Recipients and third parties always receive a notification email when they have an Egress Switch Secure Email waiting for them.
Email Template to Recipients
This standard email template is enabled on all business accounts, and by default it directs first-time users to the Egress Switch web access. Any part of this template can be customised.
Customised Email Template
This example demonstrates a fully customised email template as part of the London Councils enterprise agreement. Text, layout, colours, links and graphics have been customised.
Microsoft Outlook Ribbon – Simple Add-in
The Egress Switch Outlook Add-in is fully customisable and can be configured to integrate with any type of business requirement. Security labels can be fully customised, with each containing a set of security principles that are applied to the encrypted data.
Simple Email Encryption
- Unclassified: Set as default to send a standard clear text email.
- Encrypt message and attachments: Select to secure the message body content and any attachments.
Additional options can be configured, such as the ability to preserve the message, display a security disclaimer, determine whether attachments can be extracted and define permitted recipients and types of information. This configuration is often used for initial deployment.
Government Protected Markings
This example shows three options associated with the new UK Government Protective Marking Scheme. As well as customisation of all logos and text, every label contains a set of security rights.
- Unclassified: Send a standard clear text email.
- Official: Encrypt the message body and any attachments but do not preserve security after successful recipient receipt.
- Official Sensitive: Encrypt the message body and any attachments, and preserve security if a message is forwarded or saved. A security disclaimer must be accepted before access is granted. A watermark is applied to the message body and any documents viewed in the browser. There are restrictions on cut, copy, save and print functions.
Automated Policy-Based Encryption
Email and file encryption can be automated based upon policy rules. Once a user presses Send, Switch will scan the message body, attachments and recipients. Based upon the data detected (e.g. keywords or regular expressions) the email can be seamlessly encrypted without any user intervention.
The example below shows how an email can be automatically encrypted based upon an Official marking found within the attached Word document.
Rather than automatically encrypting emails, customisable prompts can also be displayed to aid user education. In the example below, a user has forgotten to encrypt and is about to send a Word document containing a national insurance number.
In this case, a prompt is displayed to the user with only one option for them to select: Official Sensitive. You can decide to give the user a choice of labels at this point if you prefer.
Preventing Data Leaks
Switch can automatically encrypt or prompt a user to encrypt emails, but there may be instances where you want to prevent certain information from leaving your organisation altogether. This might be based upon the type of information being sent or the domains it is being sent to. For example, you might want to prevent all Official Sensitive information from being sent to any of the major ISPs.
This example shows how a user has been prevented from sending their email because an attached spreadsheet has been found.
Large File Transfer
You can create a policy to dictate the functionality of Egress Switch Large File Transfer (LFT), which is used to send large attachments with an email. Switch LFT will upload emails with large attachments to cloud-based storage or an FTP server and then send the recipient an email with a link to the contents. It is possible to run policies against these attachments, in the same way as the policy-based decisions that have been outlined previously.
For example, when attaching a 100MB file, the Large File Transfer sidebar automatically appears and will contain the large file. You can also add files directly into this sidebar by selecting “Add File” or by dragging files directly into the sidebar.
It is also possible to modify the appearance and behaviour of Switch LFT in the Switch Client through the use of registry keys. You can obtain further information regarding this function from your Egress Technical Account Manager and the ‘Egress Switch Registry Keys and Values’ document.
Multiple Layer Authentication
Multiple layer authentication enables business administrators to define one or more additional authentication methods that are required to access sensitive information.
Policy may dictate that a single method of recipient authentication is not appropriate, or for enhanced end-user assurance, it may be desirable to enforce additional verification checks.
There are several ways to apply this:
- Sender adds additional authentication at the point of sending the email.
- Additional authentication derived from the information being sent. For example, Switch detects a date of birth and applies it as a level of authentication.
- Query an external data source, e.g. SQL database, a web service or CSV file for the extra level of authentication.
- Integration with a third-party delivery mechanism, such as SMS.
Outlook Web Access
When used in conjunction with an Egress Switch Gateway, Switch can support the encryption of email created within MS Outlook Web Access (OWA). You can customise OWA with server-side modifications, including the ability to add customisable classification labels to match those seen within the full Outlook client.
Figure 1: OWA customised drop-down menu
As well as encrypting emails, Switch can classify them by adding a customisable colour-coded header and footer. The sender can add this classification manually, but you can automate or prompt it based upon the email content. Upon pressing Send, the classification is appended as seen below.
As well as picking out raw data from emails and attachments, the following string references can also be detected:
- Post Code
- National Insurance Number
- Sort Code
- Account Number
- Card Number
- General Medical Council Number
- NHS Number
- Passport Number
- Date of Birth
- IP Address
- Case Number
- Financial Services Reference Number
- Policy ID Number
- Patient Number
You can easily expand these dictionaries to include additional data formats or string references as required. Egress provide a default dictionary that contains commonly used words and expressions that other companies search for. To obtain a copy please contact your Egress Technical Account Manager.
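The sketch below is an added example, not Egress Switch code or dictionary content. It shows how detection of three of the listed string references can pair a regular expression with a checksum (NHS mod 11, card Luhn) so that look-alike digit runs are not flagged. The patterns, function names and sample text are assumptions constructed for illustration.

```python
import re

# Illustrative patterns (assumptions); these are not Egress dictionary entries.
NINO = re.compile(r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z]"
                  r"[A-CEGHJ-NPR-TW-Z] ?(?:\d{2} ?){3}[A-D]\b")
NHS = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def nhs_ok(digits):
    """NHS number mod 11 check: weights 10..2 over the first nine digits."""
    check = 11 - sum(int(d) * w for d, w in zip(digits, range(10, 1, -1))) % 11
    check = 0 if check == 11 else check
    return check != 10 and check == int(digits[9])

def scan(text):
    """Return {label: [matches]} for values that pass both format and checksum."""
    hits = {}
    for label, rx, check in (
        ("National Insurance Number", NINO, None),
        ("NHS Number", NHS, nhs_ok),
        ("Card Number", CARD, luhn_ok),
    ):
        for m in rx.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if check is None or check(digits):
                hits.setdefault(label, []).append(m.group())
    return hits

# Constructed sample text: two values per numeric type, one valid and one not.
SAMPLE = ("Patient AB123456C, NHS no 943 476 5919 (ref 943 476 5918), "
          "paid with 4111 1111 1111 1111; order id 4111 1111 1111 1112.")

if __name__ == "__main__":
    for label, values in scan(SAMPLE).items():
        print(label, values)
```

Only the checksum-valid NHS and card numbers are reported, which is the property that keeps order references and similar digit strings from triggering a policy.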
Enforced And Opportunistic TLS Encryption
Switch Gateway supports policy-driven TLS encryption. When enabled in conjunction with Switch message encryption, TLS provides unrivalled policy and choice over end user encryption.
When TLS is enabled, Switch Gateway can be configured to send a request to the destination server and determine whether the server can receive TLS encrypted content. If Switch Gateway receives a valid response, content can be sent solely using TLS or using TLS and Switch message encryption. You can make exclusions for domains that may accept TLS but are not deemed secure and enforce Egress Switch message encryption.
In addition, Switch Gateway supports message splitting: it can take a single message and, for each recipient domain, encrypt it with the method that policy dictates for that domain.
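The following added example (not Switch Gateway code) models the decision described above: read each destination server's EHLO reply for the STARTTLS extension, apply a domain exclusion list, and split one message into per-domain deliveries. The function names, domain names and EHLO replies are constructed, and falling back to message encryption when TLS is not offered is an assumption.

```python
from collections import defaultdict

def supports_starttls(ehlo_reply):
    """True if an SMTP EHLO reply advertises the STARTTLS extension (RFC 3207)."""
    for line in ehlo_reply.splitlines()[1:]:        # first line is the greeting
        if line[:3] == "250" and line[4:].split(" ")[0].upper() == "STARTTLS":
            return True
    return False

def plan_delivery(recipients, ehlo_replies, message_encryption_only):
    """Split one message by recipient domain and pick a protection method for each."""
    by_domain = defaultdict(list)
    for rcpt in recipients:
        by_domain[rcpt.rsplit("@", 1)[1].lower()].append(rcpt)
    plan = {}
    for domain, rcpts in by_domain.items():
        tls = supports_starttls(ehlo_replies.get(domain, ""))
        # Excluded domains get message encryption even when they offer TLS.
        if tls and domain not in message_encryption_only:
            plan[domain] = ("tls", rcpts)
        else:
            plan[domain] = ("message-encryption", rcpts)
    return plan

# Constructed EHLO replies for three hypothetical destination domains.
EHLO = {
    "partner.example": "250-mx.partner.example\r\n250-SIZE 10240000\r\n"
                       "250-STARTTLS\r\n250 8BITMIME",
    "legacy.example": "250-mx.legacy.example\r\n250 SIZE 10240000",
    "webmail.example": "250-mx.webmail.example\r\n250-STARTTLS\r\n250 PIPELINING",
}
RECIPIENTS = ["a@partner.example", "b@legacy.example",
              "c@webmail.example", "d@Partner.example"]

if __name__ == "__main__":
    plan = plan_delivery(RECIPIENTS, EHLO, {"webmail.example"})
    for domain, (method, rcpts) in plan.items():
        print(domain, method, rcpts)
```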
Mobile apps and optimised web clients are available for iPhone / iPad, BlackBerry, Android and Windows Phone. They enable transparent access and creation of encrypted email. Alternatively, if you have a Switch Gateway server, Switch can seamlessly pick up on data sent from mobile devices, and encrypt or classify as appropriate.
Google Apps Integration
Switch can integrate into Cloud-based mail infrastructures such as Google Apps. A Chrome extension is available to provide a simplified user interface experience for business authors. The drop-down menu provided can be fully customised and allows for manual encryption and classification.
Alternatively, Switch Gateway can make policy-based decisions for the user and encrypt / classify as per security policy requirements on your account.