Email Security – What Are The Issues?
In today’s electronic world, email is critical to any business being competitive. In most cases it now forms the backbone of most organisations’ day-to-day activities, and its use will continue to grow. According to the The Radicati Group’s study, “Microsoft Exchange and Outlook Analysis, 2005-2009,” the worldwide email market will grow from 1.2 billion mailboxes in 2005 to 1.8 billion mailboxes in 2009.
As email becomes more prevalent in the market, the importance of email security becomes more significant. In particular, the security implications associated with the management of email storage, policy enforcement, auditing, archiving and data recovery. Managing large, active stores of information takes time and effort in order to avoid failures – failures that will impact the users and therefore the business, undoubtedly leading to lost productivity. For secure and effective storage management, organisations must take a proactive approach and invest wisely in a comprehensive solution.
When considering a secure email storage management solution, a layered approach, combining both business processes and applications makes sense. By considering the service email provides to the business, email management can be broken down into a number of components: mail flow, storage, and user access – both at the server and user levels. Whilst each one of these components should be addressed separately, they must be viewed as part of a total security agenda.
Mail flow can encompass many aspects of an email system. However, the security of mail flow is for the large part focused around the auditing and tracking of mails into and out of the organisation. Monitoring the content and ensuring that any email that has been sent and received complies with business policy is fundamental. Proving who has sent or received email is a lawful requirement for many industries and email can often be used as evidence in fraud and human resource court cases.
Another key aspect of the management of mail flow security is the protection of the business from malicious or unlawful attacks. It is at the gateway into the mail system where a business must protect itself via a variety of methods including hardware and software protection systems, such as spam filters and virus scanners.
Storing of the actual email data includes physical storage, logical storage, archiving systems as well as backup and recovery solutions. The biggest security threat to any email storage system is the potential for mail data to be lost. Most organisations see this threat as existing in the datacentre and spend many millions of pounds on securing it. In fact, the threat is most likely to come from lost or stolen hardware, such as laptops containing offline email files. When you consider that the number of employees working remotely is growing, including those who only work away from the office periodically, email security on laptops becomes more significant. Providing a managed method of archiving and controlling this data is therefore essential.
When it comes to archiving, organisations should take a two-pronged approach, to reduce the risk and retain corporate knowledge. Firstly, users should be frequently educated about email retention policies. In addition, an archiving solution should enable administrators to remove items from users’ mailboxes based on administrator-configured options such as the age or size of a message. Administrators should be able to control, retain and backup the email files, by consolidating the information stored in email files whilst ensuring that users are prevented from simply creating new emails.
Organisations must plan for the inevitable request to recover data from backups and archives. For the most critical users, such as company executives, many administrators have turned to slow, expensive brick-level backups to provide quick restoration of data to a select few. However, with the onslaught of regulations dictating email retention policies, organisations need to have a comprehensive recovery plan for their entire organisation. For example, Bank of America was fined $10 million USD in March 2004 when it failed to turn over messaging data to the U.S. Security and Exchange Commission (SEC) in a timely manner (currently interpreted as only 36 to 72 hours). Faced with this challenge, the traditional method of restoring lorry loads of backup tapes to find all the communications that fit specific criteria is extremely time consuming, and not entirely accurate.
An email recovery solution must allow for individual, message-level items, including; messages, appointments, tasks, contacts, and attachments to be quickly restored from regular backups and information stores without setting up a dedicated recovery server.
A large risk to email data within the enterprise is unlawful access to highly sensitive mailbox information. Without a method to both secure and audit this access, there can be no guarantee that data is in fact secured. This can be any link in a lengthy chain, all the way from the administrator resetting, and therefore knowing, the CEO’s password through to proving that some other party had access to his/her mail account. Authentication and mailbox data security are both constant battles that need to be monitored closely to ensure that the critical data contained within the email system is available only to those for whom it’s intended.
The email client is another threat to the security of a business’s mail system. It is here that often the greatest threat to the businesses is found. With the increased viability of email access via the internet, another level of process and control needs to be addressed. Although secure when implemented properly the potential for people to illegally access this information is much higher. Consequently, organisations must focus their attentions to not only addressing the immediate security threats of the standard mail client from viruses and the like, they also need to invest in strategies for the control of access to mail data via the internet.
Of this ever expanding email market Radicati reports that Microsoft’s Exchange server currently commands a 33% market share of the in-house messaging software market. This is up from 31% in 2003 and expected to reach 39% by 2009. With the release of Microsoft’s Exchange 2003 we have now seen a more secure and manageable mail system. However, creating any secure email environment that can be managed efficiently and proactively requires a solution that addresses all of the issues, without exception. As with Exchange, this will usually involve the use of third party add-ons. Only then can a business be confident in its knowledge that the security of its email system is not being compromised.