Locking Down E-Mail With Security Services
Three years ago, eliminating spam and viruses from e-mail meant installing an e-mail security gateway at the perimeter. Today, that’s no longer true.
Companies are increasingly moving their office processes and systems to the cloud, and e-mail is leading the way. By 2022, 60 percent of workers will be using a cloud-based office system, such as e-mail, up from 8 percent in 2013, according to business-intelligence firm Gartner.
When an e-mail server is replaced by a cloud service, it no longer makes sense to attempt to do security at the perimeter, but companies still need the additional security, says Paul Judge, chief research officer and vice president at security firm Barracuda Networks
“Even though the e-mail is no longer in-house, the problems are still there,” Judge says. “Spam needs to be filtered out. Viruses still need to be blocked. And you still need to be able to monitor and filter outbound messages.”
Securing e-mail is a necessity for any company. When companies do kill-chain analysis, looking at all the steps that an attacker must accomplish to attain his goals inside the defender’s network, defending e-mail becomes even more important, says Andrew Jaquith, chief technology officer and senior vice president of cloud strategy at SilverSky, an e-mail-security service.
“If you interrupt any step in the sequence of the kill chain, you can stop essentially a major incident in progress,” Jaquith says. “And the beginning of any attack is almost always e-mail.”
Any e-mail security service has to account for three main corporate concerns, he adds: the actual security of messaging traffic, complying with any regulations, and dealing with the trend toward mobile and remote access to e-mail services. Most companies should judge their e-mail security services on those three characteristics, he says.
The basics of any cloud e-mail security service are stopping spam and malware from reaching the user’s device. The average American worker sends or receives 80 e-mails a day, about 5 percent of which are considered risky from a compliance and security standpoint, Jaquith says.
[‘Cloud security’ needn’t be an oxymoron. Here’s how to get it right. See Secure The Cloud.]
A solid e-mail service generally includes anti-spam and anti-malware technologies, but companies may want the integrated reporting and additional services provided by a focused cloud-based service, he says.
Expanding beyond those basics — to more advanced threat protection, such as styming targeted attacks — is increasingly important. As e-mail security services grow their collection of customers, they also improve the data with which they can analyze incoming e-mail and detect even single anomalies that indicate an attack, says Scott Harrell, vice president of product management at network and security company Cisco. A cloud service quickly applies lessons learned in attacks on one customer to protecting others.
“We see somewhere around 15 billion Web transactions a day,” he says. “We have a lot of data in-house already and have a very good idea of what is a good link versus what is a bad link, and what is a good e-mail and what is malicious.”
A trio of other add-on services are becoming important as well. E-mail archiving for compliance, e-discovery for legal and risk management, and data-loss prevention technologies can, in most cases, easily be added through an e-mail security service. In the past, such services may have been housed in different appliances behind the firewall, but having them all in once place for e-mail has enormous benefits, says Orlando Scott-Cowley, a global security expert with e-mail-security provider Mimecast.
“Integrating different types of data into a single archive gives you vastly more efficiencies than having five different archives with five different types of data — you can respond to e-discovery requests far quicker, for example,” he says. “But when you start looking at that data and derive things like business intelligence from it, having it all in one place makes a lot more sense, and you can get a lot more information on what your business is up to.”
Mining e-mail for information, however, does run counter to another trend. New information about the extent to which the U.S. National Security Agency and other intelligence agencies are collecting data online has made some companies nervous, and many are looking into encrypting their data held by cloud providers for additional protection against hackers and nation-state actors. Yet encrypting e-mail in the cloud is not a simple matter. Issues with key management and the ability to search e-mail messages — necessary for e-discovery and DLP — will delay adoption until practical solutions are found, SilverSky’s Jaquith says.
“Encryption at rest is a hard thing because when you encrypt it at rest, it makes it hard to search ,and it makes it hard to process,” he says. “Companies want access to their e-mail for a variety of business reasons, and they don’t want encryption that severely impacts performance.”
Companies in specific verticals will make the trade-offs between preserving functionality and enhancing the security of their e-mail, but most companies will have to rely on their security service provider to protect their e-mail for now.
Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.