Security360 Preview: Building a Multi-layered Approach to E-mail Security

REDMOND, Wash. — Dec. 16, 2005 — As recently as 10 years ago, e-mail was just finding its way into everyday use across the corporate world. Today it is one of the most critical elements of any organization’s information infrastructure, and when e-mail goes down, the consequences can be severe. For large e-retailers, companies in financial services, government entities and other industries, a prolonged e-mail outage can cripple the ability to do business.

Unfortunately, that fact also makes e-mail a prime target for malicious hackers and electronic vandals. Many of today’s most malignant viruses and worms are distributed through e-mail and messaging systems. High-profile attacks can cost companies hundreds of thousands of dollars in downtime and clean-up costs, not to mention possible damage to the company’s reputation.

Beyond those obvious threats, the content of e-mails themselves can be dangerous for an organization if the system is used improperly or carelessly. Add to these internal challenges new pressures from the outside — such as new regulations making it imperative for large organizations to safeguard critical information contained in e-mail messages — and it’s clear that there is a strong need for organizations to increase e-mail security.



During this month’s Security360 webcast, Corporate Vice President Mike Nash and Director of Product Management Amy Roberts of Microsoft’s Security Technology Unit will gather with security experts to discuss how organizations today must use a combination of software, services and processes to help protect their e-mail infrastructure, their network environments, and ultimately, their business.

This month’s guests include Jim McBee, author of the book “Exchange Server 2003 24seven” and a Microsoft Most Valuable Professional, along with Paul Robichaux of 3Sharp, also a Microsoft Most Valuable Professional. The show will also feature Frank Gillman, director of technology at Allen Matkins Leck Mallory, and Teney Takahashi, a security analyst with Radicati. From Microsoft, Joe Licari, director of Antigen Product Management, and Dave Thompson, corporate vice president of the Exchange Server Product Group, will also take part.

As always, the webcast will offer strategies and best practices for improving an organization’s readiness with regard to security issues, as well as a live Q&A session with the panelists featuring questions from the audience.

During the webcast, host Nash will discuss strategies to protect employee inboxes, including the latest antivirus software to help eliminate viruses already in the network that may be trying to hop from desktop to desktop via e-mail. He will also discuss how organizations can focus resources on areas that most directly impact business operations, while minimizing upfront capital investments, including hosted solutions such as offerings from FrontBridge Technologies, recently acquired by Microsoft, that can eliminate spam and viruses before they ever reach the network.

The panelists will add their own insight into these and other e-mail security-related topics, including how on-premise and managed services can work together as part of a “multi-layered” approach, the growing complexity of e-mail systems in general, and the threats posed by “phishing,” “pharming,” “spoofing” and denial of service attacks. They will also discuss ways that companies can protect e-mail content from accidental or inadvertent disclosure by using enterprise rights management policies and technologies, as well as other means.

According to Robichaux, that last issue forms one of three critical pillars of e-mail security. “The e-mail infrastructure revolves around a very simple acronym, CIA — confidentiality, integrity and availability,” he says. “Those three are interrelated, but all three of them have heavy applicability to e-mail systems.”

By Robichaux’s definition, confidentiality is simply keeping people away from information they shouldn’t have access to, and ensuring that confidential information is treated and maintained as such. Integrity equates to confidence in the data — that it is free of viruses or spam, and that information hasn’t been tampered with — while availability is simply the ability to access and use the system.

“Availability is key because if your system is not available, it doesn’t matter how secure it is. If you can’t use it, it doesn’t do you any good,” Robichaux says. “Most companies do the integrity piece pretty well, with a variety of virus scanners, third-party services and other tools on the market today. But there is still room for improvement as far as confidentiality and availability.”

According to McBee, many organizations can mitigate availability concerns by outsourcing e-mail “hygiene” functions to third-party providers, who are often much better equipped to deal with threats such as denial of service attacks while keeping the business up and running.

“The managed providers are large enough that they can have additional hardware that can allow them to scale and adapt to an e-mail storm where a virus or a worm has been released,” he says. “If instead of seeing 100 messages an hour, you’re seeing 10,000 messages an hour, that’s something that would overwhelm a low-end server that you purchased to handle your small organization, but the provider has the ability to scale to where they can handle surges in the current threat.”

As for confidentiality, both panelists agree that organizations have a long way to go in how they deal with confidential information, and this will become a much bigger factor for many companies in terms of their approach to e-mail security. Already, organizations such as hospitals face regulatory pressure regarding the content of their e-mails.

“Content inspection is important for both inbound and outbound messages,” McBee says. “In a hospital, for example, you don’t want a message that contains healthcare information to also contain information that would tie a condition or situation to a particular person. The content inspection system handles making sure that type of information doesn’t leak out, and this is going to become more and more important for many different types of organizations.”

Complicating matters is the fact that this is not just a technology issue, but one which also incorporates the ever-present factor of human error. McBee cites an example from his current book, where a salesman forwarded a pricing spreadsheet to a customer.

“The spreadsheet contained margin information confidential to the company, and the customer felt they were being overcharged in some areas,” he says. “The simple, inadvertent forwarding of proprietary information in e-mail led to the loss of a couple hundred thousand dollars.”

According to McBee, even though that incident was accidental, it’s the sort of thing that happens too often, whether intentionally or not. Therefore the emergence of enterprise rights management, he says, will be one of the main trends in e-mail security over the next three to five years.

“There are a lot of ERM solutions out there, but they are more the exception than the rule today,” he says. “I think that’s one of the most fascinating things that we’re going to see happening in the coming decade.”

This month’s live Security360 Webcast takes place Tuesday, Dec. 20. More details can be found at http://www.microsoft.com/events/series/mikenash.mspx.