Hello, everyone. I am Gaurav Mittal. I am currently working with Thermo Fisher Scientific as a data science manager. Today, I'm going to present a talk on email attachment security. I'll see you next time. Thank you for joining my call. I would like to highlight a business scenario today. like most of the organizations, they are tend to send emails to their customers, having attachments. Now consider a scenario like where, it's an insurance organization. They are sending you a renter insurance document. Or when it comes to medical, industry, they are sending you medical receipts or some, some of your PII data as an attachment. Even today's world, some countries, they are sending e visa in your email as an attachment, which contains your passport information. All this information, they are very sensitive. It's your PII data, which, is prone to, phishing email fraud attack. And, how, what kind of risk, we have so few of the risk, as I have highlighted here. Like the most common, risk is like man in the middle attacks. What happens, the email server, what is sending the email, that is not very secure. And, in between there can be, it can be hacked. And your information, which is very sensitive, it can be, hacked by the hackers. Or, maybe there is not inadequate, there is not, encryption. proper encryption being utilized. there are no antivirus softwares installed. the emails when they are in transaction, it may be possible the authors, they can get unauthorized access. To the transmission they can go through The attachments and your information is prompt fraud now What is the solution for it how we can achieve it so we can overcome the frauds by implementing data security in data security world There are a few common terms like authorization Authentication is like, like only the users which is having appropriate access You They can log in and they can view, those, particular information. Authorization is like you are curbing the role access. So like only if you have some specific role, you can, avail this much of information. It depends on your role, like you can view the information content and the most commonly used is encryption. So in encryption, we, what we do, either we use the data masking or we, like encrypt the data using, key in AWS, there's a service like AWS KMS. So what happens like the plaintext it is being encrypted using a key and the customer at the receiving side is being provided a decrypt key to so that only the like reliable customer whom we want to send the information is having the key to decrypt and view the contents. So that's how we can secure it. Now the question is, okay, we have learned about the frauds. We have learned about data security, but how we can secure the email attachments. So in the email attachments, like the most common way is okay, you educate the users, you show the awareness, the organizations, they are installing antivirus softwares. But from our end, like when we are sending the emails to our customers, what we can do, we can use, the encryption at our end, which the most common technology is like data masking or password protection. In that case, like when the users, they are receiving the emails, they have to, type a password, then only they can view the content. Otherwise, even if the emails they are being forwarded to a wrong email, wrong person, he like that fraud guy cannot open the email. So your sensitive information is still secure. The other way what we can do is access control. So in the access control, we can actually control the time period for which this information, the attachment, what we are sending is accessible beyond that time period. Actually, this attachment just shows, okay, link is, does not exist. The validity is over coming to the implementation side. Okay. How we can actually implement it. The very simple solution, what I want to depict today is using PyMiniGip library. It's an open source library provided by, Python and the installation is also quite simple. Now, what happens PyMiniGip library, what it does, you have a file. When you use PyMiniGip library, it actually creates a folder which is a zipped folder and that zipped folder is when you try to unzip it, it will ask you a password. Now only the reliable person who is having the password can open it. So we are going to implement first layer of security using PyMiniGip library. So there is a method like compress, there are three arguments as I have shown below. Like you need to provide your source file destination then what is the destination file where you want to? Keep this zip file folder. What is the password you want to provide? So Password is something like you can keep Information which only dead person know like his date of birth or like last four digits of his cell number or something like that if you are going to apply this then this information only the person know and they can They can easily open the file Secondly, they are not going to reach back to you again and again asking, Hey, can you reset my password or something like that? It's an easy way to implement it. And the last argument is a level to what level you want to compress the file. So there is a zero to 10, 10 being the highest. Okay. we have learned about PyMiniJib library. Okay. This library can help in jibbing the, like in, creating a password for it. But if we are talking about AWS infrastructure, how we can do it. So in AWS Lambda, where you generally write the code, there is a way you can create a layer for this particular library. The installation is quite simple. this library you can install using pip command, it's a single line command. And when you install it in your local, You can attach it as a layer as I have shown in on the right hand side bottom part. So once you, in your Lambda, if you have to click on, like uploading a layer, which is, which will be a zip file archive. And when you upload it, you will be able to use the Pyminijip library in your source code. So we have talked about encryption, which is through Pyminijip library and in AWS Lambda function, we will create a layer. But how to make sure about access control. in S3 we have a concept S3 PD signed, URL. This pre-signed URL is basically, like if there are S3 objects, we want to provide access to some third person without changing the IM policy or providing any AWS credentials. There is a bypass route. You just provide that person a temporary access by generating a pre signed URL and you. And on this URL you can actually control. The validity for how long you are that person can access this particular object. to control the access, there are actually, three ways. like for example, if you are generating the signed URL through IAM instance profile, the URL will be valid for only six hours. If you are using AWS SDA service, which is security token service. The URL can be valid till 36 hours and the last the longest is like through IAM user The URL will be valid for seven working days. Like we can achieve several benefits out of it as I mentioned here Like it's completely secure. We are not sharing any AWS credentials. It's just a single URL And you decide whom you want to grant the access. Okay, you are sending it in your email. And the third user, they can, through this URL, you are granting the access. Okay, you can upload or you can download the file. This is how, pre signed URL email looks like. If you look this particular email, there is actually no attachment. Okay. And secondly, when, when you click on this particular, email link, it'll ask you a password. So that password only the person whom you, we are sending the email, only that person knows. And the last part is we are also actually controlling the access till how long this URL should be valid based on the way you are creating it, it can, it, the URL ranges from six hours to. Like seven working days though. So we have, protected the file using PI mini JIP, and we have, performed access control also to send the service to send the, like a file now this password protected file, we can use AWS SCS service, which is send email service and, send email service, it has some, like features. So you need to create a verified identity whom you are going to send email and to whom you want to send. Actually, those can be verified on unverified identities. So all the email addresses, then they need not to be verified, but there is one constraint in SES service, which is like only 40 emails per second. They can be sent. I would like to show you the final code in the final code. If you look, the first line I am using the PyMiniGip library, which is just going to compress a CSV file and I am providing password, compressed level, everything. Once this file is being compressed using PyMiniGip, I am going to generate a signed URL for it. And I am, using it through Im users. So I was having the option to put it for seven working days, which is what I've used here. And SES service, as I mentioned, it has a limit of 40, emails per second. So I, I thought okay, why not to, put one, second delay, in between each and every email. But it purely depends on your implementation, how you want to do it. But time. sleep we can use, in between sending the emails to make sure we are not, leaching the throttling limit of, SCS service. The final architecture will look like this here. it's completely built in AWS. There is a CSV file. Okay. Using PyMiniJib library, you have, encrypted it, a password. Okay. like a zip folder is there when you click on it, it will ask you a password. there is a pre signed URL. This pre signed URL is valid for a certain time limit. And through SCS service, I am going to send it to verified or unverified accounts. Now, the whole advantage of it is even, even today, if this, emails. They are being sent to wrong person. They won't be knowing like, what is the password for it? Only the reliable person, they know it. And secondly, we are also putting a time limit. Okay. That for this particular time, only this emails, they are valid. And the third, the most, important feature here is if I go back, see, if you look in the emails, there is no attachment. Okay. So from the Lambda function, when we have to send emails, The attachments, they take some time to attach, but here you are just, it's just a URL, what we are sending. So that transfer time has, significantly reduced and Lambda is pay as you go service. So we are actually saving some amount through our implementation also. So no attachments are there. this is all about me and, like I have written an article also on this particular topic. feel free to go through it. And, this is my Twitter, gautamM85 in case of any questions, anything, please feel free to reach out to me. Thank you.