The threats and problems posed by email in large and complex organizations are different in kind, and larger by an order of magnitude, than the problems those organizations first solved with an email 'point product' some years earlier.
When an organization first runs into problems enforcing its email policy, it typically buys one product to solve that one problem.
As email has grown in both volume and sophistication, organizations have tended to acquire further point products, each covering one function: anti-virus, boundary email, internal email filtering, URL blocking, anti-spam or secure email.
For large, complex organizations the management and integration of these point products is at best difficult, and at worst impossible. This exposes the organization to security risks, organizational confusion, performance problems, administration difficulties and a lack of management information.
Secure Content Point Products
Most organizations find themselves having deployed what are usually termed 'point products' to fix their email security problems, and until recently this was largely the only option.
These products were designed to be simple and quick to install; the prime driver was the wish to 'plug' the hole through which viruses arrived in email, web pages and attachments. Most organizations initially deployed one or two servers, simply to filter inbound/outbound email and web traffic.
During the last few years, email volume and web traffic have increased dramatically, and this growth is predicted to continue. IDC estimates that 31 billion emails will be sent each day in 2002, and that this daily volume will exceed 60 billion by 2006. The need for more in-depth policy enforcement, to counter threats that increase daily, has grown with it. Point products are now deployed at multiple gateways and also across many internal mail servers (e.g. Microsoft Exchange and Lotus Domino).
Point products are largely designed for one specific location. Each is controlled from a management interface that has a one-to-one relationship with its server, so the more servers you deploy (internal email or boundary SMTP gateway), the more points of control you have to manage. Every single change (a new user, network or policy rule, etc.) has to be replicated by hand on every server, which is labor-intensive and slow.
Broadly speaking, point products have no granular access control. Administration is all or nothing: anyone with login rights to the server can change anything, and anyone without them can do nothing, so the right to administer policy is tied to the right to administer the host itself. Modern companies need the ability to grant access in accordance with a person's role and responsibilities. For example, network planners might need merely to view usage profiles and statistics, while security staff might need to make policy changes and view selected queues. In addition, different business units might need the ability to monitor and control their own domains, and only their own.
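The access split described above can be expressed as a small deny-by-default authorization check. The following is an added illustration, not code from Clearswift or from any product the article discusses; the role names, actions, principals and domains are constructed for the example, and the rule that a business unit's administrators are confined to their own domains is modelled by scoping each principal to a set of domains.

```python
"""Deny-by-default, role- and domain-scoped authorization for gateway administration.

Added example (not Clearswift code). Roles, actions and domains are constructed
to mirror the split in the text: network planners view statistics only, security
staff change policy and view queues for any domain, business-unit administrators
control only their own domains. Anything not explicitly granted is refused.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Actions each role may perform. Note that none of them is "log in to the
# server": policy administration is separated from host administration.
ROLE_ACTIONS = {
    "network_planner": frozenset({"view_stats"}),
    "security_staff": frozenset({"view_stats", "view_queue", "change_policy"}),
    "unit_admin": frozenset({"view_stats", "view_queue", "change_policy", "release_message"}),
}

ANY_DOMAIN = "*"  # wildcard scope for roles that span the whole organization


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    domains: FrozenSet[str]  # domains this principal may act on; {"*"} means all


def authorize(principal: Principal, action: str, domain: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown roles, ungranted actions and
    out-of-scope domains all deny; there is no implicit grant anywhere."""
    actions = ROLE_ACTIONS.get(principal.role)
    if actions is None:
        return False, f"unknown role {principal.role!r}"
    if action not in actions:
        return False, f"role {principal.role!r} may not {action!r}"
    if ANY_DOMAIN not in principal.domains and domain not in principal.domains:
        return False, f"{domain!r} is outside the scope of {principal.name!r}"
    return True, "granted"


# Constructed sample principals (hypothetical names and domains).
PLANNER = Principal("planner", "network_planner", frozenset({ANY_DOMAIN}))
SECURITY_STAFF = Principal("secops", "security_staff", frozenset({ANY_DOMAIN}))
EMEA_ADMIN = Principal("emea-admin", "unit_admin", frozenset({"emea.example.com"}))


def demo() -> None:
    """Walk through the decisions for a few representative requests."""
    requests = [
        (PLANNER, "view_stats", "apac.example.com"),        # allowed: read-only anywhere
        (PLANNER, "change_policy", "apac.example.com"),     # denied: planners do not edit policy
        (SECURITY_STAFF, "change_policy", "apac.example.com"),  # allowed: org-wide policy role
        (EMEA_ADMIN, "release_message", "emea.example.com"),    # allowed: own domain
        (EMEA_ADMIN, "release_message", "apac.example.com"),    # denied: another unit's domain
    ]
    for principal, action, domain in requests:
        allowed, reason = authorize(principal, action, domain)
        print(f"{principal.name:11} {action:16} {domain:18} -> {'ALLOW' if allowed else 'DENY '} ({reason})")


if __name__ == "__main__":
    demo()
```

The point of the scope check is that a business unit's administrator holds real change rights, but only inside its own domains; the same request against another unit's domain is refused without any per-server login being involved.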
The way that most point products are built means that they need to be run by highly trained technical staff. As time moves on, it becomes obvious that the business requires a variety of people to access the systems. Therefore, the management and control needs to be made simpler, easier to understand and to manage. In addition, there is a growing need for the ability to control and report across the wider organization and to archive emails where necessary.
Most large organizations have anti-virus, firewall and content filtering point products in place. There are many good products available for each problem, but over time this approach has turned into a much broader management issue. Given the distribution of server technology, the demands of increased traffic on networks and the absence of accurate reporting on messaging traffic, the point product approach is too difficult to manage and deploy to deliver enterprise-wide content security and make the best use of resources. What larger, complex, distributed enterprises now need is a more holistic approach to managing and securing electronic communications.
In very large, mature, global enterprises, it is not unusual to have to support a heterogeneous IT infrastructure with a mixture of Windows NT/2000 and Unix platforms. Each platform poses its own distinctive email threats.
Another issue organizations face is encrypted messaging. Anti-virus and content filters can only inspect plaintext, so encrypted mail passes through them unexamined unless a gateway has been deployed that manages the encryption of email and, because it holds the keys, can scan the content as well. Today organizations either turn a blind eye and allow encrypted messages in unscanned, or block them all. The latter adds the management overhead of releasing legitimate messages one at a time; the former leaves a considerable hole in the security policy.
A further point to consider is that of multiple gateways with point products. Many organizations struggle to keep the rule set consistent across those point products. An organization that has a corporate policy on email and web usage must be able to enforce that policy at every point of entry to the network, since the policy is only as strong as the gateway on which it is weakest.
As the problems of performance, scalability, redundancy and new threats have grown, most organizations have simply thrown more hardware and software at the issues as a 'quick fix.' At Clearswift, we often refer to this as 'band-aid' security control, or merely fire fighting the damage as it appears. Large companies are now being forced to take a step back and look at how they can manage these important issues more efficiently and cost effectively.
We see the following trends emerging in organizations that continue to allow 'band-aid' tactical security products and techniques to be deployed:
- Large numbers of staff are required to update, manage and control fairly routine changes in e-policy.
- Performance (throughput) problems are answered by implementing large volumes of additional software and hardware.
- Perceived business value of e-security is undermined because it is, at best, very difficult to generate any meaningful management information from existing point products.
- Tightening the security policy is neglected because day-to-day implementation and control are too difficult to administer.
- Large security gaps result when central company e-policy is not implemented consistently across dispersed organizations.
- There are security holes where corporate e-policy is switched off or ignored because it slows email and web traffic.
- Internal wrangles arise about ownership and administration of security policy. IT owns the hardware and software and generally has to make changes, while security owns policy and ensures it is enforced, but lacks the IT skills to do this. In the background, the human resources department usually also wants a say in how this process is administered.
- There is a temptation to use inappropriate software management tools to try to control the point products.
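Inconsistent rule sets across gateways, and rules quietly switched off on one of them, are the two failure modes the text raises (in the paragraph on multiple gateways and in the list above). The check below is an added example, not Clearswift code: it compares each gateway's rule set against a central reference and reports missing rules, locally added rules and rules that are present but disabled. The central policy, gateway names and rule format are constructed for the example, and the comparison treats rule order as irrelevant; if a product evaluates rules in sequence, the ordering would have to be compared as well.

```python
"""Detect policy drift across multiple gateways.

Added example (not Clearswift code). CENTRAL_POLICY and GATEWAYS are constructed
sample data in a made-up rule format. Rules are compared by canonical form so
that ordering differences are not flagged; rules that are missing, local-only,
switched off, or changed relative to the central copy are.
"""
import hashlib
import json
from typing import Dict, List

Rule = Dict[str, object]

CENTRAL_POLICY: List[Rule] = [
    {"id": "av-scan", "action": "block", "match": "virus", "enabled": True},
    {"id": "exe-attach", "action": "quarantine", "match": "attachment:*.exe", "enabled": True},
    {"id": "encrypted-inbound", "action": "quarantine", "match": "content:encrypted", "enabled": True},
    {"id": "size-limit", "action": "block", "match": "size>10MB", "enabled": True},
]

GATEWAYS: Dict[str, List[Rule]] = {
    # Same rules in a different order: this gateway is in sync.
    "gw-london": list(reversed(CENTRAL_POLICY)),
    # One rule never deployed, another switched off "for performance".
    "gw-newyork": [
        {"id": "av-scan", "action": "block", "match": "virus", "enabled": True},
        {"id": "exe-attach", "action": "quarantine", "match": "attachment:*.exe", "enabled": True},
        {"id": "size-limit", "action": "block", "match": "size>10MB", "enabled": False},
    ],
    # Full central policy plus a rule added locally, outside central control.
    "gw-singapore": CENTRAL_POLICY + [
        {"id": "marketing-allow", "action": "allow", "match": "sender:*@partner.example", "enabled": True},
    ],
}


def canonical(rule: Rule) -> str:
    """Stable serialization so that key order in the rule dict does not matter."""
    return json.dumps(rule, sort_keys=True, separators=(",", ":"))


def fingerprint(rules: List[Rule]) -> str:
    """Order-insensitive hash of a whole rule set; equal hashes mean identical policy."""
    body = "\n".join(sorted(canonical(r) for r in rules))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def drift_report(central: List[Rule], gateways: Dict[str, List[Rule]]) -> Dict[str, dict]:
    """Compare every gateway with the central policy and list each deviation."""
    reference = {str(r["id"]): r for r in central}
    reference_fp = fingerprint(central)
    report = {}
    for name, rules in gateways.items():
        local = {str(r["id"]): r for r in rules}
        findings = []
        for rid, rule in reference.items():
            if rid not in local:
                findings.append(f"missing rule {rid}")
            elif not local[rid].get("enabled", False):
                findings.append(f"rule {rid} switched off")
            elif canonical(local[rid]) != canonical(rule):
                findings.append(f"rule {rid} differs from central")
        for rid in sorted(local.keys() - reference.keys()):
            findings.append(f"local-only rule {rid}")
        report[name] = {"in_sync": fingerprint(rules) == reference_fp, "findings": findings}
    return report


if __name__ == "__main__":
    for gateway, result in drift_report(CENTRAL_POLICY, GATEWAYS).items():
        status = "in sync" if result["in_sync"] else "DRIFT"
        print(f"{gateway}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run periodically against exported configurations, a report like this gives the security team the evidence that policy is enforced everywhere, rather than relying on each server's administrator to say so.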
Pervasive Implementation of Email Policy
A major issue to address is the pervasive implementation of policy. For the enterprise, the point product approach falls short in two ways. First, the applications themselves are not designed for distributed implementation: changing policy in the complex organization means physical interruption to multiple servers in multiple locations. This means time, cost and plenty of room for error. Secondly, the different technologies require different methods of management: there is no single way of implementing cross-organizational policies -- whether for interception, transport, content types or encryption -- that ensures consistency, speed and accuracy.
Email and web have ceased to be merely communications protocols. For many employees they are the essence of work -- if email breaks down, so does the enterprise. The increases in email volume, web pages and electronic transactions show that commercial and government organizations are now totally dependent on the ability to send, receive, archive and retrieve electronic content for their minute-by-minute operations. At the same time, these organizations are coming under increasing legislative and social pressure to ensure a clean, safe digital environment for employees, customers and shareholders. The demands for 24/7 throughput, immediate access and secure communications have been at odds -- and the enterprise has to resolve that conflict.
Securing Content - Enforcing Policy - Mastering Complexity
What large, complex organizations need is a single point of control for the replication, distribution and enforcement of all messaging policies across the enterprise. This same single control point should also enable the integration and management of content filtering and encryption engines at the boundary, internally and for web access.
There should be no limitation on the number of protocols that can be supported -- or the number of machines within protocols. There cannot be any limitations on how the individual machines, protocols, system elements, users and administrators can be distributed. Similarly, enterprises need no limits on the amount of information that can be collected and summarized across and within protocols about users, system elements and operational parameters.
The management, deployment and administration of the policy and encryption engines must appear to the user as a seamless whole -- as must the integration and interworking of other key software and hardware investments made by companies.
Paul Rutherford is chief marketing officer for Clearswift (www.clearswift.com).