Strategic Security: Developing a Secure E-Mail Strategy - Security - Network Computing
Message encryption, along with other measures, should be a critical part of your overall security strategy. But poor planning could leave your organization compliant and yet still unprotected. Here's how to choose the right combination of encryption and protection technologies to suit your needs.
Oct 26, 2006 - By Christopher Beers
As an IT manager, your professional life is a balancing act in which you weigh the needs of your department against the reality of your budget. The range of potential purchases that makes up your budget proposal includes “critical” products, as well as not-so-urgent pet projects. Before you finalize next year’s capital budget, better be sure you’ve included funds for e-mail encryption in addition to virus scanning and content filtering.
E-mail security encompasses a wide variety of initiatives that attempt to reduce risk to employees, IT networks, intellectual property and customers. Recent legislation has forced businesses to implement various e-mail security initiatives that might not have been deployed voluntarily. Although virus scanning is old hat to most IT shops and content filtering is becoming just as common, encryption–a broad topic that is often overlooked by small businesses–is becoming increasingly important, especially given the rise of Wi-Fi hot spots and the use of handheld devices, such as Treos and BlackBerrys. The three types of e-mail encryption–boundary, staging server and end-to-end–offer varying levels of security. The type of encryption that makes sense for your company will depend on the kind of business you’re in and the type of content you need to lock down.

Bolt Down Your Email
Nearly half of 149 IT decision-makers for North American small companies surveyed by Forrester Research said they plan to spend capital in 2006 to secure e-mail. They’ll focus their capital on securing e-mail at the gateway, concentrating on spam, viruses and regulatory compliance. This trend is likely to continue and will probably increase in the coming years as companies realize the importance of e-mail security to their overall security strategy.
So which combination of encryption and protection is right for you? There’s no single answer. It’s safe to say, however, that a blind drive to meet bare-minimum compliance standards is a poor method for choosing an encryption-security solution–such a strategy could leave your organization compliant but still insecure.
Encryption Options
A variety of technologies have emerged in the encryption field. Boundary, or gateway, products attempt to encrypt e-mail before it leaves the corporate network. This method seems to have the most traction given its ease of implementation compared with that of other technologies. Staging-server encryption captures and stores secure e-mail locally on the network for remote users to retrieve over secure Web portals. Finally, end-to-end encryption offers the most secure scenario, encrypting the message immediately after the user clicks the Send button (see “Encryption Models,” right).
Large-scale deployments of completely secure e-mail are seen mostly in military, financial, health-care and government organizations. And growing businesses are more likely to deploy secure e-mail solutions for specific departments, such as finance, accounting and HR, according to Gartner. These highly secure e-mail systems are expensive, costing $20,000 to $200,000 for a 2,500-user installation, on top of the cost of an existing e-mail platform, Gartner estimates.

» Boundary Encryption
Boundary solutions work well for communications within the corporate network, but may not work for external e-mail, particularly to general consumers. In the boundary model of e-mail encryption, secure relationships are established with the boundary servers of both partner entities. This is typically a manual process, though it’s possible to configure some devices to automatically attempt to deliver the e-mail securely, and then fall back to normal mode if secure channels are unavailable. When a secure connection can be established, all e-mail sent between the two gateway servers is encrypted, which means the data is protected where it is most vulnerable: as it passes over the Internet. In this model, e-mail transiting within your corporate e-mail infrastructure is not encrypted.
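The fallback behaviour described above, as an added example (not from the original article or any vendor's product): a gateway-side policy check in Python that reads a receiving server's SMTP EHLO reply and decides whether to encrypt, fall back to cleartext, or hold the message. The domain names, the `REQUIRE_TLS` table, the function names and the sample replies are assumptions constructed for illustration.

```python
# Added example: per-domain TLS policy at the boundary gateway.
# Domains, policy table and sample EHLO replies are constructed for illustration.

# Hypothetical policy: partner domains that must never be sent in the clear.
REQUIRE_TLS = {"partner-bank.example", "payroll.example"}

# Constructed EHLO replies from two receiving gateways.
EHLO_TLS = "250-mx.partner-bank.example Hello\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"
EHLO_PLAIN = "250-mx.old.example Hello\n250-SIZE 10240000\n250 8BITMIME"


def ehlo_extensions(reply: str) -> set[str]:
    """Return the extension keywords from a multi-line EHLO reply (RFC 5321)."""
    lines = [ln for ln in reply.strip().splitlines() if ln.strip()]
    exts = set()
    for line in lines[1:]:  # the first line is the greeting, not an extension
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        if rest.strip():
            exts.add(rest.split()[0].upper())
    return exts


def decide(recipient: str, ehlo_reply: str) -> str:
    """Return 'encrypt', 'defer' or 'cleartext' for one outbound message."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if "STARTTLS" in ehlo_extensions(ehlo_reply):
        return "encrypt"
    # No STARTTLS offered: the peer lacks TLS or the offer did not arrive.
    if domain in REQUIRE_TLS:
        return "defer"      # fail closed: queue the message and alert
    return "cleartext"      # opportunistic fallback, should be logged


def cleartext_report(deliveries) -> list[str]:
    """List recipients whose mail would leave unencrypted, for audit."""
    return [rcpt for rcpt, reply in deliveries if decide(rcpt, reply) == "cleartext"]
```

Silent fallback is the weak point of the automatic mode: keeping partner domains on a fail-closed list and reviewing the cleartext report shows where mail that was meant to be protected actually left unencrypted.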
Companies with encryption products in this arena include IronPort, Tumbleweed and Voltage Security. These vendors provide devices that serve as a barrier, residing on the edge of the network, filtering all incoming and outgoing messages for spam, malware and phishing.
More important, to address compliance issues, these devices also can provide encryption using a variety of technologies, including PGP, S/MIME and TLS (Transport Layer Security). TLS adoption continues to rise, and it’s likely to remain the preferred method through 2009. This is due to its popularity, acceptance and maturity as a secure transport. PGP (Pretty Good Privacy) is a free technology developed by the company of the same name and is effective and easy to use. It’s a public-key technology; servers share their public key and encrypt the message with a private key. Using the public key found and managed by Internet keyservers, receiving e-mail servers can decrypt messages. S/MIME (Secure/Multipurpose Internet Mail Extension) is similar to PGP. Encryption products operating at the boundary are best-suited for small companies that send sensitive data from one corporate entity to another. This solution gives them the most bang for the buck and secures e-mail where it’s most vulnerable.
» Staging-Server Encryption
Staging servers are used to store sensitive e-mail that can be retrieved later by the recipient on your secure network. If a user sends an e-mail to a domain that’s listed as secure by your outbound security filters, it’s routed to a server on your network. E-mail is then sent to the recipient notifying him that he has received a secure message. To read the message, the recipient must log into the secure server, usually using a secure Web portal, to view and respond to the message. This solution can be implemented using gateway devices or can be configured in certain software applications: PostX and Tumbleweed offer good products in this arena. For companies, such as banks, HR firms or credit-card companies, that want to notify customers their attention is needed–for instance, to ascertain that a transaction took place–this method works well.
There are some disadvantages to staging-server encryption, however. If end users correspond often with external recipients, each of those recipients will be forced to maintain yet another in-box and sent-mail box. And forgotten-password resolution for occasional users and automated password recovery must be well-thought-out to prevent additional work and unauthorized access.
» End-to-End Encryption
End-to-end encryption does what its name suggests: Data is encrypted by the sender and remains so until decrypted by the recipient. Typically, software agents are deployed that let users send encrypted mail by pressing a “Secure Send” button. There are products from PGP, Voltage Security and others that work with all major desktop clients. End-to-end encryption is suitable for environments–such as finance, accounting and HR– in which sensitive information must be kept secret and transmitted securely.
End-to-end encryption can be configured per user, per department or enterprisewide. It typically works using public-key encryption, with end users storing their public keys on servers that anyone can access–most frequently on servers maintained by the Massachusetts Institute of Technology or PGP. When a user sends an e-mail message, it’s immediately encrypted using the recipient’s public key found on key servers located on the Internet. Once the message is received, the recipient uses a private key to decrypt and view the message. This technology is getting easier to install and implement, but to encrypt a message, the recipient’s public key is required, so if a recipient doesn’t have one (and most don’t) e-mail messages sent to that recipient will not be encrypted. There is, of course, a mechanism by which users are notified whether their e-mail was sent securely.
Stop Viruses, Can Spam
Eliminating virus threats from e-mail is a two-fold process. First, you must prevent viruses from entering your e-mail infrastructure by using software or hardware. Then, you must ensure your solution is updating its virus-definition files–year-old definition files are useless. And it’s not sufficient to simply deploy protection that scans incoming e-mail for viruses; you must prevent users from spreading the infection among internal e-mail servers as well as to computers outside your IT networks. Second, each desktop computer must have virus-scanning software that searches e-mail attachments to remove the threat of infection.
McAfee, Symantec, Trend Micro and other security vendors all offer add-on software that downloads regular updates to ensure you have the latest signatures for current viruses. You also can replace your inbound gateway e-mail servers with an appliance capable of removing virus content from e-mail. IronPort, Sonicwall and Symantec offer e-mail security in hardware devices that do more than virus scanning; these appliances also find potential malicious content.
As we mentioned last November, legislation such as the CAN-SPAM Act of 2003 has not led to a decrease in the amount of spam a typical end user receives (see “Spam Filters: Still Sick of Spam”). Content-filtering software, however, can reduce the number of spam and phishing messages that make their way to e-mail in-boxes. Our Network Computing Barracuda spam filter tagged 86.7 percent of all our mail as spam earlier this year–that’s 7,348,391 messages. That ratio was relatively unchanged from testing we did in October 2005 and May 2004. (Barracuda won Network Computing’s 2005 Well-Connected Award in the Antispam Tool category.)
Most spam is now blocked at the boundary, before it reaches the messaging server, by devices such as Tumbleweed’s MailGate Email Firewall, which uses the company’s DAS (Dynamic Anti-Spam) technology, and IronPort’s C600 appliance with Symantec Brightmail Anti-Spam. You can also buy software that runs on a corporate mail platform to protect gateway server devices.
Today, the greater threat comes from spyware and phishing attacks rather than conventional spam. In extreme cases, instances of spyware, especially key loggers, can compromise a company’s intellectual property. Besides the increased risk of losing data when spyware is installed, it can be difficult and time-consuming to remove. And, productivity can suffer when employees spend company time fixing credit reports harmed during a phishing attack. So filtering only for spam is clearly not a wise choice.
One area of content filtering that doesn’t get enough attention is that of intellectual property in outbound e-mail. Nearly 50 percent of network security attacks come from within the so-called secure boundary of the corporate network, according to Deloitte’s 2006 Global Security Survey (see “Data Drain”). People have different incentives for accumulating corporate information illegally. They might be paid handsomely for stealing data, or they might simply take data because they can. We’ve all come across the end user who, knowing he’ll be leaving the company soon, decides to forward all e-mail in his in-box to his personal e-mail account. We’re also familiar with the more damaging scenario of the employee who takes all of her contacts–including valuable sales leads–with her to her next job. Creating an effective e-mail security policy that includes scanning outbound e-mail for sensitive content can help protect your corporate secrets and keep information from getting to where it shouldn’t. But content scanning is still not as accurate as virus scanning. False positives, mistuned policies and e-mail mistakenly held up as “potential” threats on outbound servers will cause business delays.
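The departing-employee scenario above, as an added example (not from the original article): a Python volume check over outbound envelope records that flags a sender pushing many messages to one personal webmail address in a short window, a complement to content scanning rather than a replacement for it. The record layout, the domain list, the window and the threshold are assumptions, and the sample records are constructed.

```python
# Added example: flag bulk forwarding to a single personal mailbox.
# Record layout, thresholds and sample data are constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}  # assumed list
WINDOW = timedelta(hours=1)   # assumed sliding window
THRESHOLD = 5                 # assumed messages per window before flagging

# Constructed outbound records: (ISO timestamp, envelope sender, recipient).
SAMPLE = (
    [(f"2006-10-26T17:{m:02d}:00", "alice@corp.example", "alice.home@gmail.com")
     for m in range(0, 12, 2)]
    + [("2006-10-26T09:00:00", "bob@corp.example", "customer1@gmail.com"),
       ("2006-10-26T15:30:00", "bob@corp.example", "customer2@yahoo.com")]
    + [(f"2006-10-26T10:{m:02d}:00", "carol@corp.example", "buyer@partner.example")
       for m in range(6)]
)


def bulk_forwarders(records) -> dict[str, int]:
    """Return {sender: peak message count in WINDOW} for flagged senders."""
    recent = defaultdict(deque)   # (sender, recipient) -> timestamps in window
    flagged = {}
    for ts, sender, rcpt in sorted(records):
        if rcpt.rsplit("@", 1)[-1].lower() not in PERSONAL_DOMAINS:
            continue              # business recipients are out of scope here
        now = datetime.fromisoformat(ts)
        window = recent[(sender, rcpt.lower())]
        window.append(now)
        while now - window[0] > WINDOW:
            window.popleft()      # drop messages older than the window
        if len(window) >= THRESHOLD:
            flagged[sender] = max(flagged.get(sender, 0), len(window))
    return flagged
```

Counting per sender and recipient pair keeps ordinary mail to customers on webmail domains from being held, which limits the false positives and business delays the paragraph warns about.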
Policing Your Setup
Combating viruses, spyware and phishing attacks does not stop with the selection and implementation of one of these technologies. Your security policy must be clearly defined to match the sensitivity of your data, and it must be enforced; it must convey who owns e-mail and how it is used. Undesirable e-mail security scenarios can be avoided through awareness campaigns and personnel training. Make sure your end users log out of their Windows sessions when leaving their workstation to prevent unwanted browsing of their in-boxes. Work with HR to ensure that employees are aware that all corporate e-mail is the express property of the company, not the employee. Take measures to make sure passwords aren’t written down and placed on monitors or under keyboards. These sound like common-sense measures, but we all know how often these guidelines are ignored. Finally, be wary of visitors to your offices, and make sure they are chaperoned when appropriate. Based on these concepts, create e-mail education seminars for your users. Training your end users will allow them to police themselves.
One of the more deadly delusions in the IT world is that the systems administrator or security officer can somehow maintain control over the network and all the information in it. The fact is, though IT professionals create and enforce policy, end users’ actions ultimately dictate how technology is used in the enterprise.
Securing Mobile Devices
Many executives, managers and even IT personnel carry handheld devices so they’re never out of communication. These devices have consumer versions of software that handle e-mail synchronization using POP and even Microsoft Exchange. For better security, all enterprises must consider acquiring the enterprise software versions of these devices.
BlackBerry’s BES (BlackBerry Enterprise Server), for example, gives systems administrators the flexibility and control they desire while providing the encryption necessary to achieve compliance with federal and state mandates. BES offers the option of using AES (Advanced Encryption Standard) or Triple-DES (Data Encryption Standard) to encrypt data sent from the messaging server to the handset. Additionally, BES lets systems administrators make changes to end users’ handheld devices remotely. Devices can be entirely disabled, passwords can be changed and, in cases where the device is lost or stolen, data can be wiped from the device–all by remote administration.
If your corporation uses Treo devices, there are solutions for synchronizing e-mail over secure POP or Exchange synchronization, including third-party programs to send specially crafted text messages that will wipe the data from the device. Good Technologies offers a similar secure Exchange synchronization product for Palm OS and Windows Mobile users.
From Dark Reading (http://www.darkreading.com/document.asp?doc_id=109262&print=true)
Christopher T. Beers is an NWC contributing editor and manager of systems operations for a large broadband ISP, where he oversees daily operations of high-speed data and VOIP for the Northeast United States, including Solaris and Linux administration. Write to him at cbeers@nwc.com.
OCTOBER 30, 2006