Microsoft Solution Case Study

Enhancing on-premises decryption solution with Microsoft Azure services

Solution Name: DecryptNaBox
Partner: Zeva
Website: www.decryptnabox.com
Country or region: United States

Company profile
Zeva enables organizations to access encrypted email for investigations and security scanning. Though email encryption is increasingly important to governments and companies, it hampers an organization's ability to inspect documents for security or compliance. DecryptNaBox solves this problem by enabling access to encrypted email while preserving the integrity of the organization's public key infrastructure. DecryptNaBox facilitates eDiscovery, audits, mobile access to encrypted emails, and antivirus scanning, enabling companies to secure their emails while maintaining the ability to inspect them when necessary.

Supporting Microsoft software and services
- Microsoft Azure Key Vault
- Microsoft Exchange Server 2013
- Microsoft Windows Server 2012 R2
- Microsoft SQL Server 2014

"With Microsoft Azure services, our customers can now use DecryptNaBox on an as-needed basis to handle investigations and avoid making a large investment in infrastructure."
Sam Andoni, Founder, Zeva

"We found a way to decrypt without exposing the private key of the user, which was a huge security improvement."
Sam Andoni, Founder, Zeva

Lifting the covers off encrypted email

Unencrypted data is always at risk of being made public, as was made painfully obvious with the public release of emails from the Sony Corp in late 2014. With each new incident of confidential corporate information being made public, companies can no longer delay implementing email encryption, whether through a traditional public key infrastructure (PKI) or personal identity verification (PIV) using smart cards. However, when organizations are considering email encryption, they must consider the implications for their security and compliance procedures. Encryption causes many problems that are not easy to address. After an email is encrypted, applications that deliver security and compliance by analyzing email content can no longer access the email. Antivirus scans aren't possible, and encrypted emails won't show up in search results or eDiscovery queries. Today, organizations often forgo implementing encryption to preserve their ability to inspect email for investigations or security.

Zeva is helping government agencies and corporations solve these issues and move forward with encryption programs with its groundbreaking DecryptNaBox solution. DecryptNaBox enables organizations to access the content of encrypted emails while keeping each user's private key protected. The technology even works with hardware-based encryption, such as smart cards.

Creating a new technology

Zeva got its original ideas for the DecryptNaBox technology from an email migration tool that Microsoft released to facilitate adoption of Exchange 5.5. When security teams understood that they could use SecTool to decrypt and encrypt large amounts of Exchange data quickly and easily, the SecTool became one of the most popular tools in the security business. However, after Microsoft moved to new file formats with the release of Office 2007, SecTool no longer worked.

Many organizations had come to depend on SecTool, including many large departments within the US government. Zeva had contacts within these government organizations and within Microsoft and saw the opportunity to build a replacement. "We started from scratch to build a tool to help companies with eDiscovery of encrypted email," says Sam Andoni, founder of Zeva. "We found a way to decrypt emails without exposing the private key of the user, which was a huge security improvement." The technology, which is the basis of DecryptNaBox, has multiple patents pending, has been approved for use by the US Government, and meets FIPS 140-2 Level 3 standards.

DecryptNaBox works by taking advantage of the way email messages are encrypted in Microsoft Exchange. Exchange uses a message session key to encrypt and decrypt individual messages. The message session key is encrypted and decrypted with the user's private key from the organization's public key infrastructure (PKI) certificate authority (CA). Rather than providing the private key to use for encryption, DecryptNaBox pulls the message session key from each message and decrypts it within a hardware security module (HSM) that acts as an extension to the certificate authority.

With DecryptNaBox, private keys never leave the certificate authority. They stay within the HSM. Only the message session key is sent over the network. Email is decrypted by the DecryptNaBox client, while keys are decrypted within the CA by the DecryptNaBox server. The server can be a physical server at the organization's data center or hosted by the PKI service provider.

Solving the government's problems

DecryptNaBox solves several problems for government agencies. "Federal regulations make it very difficult to get possession of an employee's private key, which slows down investigations," says David Spannare, Program Management Director at Zeva. "The other problem was responding to Freedom of Information Act requests, which required searching across all emails for specific keywords. It wouldn't be possible to get every employee's private key with current policies." By allowing the private key to remain inside the CA, DecryptNaBox solves these problems, enabling fast large-scale investigations.

Another problem government organizations face is the implementation of Homeland Security Presidential Directive 12 (HSPD-12), which calls for all government agencies to use a common hardware-based ID for access to computers and buildings. "When you use a hardware-based private key for encryption, the key has to remain on the hardware. Now you have to give someone a copy of the smart card to do an investigation that requires decrypting email, which isn't feasible and is delaying implementation of the directive," says Andoni. DecryptNaBox keeps the private keys within an HSM, so this is not an issue.

Reaching beyond government

Organizations that want to protect proprietary information face the same email encryption issues as the government. Many Fortune 100 companies are using DecryptNaBox today to facilitate the use of encrypted email. But small companies need these capabilities as well, though they have struggled to justify the expense of on-premises servers and HSMs.

To better address the needs of its customers, Zeva has released a version of DecryptNaBox that runs on Microsoft Azure. It uses the Azure Key Vault service, which enables companies to store encryption keys in HSMs certified to FIPS 140-2 Level 2 standards. "With Microsoft Azure services, our customers can now use DecryptNaBox on an as-needed basis to handle investigations and avoid making a large investment in infrastructure," says Andoni.

Making decryption mobile

The growing adoption of hardware-based encryption using PIV poses significant challenges for mobile users. Mobile devices generally cannot host hardware keys or access smart-card readers. While solutions are available that use derived credentials to allow , they do not address the needs of organizations with Medium Hardware Assurance policies, which are becoming more prevalent. The MobileDecrypt client works with mobile device management (MDM) solutions to enable mobile devices to read decrypted email without accessing user private keys. MobileDecrypt can be integrated into an MDM solution and works on any device supported by that solution.

Enabling encryption for everyone

The demand for email encryption—especially with the latest PIV technology that provides the best security—is growing, but the complexities it creates are slowing or preventing implementations. DecryptNaBox solves the problem of accessing encrypted emails within the organization for eDiscovery, audits, antivirus, data leakage, mobile access, and many other uses. The new Azure-based options mean any individual organization can easily take advantage of this solution without making significant infrastructure investments, enabling more organizations to implement the protection they require.
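The key-custody split described above (a per-message session key wrapped under the user's public key, unwrapped inside an HSM that never releases the private key, with only the session key crossing the network) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Zeva's or Microsoft's code, and it makes no claim about DecryptNaBox's actual protocol or key sizes. The class name KeyCustodian, the function names, and the use of textbook RSA with a SHA-256 keystream as a stand-in message cipher are all assumptions chosen to keep the example dependency-free; they are toy cryptography for showing the trust boundary, not a cipher to deploy.

```python
"""Toy model of HSM-side session-key unwrapping: the private exponent lives only
inside KeyCustodian, clients send the wrapped session key and get the session key
back. Textbook RSA (no padding) and a hash keystream are used purely so the
example runs with the standard library; not suitable for real use."""
import hashlib
import os
import random
from math import gcd

SESSION_KEY_BYTES = 32  # 256-bit session key, always smaller than the modulus


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (n, e, d) for a toy RSA key with a modulus of the given size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


class KeyCustodian:
    """Stands in for the CA-side HSM (hypothetical name): holds the private
    exponent and only answers 'unwrap this session key' requests."""

    def __init__(self, bits: int = 512):
        self._n, self._e, self._d = generate_keypair(bits)

    def public_key(self):
        return self._n, self._e

    def unwrap_session_key(self, wrapped: int) -> bytes:
        # The only private-key operation; the caller never sees _d.
        return pow(wrapped, self._d, self._n).to_bytes(SESSION_KEY_BYTES, "big")

    def export_private_key(self):
        raise PermissionError("private key is not exportable from the custodian")


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in symmetric cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def encrypt_message(public_key, plaintext: bytes):
    """Sender side: fresh session key per message, wrapped under the recipient's
    public key. Returns (wrapped_session_key, ciphertext)."""
    n, e = public_key
    session_key = os.urandom(SESSION_KEY_BYTES)
    ciphertext = _xor(plaintext, _keystream(session_key, len(plaintext)))
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, ciphertext


def decrypt_message(custodian: KeyCustodian, wrapped: int, ciphertext: bytes) -> bytes:
    """Client side: only the wrapped session key goes to the custodian; the body
    is decrypted locally with the returned session key."""
    session_key = custodian.unwrap_session_key(wrapped)
    return _xor(ciphertext, _keystream(session_key, len(ciphertext)))


if __name__ == "__main__":
    hsm = KeyCustodian()
    wrapped, body = encrypt_message(hsm.public_key(), b"constructed sample message")
    print(decrypt_message(hsm, wrapped, body))
```

The point to take from the model is where the trust boundary sits: an investigator's client holds ciphertext and a wrapped session key, the custodian holds the private key, and compromise of the client yields only the session keys it was explicitly granted, never the user's long-term key. A real deployment replaces the toy primitives with padded RSA or ECDH key agreement inside an actual HSM and adds authentication and audit logging around each unwrap request.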

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Document published May 2015