Connectid Mail - Technical Whitepaper
Connectid Mail helps you comply with the General Data Protection Regulation (GDPR) requirement that sensitive data shared over mail must be encrypted. Connectid Mail provides a simple way to share sensitive data over email with end-to-end encryption, consent management, one-time passwords (OTP) and a full audit log.
2. What does Connectid Mail provide?
Connectid Mail is an Outlook add-in for sharing and requesting confidential data to and from your connections in a secure manner. It replaces mail attachments, which are not a secure way of sharing data, while you keep doing all operations from within Outlook. It also lets you send large files (up to 100 MB), beyond the size limit of ordinary mail attachments.
It follows a state-of-the-art security and encryption policy for managing your data, and obtains proper consent before customer data is shared or received.
3. Connectid Mail architecture
3.1. Connectid Mail Plugin
Users of Connectid Mail get separate Azure Blob Storage placed in the West Europe region of Microsoft Azure, secured and managed by Microsoft.
3.2. Accessing the Add-in
Users access the application with a valid Office 365 account or another Microsoft account (outlook.com, live.com, hotmail.com). Authorization follows the Microsoft OAuth2 process before any feature of the add-in can be used.
3.3. The Backend API and Portal
The backend API and admin portal are hosted in the Azure cloud. Blob Storage keeps the files for a temporary period, and Azure SQL keeps the related information.
A high-level diagram
4. How Connectid Mail works
Please refer to the Installation Guide for detailed installation steps.
4.1. Start Connectid Mail (The illustration is based on the web version of Connectid Mail)
Connectid Mail is activated when starting a new mail and pressing the Connectid Mail icon.
4.2. Share Data through Connectid Mail
When the Connectid Mail user wants to share data, press the “Share Data” button. This choice is followed by two options:
- Allow the receiver to view the data only, or
- Allow the receiver (external user) to download the data. This choice triggers a consent prompt for the receiver (external user), who acknowledges that they become the data owner and understand the responsibility.
- The receiver (external user) is prompted for an OTP before opening the link, to ensure that ONLY the intended receiver opens the data.
- For additional security, you can also enable multi-factor authentication by sending the OTP to the receiver’s mobile phone.
- The receiver (external user) can ask for permission to download data that was shared in view-only mode. This triggers a request flow.
- All actions are logged.
- Data shared with a receiver (external user) is stored (and available) for 7 days only.
- Files of up to 30 MB can be opened inside the viewer. A larger file may not be viewable directly.
4.3. Request Data through Connectid Mail
When the Connectid Mail user wants to request data from an external user, press the “Request Data” button. All data requests prompt the receiver with a consent form when they provide the data, stating that the data is given freely and can be used according to the company’s policies. The request is then configured as follows:
- Name the data that needs to be requested
- Choose the format of the data to be requested. The options are:
- Short text format (e.g. social security number, account number, passport number)
- Long text format (e.g. sensitive information about health or other topics). The field is the same size as the short text format, but line feeds are allowed.
- File format request (e.g. passport image, board member information, other)
- The receiver (external user) is prompted for an OTP before opening the link, to ensure that ONLY the intended receiver enters the data.
- All actions are logged.
- Data shared by the receiver (external user) is stored for a maximum of 32 days (or less, depending on the company policy set in the Connectid Mail admin).
In both cases (Share Data and Request Data), the receiver gets a secure link to download (or upload) the shared (or requested) data. The data transfer follows the encryption policy (Transport Layer Security, TLS 1.2) as well as the OTP process for accessing the link.
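The two flows above share one mechanism: an opaque link, an OTP delivered separately (mail or SMS), a lifetime of 7 days for shared data or up to 32 days for requested data, and a log line for every action. The following Go code is an added example of that OTP gate, written for this section; it is not Connectid Mail's own code. The 10-minute OTP validity window, the three-attempt lockout, the single-use rule and all type and function names (`LinkService`, `Issue`, `Open`) are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Lifetimes from the whitepaper: shared data is available for 7 days, requested
// data for up to 32 days. The OTP window and wrong-code limit are assumptions.
const (
	ShareTTL       = 7 * 24 * time.Hour
	RequestTTL     = 32 * 24 * time.Hour
	OTPTTL         = 10 * time.Minute
	MaxOTPAttempts = 3
)

var (
	ErrUnknownLink = errors.New("unknown link")
	ErrExpired     = errors.New("link or OTP expired")
	ErrLocked      = errors.New("too many wrong codes, link locked")
	ErrWrongOTP    = errors.New("wrong one-time password")
	ErrUsed        = errors.New("link already opened")
)

type secureLink struct {
	recipient  string
	expiresAt  time.Time
	otpHash    [32]byte // only a hash is stored; the OTP itself goes out of band
	otpExpires time.Time
	attempts   int
	opened     bool
}

// LinkService is an in-memory stand-in for the backend that issues links.
// Audit holds the "all actions will be logged" trail; Now is an injectable clock.
type LinkService struct {
	links map[string]*secureLink
	Audit []string
	Now   func() time.Time
}

func NewLinkService() *LinkService {
	return &LinkService{links: map[string]*secureLink{}, Now: time.Now}
}

func (s *LinkService) log(id, action string) {
	s.Audit = append(s.Audit, fmt.Sprintf("%s link=%s %s", s.Now().Format(time.RFC3339), id, action))
}

// hashOTP binds the code to its link so a code for one link is useless on another.
func hashOTP(linkID, otp string) [32]byte {
	return sha256.Sum256([]byte(linkID + ":" + otp))
}

// Issue creates a link with the given lifetime and returns the opaque link id
// and a 6-digit OTP. The caller delivers the OTP separately (mail, or SMS when
// MFA is enabled); neither value can be derived from the other.
func (s *LinkService) Issue(recipient string, ttl time.Duration) (id, otp string, err error) {
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", "", err
	}
	id, otp = hex.EncodeToString(raw), fmt.Sprintf("%06d", n.Int64())
	now := s.Now()
	s.links[id] = &secureLink{recipient: recipient, expiresAt: now.Add(ttl),
		otpHash: hashOTP(id, otp), otpExpires: now.Add(OTPTTL)}
	s.log(id, "issued to "+recipient)
	return id, otp, nil
}

// Open checks the OTP the receiver presents: link and OTP expiry, a wrong-code
// limit, single use and a constant-time comparison, with every outcome logged.
func (s *LinkService) Open(id, otp string) error {
	l, ok := s.links[id]
	if !ok {
		s.log(id, "unknown_link")
		return ErrUnknownLink
	}
	var err error
	switch now := s.Now(); {
	case l.opened:
		err = ErrUsed
	case now.After(l.expiresAt) || now.After(l.otpExpires):
		err = ErrExpired
	case l.attempts >= MaxOTPAttempts:
		err = ErrLocked
	}
	if err != nil {
		s.log(id, "rejected: "+err.Error())
		return err
	}
	got := hashOTP(id, otp)
	if subtle.ConstantTimeCompare(got[:], l.otpHash[:]) != 1 {
		l.attempts++
		if l.attempts >= MaxOTPAttempts {
			err = ErrLocked
		} else {
			err = ErrWrongOTP
		}
		s.log(id, "otp_failed: "+err.Error())
		return err
	}
	l.opened = true
	s.log(id, "opened")
	return nil
}
```

The design choice worth noting is that the server never stores the OTP, only a hash bound to the link id, and compares in constant time; a six-digit code is only safe because the attempt counter turns guessing into a lockout, which is also why every failed attempt must land in the audit trail.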
5. Connectid Mail Cloud Infrastructure
Connectid Mail is a cloud-hosted SaaS application accessible from the Outlook mail client. The underlying services are hosted on the Microsoft Azure platform. Files are stored in Blob Storage, encrypted with an RSA 2048-bit security key.
Connectid Mail is fully maintained and managed on Azure Cloud, which holds 90+ compliance certifications, including 50 specific to certain global regions and countries such as the US, the European Union, Germany, Japan, the United Kingdom, India and China. The certifications include CIS Benchmark, ISO 27001, 20000, 22301, 27017, 27018, C5, GDPR, FSA and more.
6. Security and Privacy
Connectid Mail takes a secure-by-design approach to network, data and management. Data inside the application is kept private, and only authorized persons from the organization can view it.
Access to any data is protected by the Microsoft Office 365 Access Control Service.
Security is maintained at the different levels of data transactions.
6.1. Data encrypted in transit
Connectid Mail uses certificate-based (asymmetric) encryption in transit on both the transport layer (HTTPS) and the database connection, with different certificates for each. This is combined with an OTP requested from the user. Encryption in transit is mandatory for Connectid Mail traffic, which requires authentication and is not publicly accessible. The Connectid Mail web portal is encrypted with TLS 1.2 (Transport Layer Security).
6.2. Data encryption at rest
Connectid Mail uses Always Encrypted for the data. It provides granular encryption of all data and centralized key management from Azure Key Vault. Connectid Mail’s encryption uses 2048-bit keys. All customer data is kept in Azure private blob storage.
6.3. Encryption key
The single encryption key is managed by Azure Key Vault at the highest encryption-key level supported by Azure, with an RSA 2048-bit key size.
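Sections 5, 6.2 and 6.3 say files are encrypted under a single RSA 2048-bit key held in Azure Key Vault. RSA cannot encrypt a file directly (RSA-2048 with OAEP and SHA-256 fits at most 190 bytes per operation), so the standard way to realise such a design is envelope encryption: a fresh symmetric key encrypts the file and only that key is encrypted with RSA. The Go code below is an added example of that pattern and is not Connectid Mail's own implementation; whether the product uses exactly this construction is an assumption. It generates the RSA key locally so it runs offline, whereas with Key Vault the unwrap step would be a vault decrypt call and the private key would never leave the vault. The OAEP label and the object names are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// oaepLabel is a constructed context label; it must match on wrap and unwrap.
var oaepLabel = []byte("connectid-example-datakey")

// EncryptedBlob is what would land in blob storage. None of it is usable
// without the RSA private key that stays in the key vault.
type EncryptedBlob struct {
	WrappedKey []byte // 256-bit AES key, RSA-2048 OAEP encrypted
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// GenerateVaultKey stands in for the single RSA-2048 key the whitepaper says
// Azure Key Vault manages. It is generated locally only so the example runs
// offline; in production the private half never leaves the vault.
func GenerateVaultKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt applies envelope encryption: a fresh AES-256 key encrypts the file
// with GCM, which also authenticates it, and only that 32-byte key is
// encrypted under RSA-2048 OAEP. objectName is bound as associated data so a
// ciphertext cannot be silently moved to another blob name.
func Encrypt(pub *rsa.PublicKey, objectName string, plaintext []byte) (*EncryptedBlob, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(objectName)),
	}, nil
}

// Decrypt unwraps the data key with the private key and opens the ciphertext.
// Any change to the ciphertext, nonce, wrapped key or object name fails.
func Decrypt(priv *rsa.PrivateKey, objectName string, blob *EncryptedBlob) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("data key unwrap failed")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, blob.Nonce, blob.Ciphertext, []byte(objectName))
	if err != nil {
		return nil, errors.New("authentication failed: blob tampered or wrong object name")
	}
	return pt, nil
}
```

Because the per-file key is random and never reused, the single vault key can protect every blob without ever touching file content, and the authenticated mode means a modified blob is refused rather than decrypted to garbage.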
7. Virus Scanning
Connectid Mail files are stored in Blob Storage in Azure and are protected by the security and threat protection system offered by Microsoft. In addition, another security layer scans every file before it is sent to Blob Storage. Internally, a ClamAV server identifies infected files using the standard ClamAV virus definitions. When a user uploads a file, the virus scanner checks it before it is saved to Blob Storage. If a virus is detected, the file is not added to Blob Storage and the user is notified. Users can upload files of up to 100 MB using the Connectid Mail Outlook add-in or through TrustedLink.
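The scan-before-store gate above is easy to get subtly wrong (a scanner error treated as "clean", or the size check applied after the bytes are already stored). The Go code below is an added example of that gate and is not Connectid Mail's own code. It speaks the clamd INSTREAM wire protocol (the `zINSTREAM` command, 4-byte big-endian length-prefixed chunks, a zero-length terminator, and a `stream: OK` / `stream: <name> FOUND` reply), enforces the 100 MB limit from the whitepaper, and refuses the upload on detection or on any scan error. `fakeClamd` is a constructed test double so the example runs without a daemon; all function names and the signature name in the test are assumptions.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
)

const MaxUploadBytes = 100 << 20 // 100 MB upload limit from the whitepaper

var (
	ErrTooLarge = errors.New("file exceeds the 100 MB upload limit")
	ErrInfected = errors.New("virus detected, file not stored")
)

type ScanResult struct {
	Clean     bool
	Signature string // name clamd reports when Clean is false
}

// writeInstream sends the clamd INSTREAM framing: the command, then chunks
// prefixed with a 4-byte big-endian length, then a zero-length terminator.
func writeInstream(w io.Writer, file io.Reader) error {
	if _, err := w.Write([]byte("zINSTREAM\x00")); err != nil {
		return err
	}
	buf, hdr := make([]byte, 8192), make([]byte, 4)
	for {
		n, err := file.Read(buf)
		if n > 0 {
			binary.BigEndian.PutUint32(hdr, uint32(n))
			if _, werr := w.Write(hdr); werr != nil {
				return werr
			}
			if _, werr := w.Write(buf[:n]); werr != nil {
				return werr
			}
		}
		if err == io.EOF {
			break
		}
		if err != nil {
			return err
		}
	}
	_, err := w.Write([]byte{0, 0, 0, 0})
	return err
}

// parseClamdReply interprets the "stream: OK" / "stream: <name> FOUND" lines
// clamd returns; anything else (e.g. "... ERROR") is an error, never "clean".
func parseClamdReply(reply string) (ScanResult, error) {
	reply = strings.TrimRight(reply, "\x00\n")
	switch {
	case strings.HasSuffix(reply, " OK"):
		return ScanResult{Clean: true}, nil
	case strings.HasSuffix(reply, " FOUND"):
		name := strings.TrimSuffix(strings.TrimPrefix(reply, "stream: "), " FOUND")
		return ScanResult{Clean: false, Signature: name}, nil
	}
	return ScanResult{}, fmt.Errorf("clamd scan did not complete: %q", reply)
}

// ScanWithClamd streams the file to clamd over conn (normally a net.Dial to
// the daemon) and parses the verdict; an in-memory pipe can stand in for it.
func ScanWithClamd(conn io.ReadWriter, file io.Reader) (ScanResult, error) {
	if err := writeInstream(conn, file); err != nil {
		return ScanResult{}, err
	}
	reply, err := bufio.NewReader(conn).ReadString('\x00')
	if err != nil && !errors.Is(err, io.EOF) {
		return ScanResult{}, err
	}
	return parseClamdReply(reply)
}

// GateUpload is the check from the whitepaper: size limit first, then the
// scan, and only then hand the bytes to storage. A scan error is a refusal.
func GateUpload(scan func(io.Reader) (ScanResult, error), data []byte, store func([]byte) error) error {
	if len(data) > MaxUploadBytes {
		return ErrTooLarge
	}
	res, err := scan(bytes.NewReader(data))
	if err != nil {
		return err
	}
	if !res.Clean {
		return fmt.Errorf("%w: %s", ErrInfected, res.Signature)
	}
	return store(data)
}

// fakeClamd is a constructed test double: it consumes the INSTREAM framing
// and answers with a fixed reply so the example runs without a daemon.
func fakeClamd(conn net.Conn, reply string) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	r.ReadString('\x00') // the "zINSTREAM\x00" command line
	hdr := make([]byte, 4)
	for {
		if _, err := io.ReadFull(r, hdr); err != nil {
			return
		}
		n := binary.BigEndian.Uint32(hdr)
		if n == 0 {
			break
		}
		if _, err := io.CopyN(io.Discard, r, int64(n)); err != nil {
			return
		}
	}
	conn.Write([]byte(reply))
}
```

To use it against a real daemon, pass the result of `net.Dial("tcp", "127.0.0.1:3310")` (a placeholder address for the clamd TCP socket) as `conn`; the gate itself does not change.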
8. Connectid Mail Azure B2C Integration
As part of continuous improvement, from version 220.127.116.11 Connectid Mail integrates the Azure B2C platform, making it more robust and user friendly and available to a larger group of users.
A single user can use it both for personal purposes and as part of a company. The user can now see which companies they belong to and what their role is in each.
An invitation process has been introduced so that adding members is easier than before; a new member is added to a company only after the user confirms. The figure below shows a conceptual diagram of membership.
Users get a better login experience and can choose a company in which to do their operations. On the other hand, the previous restriction that members could not join other companies is waived, and a company cannot invite consultants or contractual employees to its space to make them part of the same system.
Connectid Mail is a scalable application built on the features and functionalities of Microsoft Azure; its capacity can be increased as resource requirements grow.
- Region for storage: the current datacentre is in Amsterdam, Netherlands (West Europe region).
- Scale Units: The application can be upscaled on an on-demand basis when necessary.
10. Delivery and continuous updates
At Safe Online, we are dedicated to continuously improving Connectid Mail with new and improved functionality.
We constantly monitor developments in privacy regulation, e.g. GDPR and related regulations in countries both inside and outside the EU, to ensure the product stays compatible with local policies.
The Connectid Mail team keeps an eye on these policies and regulations and makes sure the application remains compatible with them as they are updated.
Changes and feature updates are first deployed to a staging environment and verified by a closed group of users and testers. Only when internal testing and that group have approved the changes and feature updates are they published to the production version. Customers are also notified of upcoming updates.
11. Compatible Mail solutions
Connectid Mail is an add-in to Microsoft Outlook. Before installation, please make sure you are installing the add-in to one of the following Microsoft products:
- Outlook 2013 or later for Windows
- Outlook 2016 or later for Mac
- Outlook on the web for Office 365
Connectid Mail is purchased as an online Outlook add-in compatible with both Outlook on the web (OWA) and desktop clients. Running it from the web requires one of the following browser versions:
- Internet Explorer 11, Edge
- Latest versions of Safari
- Latest version of Chrome
- Latest version of Firefox
- Outlook 2013 or later for Windows
- Outlook 2016 or later for Mac
12. Connectid Mail Security
12.1. Data Retention policy
Data shared with customers is kept for seven days only. All requested customer data is kept in the Azure private blob for a maximum of 32 days; the company can reduce the number of days the data is kept as necessary.
After 32 days the data is deleted automatically. The following figures show the running cycles of the delete operation for customer data.
Figure 1: Configured scheduler for deleting data at rest
Figure 2: Delete logs of the number of files deleted for each operation
A company admin of Connectid Mail can see the audit log on the administration page to identify which files have been deleted and which are still available, with creation and deletion dates.
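The scheduled delete shown in Figures 1 and 2 has three rules to get right: 7 days for sent data, at most 32 days for requested data, a per-company setting that may only shorten that window, and a log of how many files each run removed. The Go code below is an added example of such a sweep together with the admin view of creation and deletion dates; it is not Connectid Mail's own scheduler. The file names, company names, dates and the `CompanyPolicy` map are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Retention from the whitepaper: shared (sent) data 7 days, requested data
// at most 32 days, which a company admin may lower but not raise.
const (
	SharedRetentionDays    = 7
	RequestedRetentionDays = 32
)

type Kind int

const (
	Shared    Kind = iota // data a user sent to an external receiver
	Requested             // data an external user supplied on request
)

type StoredFile struct {
	Name      string
	Company   string
	Kind      Kind
	CreatedAt time.Time
	DeletedAt *time.Time // nil while the file is still available
}

// CompanyPolicy maps a company to the retention (in days) its admin set for
// requested data. Values outside 1..31 fall back to the 32-day maximum.
type CompanyPolicy map[string]int

func (p CompanyPolicy) RequestedDays(company string) int {
	if d, ok := p[company]; ok && d >= 1 && d < RequestedRetentionDays {
		return d
	}
	return RequestedRetentionDays
}

func retentionDays(f *StoredFile, p CompanyPolicy) int {
	if f.Kind == Requested {
		return p.RequestedDays(f.Company)
	}
	return SharedRetentionDays
}

// SweepLog is the record of one scheduler run, like the "number of files
// deleted for each operation" log in the figures above.
type SweepLog struct {
	RanAt   time.Time
	Deleted int
	Names   []string
}

// Sweep is one run of the scheduled delete: every file whose retention has
// elapsed is marked deleted. It is idempotent, so a repeated run reports 0.
func Sweep(files []*StoredFile, p CompanyPolicy, now time.Time) SweepLog {
	lg := SweepLog{RanAt: now}
	for _, f := range files {
		if f.DeletedAt != nil {
			continue
		}
		if !now.Before(f.CreatedAt.AddDate(0, 0, retentionDays(f, p))) {
			t := now
			f.DeletedAt = &t
			lg.Deleted++
			lg.Names = append(lg.Names, f.Name)
		}
	}
	return lg
}

// AuditRows renders what a company admin sees: each file with its creation
// date and either its deletion date or "available".
func AuditRows(files []*StoredFile) []string {
	rows := make([]string, 0, len(files))
	for _, f := range files {
		state := "available"
		if f.DeletedAt != nil {
			state = "deleted " + f.DeletedAt.Format("2006-01-02")
		}
		rows = append(rows, fmt.Sprintf("%-24s created %s %s", f.Name, f.CreatedAt.Format("2006-01-02"), state))
	}
	return rows
}

func main() {
	day0 := time.Date(2024, 1, 1, 2, 0, 0, 0, time.UTC) // constructed dates
	files := []*StoredFile{
		{Name: "sent/contract.pdf", Company: "company-a", Kind: Shared, CreatedAt: day0},
		{Name: "requests/passport.jpg", Company: "company-a", Kind: Requested, CreatedAt: day0},
		{Name: "requests/id-card.jpg", Company: "company-b", Kind: Requested, CreatedAt: day0},
	}
	policy := CompanyPolicy{"company-b": 10} // admin of company-b shortened retention
	for _, d := range []int{8, 11, 33} {
		lg := Sweep(files, policy, day0.AddDate(0, 0, d))
		fmt.Printf("run on day %d: deleted %d %v\n", d, lg.Deleted, lg.Names)
	}
	for _, r := range AuditRows(files) {
		fmt.Println(r)
	}
}
```

Running the sweep daily and having it report a count per run is what makes a missed or failing job visible: a run that should delete and reports 0 is the signal to investigate.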
13. Privacy by design
When you entrust your data and your requesters’ data to Connectid Mail, you and your requesters remain the sole owners of that data: you retain the rights, title and interest in the data you store in Connectid Mail. The data you store in Connectid Mail is “your data and the data of your users.”
With this principle in mind, we maintain your privacy and operate our online services according to the following key principles:
- We use your data only to provide you with the online services you have paid for, including purposes compatible with providing those services.
- We do not mine your personal data for any purpose.
- We tell you where your data resides; only you have access to it.
- Access to your data is limited to only those you give access to and share with.
In addition, privacy controls let you configure exactly who has access to what within your organization. Strict controls and design elements prevent your data from mingling with that of other organizations using Connectid Mail, and keep Connectid Mail datacentre staff from accessing your data.
14. Privacy by default
In addition to service-level capabilities, Connectid Mail lets you collaborate and share data without compromising security and privacy, giving you distinct control over information sharing.
- Data will be encrypted with an RSA 2048-bit encryption key and only accessible to your company.
- Rights management in Connectid Mail: allows administrators to specify access permissions on data storage for organizational data.
- Privacy controls for one-time passwords: the Connectid Mail verification functionality has a number of privacy controls, which the system admin can adjust on the setup page.
Privacy controls for new system users are always set to the highest privacy setting by default, and for security reasons only the system admin can change them. For example, a system user by default has access only to their own folder; shared-folder access can be granted only by the administrator. Another example: a system user cannot see a requester’s data in the email body, only in the folder where the sensitive data resides.
15. Auditing and retention policies
With Connectid Mail auditing policies, all events on your users are logged automatically, including saving, deleting and editing data. The audit log is enabled as part of an information management policy, and administrators can view the audit data. The system administrator can use these reports for internal or external audits.
For business, legal or regulatory reasons, Connectid Mail retains the sender and receiver of e-mails related to requests:
- Automatic retention policy for requests and sent items.
The retention period for collected data is 32 days by default but can be lowered by the company admin. For sent items it is 7 days. After this, only the logs remain.