When the subject of email security is mentioned, the first thought that comes to mind is spam or more appropriately anti-spam.
Historically, messaging security solutions focused on protecting corporate networks from outside annoyances like spam, as well as messaging-based threats such as viruses, phishing attempts, directory harvest attacks and other external threats. This mentality of "keeping the bad stuff out" has allowed internally driven threats to go virtually unchecked. Yet we still tend to assume that firewalls and antivirus are all we need to "keep the good stuff in."
Vendors across the mail security space tout their effectiveness at spam detection and speed-to-market with anti-virus signatures. Both of these approaches are completely reactive, and both are focused on the wrong direction of critical data flow. We must recognize that the scope of threats to email security includes the inside menace.
Beginning with the worldwide outbreak of computer worms in the 1990s (e.g. Melissa), administrators all over the globe have been forced to protect their internal networks and critical infrastructure (file servers, mail servers, executives' workstations) to avoid infection. Even limited infection can completely paralyze the infrastructure of a company for hours or days and can be very expensive to remediate.
With the advent of rapidly spreading email worms, a new feature for protecting company IT assets had to be put in place. In addition to providing protection against infection, attention had to be turned to preventing further distribution of worms and viruses. Countries all over the world passed laws to hold those who did nothing to prevent the spread of worms and viruses liable.
Interestingly, the spam problem arose in this same timeframe. Worm protection was no longer needed only to shield companies from the flood of spam; it also became a requirement for ensuring that they did not become unintentional spam distributors. Once classified as a confirmed spam source, a company's mail servers will very probably be added to block lists. Such a listing can completely interrupt the email communication that most enterprises consider business critical.
The inside menace
Although in the past enterprises had to protect themselves against inbound data and also had to filter outbound data, threats were typically initiated from the outside.
According to recent statistics, however, 80 percent of all security issues are now initiated from the inside – meaning by employees and other trusted insiders. Such security issues cover a broad range of careless or criminal usage of data. The well-established email protection tools of today (virus and spam filters) do not take into consideration the reality of today's threat level.
Since email is the most important communication platform for enterprises, it is highly recommended that companies implement the newly developed technologies for monitoring and blocking malicious content, often referred to as data leakage or extrusion protection.
Because of this increasing insider threat, new legislation and regulations have also been developed in the last couple of years to govern the use of companies' data and communication infrastructure. Examples of such regulations include SOX, HIPAA, Basel II and companies' own acceptable use policies.
Due to the complexity of these regulations, and the fact that violations often result in large fines and penalties (not to mention significant indirect costs), companies need solutions that are designed to support compliance.
Such violations include illegally sending or publishing:
Confidential intellectual property – a company can easily lose its technical or market advantage.
Information that damages the reputation of the company, such as disparaging the competition publicly.
Inappropriate content such as pornographic material. This has a high potential for discrediting the brand of a company and bringing on harassment lawsuits.
Email security solutions today have to meet complex requirements. Different groups within companies, such as finance, engineering and sales, all have a variety of diverse needs. For example, information that is prohibited from being sent out by one department may need to be sent out by another – at least to certain recipients.
Securing this type of environment can only be achieved through solutions featuring a wide range of content analysis capabilities coupled with a very flexible and granular rule system. However, implementation of such automated solutions is only effective after companies diligently develop messaging policies and procedures that are appropriate for their organization. Only then can IT solutions be implemented to support established workflows while adequately securing messaging infrastructure.
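The combination described above, content analysis feeding a granular rule system that can say "this category may leave the company only from this department and only to these recipients," is easiest to understand as code. The following is an added example, not code from the author or from IBM Internet Security Systems; the classifiers, the departments, the domains (corp.example, auditor.example, partner.example) and the sample messages are all constructed for illustration, and a real deployment would take the sender's department from the directory rather than from the message.

```python
import re
from dataclasses import dataclass

# Hypothetical company domain; mail that stays inside it is not an outbound leak.
INTERNAL_DOMAIN = "corp.example"


@dataclass(frozen=True)
class Message:
    sender: str
    department: str        # constructed here; a real gateway would look this up in the directory
    recipients: tuple
    subject: str
    body: str


# Content classifiers (constructed and deliberately simple): category -> pattern that flags it.
CLASSIFIERS = {
    "financial_results": re.compile(r"\b(quarterly (revenue|earnings)|unreleased results)\b", re.I),
    "source_code": re.compile(r"(#include\s*<|^\s*def \w+\(|^\s*class \w+[:(])", re.M),
    "disparagement": re.compile(r"\b(our competitor|their product) (is|are) (a )?(scam|fraud|garbage)\b", re.I),
}

# Policy: category -> {department: set of external recipient domains it may go to}.
# "*" means any domain; a department absent from a category may not send it externally at all.
POLICY = {
    "financial_results": {"finance": {"auditor.example"}, "executive": {"*"}},
    "source_code": {"engineering": {"partner.example"}},
    "disparagement": {},   # nobody may send this outside the company
}


def classify(msg):
    """Return the set of content categories detected in the subject or body."""
    text = msg.subject + "\n" + msg.body
    return {cat for cat, rx in CLASSIFIERS.items() if rx.search(text)}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(msg):
    """Return ('allow', []) or ('block', [reason, ...]) for one outbound message."""
    external = [r for r in msg.recipients if domain_of(r) != INTERNAL_DOMAIN]
    if not external:
        return "allow", []          # internal-only mail is outside this policy's scope
    reasons = []
    for cat in sorted(classify(msg)):
        allowed = POLICY.get(cat, {}).get(msg.department)
        if allowed is None:
            reasons.append(f"{cat}: department '{msg.department}' may not send this externally")
        elif "*" not in allowed:
            denied = [r for r in external if domain_of(r) not in allowed]
            if denied:
                reasons.append(f"{cat}: not permitted to {', '.join(denied)}")
    return ("block" if reasons else "allow"), reasons


# Constructed sample traffic: the same content is allowed or blocked depending on who sends it and to whom.
SAMPLE_MESSAGES = [
    Message("cfo@corp.example", "finance", ("lead@auditor.example",),
            "Q3 close", "Attached are the quarterly earnings figures."),
    Message("rep@corp.example", "sales", ("buyer@customer.example",),
            "Good news", "Our quarterly revenue beat the forecast!"),
    Message("dev@corp.example", "engineering", ("ci@partner.example", "friend@mail.example"),
            "parser", "def parse(line):\n    return line.split(',')"),
    Message("rep@corp.example", "sales", ("buyer@customer.example",),
            "Re: vendor", "Honestly, their product is garbage."),
    Message("dev@corp.example", "engineering", ("lead@corp.example",),
            "draft", "Our quarterly revenue draft, internal only."),
]


def run_samples():
    """Evaluate every sample message; returns (sender, department, decision, reasons) tuples."""
    return [(m.sender, m.department) + evaluate(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for sender, dept, decision, reasons in run_samples():
        print(f"{decision:5} {dept:12} {sender}  {'; '.join(reasons)}")
```

The design point is that the decision never comes from the classifier alone: the same "quarterly earnings" text is allowed from finance to the auditor, blocked from sales to a customer, and ignored entirely when it stays inside the company. Swapping the regexes for a real content engine leaves the rule evaluation unchanged, which is why the policy work the text calls for has to come first.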
- Carsten Dietrich is director of content security, IBM Internet Security Systems.