As they stand today, the architectures of SMTP and other e-mail protocols are sorely lacking, mainly because of a dearth of baked-in security. On the Web, a site's SSL certificate ties the server you reached to the domain name you typed; e-mail has no universally deployed equivalent, and a sending server can put any domain it likes in the envelope and headers. It's still the Wild West out there.
One way those loose protocols work to our advantage, however, is the ease with which e-mail security services can be deployed. Change your domain's DNS MX records to point at the provider, and all inbound mail flows through the cloud-based service before being relayed to your server. Damage from outages is mitigated by the underlying protocol: sending servers queue messages and keep retrying failed connections for days, and because each MX record carries a preference value, you can list several hosts to be tried in order. One thing the MX change does not do for you: once mail is supposed to arrive only through the service, configure your own server to accept SMTP connections only from the provider's relay addresses. Otherwise anyone who finds your server's address (or a stale MX record) can deliver straight to it and skip the filtering entirely.
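To make the two points above concrete, here is an added example (written for this page, not code from the article or from any vendor). It orders a domain's MX hosts the way a sending server tries them under RFC 5321 (lowest preference value first, ties in random order), and shows the connection policy your own server should enforce once the MX records point at a hosted filter. The hostnames, preference values and address ranges are assumptions constructed for illustration.

```python
import ipaddress
import random

# Constructed MX record set for a hypothetical domain whose inbound mail is
# routed through a hosted filtering service. Hostnames, preference values
# and address ranges are assumptions for illustration, not real records.
MX_RECORDS = [
    (10, "mx1.filter-service.example"),
    (10, "mx2.filter-service.example"),
    (20, "mx3.filter-service.example"),
]

# Assumed address ranges from which the hosted service relays accepted mail.
FILTER_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def delivery_order(records, rng=random):
    """Order MX hosts the way a sending MTA tries them (RFC 5321, section 5.1):
    lowest preference value first, with hosts sharing a preference value in
    random order so that load spreads across the tier. A sender only moves
    on to the next tier after every host in the current one has failed."""
    tiers = {}
    for preference, host in records:
        tiers.setdefault(preference, []).append(host)
    ordered = []
    for preference in sorted(tiers):
        tier = list(tiers[preference])
        rng.shuffle(tier)
        ordered.extend(tier)
    return ordered


def from_filter_service(peer_ip, networks=FILTER_NETWORKS):
    """True if the connecting address belongs to the hosted service."""
    address = ipaddress.ip_address(peer_ip)
    return any(address in network for network in networks)


def connection_policy(peer_ip, networks=FILTER_NETWORKS):
    """Decision for a connection to your own server's port 25 once the MX
    records point at the service. Mail can still be delivered directly to
    any address a sender can find, so a connection that does not come from
    the service's relays has bypassed the filter and should be refused."""
    return "accept" if from_filter_service(peer_ip, networks) else "reject"


if __name__ == "__main__":
    print("delivery order:", delivery_order(MX_RECORDS))
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, "->", connection_policy(ip))
```

The same accept-only-from-the-filter rule belongs in your mail server's access controls and in the firewall in front of it; the function above only shows the decision, not where to enforce it.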
Current investments in security software and mail servers need not be tossed out the window, either. Rather, their life spans are extended significantly. A recent Trend Micro customer survey showed that 15% to 20% of its customers had experienced network outages or other problems caused by malicious payloads or the sheer volume of inbound e-mail. Using a hosted service means the vast majority of damaging and wasteful content is filtered before it even hits your network, letting you keep your existing hardware longer --sure to go over well in this economy. Finally, some vendors offer feature parity between their locally deployed security software and their cloud-based services, so there's no reason to lower your expectations on the level of control you have over your e-mail security.
Today, e-mail security threats generally fall into one of two categories: Either bad stuff is coming in, or good stuff is leaking out.
On the inbound side, not only has the volume of bad stuff increased dramatically over the past decade, but so has the variety. The Messaging Anti-Abuse Working Group estimated that 72% of e-mail was spam in the fourth quarter of 2005. By 2008, spam was consistently above 90%. We've heard estimates from vendors placing the volume today at above 95%.
As for what's being thrown at us, it's not just run-of-the-mill commercial spam--yes, "buy our pills" still remains a lucrative business for those willing to incur the wrath of the Internet and, increasingly, law enforcement. We're also dealing with malicious attachments; random noise as spammers attempt to devalue and disrupt learning-based protection systems; direct mail connections from botnet-controlled endpoints; and URL-based attacks leveraging browser exploits or promiscuous users to execute malicious code without ever e-mailing a file. There's seemingly no end to the badness.
Of course, these threats sap your productivity and waste your bandwidth. Increasingly, though, organizations are considering more than just the threats coming in; they're concerned about the data that's leaving as well.
DLP On The Cheap
If you're not yet ready--or in a financial position--to implement a full internal data loss prevention system, look to your e-mail vendor. Outbound filtering is quickly becoming a must-offer service option to remain competitive in this market. Objectionable-content filtering is closely aligned with data loss prevention.
Outbound controls typically include at least some form of basic DLP, such as blocking credit card patterns or Social Security numbers. If you expect to implement full DLP functionality within your e-mail security budget, however, be prepared to open your wallet a bit wider.
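The basic outbound check described above is pattern matching, and the question to put to a vendor is what it does about false positives. The following added example (written for this page, not code from the article or from any vendor) shows the difference: it scans a message body for card-number and Social Security number patterns, then discards card candidates that fail the Luhn check digit test and SSN candidates in ranges the Social Security Administration never issues. The sample message is constructed; a random digit string passes Luhn only one time in ten, so that single check removes most order numbers and phone numbers from the hit list.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or hyphens, not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# US Social Security numbers in the usual NNN-NN-NNNN form.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits):
    """Luhn check digit test, which every real payment card number passes.
    Walking from the right, every second digit is doubled (minus 9 if the
    result exceeds 9); the total must be a multiple of ten."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the digit strings that look like card numbers and pass Luhn."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text):
    """Return SSN-shaped values, dropping ones the SSA never issues:
    area 000, 666 or 900-999, group 00, serial 0000."""
    found = []
    for match in SSN_CANDIDATE.finditer(text):
        area, group, serial = (int(part) for part in match.groups())
        if area in (0, 666) or area >= 900 or group == 0 or serial == 0:
            continue
        found.append(match.group(0))
    return found


def scan_outbound(body):
    """Policy decision for one outbound message body: quarantine on any hit."""
    findings = {"cards": find_card_numbers(body), "ssns": find_ssns(body)}
    action = "quarantine" if findings["cards"] or findings["ssns"] else "deliver"
    return action, findings


if __name__ == "__main__":
    # Constructed sample: one real-looking card number (a well-known test
    # number), one order number that merely looks like a card, one SSN and
    # one phone number.
    sample = ("Please bill 4111 1111 1111 1111 for order 1234 5678 9012 3456. "
              "Employee SSN 123-45-6789; call 555-123-4567 with questions.")
    print(scan_outbound(sample))
```

A production filter would also look at attachments and at encoded or split-up values, which is the gap between this kind of bundled check and the full DLP products the next paragraph describes.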
Vendors we spoke with report that the customers purchasing content-filtering technologies tend to be large organizations, those with stringent legal or contractual obligations for data security, and simply those with mature information security initiatives that have moved on to focus on data leakage issues as opposed to the simple annoyance of spam or the threat of inbound malware.
One caveat: Tread carefully if a vendor tries to sell you on e-mail whitelisting techniques. While positive security models do provide stronger defenses and are a much more promising long-term solution to malware than desktop antivirus, they simply don't apply to e-mail. Think about it: E-mail works for the business because we receive messages from new, different people all the time. While whitelisted applications on a desktop are easily hashed and validated as legitimate, it's impossible to perfectly validate an incoming e-mail as being from the person it claims to be from. Therefore, it will be impossible to implement positive-security models in e-mail. Show the door to any vendor selling that particular brand of snake oil.
Note that whitelisting isn't the same as technologies that use reputation of a particular e-mail address as one scoring metric.
Don't Forget Your Keys
In our recent InformationWeek Analytics Data Encryption Survey of 499 business technology professionals, we asked about the encryption now implemented in respondents' organizations, and what they plan to add within the next 12 to 24 months. Overall, e-mail/communication system encryption, such as PGP and S/MIME, came in fourth, behind SSL or IPSec VPNs, file systems, and backup media--and ahead of mobile device, full disk, and database encryption.
Now, we're fans of encryption being deployed as widely as possible, but be aware that encrypting e-mail can mean different things to different vendors, so it's important to know what's being offered. First, forced transport layer security (TLS on the SMTP connection, with a policy that refuses to fall back to cleartext) is, technically, encryption for e-mail. That said, it protects only the one server-to-server connection on which it is negotiated. The receiving server holds the message in the clear and may simply turn around and relay it to the next hop over an unencrypted link, and you have no way to require otherwise.
This feature will be attractive to companies interested in only a perfunctory level of compliance with e-mail encryption requirements. State privacy laws may be a motivator here. After all, once a message leaves your mail server, the thinking goes, it's not your fault if the receiving mail server mishandles the e-mail, right?
Only if you don't care about security best practices and defense in depth.
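You can see how far TLS actually carried a message by reading its Received headers, which each server adds in turn. The following added example (written for this page, not code from the article) walks those headers in origin-to-destination order and flags each hop as encrypted or not, using the "with ESMTPS"/"ESMTPSA" keywords RFC 3848 defines for TLS sessions and the "(using TLS...)" comment Postfix writes. The message is a constructed sample with made-up hostnames, and only the Received lines written by servers you control can be trusted, since any upstream server can write whatever it likes.

```python
import email
import re

# Constructed sample message, not a real capture. Three hops: the first and
# last used TLS, the middle one was made in the clear. Hostnames and
# addresses are made up for the example.
SAMPLE_MESSAGE = """\
Received: from relay.partner.example (relay.partner.example [198.51.100.7])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    by mx.ourcompany.example (Postfix) with ESMTPS id 4F2A1;
    Mon, 4 May 2009 10:05:02 +0000
Received: from mail.sender.example (mail.sender.example [192.0.2.25])
    by relay.partner.example (Postfix) with ESMTP id 9C11B;
    Mon, 4 May 2009 10:04:58 +0000
Received: from [10.0.0.5] (workstation.sender.example [10.0.0.5])
    by mail.sender.example (Postfix) with ESMTPSA id 77D2E;
    Mon, 4 May 2009 10:04:55 +0000
From: alice@sender.example
To: bob@ourcompany.example
Subject: Q2 numbers

The attachment has the figures.
"""

# RFC 3848 registers these "with" keywords for hops made over TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "SMTPS"}


def hop_used_tls(received_value):
    """Decide whether one Received header records a TLS-protected hop."""
    text = " ".join(received_value.split())
    keywords = re.findall(r"\bwith\s+([A-Z]+)\b", text)
    return any(k in TLS_KEYWORDS for k in keywords) or "using TLS" in text


def audit_hops(raw_message):
    """Return the hops in origin-to-destination order with a TLS flag each.
    Each server prepends its Received header, so the list is reversed to
    read from the sender's first server to the final recipient."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())
        sender = re.match(r"from (\S+)", text)
        receiver = re.search(r"\bby (\S+)", text)
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1) if receiver else "?",
            "tls": hop_used_tls(text),
        })
    return hops


def all_hops_encrypted(raw_message):
    """True only if every recorded hop was over TLS. This is an audit of
    what the servers claimed, not a guarantee: only the headers added by
    servers you control are trustworthy."""
    hops = audit_hops(raw_message)
    return bool(hops) and all(hop["tls"] for hop in hops)


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        print(f"{hop['from']:>28} -> {hop['by']:<24} TLS: {hop['tls']}")
    print("every hop encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Run against the sample, the middle hop between the sender's server and the partner relay shows up unencrypted, which is exactly the gap forced TLS on your own server cannot close.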
The proper solution--and one that is becoming a popular add-on service from many vendors--is to automatically encrypt the message content or attachment using a standard encryption engine, and rely on some other out-of-band method for transmitting key information. While this approach can have a significant impact on usability, it does guarantee that the body and attachments of e-mail leaving your organization can't be read wherever the message is sniffed or stored along the way. Note that the envelope and headers, including sender, recipient and subject line, still travel in the clear, so anything sensitive belongs in the body, not the subject. Additionally, many software-as-a-service offerings provide alternate decryption paths, such as a Web site-based pickup service or a mail-client plug-in, to minimize the inevitable trouble when a last-minute important file can't be opened. Understand, though, that pricing will vary from vendor to vendor. Most offer encryption as an add-on, but comparing plans may be difficult because the price per seat for the feature may be rolled into a flat rate, or it may be licensed on a per-recipient or per-sender basis.
The Reliability Factor
We've explained that hosted e-mail security makes a good first choice for SaaS deployments, because of the underlying SMTP protocol's resiliency. But it's worth noting that outages can and do happen. The question isn't if the system will go down, but how often and for how long. To cover your bases, determine how the vendor responds to incidents and what kind of service-level guarantees you can get, at what added cost.
We touch on SLAs in our chart on p. 38, but never forget that a guarantee is only as valuable as its teeth are sharp. The cost to your business of an outage is significantly greater than the prorated value of downtime taken from your service payments. Look for vendors that take their SLAs seriously, not only by offering high-uptime claims, but by backing up those claims with consequences severe enough that you know outages will hit the vendor in the only place that motivates any company--its bottom line. Look also for e-mail security service providers that go out of their way to meet their customers' needs with high service guarantees, named technical account managers, and well-defined escalation procedures. And while there are many advantages to bundling a number of related services, don't be afraid to ask for just the items you need. For example, even a pure IP-reputation-based system, with no content scanning at all, will generally reject more than 75% of inbound connections to your mail server at the connection stage, before any message data is transferred. The point is, from a pure bandwidth and load perspective, even the most basic service will extend the life span of existing mail infrastructure.
Jordan Wiens is a Dark Reading and InformationWeek Analytics contributor and full-time security researcher who has spent 10 years in the information security industry. He can be reached at firstname.lastname@example.org.
Read our full Dark Reading e-mail security services Tech Center report at informationweek.com/dr/email