15 May 2008

SAFEmail - Protective Marking Suite


Labelling, Protective Marking and Release Control for Secure Messaging

The SAFEmail Protective Marking Suite comprises two powerful components to safeguard the transmission of sensitive information over a messaging network. SAFEmail will automatically apply a default label to each email and allow users to override the default if required; alternatively, SAFEmail allows users to explicitly add a label to their email. SAFEmail Protective Marking Suite prevents unauthorised users from accessing restricted or confidential information. SAFEmail could, for example, be deployed to prevent emails labelled as “Company Confidential” going outside the company; similarly, it could prevent an email marked as “Secret – Treasury Only” going to the Department of Health.

The Business Requirement
Originally inspired by use within Defence and Intelligence organisations, many government and commercial organisations are now using Protective Marking or Security Labels to control access to their sensitive information. The principles of Protective Marking require that all sensitive material is categorised at one of a number of levels. Distribution of information can then be controlled in a way that prevents leakage or “spillage” of information to unauthorised parties. Despite email becoming a ubiquitous tool for business and government, it has also become the vehicle for the majority of unauthorised information leaks.

The majority of email security breaches are accidental: often emails are sent to the wrong recipient as a genuine mistake. There is a clear and present requirement to close this gap and prevent inadvertent email addressing. Beyond the need to plug the accidental breach, there is a more serious need to classify information and manage the flow of that information around organisational and inter-organisational networks in order to protect national security, commercial advantages or individual privacy. This institutional need to improve security requires a means of adding protective marking to emails in a way that is readable by humans and technology, clients and servers.

Solution capability
The SAFEmail Protective Marking Suite comprises two main components: SAFEmail Labeller and SAFEmail Capability Checker.

SAFEmail Labeller
SAFEmail Labeller is an extension to Microsoft Outlook that adds a Protective Mark or Security Label to the email message. It is fully configurable (by administrators) and offers the following capabilities.

  • Multi-dimensional labels. SAFEmail allows the administrator to create simple single-dimensional labels, for example SECRET or COMPANY CONFIDENTIAL. It also allows the administrator to add further dimensions or qualifiers to the first label, so it is possible to create labels in the SECRET/INVESTIGATIONS style.
  • Configurable labels and descriptors. This means that administrators can create labels that reflect the terminology in their organisation. One organisation may, for example, use a range of labels TOP SECRET, SECRET, RESTRICTED, UNCLASSIFIED, whereas another may use SECRET, COMPANY CONFIDENTIAL, PERSONAL, UNRESTRICTED. All configuration details are stored in XML format.
  • Configurable label placing. SAFEmail Labeller can be configured to write the security label to any or all of the following locations: First Line of Text (FLOT), Subject Line, SMTP Header, S/Mime-ESS Header or P1 Envelope label. In addition, on reading a labelled message, SAFEmail Labeller displays the label on a “button” at the bottom of the message window. This latter feature ensures that the label is always displayed and visible as the reader scrolls down the text.
  • Standards conformance. SAFEmail Labeller stores the security label in a number of industry standard formats and locations. This means that the label can be read by all other security enforcing engines, such as Mail-guards and Firewalls. This additional interoperability not only gives “security in depth” when combined with SAFEmail Can-Send Checker, but also allows an organisation to monitor deliberate security breaches.
  • Internationalisation. All text strings, whether they are labels, descriptions or help files are held in separate resource files and thus can be translated as required.
  • Message Disclaimer Text. The product can be configured to insert a text string at the end of the message.

SAFEmail Capability Checker
This is a further extension to Microsoft Outlook that works in conjunction with SAFEmail Labeller to create a simple but powerful security capability. By maintaining a set of capability data, the Capability Checker supports the following capabilities:

  • Immediate Response. After an email has been labelled (whether automatically or by default) and just as the user has pressed “Send”, the Capability Checker sends off a series of queries to check whether the intended message recipients are authorised to receive the message based upon its security label. This Immediate Response capability gives the sender immediate feedback and allows them to correct the addressing as needed. Immediate Response avoids the delays (sometimes hours) of server-only solutions. Ergonomically this is a much more efficient way to control email security.
  • Mistaken Addressing. How often have you inadvertently sent an email to the wrong recipient? Automatic address completion makes it so easy to add the wrong “Steve” or “Lucy” to an email, and before you realise it, the strategy for closing down a remote branch office has been sent to a friend from the football club who works for the local newspaper! With every email labelled by default as INTERNAL CONFIDENTIAL, an email addressed outside the organisation would be stopped at your desktop for correct re-addressing.
  • Auditable Override Capability. Certain users may be given (by administration) authority to override the Capability Checker and in effect say “I understand the policy, but in this instance the message must be sent”. Any manual override is recorded for later audit.
  • Fraud Detection. When used in conjunction with a server-based compliance engine, the Capability Checker will trap deliberate fraud. The Capability Checker prevents (as in the previous point) sending sensitive emails in error. The only way around the process is to deliberately mis-label an email. Thus when a server-side compliance content checker detects a security breach, it is obvious that the sender must have deliberately downgraded the message in order to release the information.
  • On Receipt Checker. The Capability Checker can optionally be configured to perform a security check to ensure that the reader has sufficient security permissions to read the inbound message. This principle of multiple checking or “Strength in Depth” is a practice used in our other markets of Defence and Intelligence.
  • Directory Integration. The Capability Checker uses LDAP (Lightweight Directory Access Protocol) to search for recipient clearance or capability information prior to releasing the message. Most directory servers, including Active Directory, LDAP and X.500, support it, and thus Capability Checker can be deployed across many environments. Capability data can also be stored in a local cache to support off-line working.
  • Simple Configuration. The Capability Checker has an administrator interface that makes it simple to configure the logic within the product.


Benefits
Boldon James’ SAFEmail Protective Marking Suite is a Commercial/Civil version of a product already deployed in large volumes to Defence and Intelligence operations around the world. It is proven in large deployments in the most rigorous of situations.  In summary the main benefits of the Protective Marking Suite are as follows: 

  • Prevents inadvertent mailing of sensitive information.
  • Assists in tracking the sources of deliberate fraud.
  • Fully interoperable with standards based and proprietary solutions.
  • Interworks with all known commercial server based compliance gateways.
  • Maximum flexibility to support specific or national labelling systems.
  • Commercial off the Shelf (COTS) components throughout and as such is simple to implement and deploy.
  • Powerful configuration capabilities to support the widest range of labelling schemes.
  • Default settings to minimise end user disturbance.

Optional Extensions
The SAFEmail Protective Marking Suite is part of the SAFEmail product range and integrates with the following Microsoft Outlook based solutions.
SAFEmail Security: A powerful S/Mime security subsystem, offering signatures and encryption. The SAFEmail security subsystem also supports signed security labels (detecting any change) as well as non-repudiation of receipt and delivery.
MasterKey Plus: An LDAP Address book that seamlessly integrates an external LDAP directory into Outlook and makes the directory appear as another GAL (Global Address List), with full searching and graphical display capabilities.
e-Tracker: An Inbox Management tool that correlates READ and DELIVERY reports from Sent emails and gives an intuitive display to identify non-reads or delivery errors. e-Tracker is used in many organisations to support assured delivery capabilities.
SIM: A hardened Chat solution, offering labelled, secure, auditable and persistent chat room conversations. The Boldon James SIM product, based upon Microsoft Live Communications Server (LCS), is easily integrated with the MMHS by simple Outlook Toolbar buttons.

© Boldon James Ltd. All Rights reserved.