Copyright © 2005 janusNET Pty Ltd
UNCLASSIFIED
Official information in email – managing the risk of leakage
● Reduce risk via protective markings
● Simplify email security for end-users
● Whole of Government approach
Neville Jones
November 2005
Concept
● PSM rules for email
● Keep ICT Security Simple for users
● make email system do the hard stuff
● get more value out of email system
In the beginning there was...
Official email
● Email as channel
  – big
  – useful
● Risks for Government
Email security difficult for users
● Message path hell
● Email policy hell
● Users are not routing experts!
● Users are not security experts!
Message path hell
[Diagram: message paths linking officers in your agency (behind the firewall), remote and wireless officers, officers in partner agencies, and private individuals, across an ISP, the Internet, a private network, a corporate network, and a fax gateway to the PSTN]
Email security can be simpler
● Let email system do the work!
● Enforce policy at email components
● Use principles of PSM
● How to put protective markings in emails?
Protective markings for email
RFC2822 MESSAGE
RFC2822 BODY
RFC2822 HEADER
MIME BODY(s)
MIME ATTACHMENT(s)
Message-ID: <[email protected]>
Date: Wed, 230 Nov 2005 9:28:09 +1100
From: "Jane Doe" <[email protected]>
User-Agent: Microsoft Outlook
X-Accept-Language: en-us, en
X-Protective-Marking: [VER=2005.6, NS=gov.au, SEC=UNCLASSIFIED, [email protected]]
MIME-Version: 1.0
To: "Smith, John" <[email protected]>
Subject: Hello World [SEC=UNCLASSIFIED]
Content-Type: text/plain;
 charset=ISO-8859-1;format=flowed
Content-Transfer-Encoding: 7bit
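An added example (not from the original slides or any janusNET product) of how a gateway could enforce policy from the markings in the sample header above: it parses the X-Protective-Marking header and the Subject suffix, and fails closed when they are missing, malformed or disagree. The policy set, the function names, the placeholder addresses and the PROTECTED level are assumptions made for illustration.

```python
import re
from email import message_from_string

SUBJECT_RE = re.compile(r"\[SEC=([A-Za-z-]+)\]\s*$")  # marking at end of Subject
RELEASABLE = {"UNCLASSIFIED"}  # hypothetical policy: levels allowed to the Internet

def parse_marking(value):
    """Split '[KEY=value, KEY=value]' (the header syntax shown above) into a dict."""
    value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError("marking is not bracketed")
    fields = {}
    for part in value[1:-1].split(","):
        key, sep, val = part.strip().partition("=")
        if not (sep and key and val):
            raise ValueError(f"malformed field {part.strip()!r}")
        fields[key.upper()] = val.strip()
    return fields

def gateway_decision(raw_message):
    """Fail closed: only a consistent, releasable marking leaves the agency."""
    msg = message_from_string(raw_message)
    header = msg.get("X-Protective-Marking")
    subject = SUBJECT_RE.search(msg.get("Subject", ""))
    if header is None and subject is None:
        return "REJECT: no protective marking"
    try:
        hdr_sec = parse_marking(header).get("SEC") if header is not None else None
    except ValueError as exc:
        return f"REJECT: {exc}"
    sub_sec = subject.group(1).upper() if subject else None
    if hdr_sec and sub_sec and hdr_sec.upper() != sub_sec:
        return "REJECT: header and subject markings disagree"
    sec = (hdr_sec or sub_sec or "").upper()
    if not sec:
        return "REJECT: marking has no SEC field"
    return "ALLOW" if sec in RELEASABLE else f"BLOCK: {sec} is not releasable"

def sample(marking, subject):
    """Build a constructed test message (addresses are placeholders)."""
    lines = ["From: a@agency.example", "To: b@partner.example", f"Subject: {subject}"]
    if marking is not None:
        lines.append(f"X-Protective-Marking: {marking}")
    return "\n".join(lines) + "\n\nbody\n"

if __name__ == "__main__":
    ok = "[VER=2005.6, NS=gov.au, SEC=UNCLASSIFIED]"
    high = "[VER=2005.6, NS=gov.au, SEC=PROTECTED]"  # PROTECTED: assumed level
    print(gateway_decision(sample(ok, "Hello World [SEC=UNCLASSIFIED]")))
    print(gateway_decision(sample(high, "Budget [SEC=PROTECTED]")))
    print(gateway_decision(sample(high, "Budget [SEC=UNCLASSIFIED]")))
    print(gateway_decision(sample(None, "Hello World")))
```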
Creating the marking
Real world problem
Risk management implementation
● Email client enablement
● Encryption invoked by classification level
● End user doesn't have to click “Encrypt”
Wide scope of application
● Client side rules
● Gateway flow control
● Gateway encryption/decryption
● Official email register
● Archive management
● Web headers
Gateway flow control
● Major area of Government activity
● DSD / ACSI33 & AGIMO
● Sending
● Receiving
● Agency adoption