Risk
2/12/2014
08:58 AM

Locking Down E-Mail With Security Services

Companies are increasingly looking to the cloud for services to encrypt, back up, and archive their e-mail to protect from accidental leakage and intentional disruption

Three years ago, eliminating spam and viruses from e-mail meant installing an e-mail security gateway at the perimeter. Today, that's no longer true.

Companies are increasingly moving their office processes and systems to the cloud, and e-mail is leading the way. By 2022, 60 percent of workers will be using a cloud-based office system, such as e-mail, up from 8 percent in 2013, according to research firm Gartner.

When an e-mail server is replaced by a cloud service, it no longer makes sense to attempt to do security at the perimeter, but companies still need the additional security, says Paul Judge, chief research officer and vice president at security firm Barracuda Networks.

"Even though the e-mail is no longer in-house, the problems are still there," Judge says. "Spam needs to be filtered out. Viruses still need to be blocked. And you still need to be able to monitor and filter outbound messages."
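The outbound filtering Judge mentions is usually a data-loss-prevention rule set applied at the gateway. The following is an added example, not code from Barracuda or any vendor named in this article: it scans constructed outbound message bodies for payment-card numbers and U.S. Social Security numbers and returns a deliver/quarantine verdict. The card rule validates the Luhn checksum so that order numbers and other 16-digit values do not trigger it; the rule names, thresholds and sample messages are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one rule that fired on an outbound message.
type Finding struct {
	Rule  string
	Match string
}

// cardCandidateRe picks up runs of 13 to 19 digits, optionally separated by
// single spaces or dashes, which covers how card numbers are usually typed.
var cardCandidateRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// ssnRe matches the 3-2-4 layout of a U.S. Social Security number.
var ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// luhnValid reports whether a string of ASCII digits passes the Luhn checksum
// that payment card numbers carry; it weeds out order numbers and other
// digit runs that merely look like cards.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// onlyDigits strips the separators out of a candidate card match.
func onlyDigits(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// ScanOutbound runs every rule over a message body and returns the findings.
func ScanOutbound(body string) []Finding {
	var findings []Finding
	for _, m := range cardCandidateRe.FindAllString(body, -1) {
		if luhnValid(onlyDigits(m)) {
			findings = append(findings, Finding{Rule: "payment-card", Match: m})
		}
	}
	for _, m := range ssnRe.FindAllString(body, -1) {
		findings = append(findings, Finding{Rule: "ssn", Match: m})
	}
	return findings
}

// Verdict is the gateway decision: any finding holds the message for review.
func Verdict(body string) string {
	if len(ScanOutbound(body)) == 0 {
		return "deliver"
	}
	return "quarantine"
}

func main() {
	// Constructed sample messages; the card number is the well-known Visa test value.
	samples := []string{
		"Please charge 4111 1111 1111 1111, exp 12/26, for the renewal.",
		"Your order 1234567890123456 has shipped.",
		"New hire paperwork: SSN 123-45-6789 attached.",
	}
	for _, s := range samples {
		fmt.Printf("%-10s %v\n", Verdict(s), ScanOutbound(s))
	}
}
```

The second sample is the reason for the Luhn step: a plain 16-digit regex would quarantine every shipping notice, and a rule that users learn to ignore is worse than none.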

Securing e-mail is a necessity for any company. When companies do kill-chain analysis, looking at all the steps that an attacker must accomplish to attain his goals inside the defender's network, defending e-mail becomes even more important, says Andrew Jaquith, chief technology officer and senior vice president of cloud strategy at SilverSky, an e-mail-security service.

"If you interrupt any step in the sequence of the kill chain, you can stop essentially a major incident in progress," Jaquith says. "And the beginning of any attack is almost always e-mail."

Any e-mail security service has to account for three main corporate concerns, he adds: the actual security of messaging traffic, complying with any regulations, and dealing with the trend toward mobile and remote access to e-mail services. Most companies should judge their e-mail security services on those three characteristics, he says.

The basics of any cloud e-mail security service are stopping spam and malware from reaching the user's device. The average American worker sends or receives 80 e-mails a day, about 5 percent of which are considered risky from a compliance and security standpoint, Jaquith says.


A solid e-mail service generally includes anti-spam and anti-malware technologies, but companies may want the integrated reporting and additional services provided by a focused cloud-based service, he says.

Expanding beyond those basics -- to more advanced threat protection, such as stymying targeted attacks -- is increasingly important. As e-mail security services grow their customer base, they also improve the data with which they can analyze incoming e-mail and detect even isolated anomalies that indicate an attack, says Scott Harrell, vice president of product management at network and security company Cisco. A cloud service quickly applies lessons learned from attacks on one customer to protecting the others.

"We see somewhere around 15 billion Web transactions a day," he says. "We have a lot of data in-house already and have a very good idea of what is a good link versus what is a bad link, and what is a good e-mail and what is malicious."

A trio of other add-on services is becoming important as well. E-mail archiving for compliance, e-discovery for legal and risk management, and data-loss prevention technologies can, in most cases, easily be added through an e-mail security service. In the past, such services may have been housed in different appliances behind the firewall, but having them all in one place for e-mail has enormous benefits, says Orlando Scott-Cowley, a global security expert with e-mail-security provider Mimecast.

"Integrating different types of data into a single archive gives you vastly more efficiencies than having five different archives with five different types of data -- you can respond to e-discovery requests far quicker, for example," he says. "But when you start looking at that data and derive things like business intelligence from it, having it all in one place makes a lot more sense, and you can get a lot more information on what your business is up to."

Mining e-mail for information, however, does run counter to another trend. New information about the extent to which the U.S. National Security Agency and other intelligence agencies are collecting data online has made some companies nervous, and many are looking into encrypting their data held by cloud providers for additional protection against hackers and nation-state actors. Yet encrypting e-mail in the cloud is not a simple matter. Issues with key management and the ability to search e-mail messages -- necessary for e-discovery and DLP -- will delay adoption until practical solutions are found, SilverSky's Jaquith says.

"Encryption at rest is a hard thing because when you encrypt it at rest, it makes it hard to search, and it makes it hard to process," he says. "Companies want access to their e-mail for a variety of business reasons, and they don't want encryption that severely impacts performance."
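One practical compromise between the encryption Jaquith describes and the searching it breaks is a blind index: bodies are stored under an authenticated cipher, and each keyword is stored as an HMAC token under a separate key, so the provider can answer exact-keyword searches without ever seeing plaintext. The following is an added example and not SilverSky's or any vendor's code; it uses an in-memory map as a stand-in for the provider's store, constructed keys and messages, and AES-GCM plus HMAC-SHA256 from the Go standard library. It also shows the limit Jaquith alludes to: substring, wildcard and regular-expression matching, which DLP depends on, cannot be evaluated over the tokens.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// storedMessage is all the provider holds for one message: an AES-GCM
// ciphertext and the blind-index tokens for the words it contains.
type storedMessage struct {
	nonce      []byte
	ciphertext []byte
	tokens     map[string]bool
}

// Mailbox encrypts bodies under encKey and indexes keywords under a separate
// indexKey, so the index leaks only which stored messages share a token.
type Mailbox struct {
	aead     cipher.AEAD
	indexKey []byte
	messages map[string]storedMessage
}

// NewMailbox takes a 16-, 24- or 32-byte AES key and an HMAC key. In practice
// both live in a KMS the customer controls; that is the key-management problem.
func NewMailbox(encKey, indexKey []byte) (*Mailbox, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Mailbox{aead: aead, indexKey: indexKey, messages: map[string]storedMessage{}}, nil
}

var wordRe = regexp.MustCompile(`[A-Za-z0-9]+`)

// token maps a case-folded word to its blind-index token; without indexKey
// the token cannot be reversed or matched against a hashed dictionary.
func (m *Mailbox) token(word string) string {
	mac := hmac.New(sha256.New, m.indexKey)
	mac.Write([]byte(strings.ToLower(word)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Store encrypts the body, bound to the message id via the AEAD associated
// data so ciphertexts cannot be swapped between ids, and records its tokens.
func (m *Mailbox) Store(id, body string) error {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := m.aead.Seal(nil, nonce, []byte(body), []byte(id))
	tokens := map[string]bool{}
	for _, w := range wordRe.FindAllString(body, -1) {
		tokens[m.token(w)] = true
	}
	m.messages[id] = storedMessage{nonce: nonce, ciphertext: ct, tokens: tokens}
	return nil
}

// Search returns the ids of messages containing word as a whole keyword.
// Only exact (case-insensitive) keyword equality works over the tokens.
func (m *Mailbox) Search(word string) []string {
	want := m.token(word)
	var ids []string
	for id, sm := range m.messages {
		if sm.tokens[want] {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// Read decrypts one message and verifies its authentication tag.
func (m *Mailbox) Read(id string) (string, error) {
	sm, ok := m.messages[id]
	if !ok {
		return "", errors.New("no such message")
	}
	pt, err := m.aead.Open(nil, sm.nonce, sm.ciphertext, []byte(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// CiphertextContains is what a provider-side content scan would see: nothing.
func (m *Mailbox) CiphertextContains(id, word string) bool {
	return bytes.Contains(m.messages[id].ciphertext, []byte(word))
}

func main() {
	// Constructed keys and messages for the demonstration only.
	mb, err := NewMailbox(bytes.Repeat([]byte{0x01}, 32), bytes.Repeat([]byte{0x02}, 32))
	if err != nil {
		panic(err)
	}
	mb.Store("m1", "Invoice 4471 is overdue, please pay by Friday")
	mb.Store("m2", "Lunch on Friday?")
	fmt.Println("invoice ->", mb.Search("invoice"), " invoic ->", mb.Search("invoic"))
	fmt.Println("provider can grep plaintext:", mb.CiphertextContains("m1", "Invoice"))
}
```

The token set itself leaks word counts and which messages share words, which is why the index key must be kept as carefully as the encryption key; a provider holding both keys is no better placed than one holding plaintext.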

Companies in specific verticals will make the trade-offs between preserving functionality and enhancing the security of their e-mail, but most companies will have to rely on their security service provider to protect their e-mail for now.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
macker490 (User Rank: Ninja), 2/23/2014 1:17:12 PM
re: Locking Down E-Mail With Security Services
Remember, two-factor ID and biometric ID are solving the wrong problem. The problem is unauthorized programming, i.e. a virus in your computer. Once you are infected, "pwned" -- the word security is meaningless. The hacker can use your credentials to submit transactions without your knowledge -- while you are logged on.

UEFI is a huge step in the right direction -- but -- still -- just a patch. The real issue is in preventing unauthorized updates to your OS.
Beck (User Rank: Apprentice), 2/17/2014 8:38:15 PM
re: Locking Down E-Mail With Security Services
This is really great info, as I've seen a lot of security companies lately advertising cloud solutions. Something that might be helpful to note, which I noticed you didn't address in your article, is two-factor authentication. You're absolutely right that the first step should be securing email, and I think one of the best ways to do that is enabling 2FA. I've used Google Authenticator in the past, and though I do think it's necessary, it's a UX disaster. Having to enter an OTP every time I want to log on is exhausting and unsafe, considering it's in-band. I've tested out some other out-of-band solutions and I like one called Toopher, which uses your phone to authenticate you and can do so automatically when the GPS says it's home. I use it on my LastPass account, and if I could have it on my Gmail too, I'd be ecstatic.