BNP Paribas

Email protection secures external communications and simplifies processes to deliver a competitive advantage

• Customer Profile: Financial services; operates in 85 countries; 150,500 employees
• Goals: Secure email with business partners & customers; defend customer trust and data; ensure regulatory compliance; maximize ease of use
• Solution: PGP Universal™ Gateway Email secures email communications; PGP Universal™ Server provides central policy & key management
• Deployment: Successful integration with Lotus Notes®
• Alternatives: Tool that encrypted communications into a file attached to email
• Benefits: Compatibility with business partners' email encryption solutions; transparent to users

BNP Paribas chose PGP Universal Gateway Email to encrypt email communications with financial services partners and customers.

BNP Paribas has one of the most extensive international banking networks in the world, offering retail banking, asset management and services, and corporate and investment banking in more than 85 countries. The company has 150,500 employees, including 118,700 in Europe, 14,800 in North America, and 5,700 in Asia.

The Challenge

Three years ago, business units within BNP Paribas began expressing the need to exchange information securely with business partners. Those partners, which include financial services firms and regulatory institutions such as central banks, use encrypted email for communications and asked BNP Paribas to adopt the same kind of solution. Protecting email communications with email encryption protects customer data entrusted to financial institutions from the risk and consequence of a data breach.

Comply with security and privacy regulations. In addition to protecting data exchanged with other financial institutions and banks, BNP Paribas also must comply with security and privacy regulations in the 85 countries in which it conducts business. Encrypting email would assist those compliance efforts and enhance it enterprise data protection .
Teams from the Risk and Security Expertise organization, part of the IT department at BNP Paribas, tackled the challenge of implementing a solution that would secure email communications between the company and its business partners and customers. Led by Stéphane Detruiseux, the Risk and Security Expertise organization includes Stéphane Lebrère's Technical Solutions and Standards team, which selects, deploys, and supports security products.

Gain competitive advantage. Detruiseux viewed the ability to encrypt email as a competitive advantage. "If we can offer a solution for sending sensitive information that is encrypted and another bank can't, it's a competitive advantage," he says. "Our partners asked for comprehensive email encryption because they lost prospective customers when they couldn't compete." Furthermore, using encrypted email could help simplify existing processes such as fax communications, thereby reducing costs and increasing the speed of business.

The Solution

The ability to offer a flexible to meet the demanding enterprise data protection needs of customers was critical. Detruiseux and Lebrère wanted an email encryption solution that would be compatible with the technology used by BNP Paribas's business partners. To control operational costs they also needed a solution that would simplify key management and be transparent to users while integrating with the company's existing Lotus Notes system. A team led by Detruiseux and Lebrère identified over 1000 potential pilot users within BNP Paribas. After testing several solutions, the team selected PGP Universal Gateway Email, centrally managed by PGP Universal™ Server.

Compatible with partners' technology. During the testing phase of the project, Detruiseux and Lebrère learned that many of their partners used encryption solutions based on the OpenPGP encryption standard. "It was really more efficient and simpler to adopt the same technology our partners use," Detruiseux says. Lebrère adds, "When we tested different solutions, we found that if the majority of partners' solutions were compatible with the OpenPGP protocol, then all those exchanges were automatic. We didn't need to send public keys or receive and install public keys. Compatibility with our partners' technology and the simplicity of key management were the primary reasons we chose PGP Universal Gateway Email."

Support for S/MIME. The company also needed to exchange email with approximately half of its partners that used the S/MIME email encryption standard. PGP Universal Gateway Email, which supports the two globally adopted email encryption standards, OpenPGP and S/MIME, provided that capability. PGP Universal Gateway Email enables end-users to self-administer their preferred email encryption methods, freeing administrators and reducing potential setup costs.

Transparent to users. As Detruiseux and Lebrère looked for a new email encryption solution, their main concern was to protect communication over the Internet. "We weren't looking to install something on every person's workstation," Lebrère says. "Instead, we wanted something that was totally transparent to the end user." Before PGP Universal Gateway Email, BNP Paribas used a tool that encrypted communications into a file and attached the file to an email. To decrypt the attachment, the recipient also needed to receive a password. "The tool wasn't easy to use on a daily basis, and it forced you to include an attachment, even if it was only text," Lebrère explains. PGP Universal Gateway Email provided what they were looking for: a solution to secure communications between organizations at the email gateway.

Integration with Lotus Notes. BNP Paribas uses Lotus Notes encryption for internal emails but found its built-in encryption capabilities unsuitable for external communication. PGP Universal Gateway Email fit perfectly to fill this void, allowing the bank to seamlessly protect communications and leverage their existing IT investments.
The organization's architecture uses IronPort content filter to redirect the message to PGP Universal Gateway Email for encryption based on confidential content policy. When BNP Paribas users receive email, the IronPort device detects whether the email is encrypted and routes those messages to PGP Universal Gateway Email for decryption. "The users don't notice any of these processes - they are just sending their emails," says Lebrère.

Ability to set encryption policy. In addition to confidential content policy, some business units require the ability to encrypt messages according to the recipient domain. PGP Universal Gateway Email provides the ability to set email encryption policy based on content, sender, recipient, and other message details that identify confidential information.
Understanding of the business. Detruiseux and Lebrère met with PGP executives prior to choosing an email encryption solution. They learned that PGP Corporation understood the need to create encryption solutions that were flexible enough to accommodate the security needs of a wide range of businesses. "The complexity of integrating encryption technology into the infrastructure of a global bank such as BNP Paribas is not as easy as setting up a secure messaging system for a university or a home office. It was very helpful for us to know that PGP Corporation, from staff to executives, understood our business needs and objectives," Lebrère says.

The Results

BNP Paribas has received positive feedback from partners about PGP Universal Gateway Email from the beginning. "External partners have sent and received encrypted messages without any problems," Detruiseux says.

Transparent operation. User adoption of the PGP Universal Gateway Email solution is strong . "The main factor for our success was to integrate the technology with the existing email architecture without adding any software to individual workstations or requiring users to launch any new applications," Lebrère says.

Support from PGP® Global Partner. At the beginning of the email encryption project, BNP Paribas received assistance from, Hermitage Solutions, a PGP® Gold Partner. "Hermitage Solutions was very knowledgeable," Lebrère says, "and they are always available when we have a question."

Wider project scope. Reflecting on the experience of deploying enterprise data protection, Lebrère admits they initially had a narrow focus. "In the beginning, we thought it was only a security project, but it was really a combination of security and email message," Lebrère says. "Next time, we know to involve the email team earlier."

Summary

Lebrère is an advocate of email encryption.. "Our approach was to be as transparent as possible in introducing encryption because it's always difficult to ask people to launch another client to encrypt something. Instead, I would recommend putting a gateway in place. We're very satisfied with PGP Universal Gateway Email,." says Lebrère.

The focus on automating encryption seems to be paying off: Interest in email encryption is increasing throughout BNP Paribas. "We are communicating a lot internally about PGP Universal Gateway Email," Lebrère says. "Every week, we have more people interested in hearing about and evaluating the solution."

About Hermitage Solutions

Hermitage Solutions is a French company headquartered in Lyon. In the French-speaking markets of EMEA, Hermitage Solutions is an importer and distributor of innovative network and security solutions. Today, more than a third of the top 250 French companies have implemented solutions launched and distributed by Hermitage Solutions. Hermitage Solutions was founded in 1997 and has companies in France, Latvia, and Lithuania.