2/12/2014
08:58 AM

Locking Down E-Mail With Security Services

Companies are increasingly looking to the cloud for services to encrypt, back up, and archive their e-mail to protect from accidental leakage and intentional disruption

Three years ago, eliminating spam and viruses from e-mail meant installing an e-mail security gateway at the perimeter. Today, that's no longer true.

Companies are increasingly moving their office processes and systems to the cloud, and e-mail is leading the way. By 2022, 60 percent of workers will be using a cloud-based office system, such as e-mail, up from 8 percent in 2013, according to business-intelligence firm Gartner.

When an e-mail server is replaced by a cloud service, it no longer makes sense to attempt to do security at the perimeter, but companies still need the additional security, says Paul Judge, chief research officer and vice president at security firm Barracuda Networks.

"Even though the e-mail is no longer in-house, the problems are still there," Judge says. "Spam needs to be filtered out. Viruses still need to be blocked. And you still need to be able to monitor and filter outbound messages."

Securing e-mail is a necessity for any company. When companies do kill-chain analysis, looking at all the steps that an attacker must accomplish to attain his goals inside the defender's network, defending e-mail becomes even more important, says Andrew Jaquith, chief technology officer and senior vice president of cloud strategy at SilverSky, an e-mail-security service.

"If you interrupt any step in the sequence of the kill chain, you can stop essentially a major incident in progress," Jaquith says. "And the beginning of any attack is almost always e-mail."

Any e-mail security service has to account for three main corporate concerns, he adds: the actual security of messaging traffic, complying with any regulations, and dealing with the trend toward mobile and remote access to e-mail services. Most companies should judge their e-mail security services on those three characteristics, he says.

The basics of any cloud e-mail security service are stopping spam and malware from reaching the user's device. The average American worker sends or receives 80 e-mails a day, about 5 percent of which are considered risky from a compliance and security standpoint, Jaquith says.

A solid e-mail service generally includes anti-spam and anti-malware technologies, but companies may want the integrated reporting and additional services provided by a focused cloud-based service, he says.

Expanding beyond those basics -- to more advanced threat protection, such as stymieing targeted attacks -- is increasingly important. As e-mail security services grow their collection of customers, they also improve the data with which they can analyze incoming e-mail and detect even single anomalies that indicate an attack, says Scott Harrell, vice president of product management at network and security company Cisco. A cloud service quickly applies lessons learned in attacks on one customer to protecting others.

"We see somewhere around 15 billion Web transactions a day," he says. "We have a lot of data in-house already and have a very good idea of what is a good link versus what is a bad link, and what is a good e-mail and what is malicious."

A trio of other add-on services is becoming important as well. E-mail archiving for compliance, e-discovery for legal and risk management, and data-loss prevention technologies can, in most cases, easily be added through an e-mail security service. In the past, such services may have been housed in different appliances behind the firewall, but having them all in one place for e-mail has enormous benefits, says Orlando Scott-Cowley, a global security expert with e-mail-security provider Mimecast.

"Integrating different types of data into a single archive gives you vastly more efficiencies than having five different archives with five different types of data -- you can respond to e-discovery requests far quicker, for example," he says. "But when you start looking at that data and derive things like business intelligence from it, having it all in one place makes a lot more sense, and you can get a lot more information on what your business is up to."

Mining e-mail for information, however, does run counter to another trend. New information about the extent to which the U.S. National Security Agency and other intelligence agencies are collecting data online has made some companies nervous, and many are looking into encrypting their data held by cloud providers for additional protection against hackers and nation-state actors. Yet encrypting e-mail in the cloud is not a simple matter. Issues with key management and the ability to search e-mail messages -- necessary for e-discovery and DLP -- will delay adoption until practical solutions are found, SilverSky's Jaquith says.

"Encryption at rest is a hard thing because when you encrypt it at rest, it makes it hard to search, and it makes it hard to process," he says. "Companies want access to their e-mail for a variety of business reasons, and they don't want encryption that severely impacts performance."

Companies in specific verticals will make the trade-offs between preserving functionality and enhancing the security of their e-mail, but most companies will have to rely on their security service provider to protect their e-mail for now.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
macker490,
User Rank: Ninja
2/23/2014 | 1:17:12 PM
re: Locking Down E-Mail With Security Services
Remember, two-factor ID and biometric ID are solving the wrong problem. The problem is unauthorized programming, i.e. a virus in your computer. Once you are infected, "pwned" -- the word security is meaningless. The hacker can use your credentials to submit transactions without your knowledge -- while you are logged on.

UEFI is a huge step in the right direction -- but still just a patch. The real issue is in preventing unauthorized updates to your OS.
Beck,
User Rank: Apprentice
2/17/2014 | 8:38:15 PM
re: Locking Down E-Mail With Security Services
This is really great info, as I've seen a lot of security companies lately advertising cloud solutions. Something that might be helpful to note, which I noticed you didn't address in your article, is two-factor authentication. You're absolutely right that the first step should be securing email, and I think one of the best ways to do that is enabling 2FA. I've used Google Authenticator in the past, and though I do think it's necessary, it's a UX disaster. Having to enter an OTP every time I want to log on is exhausting and unsafe, considering it's in-band. I've tested out some other out-of-band solutions, and I like one called Toopher, which uses your phone to authenticate you and can do so automatically when the GPS says it's home. I use it on my LastPass account, and if I could have it on my Gmail too, I'd be ecstatic.