In the face of external email-borne attacks, email security should reflect the three basic aspects of security: confidentiality, integrity and availability, says Peter Stephenson.
This month we take a deep dive into email security. Looking at the products we have this year in contrast to last year's bunch we found that the new functionality is remarkable for its innovation and convergence with other, similar product types. Briefly, email gateways are more comprehensive than ever before and this is a big benefit to users.
The players this year are a mix of old and new. The old standbys, mellowed and matured by experience, have come up with some interesting new wrinkles on old themes. To reverse a metaphor, this is new wine in old bottles, surely a good thing if the vintner knows what it's doing.
Old school email security was pretty much encrypt to outgoing email and stop the phishing attacks. Occasionally we would see non-repudiation and there were some specialized products that did things such as destroy outbound messages after some period of time. A lot of that functionality moved into data leakage protection and now, ironically, some DLP functionality is moving into email security gateways.
A good place to start is to get a bit of a handle on what we mean by email security, then. For that we referred to a paper called "Email Security Threats," written for SANS Reading Room by Pam Cocca. Ms. Cocca tells us that email security should reflect the three basic aspects of security: confidentiality, integrity and availability. She tells us that confidentiality means that email "...is protected from unauthorized access." Integrity means that "...it has not be modified or destroyed by an unauthorized individual." And, availability means "...ensuring that mail servers remain online and able to service the user community." We think Cocca is on the right track and we will use her definitions as our straw-man. (Incidentally, we recommend her paper which can be found with a simple Google search).
While this month's products do not particularly address availability, they certainly address the other two. And, if we reverse Ms. Cocca's availability definition a bit to reflect keeping our systems online and available in the face of external email-borne attacks, she's right on target. So, let's look at each of these criteria in the context of selecting a product to secure your email communications channel.
Confidentiality is simple...on the surface. We have seen email encryption for some years now, but in the face of inbound threats we have a new problem: unintended data exfiltration. We usually look to DLP systems for that, but why not look to our email gateway? Why not, indeed? And that is what at least one of this month's products does. So, to address confidentiality we should look for encryption - which needs to be easy to use and as transparent to the user as possible, including the users on both ends of the message - and we should look at how we might benefit from having some DLP functionality built in. How much, of course, is up to you and what tools you have currently deployed.
Attachments also can pose a confidentially issue. For that we tend to use something such as DropBox secured with some form of encryption, such as nCrypted Cloud. Some of this month's products address that requirement directly as well, adding both security and convenience to the mix.
Integrity is an extension, functionally, of confidentiality. By that we mean that achieving confidentiality in the ways we describe may very well address integrity as well. For example, if I encrypt an email and I ensure its integrity by applying a hash, tampering - decrypting attempts - may reflect in the hash. There are other ways to address integrity and it is important that you examine the product for some form of protection in this area.
Finally, we come to availability. We do not want inbound email-borne malware to affect our internal systems. To some degree, this also impacts integrity since databases may be altered by mail-borne malware attacks. One of the important - and traditional - functions of an email security gateway is thwarting these attacks, which may be the result of some form of phishing or infected (html) email. This aspect - the most important functionality traditionally and still extremely important - is critical to a good email security product and you should look carefully at how the tool accomplishes this protection as well as how effective it is.
So, that takes us to the end of our ramblings and to the succinct analysis by our lab. There are good products - old and new - in this batch and we commend them to you for your perusal. The group is small but, we believe, rather elite. On with the show!
