Perspectives
There’s no shortage of words written about Cloud computing. Even the topic of security and the Cloud yields over 28 million results on Google (13 million on Bing for those keeping score). Given how important a topic securing Cloud computing is, how is one to cut through the clutter? To help out, here are five of my favorite resources on Cloud Security:
1) Cloud Security Alliance “Security Guidance for Critical Areas of Focus in Cloud Computing”
A comprehensive look at the most important areas of security in the Cloud, written by an esteemed group of security practitioners.
2) Jericho Forum “Cloud Cube Model”
A nice paper that “provides a framework for exploring in more detail the nature of different cloud formations and the issues that need answering to make them safe and secure places to work in.”
3) ENISA’s Cloud Computing Risk Assessment
A nice risk-oriented discussion of the cloud computing business model and technologies.
4) ISACA’s Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
A business-oriented view of cloud computing risks and governance imperatives.
5) Cloudsecurity.org and Securosis Blogs
Good, though infrequent, analysis in the Cloudsecurity.org blog. Securosis commentary from former Gartner analyst and CSA Guidance editor Rich Mogull.
Filed under: Perspectives
Tags: cloud computing, Cloud Security Alliance
Perspectives
Google Gmail has become a phenomenally popular service, with a user base estimated in excess of 150 million. In addition to its popularity with consumers, Gmail has been gaining ground as a service for commercial users as well. One notable instance is the City of Los Angeles, which is spending $7.25M to move 30,000 email users to the Gmail platform. As more organizations start to take a cloud-based approach to their IT computing services, the need for enterprise-managed security starts to become apparent.
Last week, Google announced that its Gmail service was the target of an attack and that certain users may have had their email accounts compromised. In recent days, there has been a lot of interest in how to improve email security, especially when such services are exposed to the Internet and subject to attack from anyone online.
Google took the first step and announced that it will make access via HTTPS the norm rather than the exception, which protects users from an attacker sharing the coffee-shop Wi-Fi. For enterprise users, however, HTTPS is not enough, because it only protects the connection between the browser and Google; the data itself must be protected as well. The best approach to strong email security is end-to-end encryption, such as with PGP® Desktop Email. Encrypting the message itself keeps it private from any party in between, including the mail service that stores it.
PGP Desktop Email protects email from the time it leaves the sender’s computer all the way until it reaches the recipient. Nobody in between can read its contents, and if the message is also signed, any modification in transit is detected by the recipient. As with any OpenPGP mail, what is encrypted is the message body and attachments; the envelope headers (sender, recipient, subject) remain visible to the mail service. Some of the reasons that our customers choose PGP Desktop Email include:
- Support for Internet email services such as Gmail, as well as commercial platforms like Microsoft Exchange and Lotus Notes.
- Works with any standards-based email client, because it operates as a local proxy for the client’s mail traffic, encrypting outbound messages and decrypting inbound ones. It doesn’t require installing plugins in the email client.
- Policy management and data recovery through deployment in conjunction with PGP Universal Server.
- Based on open standards, so users can securely exchange email to other implementations of OpenPGP software.
- Automatic support for the PGP Global Directory, which hosts a user’s public key to facilitate encrypted email exchange and signature validation.
Here’s how I use PGP® Desktop with Gmail. I’m partial to Mozilla Thunderbird email client, but the process is similar when using other email clients.
Here’s my configuration in Mozilla Thunderbird. Note that this is just plain vanilla stuff – PGP Desktop Email doesn’t change anything in the client.

With PGP Desktop Email, I created a profile that identifies my email account and lets me fine tune some additional security settings. In lieu of this step, there’s also an option for using a wizard that automatically configures settings the first time the user accesses email.

Looks like my new user (pgpdesktopuser@gmail.com) received a new encrypted message. Since I published my test user’s key in the PGP Global Directory, PGP Desktop Email automatically looked up the key to use.

Suppose that I’m migrating from Thunderbird to Microsoft Outlook. I don’t have to change anything in PGP Desktop Email, all I have to do is fire up my Outlook client. The encryption is transparent to the email client.

That’s it in a nutshell. In summary, PGP Desktop Email is an easy way to provide strong security for hosted email services such as Gmail. It reduces the risk of using a cloud-based service by ensuring that message content stays private all the way until it reaches the intended recipient.
PGP Desktop Email complements Gmail nicely through its POP/IMAP interface, and can be used both standalone (for home users and small offices) as well as with PGP Universal Server for large scale deployments.
For more information about using PGP Desktop with Gmail, see the information on the PGP Customer Support site.
Filed under: Perspectives
Ecosystem,
Perspectives
Bryan Gillson – Director, Business Development
At Lotusphere® 2010 today, Kevin Cavanaugh – Lotus Software’s Vice President of Messaging and Collaboration – announced a new addition to the IBM® Lotus® Protector product line created in partnership with PGP Corporation: Lotus Protector for Mail Encryption.
Lotus and PGP Corporation designed Lotus Protector for Mail Encryption to seamlessly extend Lotus Notes integrated email encryption to a wide variety of different recipient types. By leveraging gateway email technology from PGP Universal™ Server and the proxy technology from PGP Desktop Email, Lotus Notes users with Protector for Mail Encryption can send a single email that gets secured regardless of the recipients’ location and encryption technology – whether they’re internal or external; secure messages with Notes, OpenPGP, or S/MIME; or use no encryption technology at all.
Additionally, the Lotus Protector for Mail Encryption Server can be extended to manage members of PGP Corporation’s product family, including PGP® Whole Disk Encryption, PGP® NetShare, or PGP® Portable. This gives Lotus customers an easy way to protect data outside of the Domino environment, from laptop computers, to network drives, to removable devices, without needing to install an additional server.
But the benefit isn’t all to Lotus customers. The Lotus Protector for Mail Encryption Server and Client truly extend the ecosystem for PGP Corporation’s customers. Since the products are fully compatible with PGP™ Universal Server and PGP® Desktop’s key discovery protocols, they enable full end-to-end encryption to even more email recipients.
Lotus Protector for Mail Encryption is a Lotus product, so you won’t be hearing much about it on pgp.com. However, more information can be found on ibm.com and around the web as more information gets released.
Arthur Fontaine, Senior Product Manager for Protector Security Products, said “We’re very pleased to be able to create a relationship with PGP Corporation, a market leader and innovator for the benefit of our Lotus Notes base.”
We are very proud of our relationship with Lotus and the ongoing collaboration that brought this product to life. This partnership brings together one of the most trusted brands in security with one of the most trusted brands in collaboration. All of our customers should benefit.
Filed under: Ecosystem, Perspectives
Tags: IBM, Lotus, Lotus Protector for Mail Encryption
PGP Betas,
Perspectives
I’m very pleased to announce that PGP Desktop 10.0 is now shipping.
All customers with current subscription licenses or maintenance will receive this upgrade free of charge. It is also available for purchase by new customers on the PGP webstore. PGP Desktop 10.0 brings the features you’ve come to expect to Mac OS X 10.6 (Snow Leopard), including Boot Camp support, and to Windows 7 (32- and 64-bit), and for the first time brings Whole Disk Encryption to Linux (Red Hat and Ubuntu).
What else is new? In summary:
- Encrypt/Sign button for Microsoft Outlook
- Faster encryption and decryption
- Installation localization for French and Spanish
- Safeguards against boot disk corruption
- Support for Boot Camp
This also marks the end of the PGP Desktop 10.0 beta program. I’d like to thank the hundreds of you who contributed to this program and helped us make PGP Desktop 10.0 the best release ever.
All 30 day beta licenses will be honored for the full 30 days from the time the license was issued. At that point the beta will cease working unless a non-beta (commercial) license is provided. Disks that have been Whole Disk Encrypted using the PGP Desktop 10.0 beta will decrypt when the beta license expires.
Filed under: PGP Betas, Perspectives
Tags: Mac OS 10.6, Red Hat, Snow Leopard, Ubuntu
Perspectives
There’s been a great deal of talk going on about cloud computing. The benefits are clear, because organizations realize that the network is an extension of their data center and that they can avoid many of the scalability and capacity problems of the past. The fundamentals of the concept are compelling and real.
Yet there is still a great deal of trepidation, especially when it comes to security. That’s because the concept of cloud computing needed to be tested first. The first generation of cloud computing services addressed whether the infrastructure made sense: was it possible to build these kinds of services with the quality and reliability of an in-house application?
I think we’re turning the corner on the first generation and that’s why people are talking about security. We’ve moved past whether the concept is feasible. Now we need to know if it’s practical and safe. The second generation of cloud computing applications will test whether a good security model can take shape to alleviate customer concerns that stand in the way of mainstream adoption.
One thing that we’ve learned from the past is that although encryption is a good thing, there’s a lot of ways to do it poorly. Today, many organizations struggle from rash decisions to deploy encryption without thinking about all of the aspects of management. The ongoing requirements to track, manage and safely recover encryption keys can pose formidable challenges as administrators struggle with the growing burden.
Now that we’ve turned our eyes towards the cloud, we have a rare opportunity to take a step back and envision how we could do security right in the first place. Companies can build out an ideal environment with data protection considerations built in before going live.
When we look at both the internal deployment of encryption and the cloud security model, the situations differ but the solution to both problems is the same. In the first, the pain came from a proliferation of key management tools that led to unforeseen operational costs and internal complexity. Applying a strategy of enterprise key management to eliminate duplication and simplify the administration of encryption keys leads to a more efficient and less costly environment.
The same approach should be at the forefront of cloud security. Encryption and identity are clearly essential to the cloud security model: there is network transport security (SSL/TLS), data integrity (digital signatures), data privacy (encryption), and the challenge of ensuring that only the right people have access to data (authentication). Each of these depends on key material, so to keep it lined up for sustained operations, organizations should work out their key management requirements before putting these technologies in place.
Having had the experience of what poor key management feels like, organizations should do the right thing with their cloud strategy and make sure that they ask the right questions of their cloud service providers. It isn’t really about whether the service has encryption. The better question is whether the proper key management is in place to administer the security for all of the cloud initiatives to come.
Filed under: Perspectives
PGP Betas,
Perspectives
On behalf of PGP Corporation, I’d like to thank everyone who has participated in the beta test of our latest product, PGP Desktop 10.0 with PGP Whole Disk Encryption for Apple® Mac OS X.
Thanks to your input we’ve identified a number of issues that have been fixed in the latest build (Beta-2) which is now available at the beta site. If you choose to download and install Beta-2, you will be given the option to also obtain and apply a new evaluation license which is valid for 60 days.
We appreciate any and all feedback from you: bugs, problems, suggestions, and improvements. Submit those here.
Filed under: PGP Betas, Perspectives
Perspectives
These days you don’t need to wait for holiday sales to buy the tiniest, highest-capacity USB thumb drive you can find. A 2GB USB drive sells for under $10 in the US, and works great for family pictures, your favorite music (yes, the 80s were a good era) and, oh yeah, the customer files you need to share with Bob at the audit firm. There’s only one problem: these drives get lost easily, or, as happens to most people, you just can’t remember where you put it. When that happens, you have released confidential company data (and possibly personal data) into the world for anyone to see. This can very quickly turn into an organizational nightmare once it is established that the drive was indeed lost, and your organization has to inform investors, customers, and just about everybody else about the loss.
A look at the latest data breach headlines shows that the loss of USB drives and CDs/DVDs is, unfortunately, still very much a reality. From the financial damage to the emotional damage data loss can cause, it’s no wonder Information Technology (IT) security officers lie awake at night wondering how to secure data that is entering, residing on, and leaving USB drives and CDs/DVDs.
As you get ready with your Windows 7 upgrades, it is essential to think about your device and media protection strategy.
The good news is, with PGP Portable, you can instantly secure any removable device or optical media, and we mean any. No need to invest in costly encrypted USB drives with their own asset management consoles, and no need to worry about cross-platform issues with native Windows solutions.
Simply right click, and convert any USB drive (or folder) into an encrypted container, drag and drop files, and share the drive. With PGP Portable, there’s no need to install any software to access data on the PGP Portable-enabled drive. So now you can encrypt the USB drive lying in your office drawer, drop files into it (just like a regular drive), and drop it in the office mail for Bob at the audit firm.
Call Bob and give him the passphrase you used (over a separate, secure channel, never in the same package as the drive). Bob then inserts the drive into his Windows PC (or a Mac!), enters the passphrase you gave him, and reads or modifies the files as he wishes.
Yes, it is just that easy.
1. Insert any USB drive. Select the USB drive, right-click, and create a PGP Portable Disk

2. Create a passphrase. The image below shows creation of PGP Portable-protected folders (which can then be burned onto optical media for sharing)

3. To access the encrypted data, simply insert the USB drive or CD/DVD into any Windows or Mac OS X system. Enter the correct passphrase, and access the data!

Although there are some hardware and native software solutions that protect removable devices, they don’t always offer a complete solution. What’s nice about PGP Portable is that:
i) Unlike the native BitLocker To Go on Windows 7, which covers removable drives but not optical media, it protects USB drives and CDs/DVDs (yes, Blu-ray too!). So next time you’re distributing the latest revision of documents to partners or your field force, rest assured the data stays protected.
ii) PGP Portable-enabled devices can be shared with Windows and Apple® Mac OS X users, without requiring any software installation to access the data.
iii) There are no separate application windows to work with, and no additional steps to take to access or modify these files. You work within the secure container just as you would with a regular USB drive, using your operating system’s native file explorer. You can also change the passphrase (provided you know the old one, of course).
iv) It can be centrally managed. This ensures IT officers can enforce their corporate security policy automatically and easily.
v) My favorite: it is software based. Which means you can secure any USB drive. Personally, I find carrying and using a specialized encrypted USB drive to be expensive and cumbersome.
Filed under: Perspectives
Tags: Data Breach, Data sharing, PGP Portable, Windows 7
Perspectives
Doug McLean – Blogmeister
So why does an information security company care whether you use Facebook or Outlook to communicate? The answer is that PGP Corporation is committed to protecting our customers’ data regardless of where it is and what device it is on. Giving up email or migrating to a hybrid email/social networking platform does not absolve individuals and enterprises from protecting the confidential information contained in their messages, status updates and tweets.
In fact, it complicates the situation in that there is clearly a class of information you will never want resident on any platform over which you don’t have complete control. This need for secure communications, particularly in the case of the social networking platforms (SNP), will lead to private Twitter groups (Flocks?), identity verified Facebook groups, and user encrypted message archives. NOW this gets interesting.
There have been any number of stories in the press recently about how to “protect yourself” on Facebook and the other SNPs. Most of them, unfortunately, reduce to:
A: Be suspicious
B: Don’t give out your password to anyone
Facebook, LinkedIn and the other social networking platforms do have pages of security “tips” that also fall into these same two categories.
There have also been numerous stories like this one detailing a few of the social networking platforms’ security vulnerabilities. So it’s clear that those of us who use them for personal and/or professional purposes have reason to be concerned about the new threat models the SNPs may enable.
I do, in fact, believe that the ability for the social networking platforms to become mainstream communications channels will be severely limited if the security issues inherent in their use are not addressed up front. The good news for both the SNP providers and their users is that these platforms are relatively clean sheets of paper when it comes to deploying secure communications services. So they have an opportunity to build security deeply into their architectures rather than layering it over existing infrastructure as we’re now doing with legacy email, chat, and other technologies.
In the meantime I do have one other recommendation for anyone intending to store files on the social networking platforms or even pass files through them to other repositories. Please, PLEASE encrypt them if you have any need to protect them. If you use our encryption, PGP Desktop has a feature that makes this extremely easy and allows you to encrypt a file to either a key or a simple passphrase.
PGP Zip is available from the File > New menu of any PGP Desktop application. When selected it opens the window shown below. Simply drag in the files you intend to store or transmit through Facebook or another SNP and click the SECURITY button.

PGP Zip File Selector
You are then presented with a choice of encrypting the selected files to a PGP key or a passphrase (below). If you are just archiving the files I strongly recommend using your own key. If you’re placing the files on a repository in the cloud for someone else, use their public key if they have one. Alternatively, you can just use a passphrase, but if you want to protect the files against a brute-force attack, please use a strong one: at least nine characters, mixing in numbers and a special character or two like #, *, or %, and longer is better, since the attacker’s work grows exponentially with every character you add.

PGP Zip Security Selector
Once you hit the “Save” button, PGP Desktop will both encrypt and compress the files and directories designated. You can then use one of the current file transfer applications to send the resulting PGP Zip file up to Facebook or any other cloud based repository knowing that it’s safe from prying eyes.
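Both the PGP Portable walkthrough above (a drive unlocked by a passphrase Bob types in) and the PGP Zip passphrase option depend on turning a human passphrase into a symmetric key, and the brute-force warning only makes sense once you see what one guess costs. The following is an added example, not PGP Corporation’s code: it implements the Iterated and Salted String-to-Key (S2K) specifier from RFC 4880 section 3.7.1.3, which is how OpenPGP derives the key when a message or archive is encrypted to a passphrase rather than to a public key, and then estimates how long exhausting a keyspace takes when every guess has to pay that cost. Whether PGP Portable uses exactly this construction is not stated on the page, so that is an assumption; the function names, the hash choice, and the attacker throughput figure in the demo are likewise the example’s own assumptions.

```python
"""Passphrase-to-key derivation as OpenPGP does it, and what it costs an attacker.

Added illustration, not PGP Corporation's code. It implements the Iterated
and Salted String-to-Key (S2K) specifier of RFC 4880 section 3.7.1.3, which is
how an OpenPGP implementation turns a passphrase into the symmetric key when a
message or archive is encrypted to a passphrase instead of a public key.
Whether PGP Portable uses this exact construction is not stated on the page;
that is an assumption here. The attacker hashing rate used in the demo is an
illustrative assumption, not a measured figure.
"""
import hashlib
import math
import os
import time


def s2k_decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash.

    RFC 4880: count = (16 + (c & 15)) << ((c >> 4) + 6), so c = 0x00 gives
    1024 octets, 0x60 gives 65 536 and 0xFF the maximum of 65 011 712.
    """
    if not 0 <= coded <= 0xFF:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Derive key_len octets from a passphrase with Iterated and Salted S2K.

    The octet stream (salt || passphrase) is repeated and hashed until `count`
    octets have been consumed (but never less than one full copy). If the
    digest is shorter than the key, further contexts are run over the same
    stream, each prefixed with one more zero octet, and the digests are
    concatenated. The salt defeats precomputed tables; the count makes each
    guess cost tens of thousands of hashed octets instead of a single hash.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    data = salt + passphrase
    count = max(s2k_decode_count(coded_count), len(data))
    # Whole repetitions in one buffer so hashlib is fed large chunks.
    block = data * max(1, 8192 // len(data))
    key = b""
    context = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)
        remaining = count
        while remaining > 0:
            chunk = block if remaining >= len(block) else block[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
        context += 1
    return key[:key_len]


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet_size`
    symbols; human-chosen passphrases are weaker than this upper bound."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(bits: float, coded_count: int,
                        attacker_octets_per_second: float) -> float:
    """Seconds to hash every candidate passphrase of the given entropy when
    each guess costs the S2K count in hashed octets."""
    octets_per_guess = s2k_decode_count(coded_count)
    return (2.0 ** bits) * octets_per_guess / attacker_octets_per_second


if __name__ == "__main__":
    salt = os.urandom(8)
    started = time.perf_counter()
    key = s2k_iterated_salted(b"correct horse battery staple", salt, 0x60, 32)
    elapsed = time.perf_counter() - started
    print(f"256-bit key {key.hex()[:16]}... derived in {elapsed * 1000:.1f} ms")

    RATE = 1e12  # assumed attacker throughput, hashed octets per second
    for label, bits in (("9 chars from 95 printable ASCII", passphrase_bits(9, 95)),
                        ("5 words from a 7776-word list", passphrase_bits(5, 7776))):
        for coded in (0x00, 0x60, 0xFF):
            years = brute_force_seconds(bits, coded, RATE) / (365.25 * 86400)
            print(f"{label}: {bits:.1f} bits, count {s2k_decode_count(coded):>9}: "
                  f"{years:.2e} years")
```

Two things the numbers make visible: raising the coded count from 0x00 to 0x60 multiplies the attacker’s work by 64 without changing the passphrase, and five words from a 7776-word list (about 65 bits) beat nine characters from the full printable set (about 59 bits) while being easier to read to Bob over the phone.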
The social networking platforms are wonderful tools for both personal and professional purposes. Besides helping us all to stay in touch with friends, family, colleagues and causes, they’re fun. They are not, however, secure communication services…yet. So, I’d urge caution and common sense in the information you share, store and transmit on them until such time as they do become more secure.
Filed under: Perspectives
Tags: Data Protection, Facebook, file encryption, LinkedIn, PGP Zip, Twitter
Perspectives
Doug McLean – Blogmeister
I audited a class at the local college recently. In the final 5 minutes of the final class, the instructor asserted that, “…social media will kill email.” As one of the very early adopters of email and responsible for bringing a number of email technologies to market, I dismissed his claim as the ranting of a tired lecturer who allowed his mouth to get a beat or two ahead of his brain. In retrospect, however, I’ve concluded he may have had a point.
I have to admit I didn’t see his point until I read a headline recently indicating that 92% of global email traffic is now spam. The fact that most email is junk isn’t news as the percent of measured spam has been hovering around 90% for quite some time. The fact that spam has dominated the email landscape for so long is helping to drive some interesting user behaviors, however. We’re starting to see reports that some users (mostly young) are giving up email entirely in favor of social media. While I think many email users will have problems doing this, it makes a certain amount of sense. We’re now even seeing reports of corporations migrating their communications infrastructure to the social networking platforms.
From a communications perspective, what Facebook, Twitter, and LinkedIn offer is a simple host based white list functionality. As you confirm “friends” or follow someone on Twitter, all you’re doing is building a list of sources from which you’ve agreed to consume status updates, Tweets, etc.
White lists have been around as an anti-spam technique since the dawn of spam. While they can be demonstrably effective, the approach has never achieved any real traction. The reasons for this differ for individuals and enterprises. For individuals, until the advent of social media (and the chance to see what your high school classmates look like now), there was no compelling reason to build or maintain the requisite list. For enterprises, it’s simply impractical to isolate themselves from the serendipitous communication that is an integral part of running a business.
Social media platforms alter the equation for both individuals and enterprises. In the case of individuals, most people have already learned that other than the email they receive from family, friends, and the companies with which they do business, there’s no real reason to read the rest of the email they receive. So using a social media platform for one-to-one or one-to-many communication doesn’t really change an individual’s communication behavior that much.
For enterprises, the situation is a little more complex in that a comprehensive white list necessarily is the aggregate of all their employees’ white lists. The tools to assemble and maintain such a list don’t exist yet, but they will and they’ll likely be provided by the same social media platforms that many enterprises now prevent their employees from using while at work.
And how will these enterprises deal with the daily communication requests from potential new customers, partners, employees, and vendors? The same way they do today, with generic sales@, partner@, and staffing@ addresses with spam filters and junior staffers to review them for potentially serious business opportunities.
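The white-list idea in the preceding paragraphs is simple enough to show in working code, so here is an added example (not PGP Corporation’s code, and not any product described on this page): a host-based sender allow-list that accepts mail from addresses or domains a user has approved, merges several users’ lists into the enterprise aggregate the post anticipates, and routes everything else to a review queue rather than dropping it, which is exactly the sales@-style mailbox with a junior staffer behind it. The sample messages, addresses and domains are constructed for the example. A From header is not authenticated, so a real deployment would pair this with SPF/DKIM or with signature verification of the kind the PGP posts above describe; the example deliberately shows why, by including a message whose display name impersonates an approved sender.

```python
"""Host-based sender allow-list, as an added illustration (not PGP Corporation's code).

Accept mail whose sender is on a per-user list (or on the union of all users'
lists), and send everything else to a review queue instead of dropping it.
Sample messages are constructed for the example. From headers are forgeable,
so this belongs behind SPF/DKIM or signature verification in practice.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Iterable, Optional, Set


@dataclass
class AllowList:
    addresses: Set[str] = field(default_factory=set)  # exact addresses, lower-case
    domains: Set[str] = field(default_factory=set)    # whole domains, lower-case

    def permits(self, address: str) -> bool:
        address = address.lower()
        if address in self.addresses:
            return True
        domain = address.rpartition("@")[2]
        return domain in self.domains


def merge(lists: Iterable[AllowList]) -> AllowList:
    """The enterprise list is just the union of the employees' lists."""
    merged = AllowList()
    for lst in lists:
        merged.addresses |= {a.lower() for a in lst.addresses}
        merged.domains |= {d.lower() for d in lst.domains}
    return merged


def sender_address(raw_from: str) -> Optional[str]:
    """Extract the bare address from a From header value.

    parseaddr returns the address inside the angle brackets, not the display
    name, so '"bob@partner.example" <x@evil.example>' yields x@evil.example.
    Returns None if no usable address is present.
    """
    _display, address = parseaddr(raw_from)
    if "@" not in address:
        return None
    return address.lower()


def classify(raw_message: str, allow: AllowList) -> str:
    """'inbox' if the sender is on the list, otherwise 'review'."""
    msg = message_from_string(raw_message)
    sender = sender_address(msg.get("From", ""))
    if sender is None:
        return "review"  # malformed or missing From: never accept blindly
    return "inbox" if allow.permits(sender) else "review"


# Constructed sample traffic for one user, Alice.
SAMPLES = {
    "partner": "From: Bob <bob@partner.example>\nSubject: Q1 numbers\n\nAttached.\n",
    "colleague": "From: Carol <CAROL@Example.COM>\nSubject: lunch?\n\nNoon?\n",
    "spoofed_name": 'From: "bob@partner.example" <x@evil.example>\nSubject: urgent\n\nWire now.\n',
    "prospect": "From: Dana <dana@newcustomer.example>\nSubject: quote request\n\nPricing?\n",
    "no_address": "From: Mailer Daemon\nSubject: junk\n\n...\n",
}

ALICE = AllowList(addresses={"bob@partner.example"}, domains={"example.com"})


def triage(samples: Dict[str, str], allow: AllowList) -> Dict[str, str]:
    """Classify each sample message against the given allow-list."""
    return {name: classify(text, allow) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES, ALICE).items():
        print(f"{name:13s} -> {verdict}")
```

The prospect lands in the review queue rather than being discarded, which is the enterprise case the post describes, and the message whose display name reads like Bob’s address goes to review too, because the list is checked against the real address. Nothing here stops an attacker from putting Bob’s real address in the From header, which is why an allow-list alone is a filter for noise, not an authentication mechanism.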
So will Facebook kill email? I doubt it. As I noted a few weeks ago, successful information technologies rarely actually die. They tend to get subsumed by other technologies in the inevitable march of progress towards the “next big thing”. Common examples include the transistor, mainframe computer, and almost every real innovation in programming languages. A similar fate likely awaits email or at least email as we now think of it.
My personal belief is that email and the social media platforms will develop in ways such that in time they will become indistinguishable. To be clear, I think this may take a long time particularly given the rate at which email technologies now evolve. However, I think we can expect the big email technology and service providers to add features such as correspondent status and geo-location and the social media platforms to enhance their message addressing, filing, archiving and search capabilities.
The question for those of us in the information security sector is how will we protect the communications flowing through the social media platforms? An even more pressing question for enterprises that allow their employees to use these platforms now is what are the threats and how do we address them? I’ll take up both of these issues next week.
Filed under: Perspectives
Tags: email, Facebook, LinkedIn, spam, Twitter, whitelist
Perspectives
Tim Matthews – Senior Director Product Marketing
Last week I sat down to have a conversation with Kevin Beaver, CISSP and security consultant, on Windows 7 BitLocker. I came across an interesting post he wrote called BitLocker and Windows 7 – Things You Need to Consider. I thought he had some good points and wanted to find out more.
Play Podcast:
Filed under: Perspectives
Tags: BitLocker, Endpoint Data Protection, Windows 7
This blog represents the personal opinions of certain employees of PGP Corporation and does not necessarily reflect the positions or opinions of PGP Corporation. As such, these personal opinions are not endorsed by PGP Corporation and you should conduct independent assessments before basing any decision upon the statements made in this blog.
MANAGERS, HOSTS, PARTICIPANTS, MODERATORS AND OTHER THIRD PARTIES ARE NOT AUTHORIZED PGP CORPORATION SPOKESPERSONS, AND THEIR VIEWS DO NOT NECESSARILY REFLECT THOSE OF PGP CORPORATION, AND ARE NOT ENDORSED BY PGP CORPORATION. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PGP CORPORATION WILL HAVE NO LIABILITY RELATED TO USER CONTENT ARISING UNDER INTELLECTUAL PROPERTY RIGHTS, LIBEL, PRIVACY, PUBLICITY, OBSCENITY OR OTHER LAWS. PGP CORPORATION WILL ALSO NOT BE LIABLE FOR MISUSE, LOSS, MODIFICATION OR UNAVAILABILITY OF ANY USER CONTENT. PGP CORPORATION DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED WITH RESPECT TO THE BLOG OR BLOG CONTENT. YOUR USE OF THIS SITE AFFIRMS AGREEMENT TO THE FOREGOING.