By Stephen J. Bigelow, Senior Technology Writer
Email security is a critical concern for every executive and IT channel professional. As a major doorway into an organization, email is a principal means of proliferating malware and stealing sensitive information from the organization. This forces businesses to scan mail and attached content. In addition, email is subjected to scrutiny from regulators and litigators, and businesses are obligated to retain and locate even the most obscure messages in response to discovery requests. Solution providers can help clients strengthen their email security goals by understanding the common issues and mistakes, recognizing the tools and features, and providing solid advice on testing and management.
Understanding the goals of email security
Email is often perceived as an avenue of attack -- a common route for viruses, spyware and spam to attempt to enter the organization. In many cases, those who perpetrate such attacks intend to disrupt business operations, reduce productivity and abscond with confidential information that can lead to broader attacks or identity theft. While this vulnerability remains important, today's email security tools do an excellent job of scanning attachments for known malicious code, and regular employee training can curtail user behavior that often precipitates successful attacks (e.g., opening unknown attachments, responding to phishing scams or clicking malicious URLs).
The security threat posed by email is changing, and data leakage has become a new problem to contend with. One form of data leakage occurs when employees with bona fide access to data send email containing sensitive information out of the company. This may occur accidentally, but it is increasingly common in corporate espionage, which exploits a target business's weaknesses from the inside.
Data leakage and corporate espionage have emerged in the past six months as a major issue for email security, said Steve Lubahn, vice president of sales and marketing at LockNet Inc., a security solution provider in LaCrosse, Wisc. Email security appliances and content filtering tools can help tackle this problem by incorporating outbound data leakage protection (DLP) features that can identify sensitive files and inspect message context for suspicious content, then report or block that activity.
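As an added illustration of the outbound DLP inspection described above (example code written for this article's topic, not any product's own implementation): every MIME part of an outgoing message is scanned for Luhn-valid card numbers and SSN-shaped values, and the result is blocked, reported or allowed. The sample message, the patterns and the block/report policy are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample outbound message (not from the article): text body plus a CSV attachment.
SAMPLE_OUTBOUND = """From: alice@example.com
To: partner@example.net
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Client list attached. Card on file: 4111 1111 1111 1111.
--XYZ
Content-Disposition: attachment; filename="clients.csv"

name,ssn
Bob,123-45-6789
--XYZ--
"""

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum, so that random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text):
    """Return (kind, last4) for every validated card number or SSN-shaped value in text."""
    hits = [("card", re.sub(r"[ -]", "", m.group())[-4:]) for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    hits += [("ssn", m.group()[-4:]) for m in SSN_RE.finditer(text)]
    return hits

def inspect_outbound(raw):
    """Walk every MIME part and return (decision, findings); findings are (location, kind, last4)."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "multipart": continue   # container, no payload of its own
        text = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
        where = part.get_filename() or "body"                     # attachment name, else the body
        findings += [(where, kind, last4) for kind, last4 in find_sensitive(text)]
    # Assumed policy: a hit inside an attachment blocks the message; a hit only in the body is reported.
    if any(where != "body" for where, _, _ in findings):
        return "block", findings
    return ("report" if findings else "allow"), findings
```

Only the last four digits of each hit are kept in the findings, so the DLP log itself does not become a second copy of the sensitive data.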
Other experts see email security in terms of compliance and e-discovery. "Legal compliance and confidentiality [concerns] are just pounding organizations," said Allen Zuk, an independent IT risk management consultant formerly with GlassHouse Technologies. "Anything that is generated through a corporate email system is subject to scrutiny, legal review and compliance and can be used in any kind of legal process."
Messages and attachments must be retained for prescribed periods, remain protected against alteration or deletion during that time, be located in very short order to accommodate a discovery request, and then destroyed in a secure fashion (such as file shredding) once the retention period has expired. Encryption features maintain security by guarding message data at rest and in flight -- also protecting the client against stolen or misdirected data.
Many solution providers use compliance topics as a means of maintaining an ongoing dialogue with their clients, which can lead to supplemental business opportunities later on. "Don't just look for a widget to make the problem go away," said Mike Rothman, president and principal analyst at Security Incite, an independent analyst firm near Atlanta.
Email security mistakes and oversights
Solution providers are not always doing everything possible to position and properly protect their clients against email security threats. One issue that plagues client organizations is a lack of training around email security policies. Employees sometimes open attachments from unknown senders or click on links to websites that attempt to plant malware. Security policy lapses also extend to laptops, PDAs, smartphones and other mobile devices.
"The organization's eagerness to please its employees and give them the tools and the access they need opens the door for other [security] problems," Zuk said. Consequently, solution providers are becoming more involved in the policy, process and training aspects of each client's security posture.
Solution providers also face the problem of identifying and recommending an appropriate email security product for the client's environment, and then integrating that product without "breaking" something else. The extent of the solution provider's experience has a critical effect on successful email security deployments, particularly for complex projects such as multiple messaging systems being used together.
"I've worked [for] clients where they had three email systems," Zuk said. "You could conceivably be tackling one thing and completely overlook another, or create more headaches for another [email system]." While most organizations try to consolidate their infrastructures in the wake of mergers and acquisitions, a solution provider must have a clear picture of the client's environment and accommodate its nuances.
Generally speaking, an email security appliance is a dedicated network device that installs into the network infrastructure near the corporate firewall -- intercepting all email and scanning it for viruses, spyware and content-related threats such as phishing. Many enterprise-class security appliances provide additional features like intrusion detection/prevention, Web content filtering and traffic shaping. Solution providers must ensure that appliances have the network connectivity and processing power to keep pace with the client's daily email traffic demands. Otherwise, undersized appliances will bog down the email system and delay the timely delivery of messages.
Small environments can face serious retention and archiving issues when a business forgoes the use of in-house email servers (like Exchange) in favor of POP3 email accounts often supplied by ISPs. Since the client does not own that email server, its ability to back up, control and access messages is severely curtailed -- potentially resulting in serious business disruption, compliance violations or even litigation if the client cannot produce messages connected with an e-discovery request. To solution providers, the most important part of the email security deployment is providing clients with direct ownership and control of the messaging infrastructure in-house. Still, equipment can be installed on the client network to track usage and other attributes, helping to control email usage even when it is operated through an outside email server.
Some solution providers may find themselves grappling with lethargy in the industry. "Folks are starting to take email security for granted," Rothman said. He noted that virtually every organization implements some form of email security, but the lack of daily problems or issues can cause clients (and solution providers) to grow complacent.
Email security testing
There is no single test or test suite that can ensure the proper operation of an email security system -- whether it's security software installed on a dedicated server or an email security appliance integrated into the client's network -- but there are some tactics that can help. First, understand the client's needs and the objectives of the email security platform. For example, some clients may be particularly concerned with message processing performance and its impact on the network. Others may be concerned with spam filtering accuracy, the ability to inspect and recover improperly marked messages (false positives) or archival capabilities to meet compliance needs.
Once client goals are understood, experts like Zuk suggest a proof-of-concept deployment through which you can demonstrate how key features meet requirements such as antivirus, antispam, content filtering, DLP and reporting and logging. It's also important to show a client how the email security product integrates into their current environment.
Email security tools should be updated frequently and tested regularly after deployment. This involves both patching and signature file updates, along with regular whitelist and blacklist tuning by the client or the solution provider. While there isn't much that a client can do in terms of direct testing, solution providers and many major manufacturers can assist in third-party security testing. Zuk said he usually recommends having a third-party assessment done on your email environment every six months, noting that Symantec, IBM, Protiviti, McAfee and other professional services organizations can step in.
There are other resources that can help. For example, Internet security firm Webroot provides a variety of reports on security topics, including Protecting Business Email. In addition, The Tolly Group publishes numerous independent reports on IT topics including messaging, and The Virus Bulletin covers news and articles on viruses and other malware.
Email management and channel business opportunities
Experts like Zuk identify two areas of concern in email security management. First, there is the development and maintenance of the policies that drive email security by selecting which traffic to act upon. Consequently, email security appliances must provide easy management that allows rapid scanning and retention policy development or adjustment, without overburdening the client's network by stopping and scanning every message. The second area of concern is storage and retention. Organizations are keeping more messages for longer periods, and this has led to explosive email storage growth, which may require additional storage capacity and data reduction technologies like data deduplication and compression.
Both aspects of email security management have opened managed services opportunities for solution providers. "If you've got good hands-on experience and knowledge of the products that are on the market that can help drive and support and manage email security … that's a tremendous area for growth," Zuk said, noting that businesses are always looking to outsource roles and operations that don't necessarily align with the main line of business. "Make sure you've got the appropriate SLAs in place."
Actual management time for email security should be fairly limited. A primary goal of email security products is to offer simplicity and aid consolidation, so the email security manager in an SMB/SME should expect to spend about one hour a week reviewing traffic logs and event reports. "If you're spending more than an hour per week between looking at logs and managing it, you probably need to reconsider the implementation," Lubahn said.
Ultimately, the dynamic nature of security threats can offer solution providers ample opportunities for supplemental revenue. Most small and midsized clients don't have the resources or in-house expertise to stay on top of new security threats or products. A knowledgeable provider can leverage new threats and product updates to maintain a dialogue with the client.
Future email security trends
Perhaps the biggest trend is consolidation within the email security industry itself. "From a solution provider standpoint, the line card is dramatically thinning," Rothman said, noting several high-profile mergers and acquisitions in both the security vendor and security services areas -- a trend that will likely continue into the foreseeable future. This puts enormous pressure on solution providers to identify vendors and recommend email security products that will remain viable and competitive after an acquisition occurs.
In terms of technologies, Software as a Service (SaaS) is currently offered by only the largest providers, because the infrastructure to support remote services can be daunting for small to midsized solution providers. Protection against malicious outbound traffic should continue to develop as vendors react to new and different attack modes. Content inspection and other "reputation-based" technologies are expected to evolve and improve. Email security products should also provide tighter integration with backup and data protection technologies, enabling client organizations to back up messaging systems more quickly and effectively.
Expect to see a tighter integration between data leakage protection and antivirus features. Today, these are often integrated separately and can burden the network with two independent scanning engines. Zuk expects that these features might eventually merge into a single engine that can handle both activities together. Network messaging convergence is another area of interest, bringing email, IM, mobile devices and other messaging platforms into a single converged product.
This was first published in September 2008