We are, of course, very pleased to announce the acquisition of TC TrustCenter and its US parent company, Chosen Security. You can read the details and view a short presentation describing the reasons for this acquisition here. I didn’t want to let the week pass, however, without offering a personal perspective on why PGP Corporation needs to have a position in the trust services market and why we chose TC TrustCenter as our way of providing these services.
When we started PGP Corporation seven years ago we were focused on building the most robust and easiest to use encryption solutions in the world. We had watched the first generation of PKI companies approach this problem from the direction of offering “trusted communications” and concluded the market and users in particular weren’t ready for that approach.
In 2002, enterprises and individuals had data privacy issues they needed resolved, but they needed them resolved quickly and within the context of the then-existing communications infrastructure. That infrastructure was not yet ready to support a new, heavy-duty layer of security infrastructure. It would have been similar to building a 100-floor steel and glass skyscraper directly atop a three-story brownstone. So PGP Corporation instead focused on applications that protect data in motion and at rest and integrated them into a single, comprehensive management platform.
Fast forward to 2010, and the world and its approach to data protection have evolved. While enterprises are now spending more than ever to protect their networks, it’s commonly understood that network security technology is not keeping pace with the threats now aimed at those networks. The cost of data breaches continues to rise even though most forms of electronic communication have some form of security either built in or layered atop them. Nearly all of these security approaches depend upon keys and certificates that are used either to encrypt the content or to guarantee the identity of the sender and/or receiver.
The problem is that there are now so many of these certificates in use for so many different purposes that it has become nearly impossible for an enterprise to effectively manage them all, let alone determine which are current and valid. This problem will only get worse as the world’s hacker community begins to exploit the weaknesses in the current certificate generation, distribution and management systems. We’ve already seen attempts to insert “bandit keys” into corporate key chains to allow hackers to read encrypted email. We can expect exploits such as this one to multiply in the coming years. For this reason, we decided last year that PGP Corporation would need to extend its encryption and security product line to include trust services so that our customers can use our products with confidence while communicating with the broadest range of customers, partners, and regulators globally.
We chose TC Trust Center as our path to market for two reasons. First, they bring unprecedented breadth and depth of experience to the trust services market. Their executive team has dozens of years of experience in the space and a proven track record of building successful security businesses.
Second, the way they have designed and built their products is completely consistent with PGP Corporation’s worldview. TC TrustCenter’s platform enables secure electronic transactions across individuals, servers, and mobile devices.
Today’s announcement, of course, is just the beginning. In the coming months we’ll be telling you about our vision of how combining trust services with the PGP® Encryption Platform will allow us to build solutions to address threats that are just now emerging. With hackers stockpiling zero-day threats, and more applications and data moving into the cloud, these new security solutions will be required business enablers of the cloud migration plans for many enterprises. With the combined offerings of PGP Corporation, Chosen Security and TC TrustCenter, we will address threats aimed directly at IT infrastructure as well as the increasing number of threats now targeting endpoint devices. These trusted offerings will not only build confidence in the infrastructure of an organization, they will build confidence to withstand threats to data as it moves in and out of an organization.
We are very excited by the opportunities that combining our two companies and technologies offers us. I welcome my new TC TrustCenter and Chosen Security colleagues to the PGP Corporation family.
Friday, February 5th, 2010,
by Phil Dunkelberger,
Filed under: CEO Blog| CA, Chosen Security, Data Breach, PKI, TC Trust Center, zero day threat|
There’s no shortage of words written about Cloud computing. Even the topic of security and the Cloud yields over 28 million results on Google (13 million on Bing for those keeping score). Given how important a topic securing Cloud computing is, how is one to cut through the clutter? To help out, here are five of my favorite resources on Cloud Security:
1) Cloud Security Alliance “Security Guidance for Critical Areas of Focus in Cloud Computing”
A comprehensive look at the most important areas of security in the Cloud, written by an esteemed group of security practitioners.
2) Jericho Forum “Cloud Cube Model”
A nice paper that “provides a framework for exploring in more detail the nature of different cloud formations and the issues that need answering to make them safe and secure places to work in.”
3) ENISA’s Cloud Computing Risk Assessment
A nice risk-oriented discussion of the cloud computing business model and technologies.
4) ISACA’s Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
A business-oriented view of cloud computing risks and governance imperatives.
5) Cloudsecurity.org and Securosis Blogs
Good, though infrequent, analysis on the Cloudsecurity.org blog, and Securosis commentary from former Gartner analyst and CSA Guidance editor Rich Mogull.
Wednesday, January 27th, 2010,
by Tim Matthews,
Filed under: Perspectives| cloud computing, Cloud Security Alliance|
The fallout from Google’s announcement last week about their business in China continued on Thursday in a major policy address by Secretary of State Hillary Rodham Clinton. In a wide-ranging speech in Washington, D.C., the Secretary again demanded the Chinese authorities conduct a full and transparent investigation of the cyber attacks outlined by Google.
Some analysts have called these attacks and their aftermath a day of reckoning; others a watershed in the development of a secure Internet. It may be one or both of those things, but my own belief is that it is also the day when the world finally grew up relative to the data breach phenomenon. Moving forward the world will come to understand that the Internet is not an inherently safe environment into which cyberattacks occasionally intrude.
Because the Internet itself is a community much like that of a developing country, all shared data is at risk. While this observation is true even in a developed society, the Internet does not come with security, rule of law, or other infrastructure to ensure that “responsible” behavior is the norm. Those that share their information and data on the Internet truly do so at their own risk. The recent events highlighted by Google only demonstrate the magnitude and consequences of those risks.
These events also prove that the Internet has become an inherently unsafe environment in which cyberattacks are the norm. To prevent these attacks from rendering the Internet useless for commerce and communications will require an unprecedented level of vigilance and willingness to engage nation states at the highest levels as Secretary Clinton has done.
I thought Mrs. Clinton summed up what is at stake here quite eloquently when she stated:
“Ultimately, this issue isn’t just about information freedom; it’s about what kind of world we’re going to inhabit. It’s about whether we live on a planet with one internet, one global community, and a common body of knowledge that unites and benefits us all. Or a fragmented planet in which access to information and opportunity is dependent on where you live and the whims of censors.”
When current foreign policy includes dialogue and diplomacy about the impact of data breaches, it’s undeniable that data security (or, more correctly, the lack thereof) has ceased to be under the sole purview of cybercriminals and information security officers. It has become an integral part of the fabric of international relations. My advice is that we all become accustomed to this. It IS the new normal.
Monday, January 25th, 2010,
by Phil Dunkelberger,
Filed under: CEO Blog| china, Google, Secretary of State Clinton|
Google Gmail has become a phenomenally popular service, with a user base estimated in excess of 150 million. In addition to its popularity with consumers, Gmail has been gaining ground as a service for commercial users as well. One notable instance is the City of Los Angeles, which is spending $7.25M to move 30,000 email users to the Gmail platform. As more organizations start to take a cloud-based approach to their IT computing services, the need for enterprise-managed security starts to become apparent.
Last week, Google announced that its Gmail service was the target of an attack and that certain users may have had their email accounts compromised. In recent days, there has been a lot of interest in how to improve email security, especially when such services are exposed to the Internet and subject to attack from anyone online.
Google took the first step and announced that it will make access via HTTPS the norm rather than the exception, which will help protect users from the hackers at the coffee shop sharing the Wi-Fi connection. For enterprise users, however, HTTPS is not enough, because there must be protection for the data itself. The best approach to implementing strong security for email is the use of end-to-end encryption, such as with PGP® Desktop Email. The implementation of cryptography makes email services safe from interception by any party in between.
PGP Desktop Email protects email from the time it leaves the sender’s computer all the way until it reaches the recipient. Nobody in between can read or modify its contents. Some of the reasons that our customers choose PGP Desktop Email include:
- Support for Internet email services such as Gmail, as well as commercial platforms like Microsoft Exchange and Lotus Notes.
- Works with any standards-based email client because it operates like a network proxy. It doesn’t require installing plugins in the email client.
- Policy management and data recovery through deployment in conjunction with PGP Universal Server.
- Based on open standards, so users can securely exchange email to other implementations of OpenPGP software.
- Automatic support for the PGP Global Directory, which hosts a user’s public key to facilitate encrypted email exchange and signature validation.
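The post's central claim is that HTTPS only covers the hop between the user and Gmail, while a client-side proxy that encrypts end-to-end keeps the body unreadable to every party in between, the provider included. The following is an added illustration of that hop-by-hop model; it is not code from the post or from PGP Corporation. It assumes a constructed `DIRECTORY` that stands in for the key directory lookup (a real directory holds public keys; here each recipient has a symmetric key so the script runs with the standard library only) and a toy HMAC-SHA256 counter-mode cipher, `keystream_xor`, standing in for OpenPGP. Neither is a real message format or a real cryptosystem; the point is which vantage point can recover the plaintext under each configuration.

```python
"""Hop-by-hop model: who can read an e-mail under HTTPS-only vs end-to-end.

Added illustration, not PGP Corporation code. DIRECTORY and keystream_xor
are constructed stand-ins (see the lead-in); the structure, not the cipher,
is the point.
"""
import hashlib
import hmac
import os

# Constructed directory: recipient address -> key (stand-in for a published public key)
DIRECTORY = {"pgpdesktopuser@gmail.com": os.urandom(32)}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def sender_proxy(body: bytes, recipient: str, end_to_end: bool) -> bytes:
    """Runs on the sender's machine between the mail client and the network.

    The client is untouched: it hands over plaintext and the proxy decides,
    by policy, whether to encrypt for the recipient before anything leaves.
    """
    if not end_to_end:
        return body
    key = DIRECTORY.get(recipient)
    if key is None:
        # Fail closed: no key in the directory means no unprotected delivery
        raise LookupError(f"no key found for {recipient}")
    nonce = os.urandom(8)
    return b"E2E:" + nonce + keystream_xor(key, nonce, body)


def recipient_proxy(payload: bytes, recipient: str) -> bytes:
    """Mirror image on the recipient's machine: undo the end-to-end layer if present."""
    if not payload.startswith(b"E2E:"):
        return payload
    nonce, ciphertext = payload[4:12], payload[12:]
    return keystream_xor(DIRECTORY[recipient], nonce, ciphertext)


def deliver(body: bytes, recipient: str, end_to_end: bool) -> dict:
    """Send body to recipient and return what each vantage point observes."""
    payload = sender_proxy(body, recipient, end_to_end)

    # Client -> provider hop over TLS: a session key shared only by those two ends
    tls_key, tls_nonce = os.urandom(32), os.urandom(8)
    on_wire = keystream_xor(tls_key, tls_nonce, payload)

    # The provider terminates TLS, so it holds whatever the proxy handed over
    at_provider = keystream_xor(tls_key, tls_nonce, on_wire)

    # The provider relays the stored payload onward (its own TLS hop omitted)
    # and the recipient's proxy strips the end-to-end layer
    at_recipient = recipient_proxy(at_provider, recipient)

    return {"wifi_eavesdropper": on_wire, "provider": at_provider, "recipient": at_recipient}


def who_can_read(body: bytes, recipient: str, end_to_end: bool) -> list:
    """Names of the parties whose view equals the original plaintext."""
    views = deliver(body, recipient, end_to_end)
    return [party for party, seen in views.items() if seen == body]


if __name__ == "__main__":
    msg = b"Quarterly numbers attached - do not forward."  # constructed sample body
    print("HTTPS only :", who_can_read(msg, "pgpdesktopuser@gmail.com", end_to_end=False))
    print("End-to-end :", who_can_read(msg, "pgpdesktopuser@gmail.com", end_to_end=True))
```

With `end_to_end=False` the provider and the recipient both see the plaintext and only the Wi-Fi eavesdropper is shut out; with `end_to_end=True` only the recipient does. The proxy fails closed when the directory has no key for the recipient, which is the policy choice to make explicitly in a real deployment rather than silently falling back to cleartext.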
Here’s how I use PGP® Desktop with Gmail. I’m partial to the Mozilla Thunderbird email client, but the process is similar when using other email clients.
Here’s my configuration in Mozilla Thunderbird. Note that this is just plain vanilla stuff – PGP Desktop Email doesn’t change anything in the client.

With PGP Desktop Email, I created a profile that identifies my email account and lets me fine tune some additional security settings. In lieu of this step, there’s also an option for using a wizard that automatically configures settings the first time the user accesses email.

Looks like my new user (pgpdesktopuser@gmail.com) received a new encrypted message. Since I published my test user’s key in the PGP Global Directory, PGP Desktop Email automatically looked up the key to use.

Suppose that I’m migrating from Thunderbird to Microsoft Outlook. I don’t have to change anything in PGP Desktop Email; all I have to do is fire up my Outlook client. The encryption is transparent to the email client.

That’s it in a nutshell. In summary, PGP Desktop Email is an easy way to provide strong security for hosted email services such as Gmail. PGP Desktop Email takes the risk out of using a cloud-based service by ensuring that data stays private all the way until it reaches the intended recipient.
PGP Desktop Email complements Gmail nicely through its POP/IMAP interface, and can be used both standalone (for home users and small offices) as well as with PGP Universal Server for large scale deployments.
For more information about using PGP Desktop with Gmail, see the information on the PGP Customer Support site.
Wednesday, January 20th, 2010,
by Brian Tokuyoshi,
Filed under: Perspectives|
It was remarkable last week watching how a single cyber-attack has ignited a firestorm of global reaction. I’m referring, of course, to the “highly sophisticated and targeted attack” on Google and a few dozen other companies. While the common wisdom is that the attacks were initiated in China, it hardly matters. All enterprises of any size (including PGP Corporation) are under cyber-attack every hour of every day from a large number of bad actors both foreign and domestic.
While most of the news coverage has focused on speculation about the source of the attacks, the real news here is that a corporate entity is standing up to defend both corporate confidentiality and individual rights. This sort of attack has the potential to not only affect global commerce, but global conventions on what rights individuals inherently possess regardless of their citizenship.
First, let me acknowledge and applaud Google for taking a leadership position on this key issue. For a company like Google that makes its living providing consumer focused products and services, it takes no small measure of courage to threaten to abandon the largest consumer Internet market on earth.
Second, I have to point out that even if the facts eventually prove China was attempting to monitor the communications of their own citizens, this issue is in no way unique to China. In fact, the American government has shown enthusiastic willingness to monitor its citizens’ communications. Historically, governments, even very liberal governments, have had a hard time recognizing and respecting an individual’s right of privacy. Even the U.S. Constitution, with its enumeration of specific individual rights, contains no explicit right of privacy.
PGP Corporation was founded on the core belief that every citizen of each nation possesses an inherent right of private communication. PGP Corporation’s founder Phil Zimmermann predicted 20 years ago that global governments would attempt to use the Internet to diminish our individual rights to privacy, and Phil nearly went to prison defending those rights.
Third, I believe that the political and economic ramifications of Google’s public statement and disclosure of the attack will echo for months, if not years. Western governments will be forced to respond both technically and diplomatically to avoid being perceived as weak in the face of a clear and present danger. Companies that have moved manufacturing and/or customer service operations to jurisdictions that refuse to recognize the fundamental rights of their employees who are citizens of those countries will come under increasing pressure to curtail their engagement in those regions. This issue is not going to go away quickly and I believe it will leave a very different set of international business practices and standards in its wake. It’s going to be fascinating to see how this plays out, particularly given how dependent western economies are upon Asian manufacturing and financial resources. The only thing I know for sure is that somewhere in the world Phil Zimmermann is smiling and thinking, “I knew this would happen!”
Tuesday, January 19th, 2010,
by Phil Dunkelberger,
Filed under: CEO Blog| china, Google, privacy|
Bryan Gillson – Director, Business Development
At Lotusphere® 2010 today, Kevin Cavanaugh – Lotus Software’s Vice President of Messaging and Collaboration – announced a new addition to the IBM® Lotus® Protector product line created in partnership with PGP Corporation: Lotus Protector for Mail Encryption.
Lotus and PGP Corporation designed Lotus Protector for Mail Encryption to seamlessly extend Lotus Notes integrated email encryption to a wide variety of different recipient types. By leveraging gateway email technology from PGP Universal™ Server and the proxy technology from PGP Desktop Email, Lotus Notes users with Protector for Mail Encryption can send a single email that gets secured regardless of the recipients’ location and encryption technology – whether they’re internal or external; secure messages with Notes, OpenPGP, or S/MIME; or use no encryption technology at all.
Additionally, the Lotus Protector for Mail Encryption Server can be extended to manage members of PGP Corporation’s product family, including PGP® Whole Disk Encryption, PGP® NetShare, or PGP® Portable. This gives Lotus customers an easy way to protect data outside of the Domino environment, from laptop computers, to network drives, to removable devices, without needing to install an additional server.
But the benefit isn’t all to Lotus customers. The Lotus Protector for Mail Encryption Server and Client truly extend the ecosystem for PGP Corporation’s customers. Since the products are fully compatible with PGP™ Universal Server and PGP® Desktop’s key discovery protocols, they enable full end-to-end encryption to even more email recipients.
Lotus Protector for Mail Encryption is a Lotus product, so you won’t be hearing much about it on pgp.com. However, more information can be found on ibm.com and around the web as more information gets released.
Arthur Fontaine, Senior Product Manager for Protector Security Products, said “We’re very pleased to be able to create a relationship with PGP Corporation, a market leader and innovator for the benefit of our Lotus Notes base.”
We are very proud of our relationship with Lotus and the ongoing collaboration that brought this product to life. This partnership brings together one of the most trusted brands in security with one of the most trusted brands in collaboration. All of our customers should benefit.
Monday, January 18th, 2010,
by BGillson,
Filed under: Ecosystem, Perspectives| IBM, Lotus, Lotus Protector for Mail Encryption|
I’m very pleased to announce that PGP Desktop 10.0 is now shipping.
All customers with current subscription licenses or maintenance will receive this upgrade free of charge. It is also available for purchase by new customers on the PGP webstore. PGP Desktop 10.0 brings all of the features you’ve come to expect to Mac OS 10.6 (Snow Leopard), including support for Boot Camp, and to Windows 7 (32- and 64-bit), and for the first time brings Whole Disk Encryption support to Linux (Red Hat and Ubuntu).
What else is new? In summary:
- Encrypt/Sign button for Microsoft Outlook
- Faster encryption and decryption
- Installation localization for French and Spanish
- Safeguards against boot disk corruption
- Support for Boot Camp
This also marks the end of the PGP Desktop 10.0 beta program. I’d like to thank the hundreds of you who contributed to this program and helped us make PGP Desktop 10.0 the best release ever.
All 30 day beta licenses will be honored for the full 30 days from the time the license was issued. At that point the beta will cease working unless a non-beta (commercial) license is provided. Disks that have been Whole Disk Encrypted using the PGP Desktop 10.0 beta will decrypt when the beta license expires.
Friday, January 15th, 2010,
by Tim Matthews,
Filed under: PGP Betas, Perspectives| Mac OS 10.6, Red Hat, Snow Leopard, Ubuntu|
The U.S. House of Representatives delivered an early Christmas present last month when it passed the Data Accountability and Trust Act (DATA). HR 2221, sponsored by Representative Bobby Rush (D-IL), is just about everything you’d want in a well-considered piece of legislation on such a complex topic. The bill not only protects consumers in that it requires nearly all businesses to take steps to protect personally identifiable information at rest and in motion, it also requires companies to publicly disclose any breaches of that data. HR 2221 singles out data brokers as a special class and requires that they put processes in place to protect the information they maintain and submit to periodic audits to ensure they comply.
The DATA act also addresses a growing concern on the part of consumers by requiring that data brokers provide a method for individuals to prevent their personal information from being used for certain marketing purposes. Responsible consumer brand companies have long had access to far more information about us than they were comfortable using and adopted an informal code of conduct that constrained their use of that data. HR 2221 gives that code of conduct the force of law and applies to all companies involved in interstate commerce.
Besides providing extensive consumer protection, the DATA act also provides businesses a reasonable “safe harbor” by declaring loss of data that is “unusable, unreadable, or indecipherable” by the use of encryption or other technology not subject to the breach disclosure requirements. This bill also, of course, will unify the existing 47 state data breach bills now in effect. The fact that the DATA act has passed doesn’t make it law, however, as it now needs to be modified in committee to make it consistent with whatever bill the Senate passes (there are two under consideration).
Even when a federal bill does become law, it will not completely end the debate over various state laws that address issues on topics where the federal bill is silent. The primary example of this is the Massachusetts data protection act (201 CMR 17). The Massachusetts law, set to take effect next March, specifies exactly what classes of data must be protected based on physical attributes, not just content. It also specifies exactly what types of technology must be used to protect them. While the diligence of the Massachusetts legislators is laudable, history demonstrates that this type of prescriptive legislation involving rapidly evolving technologies generally creates as many problems as it solves. An excellent example of the issues being raised by 201 CMR 17 can be found on TechTarget’s SearchCompliance site.
The passage of HR 2221 will also have important implications internationally as it is likely to form the basis upon which the Federal Trade Commission will commence negotiations to create consistency in breach regulations with the European Union. As I’ve noted before, the EU continues to lead the way in enforcing some of the most stringent privacy regulations on the Internet. Continuing this trend, the UK’s Information Commissioner last week published a draft policy that, if adopted, will severely limit the ability of web sites to track user behavior. With regulators in the Euro zone moving ahead on their plans to provide even more privacy safeguards for their citizens, it’s critical that U.S. regulators finalize the data breach requirements so they can focus on some of the more current issues.
It will take some time to work out how the pending federal bill will impact some of the regulations imposed by state regulators and how enterprises can best comply with the new requirements. Overall though, it was a very good month on the data protection front, and we can only hope the Senate acts quickly to deliver the final bill for which Americans have been waiting so patiently.
Tuesday, January 12th, 2010,
by Phil Dunkelberger,
Filed under: CEO Blog| DATA Act, Data Breach, HR 2221, Massachusetts 201 CMR 17, Representative Bobby Rush|
One good way to tell if a topic has become mainstream is to monitor USA Today. So I wasn’t terribly surprised when I found the lead in the paper’s Money section on New Year’s Day to be focused on the latest trend in cybercrime. It seems that many cybercriminals, frustrated with the countermeasures put in place by larger banks and enterprises, are now targeting smaller businesses that have adopted online banking as a way to save both money and time.
As we all know, cybercrooks like to target the weakest link in any system that might yield cash or cash equivalents. In this case, the miscreants have determined that some of the systems banks use to support smaller businesses have material weaknesses that can be exploited. Specifically, the Automated Clearing House (ACH) systems and wire transfer systems have not kept pace with the threats they now face. As everyone’s favorite banking fraud analyst, Avivah Litan, points out, the controls for these two critical pieces of financial infrastructure are decades old and were designed with a completely different set of threats in mind.
Pretty much everything about this story is standard cybercrime stock. The attack starts with a spear phishing attack aimed at a small business, a trojan is planted via email or by a corrupted website, authentication credentials are then compromised and used to move funds from the target to the perpetrator’s (offshore) account.
The only thing that’s a little bit different about this story is the recommendation being made by the American Bankers Association and the FBI to block the attack. Both are recommending small businesses use a dedicated desktop or laptop machine for all of their online banking that is never used for email or web browsing. While this approach would certainly work given what we know of this threat, I wonder how many small businesses can or want to set aside a dedicated online banking PC. And even if they did, just how are they supposed to get the information needed to execute those online transactions on and off that machine?
It seems to me that this might be a valid (if complicated) tactical approach, but that the real solution involves upgrading the core security in the ACH and wire transfer infrastructure to use current authentication and encryption technologies to secure both the transactions and the data they generate.
Friday, January 8th, 2010,
by Doug McLean,
Filed under: Cybercrime Grit & Grime| ACH, Avivah Litan, PGP Cybercrime Grit & Grime, Spear Phishing, USA Today, wire transfer|
There’s been a great deal of talk going on about cloud computing. The benefits are clear, because organizations realize that the network is an extension of their data center and that they can avoid many of the scalability and capacity problems of the past. The fundamentals of the concept are compelling and real.
Yet there is still a great deal of trepidation, especially when it comes to security. That’s because the concept of cloud computing needed to be tested first. The first generation of cloud computing services addressed whether the infrastructure made sense. Was it possible to build these types of services with the quality and reliability of an in-house application?
I think we’re turning the corner on the first generation and that’s why people are talking about security. We’ve moved past whether the concept is feasible. Now we need to know if it’s practical and safe. The second generation of cloud computing applications will test whether a good security model can take shape to alleviate customer concerns that stand in the way of mainstream adoption.
One thing that we’ve learned from the past is that although encryption is a good thing, there’s a lot of ways to do it poorly. Today, many organizations struggle from rash decisions to deploy encryption without thinking about all of the aspects of management. The ongoing requirements to track, manage and safely recover encryption keys can pose formidable challenges as administrators struggle with the growing burden.
Now that we’ve turned our eyes towards the cloud, we have a rare opportunity to take a step back and envision how we could do security right in the first place. Companies can build out an ideal environment with data protection considerations built in before going live.
When we look at both the internal deployment of encryption and the cloud security model, although the situations are different, the solution to both problems is the same. In the first, the pain manifested from a proliferation of key management tools that led to unforeseen operational costs and internal complexity. Applying a strategy of enterprise key management to eliminate duplication and simplify the administrative model for encryption keys leads to both a more efficient and a less costly environment.
The same approach should be at the forefront of cloud security. It’s clear that encryption and identity are essential to the cloud security model: there’s network transport security (SSL/TLS), data integrity (digital signature), data privacy (encryption), along with the challenge of ensuring that only the right people have access to data (authentication). In order to get the key material lined up for sustained operations, organizations should consider the requirements for proper key management before putting these technologies in place.
Having had the experience of what poor key management feels like, organizations should do the right thing with their cloud strategy and make sure that they ask the right questions of their cloud service providers. It isn’t really about whether or not the service has encryption. The better question is whether there is proper key management in place to administer the security for all of the cloud initiatives to come.
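The post argues that the hard part of encryption is tracking, managing and safely recovering keys over time, not the encrypt call itself. The following is an added illustration of the bookkeeping that argument implies; it is not code from the post or from PGP Corporation. It shows a versioned key registry in which every ciphertext is tagged with the id of the key that produced it, rotation introduces a new active key without discarding the old one, and a key can only be destroyed once no record still depends on it. It assumes an in-memory registry and reuses the same toy HMAC-SHA256 counter-mode stand-in cipher (`keystream_xor`) as the Gmail example above; a production key manager would persist this state and use a real authenticated cipher.

```python
"""Versioned key registry: rotation and recovery bookkeeping for encrypted records.

Added illustration, not PGP Corporation code. keystream_xor is a toy cipher
stand-in; the registry logic (key ids, statuses, record counts) is the point.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KeyRegistry:
    """Tracks every data key by id, its status, and how many records still use it."""

    def __init__(self):
        self._keys = {}      # key_id -> {"key": bytes|None, "status": str, "records": int}
        self._active = None  # id of the key used for new encryptions

    def rotate(self) -> str:
        """Make a fresh key active; the previous one stays readable but retired."""
        if self._active is not None:
            self._keys[self._active]["status"] = "retired"
        key_id = "k%03d" % (len(self._keys) + 1)
        self._keys[key_id] = {"key": os.urandom(32), "status": "active", "records": 0}
        self._active = key_id
        return key_id

    def encrypt(self, plaintext: bytes) -> bytes:
        """Encrypt under the active key; the blob carries the key id for later lookup."""
        if self._active is None:
            raise RuntimeError("no active key: call rotate() first")
        entry = self._keys[self._active]
        nonce = os.urandom(8)
        entry["records"] += 1
        return self._active.encode() + b":" + nonce + keystream_xor(entry["key"], nonce, plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        """Look the key up by the id in the blob; retired keys still work, destroyed ones do not."""
        key_id, rest = blob.split(b":", 1)
        entry = self._keys.get(key_id.decode())
        if entry is None or entry["status"] == "destroyed":
            raise KeyError(f"key {key_id.decode()} unavailable: record is unrecoverable")
        return keystream_xor(entry["key"], rest[:8], rest[8:])

    def reencrypt(self, blob: bytes) -> bytes:
        """Move one record from whichever key it used onto the active key."""
        old_id = blob.split(b":", 1)[0].decode()
        plaintext = self.decrypt(blob)
        self._keys[old_id]["records"] -= 1
        return self.encrypt(plaintext)

    def destroy(self, key_id: str) -> None:
        """Refuse to destroy a key that is active or that still protects data."""
        entry = self._keys[key_id]
        if entry["status"] == "active":
            raise ValueError(f"{key_id} is the active key; rotate first")
        if entry["records"] > 0:
            raise ValueError(f"{key_id} still protects {entry['records']} record(s); re-encrypt them first")
        entry["key"] = None
        entry["status"] = "destroyed"

    def inventory(self) -> dict:
        """key_id -> (status, records still depending on it)."""
        return {k: (v["status"], v["records"]) for k, v in self._keys.items()}


def run_lifecycle() -> dict:
    """Walk one record through rotation, migration and key destruction; return what happened."""
    reg = KeyRegistry()
    k1 = reg.rotate()
    old = reg.encrypt(b"payroll-2009.csv contents")   # constructed sample record
    reg.rotate()
    out = {"old_readable_after_rotation": reg.decrypt(old) == b"payroll-2009.csv contents"}
    try:
        reg.destroy(k1)
        out["destroy_with_records"] = "allowed"
    except ValueError:
        out["destroy_with_records"] = "refused"
    migrated = reg.reencrypt(old)          # now tagged with the active key
    reg.destroy(k1)                        # nothing depends on k1 any more
    out["after_migration"] = reg.inventory()
    out["migrated_readable"] = reg.decrypt(migrated) == b"payroll-2009.csv contents"
    try:
        reg.decrypt(old)                   # stale copy still tagged k001
        out["stale_blob"] = "readable"
    except KeyError:
        out["stale_blob"] = "unrecoverable"
    return out


if __name__ == "__main__":
    for step, result in run_lifecycle().items():
        print(f"{step}: {result}")
```

The record counter is what turns "rotate the key" from a slogan into a safe procedure: destruction is refused while any blob still names the key, and a copy that escaped re-encryption shows up as an explicit `KeyError` rather than silently decrypting to garbage. Two applications each keeping their own registry of this shape is the duplication the post warns about; one shared registry is what makes the inventory answerable.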
Wednesday, January 6th, 2010,
by Brian Tokuyoshi,
Filed under: Perspectives|