
2/12/2014
08:58 AM

Locking Down E-Mail With Security Services

Companies are increasingly looking to the cloud for services to encrypt, back up, and archive their e-mail to protect from accidental leakage and intentional disruption

Three years ago, eliminating spam and viruses from e-mail meant installing an e-mail security gateway at the perimeter. Today, that's no longer true.

Companies are increasingly moving their office processes and systems to the cloud, and e-mail is leading the way. By 2022, 60 percent of workers will be using a cloud-based office system, such as e-mail, up from 8 percent in 2013, according to business-intelligence firm Gartner.

When an e-mail server is replaced by a cloud service, it no longer makes sense to attempt to do security at the perimeter, but companies still need the additional security, says Paul Judge, chief research officer and vice president at security firm Barracuda Networks.

"Even though the e-mail is no longer in-house, the problems are still there," Judge says. "Spam needs to be filtered out. Viruses still need to be blocked. And you still need to be able to monitor and filter outbound messages."

Securing e-mail is a necessity for any company. When companies do kill-chain analysis, looking at all the steps that an attacker must accomplish to attain his goals inside the defender's network, defending e-mail becomes even more important, says Andrew Jaquith, chief technology officer and senior vice president of cloud strategy at SilverSky, an e-mail-security service.

"If you interrupt any step in the sequence of the kill chain, you can stop essentially a major incident in progress," Jaquith says. "And the beginning of any attack is almost always e-mail."

Any e-mail security service has to account for three main corporate concerns, he adds: the actual security of messaging traffic, complying with any regulations, and dealing with the trend toward mobile and remote access to e-mail services. Most companies should judge their e-mail security services on those three characteristics, he says.

The basics of any cloud e-mail security service are stopping spam and malware from reaching the user's device. The average American worker sends or receives 80 e-mails a day, about 5 percent of which are considered risky from a compliance and security standpoint, Jaquith says.


A solid e-mail service generally includes anti-spam and anti-malware technologies, but companies may want the integrated reporting and additional services provided by a focused cloud-based service, he says.

Expanding beyond those basics -- to more advanced threat protection, such as stymieing targeted attacks -- is increasingly important. As e-mail security services grow their collection of customers, they also improve the data with which they can analyze incoming e-mail and detect even single anomalies that indicate an attack, says Scott Harrell, vice president of product management at network and security company Cisco. A cloud service quickly applies lessons learned in attacks on one customer to protecting others.

"We see somewhere around 15 billion Web transactions a day," he says. "We have a lot of data in-house already and have a very good idea of what is a good link versus what is a bad link, and what is a good e-mail and what is malicious."

A trio of other add-on services are becoming important as well. E-mail archiving for compliance, e-discovery for legal and risk management, and data-loss prevention technologies can, in most cases, easily be added through an e-mail security service. In the past, such services may have been housed in different appliances behind the firewall, but having them all in one place for e-mail has enormous benefits, says Orlando Scott-Cowley, a global security expert with e-mail-security provider Mimecast.

"Integrating different types of data into a single archive gives you vastly more efficiencies than having five different archives with five different types of data -- you can respond to e-discovery requests far quicker, for example," he says. "But when you start looking at that data and derive things like business intelligence from it, having it all in one place makes a lot more sense, and you can get a lot more information on what your business is up to."

Mining e-mail for information, however, does run counter to another trend. New information about the extent to which the U.S. National Security Agency and other intelligence agencies are collecting data online has made some companies nervous, and many are looking into encrypting their data held by cloud providers for additional protection against hackers and nation-state actors. Yet encrypting e-mail in the cloud is not a simple matter. Issues with key management and the ability to search e-mail messages -- necessary for e-discovery and DLP -- will delay adoption until practical solutions are found, SilverSky's Jaquith says.

"Encryption at rest is a hard thing because when you encrypt it at rest, it makes it hard to search, and it makes it hard to process," he says. "Companies want access to their e-mail for a variety of business reasons, and they don't want encryption that severely impacts performance."

Companies in specific verticals will make the trade-offs between preserving functionality and enhancing the security of their e-mail, but most companies will have to rely on their security service provider to protect their e-mail for now.

Comments
macker490,
User Rank: Ninja
2/23/2014 | 1:17:12 PM
re: Locking Down E-Mail With Security Services
Remember, two-factor ID and biometric ID are solving the wrong problem. The problem is un-authorized programming, i.e. virus in your computer. Once you are infected, "pwned" -- the word security is meaningless. The hacker can use your credentials to submit transactions without your knowledge -- while you are logged on.

UEFI is a huge step in the right direction, -- but -- still --- just a patch. the real issue is in preventing un-authorized updates to your os.
Beck,
User Rank: Apprentice
2/17/2014 | 8:38:15 PM
re: Locking Down E-Mail With Security Services
This is really great info, as I've seen a lot of security companies lately advertising cloud solutions. Something that might be helpful to note, that I noticed you didn't address in your article, is two-factor authentication. You're absolutely right that the first step should be securing email and I think one of the best ways to do that is enabling 2FA. I've used Google Authenticator in the past and though I do think it's necessary, it's a UX disaster. Having to enter an OTP every time I want to log on is exhausting and unsafe, considering it's in-band. I've tested out some other out-of-band solutions and I like one called Toopher which uses your phone to authenticate you and can do so automatically when the GPS says it's home. I use it on my LastPass account and if I could have it on my Gmail too, I'd be ecstatic.