The saga of the missing data continues as organizations think up ways to tie up loose ends around their security infrastructure, especially where there is sensitive, personal information involved.
Toronto-based ING Canada, a financial services firm with close to 7,000 employees, is banking on e-mail encryption to secure confidential data that’s sent out to external partners and customers.
But the company didn’t want any of the complicated and infrastructure-heavy solutions; it sought a simple and easy encryption tool with little or no maintenance requirement on the IT side, said Minaz Sarangi, vice-president of architecture, information risk management, ING Canada.
It was also important for the company that the new e-mail encryption mechanism would not require external partners to download any program, such as ActiveX, to view encrypted messages, Sarangi said.
After going through stringent evaluation, a product called Voltage SecureMail, from Palo Alto, Calif.-based Voltage Security Inc., won ING Canada’s favour. One of the product’s advantages over the others was that it’s built around identity-based encryption (IBE) technology, said Sarangi.
IBE is an encryption technique that uses a person’s unique identity, such as an e-mail address, as the person’s public key. Unlike traditional PKI systems, IBE does not require a third-party certificate to establish a person’s identity for the confidential exchange of information.
Voltage’s SecureMail enables ING Canada to use a partner’s e-mail address to establish his or her identity as an ING-trusted e-mail recipient and allow secure e-mail communication with that partner, Sarangi said. While encryption, decryption and other mathematical processes may be going on behind the scenes, Sarangi said from the perspective of a user, the process is simple: An encrypted e-mail is sent out to a first-time recipient. To open the message, the recipient is asked to click on a URL that would direct the recipient to the Voltage server and facilitate the authentication process of identifying and creating an account.
From then on, succeeding e-mails between the authenticated recipient and the ING employee are encrypted and decrypted seamlessly.
“In traditional (PKI) systems, to do (confidential e-mail exchange) two parties would need to either talk ahead of time or I would need to find [the other person’s] public key — typically in the form of a certificate — by looking in my own directory or [the person’s] company directory or some of the public directories out there. Then I would use that to send the person a message,” explained Wasim Ahmad, vice-president of marketing at Voltage Security.
ING’s requirements for simplicity and usability from its e-mail security solution were prescribed with the end-view of facilitating easier adoption of the same technology by other ING affiliates in the Americas region, Sarangi explained. The ING Group, headquartered in Amsterdam, enforces standardized security policies across its affiliates.
“There is an IRM (information risk management) Americas team that implements [security policies] across the region in a sustainable, standardized fashion, so that each country is not doing its own stuff or doing its own products,” he said. The adoption of Voltage’s SecureMail makes ING Canada the only affiliate within the ING Americas region to implement IBE-enabled e-mail security, according to Sarangi. He added he is confident other ING offices within the region would find the technology applicable to their own systems.
ING Canada’s SecureMail deployment has been provisioned for 7,000 users, but Sarangi said the company is initially setting up the tool for about 2,000 users, leaving plenty of room for future additions without having to renegotiate the license.
The provisioning of SecureMail users is enabled through ING’s existing Tivoli Identity and Access Management system, said Sarangi. The system provides the level of privilege for every user and therefore determines whether a specific employee requires e-mail authentication, he added.
“Not everybody (in the company) gets confidential information. (For instance) if you’re a legal person, your messages are encrypted, or if you’re an IT guy, who might not be sending confidential information, you don’t need encryption,” explained the ING executive.
ING Canada finalized the licensing agreement with Voltage last December and expects the system to be fully operational by the end of this month.
In addition to e-mail encryption, IBE is also used in other applications where there is a requirement for securing data files, said Matt Pauker, one of Voltage’s co-founders. He said Mitsubishi, one of Voltage’s clients, plans to incorporate IBE into the secured storage network application that it’s currently developing.