Virtru Data Protection Gateway — Customer Hosted — deployment with Google Workspace and SEC 17a-4 compliance. A STAR-based retrospective.
Well, the title is a metaphor for what I’ve done here: built an end-to-end tutorial on deploying Virtru for SEC 17a-4 compliance. Why? Because I needed good documentation and felt that this knowledge needed to be available for others who may follow the same path.
This article is an introduction to a series of guides I have created that will exhaustively document my experience. While I hope you spend a moment reading this article, here are the chapters if you are ready to dive in:
- Virtru Customer Hosted Gateway Solution for SEC 17a-4
- Preparing the AWS Environment
- Housekeeping for AWS Instance Setup
- Setting up Amazon Linux with Docker and Webmin
- Validating Work and Setting Up Virtual Gateways
- Outbound Decryption Gateway on Port 9001
- Inbound Decryption Gateway on Port 9002
- Outbound Data Loss Protection (DLP) Gateway on Port 9003
- Configuring Logging and Environment Variables in Docker 🐳
- Adding DKIM Record — Almost Ready!
- Ensuring Deliverability and Validating Email Configuration
- Starting the Dockerized Virtru Gateways for the first time
- Configuring the Google Workspace Hosts, Routing, and Compliance Rules
- Deep Dive into Google Compliance Rules
- Quality Assurance of the Virtru Data Protection Gateway Solution
- Cheat Sheet.
Setting.
SEC Regulation 17a-4 requires preservation of communications. In the case of encrypted e-mail this can be somewhat tricky, as preservation requires the content of the message to be saved in plain text. In this case, an existing solution leveraged Smarsh and Smarsh’s Externally Hosted Encryption, but was running into severe mail deliverability challenges. When unboxing this issue I quickly learned that the Externally Hosted Encryption was the main challenge. While it offered outbound encryption with plain-text archiving, and inbound decryption with plain-text archiving, it was severely limited by the following:
- It was a third-party solution from a company indirectly affiliated with Smarsh, known as Intermedia.
- It was built on Microsoft 365/Azure and designed for Exchange Online.
- It worked best with re-sold Microsoft 365 services.
- It worked reasonably well with your own Microsoft 365 or Exchange infrastructure.
- In the case of Google Workspace, it was necessary to route all outbound mail, using the Change Route function, to a target host that was the Smarsh/Intermedia relay.
- The Intermedia relay had no support for DKIM signing, meaning all messages had to be unsigned, otherwise delivery would fail.
When I saw this at first, I was distracted by journaling rules and copies of messages being sent to Smarsh. This is where a key understanding of what routing means in mail systems came into play: every message from every affected user was passed from Google to Intermedia, analyzed by rules to determine if encryption was necessary, and then handed over for final delivery.
In addition to inadequate support for today’s mail signing standards, every relayed message reported successful delivery in Google’s email log because it was successfully handed over to Intermedia — making debugging and troubleshooting of undeliverable messages an impossible task.
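The gap described above is that Google’s log records the handoff to the relay, not what the relay actually sends. As an added example (not code from the article, from Virtru or from Google), here is the check a receiving server effectively performs and that the sending side never sees in its own log: does the message that left the relay still carry a DKIM-Signature whose d= domain aligns with the From domain? All sample messages are constructed; the check covers presence and alignment only and does not verify the signature itself.

```python
# Added example: inspect whether a relayed message still carries a DKIM-Signature
# whose d= domain aligns with the From: domain. Presence and alignment only; it does
# not verify the cryptographic signature (a library such as dkimpy would do that).
# All sample messages below are constructed, not real traffic.
import email
from email import policy
from email.utils import parseaddr

# Constructed: as signed by Google Workspace before handoff to a relay
SIGNED_MSG = (
    "From: Alice <alice@example.com>\n"
    "To: bob@example.net\n"
    "Subject: quarterly report\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;"
    " s=google; h=from:to:subject; bh=c29tZWhhc2g=; b=c29tZXNpZw==\n"
    "\nhello\n"
)
# Constructed: the same message after a relay that does not sign (the failure mode above)
UNSIGNED_MSG = (
    "From: Alice <alice@example.com>\nTo: bob@example.net\n"
    "Subject: quarterly report\n\nhello\n"
)
# Constructed: signed by a relay under its own domain, so the signature does not align
MISALIGNED_MSG = SIGNED_MSG.replace("d=example.com;", "d=relay-provider.example;")

def dkim_tags(value):
    """Parse a 'k=v; k=v' DKIM tag list into a dict (b= may itself contain '=')."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def dkim_alignment(raw):
    """Return (status, detail) where status is 'unsigned', 'misaligned' or 'aligned'."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sigs = msg.get_all("DKIM-Signature") or []
    if not sigs:
        return "unsigned", f"no DKIM-Signature header; From domain {from_domain}"
    for sig in sigs:
        d = dkim_tags(str(sig)).get("d", "").lower()
        # Relaxed alignment: d= equals the From domain or is a parent of it
        if d and (d == from_domain or from_domain.endswith("." + d)):
            return "aligned", f"d={d} aligns with From domain {from_domain}"
    return "misaligned", f"d={d} does not align with From domain {from_domain}"

if __name__ == "__main__":
    for name, raw in [("signed", SIGNED_MSG), ("unsigned", UNSIGNED_MSG), ("misaligned", MISALIGNED_MSG)]:
        print(name, *dkim_alignment(raw))
```

Running the script prints one line per sample; in the story, every message leaving the Intermedia relay would have fallen into the "unsigned" bucket while Google’s log still showed success.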
Task.
While my role — at least initially — was purely information security, I had noted that users were often complaining of undeliverable messages and the IT team would typically prove delivery with exasperation. It helped that I had worked with mail systems since the early 2000s, so I knew this was irregular, and established that deliverability was an infosec issue. While I discovered early that DKIM was likely the issue, I was not quite prepared for the journey that this discovery would send me on.
Fast forward entire chapters, of what could be an entire book, and I land on today: the task was to implement the Virtru Encryption/Decryption solution with Data Protection Gateway that is Customer Hosted. My strategy for this deployment was to route as much mail directly from Google as possible, and relay the rest through gateways that my team could administer directly and with relative ease.
It’s worth noting that my initial strategy was to route all mail from Google. In the Alpha stage of the deployment, I tried it, and this is where I had to make one key decision: downgrade my strategy from “all” to “most” in order to keep Compliance Rules in Google Workspace linear and understandable by my successors.
Actions.
While this started off as a team effort, and original Alpha builds were done with extraordinary people doing amazing things, the world changed. I was left with a looming deadline, limited resources, and motivation to get this done.
This is where I put on my various hats and got busy, and it was many hats. I was a business analyst, CISO, encryption engineer, AWS Solutions Architect, AWS SysOps Administrator, mail server administrator, information security manager, information privacy manager, security administrator, Google Workspace administrator, quality assurance specialist, and probably a few others that I can’t quite think of at this point. Lots of hats.
While I do not want to understate the importance of the soft skills, management, and strategy that were responsible for the success of this project, I think the technical work is what deserves the spotlight, so this is where the rubber meets the road. To execute this effectively I:
- architected the solution for Outbound Decryption, Inbound Decryption, and Outbound Data Loss Protection (encryption with plain-text archive) using Virtru Customer Hosted Data Protection Gateway, Google Workspace, and Smarsh;
- reconfigured the Google Workspace environment from leveraging global Routing and Compliance rules to leveraging Organizational Units;
- designed an Amazon Web Services VPC to support Linux instances for running the Docker-based gateways;
- configured all networking elements including security groups, DNS (both internal and external), routing rules, firewalls, and instances;
- configured Linux instances not just to run the Docker apps, but to run in a manner that meets my personal standards for visibility and resiliency;
- documented the technical work, prepared user guides, and trained users;
- designed testing protocols and validated all conceivable scenarios;
- validated the entire process end-to-end;
- managed the transformation.
Results.
The outcomes fell into three buckets. From the business standpoint, mail is delivered with sender reputation intact. Financially, the move saved money: the Smarsh Externally Hosted Encryption (Intermedia) solution was about twice as expensive as Virtru. Technically, it was a major leap forward for mail deliverability and overall resiliency, since the entire setup is well understood and under proactive management. In other words, 50% savings in costs, substantial (and in some cases infinite) improvements in support and troubleshooting capability, and the delivery rate up to 100%.