B2B Gateways
A proposal for Wisconsin collaboration on secure Internet E-mail

1/21/04   Secure Internet Email Gateways   HIPAA COW Conference
Why do we need secure Internet E-mail?

• E-mail is rapid, efficient, documented communication
• Integral part of the business fabric
• Some E-mails are sensitive
• Internet E-mail exposed
• HIPAA impermissible disclosure

What are the business requirements?

• Encryption
• B2B vs B2C
• E-mail system integration
• Simplicity of use
• Business rule enforcement
• Allow virus, spam and content filtering
• Record management

• Collaboration
• Choice
• Future requirements
  – Authentication
  – Digital signatures (AB755)
  – Proof of receipt
  – Nonrepudiation


A solid technology base exists

• Public Key Infrastructure (PKI)
  – it works
  – addresses all requirements
• Secure Multipurpose Internet Mail Extensions (S/MIME)
  – supported by major E-mail systems
  – predicted long term solution
  – standard for WI State agencies
• SSL/TLS (Secure Socket Layer/Transport Layer Security)
  – supported by major E-mail systems


The Achilles heel of PKI…

• Administration of keys
  – Confusing for users
  – Burdensome for technical staff
  – Revocations, expirations
  – Trust




Pretty Good Privacy (PGP)

• Alternative to S/MIME
• Uses some aspects of PKI
• Requires plug-ins to e-mail clients (Outlook, etc.)
• Pros and Cons
  – Does not require a certificate authority (+)
  – Key management burden on users in larger orgs (-)
  – S/MIME most widely compatible (-)
  – S/MIME support in most email clients (-)
  – Less transparent to end user than S/MIME (-)

Four Kinds of Secure E-mail

• Desktop-to-Desktop
• Gateway-to-Gateway
• Secure Web Mail
• HTML Attachment




Desktop-to-Desktop (End-to-End)

[Diagram: the sending E-mail client encrypts; the message passes the E-mail server, interior firewall and exterior firewall, crosses the Internet, and passes the remote exterior firewall; the receiving client decrypts. Labels: S/MIME, PGP.]
Desktop-to-Desktop

• Need only major E-mail software (+)
• Zillions of keys (-)
• Keys on desktops (-)
• Users control decryption (-)
• Can’t check virus or filter content on encrypted messages (-)



Gateway-to-Gateway encryption

• Server-to-server
• Domain-to-domain
• Organization-to-organization
• S/MIME or TLS




S/MIME Gateway-to-Gateway

[Diagram: E-mail client and E-mail server (filtering, anti-virus, archiving, etc. services) behind the interior firewall; Secure Messaging Gateway performing encryption/decryption, then the exterior firewall; Internet; remote exterior firewall, Secure Messaging Gateway and E-mail server.]
Transport Layer Security (TLS 1.0)

• Improved Secure Socket Layer (SSL 3.0)
• Operates at the transport layer between TCP/IP and applications like HTTP (web pages) or SMTP* (E-mail between servers)
• Uses PKI to encrypt the session (rather than the message)

*SMTP = Simple Mail Transfer Protocol


TLS Gateway-to-Gateway

[Diagram: same layout as the S/MIME gateway slide: E-mail client and E-mail server (filtering, anti-virus, archiving, etc. services) behind the interior firewall; Secure Messaging Gateway performing encryption/decryption, then the exterior firewall; Internet; remote exterior firewall, Secure Messaging Gateway and E-mail server.]

S/MIME Gateway-to-Gateway

• Many fewer keys (+)
• Simple for users (+)
• Messages decrypted within the organization (+)
• E-mails stored on organization’s servers (+)
• Virus checking and content filtering (+)
• Applications can use gateways for messaging (+)
• Trust at the organizational level (+-)


TLS Gateway-to-Gateway

• Excellent for internal server-to-server links (+)
• Supported by major E-mail servers (e.g. Exchange) (+)
• Inadequate where E-mail is relayed through non-secure servers (-)
• Concern where orgs use outsourced mail relays for spam or virus filtering, etc. (-)
• Sender and receiver must trust relay organizations (-)



Secure Web Mail

[Diagram built up across several slides: E-mail client, E-mail server and Web Mail server behind the interior and exterior firewalls; Internet; recipient. Steps as labelled:]
1. Sender sends E-mail as usual
2. Sender sets clue and password
3. Web Mail server sends E-mail with URL
4. Sender provides clue and passphrase
5. User accesses secure web-site (SSL/TLS)

Secure Web Mail

• Recipient uses browser (+-)
• No user key management (+)
• Send message management via E-mail system varies (+-)
• Clue and passphrase management (-)
• Message resides on sender’s server (+-)
• Recipient cannot virus scan or filter content (-)
• Identification, proof of receipt, non-repudiation limited (-)
• Good for B2C, 1:m, not m:n

HTML Attachment

[Diagram built up across several slides: E-mail client, E-mail server and encryption appliance behind the exterior firewall; Internet; recipient. Steps as labelled:]
1. Sender sends E-mail as usual
2. Sender provides identifying info
3. Appliance encrypts in HTML attachment and sends as normal E-mail
4. Java authenticates, decrypts
HTML Attachment

• Recipient only needs browser (+)
• Recipient and sender use E-mail system for message management (+)
• Proof of receipt sometimes supported (+)
• Senders can control message after receipt (+-)
• No virus checking or content filtering (-)




Why is S/MIME Gateway-to-Gateway best?

• S/MIME and PKI robust and ubiquitous
• Experts recommend it
• Eventual individual authentication
• E-mail system integration
• Workable interim solution
• Supports virus checking and content filtering
• Works between organizations
• Encrypts across E-mail relays
• Some products also support TLS Gateways and/or B2C (e.g. Secure Web Mail)
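As an added example (not from the presentation), the Python script below makes the relay point concrete for both the TLS Gateway-to-Gateway concerns and the "Encrypts across E-mail relays" bullet above: it reads the Received trace of a constructed message, flags any hop whose receiving MTA recorded a cleartext ESMTP session, and checks whether the body is an S/MIME enveloped object, which stays protected no matter which relays handled it. All hostnames, addresses and message text are constructed.

```python
import email
import re

# RFC 3848 "with" keywords an MTA records when the hop used STARTTLS;
# plain ESMTP/SMTP means the session into that relay was cleartext.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

# Constructed trace: sender's server -> outsourced filtering relay -> recipient.
# The relay accepted the message over plain ESMTP, i.e. without TLS.
RECEIVED_PATH = """\
Received: from relay.filter-vendor.example (relay.filter-vendor.example [198.51.100.7])
 by mx.receiver.example with ESMTPS id C3; Wed, 21 Jan 2004 10:02:11 -0600
Received: from mail.sender.example (mail.sender.example [203.0.113.5])
 by relay.filter-vendor.example with ESMTP id B2; Wed, 21 Jan 2004 10:02:05 -0600
Received: from workstation.sender.example ([10.1.2.3])
 by mail.sender.example with ESMTPSA id A1; Wed, 21 Jan 2004 10:02:01 -0600
"""
TLS_ONLY_MESSAGE = RECEIVED_PATH + """\
From: nurse@sender.example
To: clinic@receiver.example
Content-Type: text/plain

Patient referral details (readable by every relay on the path).
"""
SMIME_MESSAGE = RECEIVED_PATH + """\
From: nurse@sender.example
To: clinic@receiver.example
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

(constructed placeholder for the CMS EnvelopedData blob a gateway emits)
"""

def hops(msg):
    """Hops in delivery order as (from_host, by_host, keyword, tls_used)."""
    result = []
    # Each MTA prepends its Received header, so reverse for chronological order.
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(received.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        with_ = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        keyword = with_.group(1).upper() if with_ else "UNKNOWN"
        result.append((frm.group(1) if frm else "?", by.group(1) if by else "?",
                       keyword, keyword in TLS_KEYWORDS))
    return result

def is_smime_enveloped(msg):
    """True when the body is an S/MIME CMS EnvelopedData object."""
    return (msg.get_content_type() in SMIME_TYPES
            and str(msg.get_param("smime-type") or "").lower() == "enveloped-data")

def assess(raw):
    """Classify how the message content was protected along the path."""
    msg = email.message_from_string(raw)
    path = hops(msg)
    cleartext = [(f, b) for f, b, _, tls in path if not tls]
    if is_smime_enveloped(msg):
        protection = "end-to-end (S/MIME enveloped; relays see only ciphertext)"
    elif path and not cleartext:
        protection = "hop-by-hop (TLS on every hop; each relay still sees plaintext)"
    else:
        protection = "exposed (cleartext on at least one hop)"
    return {"protection": protection, "hops": path, "cleartext_hops": cleartext}
```

Run `assess()` on both constructed messages: the same path exposes the plaintext message at the filtering relay, while the S/MIME message is reported as protected end-to-end.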


The Challenge: Interoperability

• Choice of vendors based on standards
• New Zealand SEE Mail initiative (40 agencies)
• Massachusetts Health Data Consortium
• The Open Group (Unix, LDAP, CORBA, WAP)



SMG Gateway Message Profile

• Profile of S/MIME Version 3.1 Message Specification [MSG31]
• Standard message format
• Message processing conventions
• Simple mechanism for Domain Certificate exchange


S/MIME Gateway Product Certification

• Now certifying vendors
• www.opengroup.org/smg/cert/
• Certified Products
  – Tumbleweed Email Firewall 6.0*
  – Syntegra MMP 1.01*
  – ZixCorp Zix VPM 2.3
  – NetIQ Mail Marshall SMTP Secure 5.5

* Also support TLS Gateway



Coexistence of SMG and TLS Gateways

• Products supporting TLS Gateways
  – Outlook Exchange
  – GroupWise
  – Lotus Notes?
• Products auto select TLS, SMG (or WebMail)?
• Products supporting TLS Gateways or SMG = Critical Mass of Interoperability?




Auto Direct

[Diagram: 3rd party product and SMTP over TLS gateway.]




Wisconsin Government Action

• Consolidating E-mail of all agencies
• Oracle Collaboration Suite (OCS)
  – No native secure E-mail functionality
• Third party product RFP
• DHFS, Employee Trust Funds, WI Housing and Economic Development Authority (WHEDA) defined requirements



A Modest Proposal for HIPAA COW

Recommend Gateway approaches for secure Internet E-mail between health care organizations in WI
  – Preference for products supporting both SMG and gateway TLS?
  – Preference for SMG for new third party acquisitions and where E-mail relays are used?




Willing to Pilot?

Current or planned users of
  – SMG-certified products?
  – Outlook or GroupWise or other products supporting gateway TLS?




B2B Gateways Survey

Name the products you are considering, plan to install or have installed:

Type                          Considering   Plan to install   Have installed   Would Pilot?
Domain Gateway (SMG)
TLS Gateway (SMTP over TLS)
Webmail
HTML Attachment
Other

Do you favor HIPAA COW endorsing use of products that support SMG or TLS gateway approaches (or both) for business-to-business secure Internet E-mail?
Yes / No / Don’t Know
