receivers can activate a Reader Lite with zero footprint
• Ease of use – press “Send secured” or send with a Secured eControl policy
• Centralized policy based email encryption
• Archive encrypted and compressed
Secured eUSB
eUSB – Encrypts ANY USB flash drive in the market today!

Best Practice
• Proactive management platform and intelligent client synchronizes:
– Security policies
– Stealth encryption keys
– User and system access rights
– Password & helpdesk recovery passwords
• Intuitive interface and workflows – no training
• Audit trail of all end user actions
• Lost flash drive – Kill Pill support
• Integration with Active Directory

Security Methodology
• EPM (Enterprise Protection Method)
• FIPS certified AES256 encryption algorithm
• Brute force protection and automatic data compression up to 5:1
• Zero Footprint Deployment
• Enforced synchronization of portable device

Features
• Distributed or Zero Footprint Deployment
• Regulatory Compliance – Sarbanes Oxley, GLB Act, HIPAA HITECH, FTC Red Flag Rules
• Security Policy – whole drive or partial encryption
• Security Policy based enforced encryption
• Fastest encryption – 16 GB in one minute
• Encryption .exe is portable; use on any computer in the world – no license required!
• Secured workflow – work in a “secured vault” – create, edit, delete
• Unlimited passwords
• Help Desk lost password recovery support

DCR – Data Content Reporting
• Inventory list of all secured USB flash drives and which user owns each one
• Monitor all content on every secured USB flash drive in the organization, by manufacturer
• Automatic data audit reporting – by user, access, actions and files
The Simple Encryption Platform (SEP)
Secured eMail, Secured eFile and Secured eUSB
Components
From Small Businesses to Large Enterprises

Standard components
• SEP Server – Runs as a service on the main server.
• SEP Management Console – .NET based management application that can run on the server or on any desktop. This means it is possible to do management from any location of choice.
• Client Distribution package – Contains the MSI generator that will create the MSI package.
• SEP Client installation package – Generated inside the SEP Management Console.

Additional components
• Secured eCollaboration solution – A WSP add-in that integrates into SharePoint.
• Secured eMail – For Lotus Notes there is a Lotus Notes deployment tool and template editor.
• Secured eUSB – All encrypted USB flash drives have a Secured eUSB client that operates the end user interface and the connection to the SEP server.
Enterprise Deployment Architecture Diagram
Cryptzone deployment architecture diagram

• Storage – All data is stored in a SQL database. The SEP server can connect to any standard Microsoft SQL database.
• Directories – The SEP main server can connect to Active Directory and SharePoint for user and group management.
• The SEP client can connect to the central server using SSL or HTTPS.
• Deployment and scaling instructions can be found at http://www.cryptzone.com/downloadcenter/enterprise/

[Diagram: Directory Services and Microsoft SQL Server; Main company server (SEP Server, SEP MC); Backup server (SEP Server, SEP MC); Organization Network with synchronized SEP Clients (Clients using SEP)]
Installation and set up
From Small Businesses to Large Enterprises

• A standard installation takes 1-4 hours depending on set up.
• The solution comes with a Best Practice Set up Wizard that is easy to follow. The Best Practice policy is the most commonly used policy among Cryptzone customers. The wizard will assist with set up of:
– AD connection and sync
– Define Master Password
– Define Admin Password
– Select the main administrator
– License management policy
– Assign default policy to all users
– Generate custom templates
• The Cryptzone Professional Services team can assist organizations in the set up process of the solution.
• The configuration manual helps organizations configure the pre-designed Best Practice policy to fit the organization’s requirements. The configuration manual is available at http://www.cryptzone.com/downloadcenter/enterprise/
• A special manual on how to set up the solution for external access using a web service is available at http://www.cryptzone.com/downloadcenter/enterprise/
• A special manual for Lotus Notes users is available at http://www.cryptzone.com/downloadcenter/enterprise/
Redundancy and backup
No worries

SQL Database
• The core component of the Simple Encryption Platform is the SQL database. This means it is very important to back up the database daily.
• The database can easily be moved to any location without any problems.
• SEP Clients will not be affected if the server where the SEP server components are installed goes down or fails. The SEP server and SEP Management Console can easily be reinstalled and reconnected to the SQL Database in less than 10 minutes.

Clients
• If the SEP server goes down the SEP clients will continue to function without any issues. Lost functionality will be:
– Policies cannot be updated centrally.
– NEW encryption keys cannot be synchronized.
– Users cannot change access rights to secured files/folders.
– If a user secures a file/folder the user cannot add access rights for other users.
– USB memory sticks that have been encrypted with Secured eUSB will capture log files locally until the SEP server is up and running, and will then deliver the updated information.
– Licenses cannot be moved or changed.
Considerations
Storage and network utilization

Enterprise Server
• One user profile will on average store up to 100 k per user profile.
• The network handshake between the Management Server and the SEP Client or agent takes 8 KB.
• SEP Client and user agent have separate policy updates, but these average 0.4 KB – 1 KB per policy depending on the information included. An event takes approximately 0.4 KB. Sending an event to the Management Server takes 1 KB, not including the event file itself (the log file).
• The SEP Client and Secured eUSB store logs locally until synchronized with the server. Log size varies depending on the number of changes performed per action. Logs are filtered and compressed before transfer to SEP to minimize traffic and storage. A log file for normal file usage is estimated at 0.6 KB per completed action on average.

Desktop Client
• The SEP Client dynamically loads and releases resources as needed; system resources used will vary depending on tasks and licenses. In passive mode the SEP monitor uses ~2700 KB of memory and the USB monitor around 980 KB. CPU usage is negligible.
• In active mode during a user session, the task of securing a file averages around 8 MB for the SEP monitor and 4-10 MB for SEMX Explorer. SEMX can have a peak memory usage of 27 MB for an operation, and on a 2.4 GHz system CPU usage averages 50% during intense encryption operations.
• Opening additional secured folders uses 4-10 MB for each folder, so should a user choose to have 10 active secured folders the combined memory usage would be 40+ MB. As folders are closed and the SEP Client is logged out, memory usage returns to passive mode. During a normal install, disk space usage is below 15 MB for the SEP Client, and the log file can be size restricted or disabled depending on configuration.
Uninstallation
What to think about

Encrypted data
• Files and folders – All encrypted files and folders need to be decrypted before uninstalling the software.
• USB memory sticks – An encrypted USB memory stick will continue to function without the SEP Server. To uninstall the solution from the USB memory stick, decrypt all data and then format the stick.
• Emails – If the organization needs easy access to encrypted emails, then the archive function should be activated when the software is installed. The organization will then have centralized storage of all sensitive data. The data can be stored secured or unsecured.

SEP Server
• Store and document the Master password and all Group passwords.
• Back up and store the database for future reference.
• Store a set of the installation files and manuals.
Support and documentation
With focus on professional support

Support
• Support calls available – 24/7/365. Cryptzone support is performed by highly skilled Solution Engineers who will contact the customer within 24 hours for personal support.
– Phone UK: +44 800 680 0657
– Phone USA/Canada: +1.888.533.6365
– Phone Sweden: +46 (0)31 773 86 93
• Customers can email support questions to support@cryptzone.com or go to www.cryptzone.com/support for more help.
• The Solution Engineers have access to professional tools making it possible for them to see the customer's screen and give better support.
• The Cryptzone Professional Services team offers special support, deployment, training etc. at a fee.

Documentation
• Manuals and instructions can be downloaded at www.cryptzone.com/downloadcenter/enterprise
• For whitepapers and more technical papers go to www.cryptzone.com/downloadcenter/enterprise
• FAQ and discussion forum are available at http://support.cryptzone.com/
Use Cases for the Simple Encryption Platform
Password Recovery for Secured eMail
No helpdesk necessary

• Shared secret recovery – If the user needs to remember a shared secret created for a specific secured contact, the user can find this information in their own client. The user simply goes to settings and the secured contact list. There they can display all shared secrets ever created for a secured contact.
• Central Policy – Whether this is possible or not can be defined by policy.
Password Recovery for Secured eFile and Secured eUSB
Password Recovery Wizard

• Helpdesk user – The system comes with a ready to go Helpdesk user that can perform the Password Recovery task.
• User message – Everywhere an end user needs to enter a password there is a message informing them about password recovery. It is possible to centrally define this information.
• Recovery ticket – For every secured file, folder or USB there is a unique recovery ticket.
• Recovery wizard – The system offers a Recovery Wizard for the helpdesk. The wizard will tell the helpdesk personnel which user created the secured file, folder or USB. This is to assist the helpdesk in doing a security check of the person calling.
Restore of user profile
Nothing to worry about, it is all automatic

Issues
• User profile in Citrix / Terminal server gets damaged and needs to be recreated
• User machine crashes and the data cannot be restored
• User has several machines
• Windows crashes
• Etc…

Solution
• Global Object Synchronization – Cryptzone has built a synchronization concept where information like policies, licenses, encryption keys, logs, templates etc. is automatically synchronized between the Cryptzone server and one or several clients. For the IT department this means that recovery is fully automatic should any of the issues listed above happen. All that needs to be done is to reinstall the client.
• Encrypted emails, files and folders can and will be backed up in the same procedure as any other email, file or folder.
Give licenses to end users
License management

How to give a license
• Licensing for SEP is managed per user. Each user is allowed to have the software installed on several machines and only 1 license will be used.
• The SEP Management Console is used to manage licenses. A license can be added to or removed from a user on the fly.
• The system comes with the ability to manage licenses by policies. Example:
– If a user belongs to a certain group the user will receive a license automatically. If the user is removed from the group the license will be removed.
– A group can be an AD group, SharePoint group or custom created group in the system.
– The system manager can give licenses to end users manually.
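The group-driven licensing rule above can be read as a small reconciliation step: on every directory sync, the set of users who should hold a license is recomputed from group membership plus manual grants, and the difference against the current license list gives the additions and removals. The following is an added illustration of that rule, not Cryptzone's code and not the SEP Management Console API; the functions, user names, group names and installation data are constructed for the example.

```python
# Added illustration, not Cryptzone's code: a minimal reconciliation of
# policy-based license assignment as the slides describe it. Users who are
# members of a licensed group (AD, SharePoint or custom) get a license,
# lose it when they leave the group, manual grants by the system manager
# are kept, and a user consumes one license however many machines they use.
# All names and group/membership data below are constructed sample values.

def reconcile_licenses(memberships, licensed_groups, manual_grants, current_licenses):
    """Return (desired, to_add, to_remove) for one policy evaluation.

    memberships      : {user: set of groups the user belongs to}
    licensed_groups  : groups whose members receive a license automatically
    manual_grants    : users licensed by hand by the system manager
    current_licenses : users holding a license before this evaluation
    """
    licensed_groups = set(licensed_groups)
    desired = {user for user, groups in memberships.items()
               if set(groups) & licensed_groups}
    desired |= set(manual_grants)
    current = set(current_licenses)
    return desired, desired - current, current - desired


def count_seats(licensed_users, installations):
    """Licenses are per user: several installs by one user use one seat.

    installations : {user: set of machine names with the client installed}
    Returns (seats_used, installs_total).
    """
    licensed = set(licensed_users)
    installs_total = sum(len(m) for u, m in installations.items() if u in licensed)
    return len(licensed), installs_total


def apply_directory_change(memberships, user, group, present):
    """Simulate a directory sync: add or remove a user from a group and
    return the updated membership map (a new dict; the input is untouched)."""
    updated = {u: set(g) for u, g in memberships.items()}
    updated.setdefault(user, set())
    if present:
        updated[user].add(group)
    else:
        updated[user].discard(group)
    return updated


# Constructed sample data
SAMPLE_MEMBERSHIPS = {
    "alice": {"Finance"},
    "bob": {"Sales"},
    "carol": {"Finance", "Sales"},
    "dave": set(),
}
SAMPLE_LICENSED_GROUPS = {"Finance"}
SAMPLE_MANUAL_GRANTS = {"dave"}          # licensed by the system manager
SAMPLE_CURRENT = {"alice", "bob"}        # bob's license no longer matches policy
SAMPLE_INSTALLS = {"alice": {"pc-01", "laptop-01"}, "carol": {"pc-02"}, "dave": {"pc-03"}}


def demo():
    desired, add, remove = reconcile_licenses(
        SAMPLE_MEMBERSHIPS, SAMPLE_LICENSED_GROUPS, SAMPLE_MANUAL_GRANTS, SAMPLE_CURRENT)
    seats, installs = count_seats(desired, SAMPLE_INSTALLS)
    # Carol leaves Finance: her license is removed on the next evaluation
    after = apply_directory_change(SAMPLE_MEMBERSHIPS, "carol", "Finance", present=False)
    _, _, remove_after = reconcile_licenses(
        after, SAMPLE_LICENSED_GROUPS, SAMPLE_MANUAL_GRANTS, desired)
    return {"desired": desired, "add": add, "remove": remove,
            "seats": seats, "installs": installs, "remove_after_change": remove_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

Running the sample gives three desired licenses (alice and carol via the Finance group, dave by manual grant), one removal (bob) and, for the seat count, three seats against four installed machines, because alice's two machines consume a single license. Removing carol from Finance and re-running the reconciliation yields exactly one removal, which is the automatic behaviour the slide describes.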
An employee leaves
How to recover all information

Data recovery
• Encrypted USB sticks – All USB sticks can be opened with the master password.
• Secured files and folders – All secured files and folders can be opened and decrypted with the master password.
• Secured eMail – Simply log in as the user to a profile and all secured emails can be accessed. Another possibility is to use the archiving function, where all secured emails can be stored at a central location.

Lock down
• Encrypted USB sticks – Can be locked down using the Kill Pill command in the SEP Management Console.
• Secured files and folders – Will be locked down automatically using the AD Disable or Delete command for an AD account. It is also possible to remove access by removing the user license.
• Secured eMail – Will be locked down automatically using the AD Disable or Delete command for an AD account. It is also possible to remove access by removing the user license.
Cryptzone Group (publ) AB
Global Headquarters: Drakegatan 7, SE-412 50 Goteborg, Sweden
+46 31 776 86 00
www.cryptzone.com
support@cryptzone.com