The number of new Security as a Service products and services continues to grow at a rapid rate. There are cloud-based...
services for almost any security challenge, including firewalls, server configuration and identity management. These new services all trace their origins to the first Security as a Service product: email security. The security challenges this original cloud-based security service address still exist today. Hosted email security services make an excellent starting point for companies as they are relatively mature. In this tip, we'll examine the capabilities available with cloud-based email security services and also provide six email security best practices organizations should consider when evaluating email Security as a Service providers.
Email Security as a Service basics
Email Security as a Service can trace its humble roots back to the problem of filtering spam. This unpopular task is just as important today as back when Internet email started gaining popularity. Most security professionals underrate the importance of filtering their inbound email because it is not considered a sexy security technology. However, it should be their top priority as many attackers have turned to email as their preferred weapon because of the reduction of remotely executable vulnerabilities.
Inbound email filtering is an ideal function for Security as a Service since it is simple to setup as an email forwarder. It would be impossible for a lone email administrator to keep up with the constantly evolving landscape of threats. These services filter email by using complex lexical analysis and sender reputations that are much more advanced than the simple filters older email security technologies employed. The inbound email filters of cloud-based security services can provide anti-phishing, anti-fraud and antivirus for a simple monthly fee.
Email security best practice #1: Security as a Service provider should guard access to your data
One of the risks organizations need to consider when using inbound email security services is that all of the organization's email communications will be processed through a third party. This risk is present in any type of Security as a Service but it could be amplified with a cloud-based email security service, depending on the amount and type of communications flowing through email. The company providing the inbound email filtering should be able to provide detailed documentation on the procedures used to protect this information, keep it separate from other customers and limit exposure to their employees.
Email security best practice #2: Avoid vendor lock-in
There are many email security technologies available as cloud-based services to help a company achieve regulatory compliance, including encryption, archiving and data loss prevention (DLP). These technologies are well suited to cloud environments and can be used together for a cumulative effect. For example, a cloud-based DLP service can scan outbound email for HIPAA-regulated medical information or Sarbanes-Oxley regulated financial information. It would normally just block this information to prevent unauthorized disclosure but could automatically encrypt the message if bundled with an encryption service. Cloud-based services are particularly attractive because they can take the difficulty out of key management and provide a continually updated lexicon for DLP.
Archiving is another good fit for email Security as a Service products and services. Companies needing to maintain large volumes of messages will be drawn to the flexibility of cloud-based storage services, which can be an easy way to enforce data retention policies and meet e-discovery requirements. Some services provide indexed archives that are tamper-proof and will speed any litigation-based queries.
However, there are two potential problems to consider with these services. First, it may be very difficult to migrate away from them in the future. There is no standard format for email archives or customized DLP rule-sets, turning any conversions to another provider into labor intensive projects. Also, the provider may own the encryption keys, causing a reconfiguration of all encrypted email traffic. That is why it's critical to investigate these portability issues up front with your provider and agree upon formats and the costs of returning the data at the end of a contract.
Email security best practice #3: Monitor service utilization
The other potential problem is not monitoring the amount of storage in use once email is archived into a cloud-based system. The charges for storage of these messages start out low at the start of the agreement but can increase quickly. It becomes easy for administrators to forget about the service as they shift their focus to other hot projects. The costs could quickly get out of control and the archive could become unwieldy, hampering investigations and creating liability instead of limiting it. It's important to do a cost analysis of a fully utilized system and to monitor utilization closely to avoid cost overruns.
Email security best practice #4: Evaluate physical controls and data location
It can be far too easy to forget about the physical location of data when utilizing email Security as a Service products and services. Remember there is a data center somewhere that is housing your organization's most confidential information and competitive secrets. This data center should have physical controls such as fire protection, an uninterruptible power supply (UPS), redundant power circuits, and card access control systems. Organizations should review a provider's disaster recovery and business continuity plans before entering into any agreements.
There is another issue organizations often overlook when entering into a cloud-services agreement that could seriously impact how email is stored, transferred and secured. Don't forget that the geographical location of the data center can change, along with the specific laws around data retention, and data breach notification requirements; a change in jurisdiction could even restrict data transfers. This issue gets far more complicated if the data center is located outside of the United States. It's very important to know where the email will be stored so any legal impacts can be understood.
Email security best practice #5: Don't enter into long-term service contracts
A growing trend is blended attacks. Attackers are not relying on infected email attachments as much as they have in the past because email defenses such as antivirus and heuristics have dramatically improved. Email messages now include spoofed messages that appear to come from legitimate companies with links to the intended malicious payload. Web and email threats have started to converge, which creates the need to link Web and email security products together. A combined product may also cost less while providing more comprehensive protection. Some cloud-based email security services may not offer flexibility in the contract to allow for adding new types of protection or moving to a new product with integrated capabilities. Contracts should not be for long periods of time as security threats and defenses are always evolving. It's important to not get locked into a single service without options.
Email security best practice #6: Get out of the email security business
Email Security as a Service offers the same benefits all cloud-computing platforms provide, including reduced hardware requirements and scalability without major capital investment. There is another advantage with email security services that doesn't get as much hype: reduced bandwidth. The email security service provider can process the spam and fend off malicious attacks while the customer only processes legitimate messages. With all of the other advantages of email Security as a Service products and services, a best practice may be to get out of the email security business to focus on more critical security projects.
About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.