
2/12/2014
08:58 AM

Locking Down E-Mail With Security Services

Companies are increasingly looking to the cloud for services to encrypt, back up, and archive their e-mail to protect from accidental leakage and intentional disruption

Three years ago, eliminating spam and viruses from e-mail meant installing an e-mail security gateway at the perimeter. Today, that's no longer true.

Companies are increasingly moving their office processes and systems to the cloud, and e-mail is leading the way. By 2022, 60 percent of workers will be using a cloud-based office system, such as e-mail, up from 8 percent in 2013, according to business-intelligence firm Gartner.

When an e-mail server is replaced by a cloud service, it no longer makes sense to attempt to do security at the perimeter, but companies still need the additional security, says Paul Judge, chief research officer and vice president at security firm Barracuda Networks.

"Even though the e-mail is no longer in-house, the problems are still there," Judge says. "Spam needs to be filtered out. Viruses still need to be blocked. And you still need to be able to monitor and filter outbound messages."

Securing e-mail is a necessity for any company. When companies do kill-chain analysis, looking at all the steps that an attacker must accomplish to attain his goals inside the defender's network, defending e-mail becomes even more important, says Andrew Jaquith, chief technology officer and senior vice president of cloud strategy at SilverSky, an e-mail-security service.

"If you interrupt any step in the sequence of the kill chain, you can stop essentially a major incident in progress," Jaquith says. "And the beginning of any attack is almost always e-mail."

Any e-mail security service has to account for three main corporate concerns, he adds: the actual security of messaging traffic, complying with any regulations, and dealing with the trend toward mobile and remote access to e-mail services. Most companies should judge their e-mail security services on those three characteristics, he says.

The basics of any cloud e-mail security service are stopping spam and malware from reaching the user's device. The average American worker sends or receives 80 e-mails a day, about 5 percent of which are considered risky from a compliance and security standpoint, Jaquith says.


A solid e-mail service generally includes anti-spam and anti-malware technologies, but companies may want the integrated reporting and additional services provided by a focused cloud-based service, he says.

Expanding beyond those basics -- to more advanced threat protection, such as stymieing targeted attacks -- is increasingly important. As e-mail security services grow their collection of customers, they also improve the data with which they can analyze incoming e-mail and detect even single anomalies that indicate an attack, says Scott Harrell, vice president of product management at network and security company Cisco. A cloud service quickly applies lessons learned in attacks on one customer to protecting others.

"We see somewhere around 15 billion Web transactions a day," he says. "We have a lot of data in-house already and have a very good idea of what is a good link versus what is a bad link, and what is a good e-mail and what is malicious."

A trio of other add-on services are becoming important as well. E-mail archiving for compliance, e-discovery for legal and risk management, and data-loss prevention technologies can, in most cases, easily be added through an e-mail security service. In the past, such services may have been housed in different appliances behind the firewall, but having them all in one place for e-mail has enormous benefits, says Orlando Scott-Cowley, a global security expert with e-mail-security provider Mimecast.

"Integrating different types of data into a single archive gives you vastly more efficiencies than having five different archives with five different types of data -- you can respond to e-discovery requests far quicker, for example," he says. "But when you start looking at that data and derive things like business intelligence from it, having it all in one place makes a lot more sense, and you can get a lot more information on what your business is up to."

Mining e-mail for information, however, does run counter to another trend. New information about the extent to which the U.S. National Security Agency and other intelligence agencies are collecting data online has made some companies nervous, and many are looking into encrypting their data held by cloud providers for additional protection against hackers and nation-state actors. Yet encrypting e-mail in the cloud is not a simple matter. Issues with key management and the ability to search e-mail messages -- necessary for e-discovery and DLP -- will delay adoption until practical solutions are found, SilverSky's Jaquith says.

"Encryption at rest is a hard thing because when you encrypt it at rest, it makes it hard to search, and it makes it hard to process," he says. "Companies want access to their e-mail for a variety of business reasons, and they don't want encryption that severely impacts performance."

Companies in specific verticals will make the trade-offs between preserving functionality and enhancing the security of their e-mail, but most companies will have to rely on their security service provider to protect their e-mail for now.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
macker490,
User Rank: Ninja
2/23/2014 | 1:17:12 PM
re: Locking Down E-Mail With Security Services
Remember two-factor ID and biometric ID are solving the wrong problem. The problem is un-authorized programming, i.e. virus in your computer. Once you are infected, "pwned" -- the word security is meaningless. The hacker can use your credentials to submit transactions without your knowledge -- while you are logged on.

UEFI is a huge step in the right direction -- but still -- just a patch. The real issue is in preventing un-authorized updates to your OS.
Beck,
User Rank: Apprentice
2/17/2014 | 8:38:15 PM
re: Locking Down E-Mail With Security Services
This is really great info, as I've seen a lot of security companies lately advertising cloud solutions. Something that might be helpful to note that I noticed you didn't address in your article is two-factor authentication. You're absolutely right that the first step should be securing email and I think one of the best ways to do that is enabling 2FA. I've used Google Authenticator in the past and though I do think it's necessary, it's a UX disaster. Having to enter an OTP every time I want to log on is exhausting and unsafe, considering it's in-band. I've tested out some other out-of-band solutions and I like one called Toopher which uses your phone to authenticate you and can do so automatically when the GPS says it's home. I use it on my LastPass account and if I could have it on my Gmail too, I'd be ecstatic.