Changing to The No-PPAP World

...
MASAKO YANO

In October 2021, HENNGE has substantially updated its core product, "HENNGE One", which is the SaaS authentication platform.
What can we do with the newly added features of the HENNGE One? Hideki Saito-san of the West Japan Sales Section gave us some insights.


So, the HENNGE One is substantially upgraded! What are the new features?
Yes, that's right! There are three newly added features, which are, (1) No-PPAP support, (2) measures against targeted attacks, and (3) enhanced security for remote working.
They are all timely issues. What triggered these updates?
The biggest trigger was that we wanted to support the emerging needs due to the Covid-19 pandemic. As the Covid-19 spread, many companies made their employees work remotely and started to utilize the SaaS. In the meantime, such companies have been struggling with the challenges unique to the cloud environment and HENNGE wanted to resolve such challenges.
So, please tell us about the first new feature, the "HENNGE Secure Download", no-PPAP support.
First, I will explain what the issues are with the PPAP. PPAP is the security method which is to send an email with ZIP files locked with passwords and to send the password by a separate email.
...
It is a very common secure file transmission method utilized by various companies and administrative organizations. What are the problems?
It is not effective from the security point of view. The attachments and passwords are sent by the same communication route (emails), which means that hackers can easily access both of them. Also, zipped files cannot be scanned for virus infections and therefore they may carry malware.
PPAP takes extra work as well. And users may forget to send the second email with passwords or may fail to receive the second email with passwords, passwords must be input each time when opening the files, and so on.
Yes, that is problematic as well. In November 2020, Minister for Digital Transformation at the time, Mr. Takuya Hirai, mentioned that Japanese ministries and agencies would stop utilizing the PPAP, and since then, there is a trend of abandoning the PPAP in both private and public sectors.
How can the new feature of the HENNGE One enable us to stop utilizing the PPAP?
To put it simply, we have developed a system which allows only those who are designated as the destinations of the emails to download the files. It also enables us to utilize different transmission paths for files and passwords and virus scan for files.
Please explain the transmission flow.
When files are attached to an email and the email is sent, the attached files are temporarily stored in the cloud storage automatically and users at the destination receive a text message and the link to download the files. And when the users at the destination clicks on the link, an authentication page will show up. The users will confirm their own email addresses and click the OK button. Then an authentication code will be sent to the users and the users will be able to download the files.
...
I see, it feels safer for sure since the email text, attachments, and authentication codes are transmitted by different routes! And we are already familiar with the two-factor authentication as we shop on-line, so it is user friendly.
The authentication codes arrive only to the email addresses which are designated as the destination in the email, so even if any third party gains access to the email and clicks on the link, the code will never arrive to such a third party. And the users must go through the authentication process for the first time but it will not be necessary from the second time. Thus, it is not cumbersome to use.
There are also methods to utilize an external cloud storage system instead of PPAP, such as the Box or the Dropbox.
Yes, there are. However, if we utilize an external storage, senders must click on the link every time in order to look for the files which were sent in the past. Also, when there is an audit, an auditor may click on the link included in a particular email which was chosen but the link may be already expired and the information may not be available to the auditor.
By utilizing the "HENNGE Secure Download", attachments remain in the "sent" box of the email system and in the mail data which is archived; thus, files can be searched and accessed easily.
So, the benefits of PPAP still remain! Next, please explain about the 2nd feature, which is the "HENNGE Cloud Protection", to counter targeted attacks.
Targeted attacks mean sending emails which contain malware to specific companies and organizations with a purpose of stealing their confidential information.
We hear about companies suffering from unauthorized access to their systems and their customer information being stolen.
According to the research conducted by TOKYO SHOKO RESEARCH, LTD., among 103 cases of information leakage and losses which took place at publicly listed companies in Japan in 2020, about a half of them were due to virus infections and unauthorized accesses.
That is a lot. Then sharing files safely without utilizing the PPAP does not mean much if the data is stolen from the company's system by unauthorized accesses. How does the "HENNGE Cloud Protection" prevent targeted attacks?
Most targeted attacks utilize emails, so by linking with the Microsoft 365 Outlook, we make sure that there are no suspicious files or links included in the emails.
How do we make sure exactly?
Prior to receiving emails, it can be checked whether there is any suspicious behavior which may be triggered by clicking the attachments by sandboxing. The sender's history can be also checked to see if such sender has any history of sending malware in the past, and only emails which are confirmed to be safe will be received. As the solution is configured in such a manner that it works with the Microsoft 365 API, it can also check if there is any suspicious link in the calendar or in the tasks, or if the transfer setting of Outlook is altered.
Further, the solution is also capable of ensuring if the Microsoft 365 IDs and passwords are leaked to outside or not.
...
It is very reassuring with various check functions. Aren't such security functions provided by Microsoft 365 as well?
Yes, they are. But sandboxing and behavior check will require additional subscription with Microsoft and it will be a large amount of investment for companies. "HENNGE Cloud Protection" provides only necessary features with low cost.
It seems that the "HENNGE Cloud Protection" is the exact service required by many companies! And the third functionality, I understand, is the enhanced security measures for remote working.
Yes. As remote working becomes common, many companies have started to introduce access control measures, such as to issue digital certificates to laptops and smartphones and only such terminals with the certificates can access the companies' cloud service.
But such control must be complicated as not all of their operational applications support such certificates.
Yes, exactly. That is why the "HENNGE Lock Plus" is useful since it enables the multi-factor authentication (MFA) for applications which do not support the mechanism.
If all the authentications of various applications are centralized by the "HENNGE Lock Plus", there will be no need for passwords which are generally required by the MFA and device certificates.
...
So, it enables and accelerates safe remote working!
Now I understand all the three new features very well. What kind of service do you think the "HENNGE One" will be to our enterprise customers?
Honestly, I don't know since the "HENNGE One" keeps evolving.
The workstyle and needs of enterprises will keep changing. We will make sure that the "HENNGE One" will keep up with such change and remain as a useful service to our enterprise customers, leveraging our technology.
So, it is the "Liberation of Technology" indeed, which is HENNGE's corporate slogan, to change the world for better by making our original and cutting-edge technology available! We will keep promoting the "HENNGE One" so that more enterprises will utilize them and make most of its benefits. Thank you very much for all your inputs today.
...
MASAKO YANO