This article is a re-edited version of "DX-compatible email security realized by new alternatives !? An extension of PPAP" published in the "Cyber Security Information Bureau" provided by Canon Marketing Japan.
Email is still one of the main communication tools for many business people. Each company has its own rules and customs for sending and receiving it, and following them is the norm. However, since the "PPAP problem" swept the industry, what that practice should look like is about to change drastically. Takuya Hashida of Canon Marketing Japan Inc. explains the background and essence of this problem and the alternatives to PPAP.
Why is PPAP used in enterprises?
September 1, 2021 should go down as a notable day in the history of Japan's IT industry. On that day the Digital Agency, established to further boost the rapidly accelerating move toward DX (digital transformation) in Japan, took its first step. Prompted by remarks from Takuya Hirai, the first minister of the Digital Agency, the problem of email attachments became an industry topic in the second half of 2020 as the "PPAP problem" and caused lively debate.
First, let's review what PPAP means. As shown in Fig. 1, it is a "file sharing method in which email attachments are sent to recipients as password-protected ZIP files."
Figure 1: What is PPAP?
The name is borrowed from a song that spread so widely it could be called a pandemic, and the pun makes it easy to remember. When an article published by a technology web outlet was reprinted on a major portal site, it drew many comments, which showed that the topic was being discussed among general users as well.
Figure 2: Common PPAP operation methods
"There are many companies that have used the so-called PPAP method to send attachments. As shown in Figure 2, a decryption password is generated at the same time as the ZIP encryption. Then, the attachment and the password are sent separately. By doing so, the sender can double-check the destination. Even if the destination of the first mail is wrong, the file is difficult to decrypt unless the second mail is sent. By sending them separately, this method played a role as a countermeasure against erroneous transmission," says Hashida, emphasizing the significance of sending passwords and ZIP-encrypted attachments separately.
However, the business environment has changed significantly in the time since the PPAP method of sending and receiving attachments became established. A growing number of start-ups and other companies are replacing their communication tools with business chat as part of work style reforms. In addition, thanks to dramatic improvements in computer processing power, it is easier than before to decrypt even files protected with complicated encryption.
Amid these changes in the environment, Minister Hirai, mentioned earlier, decided to call the old-fashioned PPAP practice into question.
"At a regular press conference on November 17, 2020, Minister Hirai pointed out that PPAP is not appropriate from the viewpoint of security measures and the convenience of the recipient, and mentioned that PPAP will be abolished by the central ministries and agencies. In addition, it was pointed out that ZIP conversion of every file is a waste kept up by long-standing practice, as with 'a hanko for the time being'. Even local governments and private companies have begun to review PPAP, an act that should be called a custom," says Hashida, recalling what was a major turning point.
What are the problems with PPAP?
PPAP has been singled out for criticism lately, but do you have a proper grasp of the problems? As shown in Figure 3, PPAP has four major problems.
Figure 3: Problems with PPAP
1) Increased workload
"PPAP, that is, sending and receiving files with ZIP encryption, imposes a certain workload on both sender and receiver. The sender has to encrypt the file and issue a password, and the recipient has to decompress the received file each time with the password sent separately. The time required each time is not large, but it adds up to an amount that cannot be overlooked," says Hashida.
2) Convenience
"Office software now has many viewers, so an unencrypted file can be viewed on a smartphone or tablet. However, if it is ZIP-encrypted, some files cannot be viewed on a smartphone or tablet. In addition to the recent spread of telework, depending on the type of business and occupation, work outside the office may be the main task. In such cases, convenience is greatly impaired," Hashida noted.
3) Risk of eavesdropping
"When mail is sent by PPAP, the ZIP-encrypted file and the mail carrying the password are sent by the same route. If there is a security weakness on the sending route and the traffic is eavesdropped, the password is intercepted along with the ZIP-encrypted file. In this case, the attacker could decrypt the encrypted file with the stolen password. Sending both via the same route carries such a big risk," Hashida emphasizes.
4) Abuse for malware attacks
"In recent years, it has become common to put malware into files. Once such a file is encrypted, some antivirus software cannot detect the malware in it. Of course, no damage will occur unless the file is unzipped and opened, but if you consider that these files are sent to employees who do not have very high IT literacy, you will find that the security risk is extremely high," says Hashida, pointing out the fourth security risk.
Three alternatives to PPAP
As described above, the problems inherent in PPAP have come to be pointed out as the times have changed. However, PPAP should also have benefits. Also, for companies that have traditionally operated using the PPAP method, it may be easier to introduce an alternative that is an extension of PPAP than to adopt a completely new method. Figure 4 lists three alternatives. Hashida explains each method in order.
Figure 4: PPAP alternatives and the features of each
"There are three main alternatives to PPAP: 'linking attachments for download', 'file exchange service', and 'online storage'. Each has its advantages, but the usage is different. It's a big hindrance. It's not a PPAP best practice because different companies have different file sharing policies, which can hurt convenience," says Hashida, pointing out that each alternative has its advantages and disadvantages.
Figure 5: Benefits of each PPAP alternative
"Fig. 5 compares the advantages of PPAP and the alternatives. Among the alternatives, the download linking method inherits the advantages of PPAP as they are, so there is no need to think about what can be called the biggest barriers to migration: the confusion caused by a major change to the conventional method and the need for education. In addition, it also serves as a countermeasure against erroneous transmissions while allowing control by the administrator, which is in line with the recent compliance-oriented trend," says Hashida, explaining the merits of download linking.
Figure 6: New feature of GUARDIANWALL MailConvert on Cloud "Attachment download linking"
Canon Marketing Japan's mail security product "GUARDIANWALL MailConvert on Cloud" has newly adopted this download linking method. As shown in Fig. 6, the new function is to be introduced first on the premium plan and applied to the basic plan in December.
By using this new function, when sending an email, the product automatically separates the "email body" and "attachment file" and uploads the attachment file to the cloud server. After that, the URL to download the file is automatically added to the body of the email and sent to the recipient. The recipient simply downloads the file from the link sent.
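A minimal sketch of the flow described above, added here as an illustration and not taken from GUARDIANWALL MailConvert on Cloud: attachments are detached into a store, links are appended to the body, and a download succeeds only for an authenticated address the sender has released, mirroring the default-private setting the article describes for the sender's management screen. The in-memory `store`, `BASE_URL` and all function names are assumptions.

```python
import secrets
from email.message import EmailMessage

BASE_URL = "https://files.example.invalid/d/"  # placeholder host (assumption)


def detach_to_links(msg, store):
    """Move attachments into `store`; return a body-only message carrying links."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().rstrip() if body is not None else ""
    links = []
    for part in msg.iter_attachments():
        token = secrets.token_urlsafe(32)  # unguessable per-file identifier
        store[token] = {
            "filename": part.get_filename(),
            "data": part.get_payload(decode=True),
            "released_to": set(),  # default is private: no address may download
            "downloads": [],       # audit trail of (address, filename)
        }
        links.append(f"{part.get_filename()}: {BASE_URL}{token}")
    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header]:
            out[header] = msg[header]
    out.set_content(text + "\n\nAttachments (sign-in required):\n" + "\n".join(links) + "\n")
    return out


def release(store, token, address):
    """Sender opens one file to one address after re-checking the destination."""
    store[token]["released_to"].add(address.lower())


def download(store, token, authenticated_address):
    """Return file bytes only for an authenticated address the sender released."""
    entry = store.get(token)
    if entry is None or authenticated_address.lower() not in entry["released_to"]:
        return None
    entry["downloads"].append((authenticated_address.lower(), entry["filename"]))
    return entry["data"]


def build_sample():
    """Constructed message with one attachment, for demonstration only."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "rcpt@example.com", "Estimate"
    msg.set_content("Please see the attached estimate.")
    msg.add_attachment(b"constructed bytes", maintype="application", subtype="octet-stream", filename="estimate.pdf")
    return msg
```

Because the mail that leaves the gateway carries only the link, a mail delivered to the wrong address exposes nothing until the sender calls `release` for that address.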
5 new features of GUARDIANWALL MailConvert on Cloud
Fig. 7 shows the five points of this functional expansion. You can see at a glance that the security level has been improved without sacrificing the advantages of conventional PPAP.
Figure 7: Five new features of GUARDIANWALL MailConvert on Cloud
First, take a look at the schematic diagram of the transmission route in Fig. 8. The distinguishing feature is that the routes used for email and for file sharing are separated in order to avoid the "risk of eavesdropping", one of the four problems mentioned above.
Figure 8: GUARDIANWALL MailConvert on Cloud transmission path
"Specifically, when the sender sends the attachment, the attachment is automatically separated and the recipient can download it through authenticated access. Because the route of the mail body and the route of the download can be separated, the risk of eavesdropping can be greatly reduced. In addition, since file sharing is possible on the mail system, there is no need to prepare a new environment for file sharing. File sharing history can also be managed in addition to mail history," Hashida said, explaining its merits, and continued as follows.
Figure 9: Sender operation image in GUARDIANWALL MailConvert on Cloud
"As shown in Fig. 9, the sender can set the file disclosure range for each email address on the management screen after sending the email. The default setting is private, and it is set to public for each email address after sending. This can be a powerful countermeasure against erroneous transmission. You can also check which recipient downloaded which file on the management screen. Couldn't this be called a further countermeasure against erroneous transmission?"
However, even with this system, some effort remains on the recipient's side, because the recipient downloads the file via authentication, as shown in Figure 10. Unlike PPAP, though, the drawback that the file is encrypted and its contents cannot be checked by antivirus software is eliminated. Given that accessing important information through authentication is now commonplace, this effort may not be significant for the recipient considering the added security.
Figure 10: Recipient operation image in GUARDIANWALL MailConvert on Cloud
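Why a password-protected ZIP defeats content scanning, and how a mail filter can at least recognise one, as an added example that is not code from the article or the product: every ZIP entry carries a general-purpose flag whose bit 0 marks it as encrypted, so a filter can hold such attachments instead of passing them unscanned. The `hold`/`scan` verdicts and the function names are assumptions, and the sample archive is constructed with only the flag set.

```python
import io
import zipfile
from email.message import EmailMessage

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def encrypted_entries(zip_bytes):
    """Names of entries a scanner cannot read without the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]


def triage(msg):
    """Map each ZIP attachment to 'hold' (unscannable) or 'scan' (assumed policy)."""
    verdicts = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data and zipfile.is_zipfile(io.BytesIO(data)):
            verdicts[part.get_filename()] = "hold" if encrypted_entries(data) else "scan"
    return verdicts


def sample_zip(mark_encrypted):
    """Constructed one-file ZIP; optionally flag the entry as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quote.txt", "constructed sample content")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # Flags sit at offset 8 of the central directory record. Only the
        # marker a filter keys on is set; the payload itself stays plaintext.
        raw[raw.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED
    return bytes(raw)


def sample_message():
    """Constructed mail with one flagged and one ordinary ZIP attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Quote"
    msg.set_content("The password follows in a separate mail.")
    for name, flag in (("ppap.zip", True), ("plain.zip", False)):
        msg.add_attachment(sample_zip(flag), maintype="application",
                           subtype="zip", filename=name)
    return msg


if __name__ == "__main__":
    print(triage(sample_message()))
```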
GUARDIANWALL MailConvert on Cloud also offers great benefits to system administrators. Since the product is a cloud-based gateway, it can be centrally managed at the company-wide level, and the operation method can be changed flexibly in response to changes in the internal organization. Now that business demands speed, many companies change their organizational structure every quarter. With GUARDIANWALL MailConvert on Cloud, operations can be changed flexibly to keep pace. As shown in Fig. 11, the default sharing method can also be set according to each customer's file sharing policy.
Figure 11: Administrator operation image in GUARDIANWALL MailConvert on Cloud
"It's not uncommon for employees to make decisions on a case-by-case basis because each customer has a different file-sharing policy. However, the time it takes to make that decision can only hurt productivity. You can also check with the customer each time. Reducing such time leads to improvement in productivity. Being able to increase both safety and productivity, which in the past were often thought not to coexist, is a benefit of this new feature," Hashida said.
Achieve a more secure email environment by combining products
As shown in Fig. 12, GUARDIANWALL MailConvert on Cloud can be combined with a filtering function (GUARDIANWALL MailFilter) and an archive function (GUARDIANWALL MailArchive) to comprehensively prevent information leakage from the inside. GUARDIANWALL MailFilter on Cloud provides filtering and delivery control functions.
Figure 12: GUARDIANWALL Mail Security Email environment enabled by linking 3 products
The filtering function checks the sender and destination and performs keyword inspection and personal information inspection. In addition, the delivery control function can hold, delay, delete, and so on, emails that match the filter. It also makes it possible to set rules such as requiring a superior's approval for highly confidential emails.
GUARDIANWALL MailArchive on Cloud provides a fully searchable email archiving function. Beyond auditing in the event of an emergency, making employees aware that email is monitored on a regular basis can be expected to deter information leakage. By combining these three products, it is possible to prevent information leaks caused by fraud and carelessness.
Figure 13: Security products for Microsoft 365
GUARDIANWALL also offers other products related to the PPAP issue. Outbound Security for Microsoft 365, introduced in Figure 13, is a security product that can be used as an add-in for Microsoft 365. For companies that use Microsoft 365 as an office suite, being able to deploy it in an add-in format would be an advantage because it can be used without major changes.
"Alternatives to the PPAP problem have different characteristics and suit different situations. GUARDIANWALL, provided by Canon Marketing Japan, has come to provide a balanced 'automatic URL conversion of files' by expanding its functions. Also, by combining products, it is possible to take more comprehensive measures. For the 'Shinka' of email security, please take a moment to consider what the best solution for your company is. You can also try out the products introduced this time for free, so please feel free to contact us," Hashida concludes.
As mentioned earlier, there are no so-called best practices for the PPAP issue. However, due to the threat of malware that is getting worse year by year and the trend of emphasizing compliance, the damage to companies when a security incident occurs will only increase. There is an urgent need to deal with the PPAP problem. Given such circumstances, it may be a realistic option to realize download linking in products, which is an extension of conventional PPAP.