Is full email encryption the solution to Exchange security?

"You have to encrypt Exchange email in transit" many experts claim. If you don't, they say that you're out of compliance and your business is at risk.

When looking at the known data breaches, an online clearinghouse of information on electronic security breaches, you won't read much about rogue insiders or external hackers gaining access to sensitive email in transit. Information almost always covers email exposure at the host level. Sensitive email messages are usually compromised when passwords are cracked, missing patches are exploited and sensitive information is recovered off a lost or stolen mobile device. You'll also see breach stories about unprotected email that was being sent accidentally, potentially exposing the entire system.

The question remains: Do you automatically encrypt every Exchange email -- just in case? That's a hard sell. It's also hard to do if any of the email is sent to more than a handful of third parties. Encrypting everything internally is one thing; implementing the technologies to encrypt email to and from third parties is another beast altogether.

Those writing security and privacy laws and regulations would disagree. The mantra is that everything is at risk. Those law writers often state that sensitive information protected by encryption is exempt from any compliance requirements, but fail to talk about the real risks. Based on what I've seen, the real information risks have little to do with data in transit. But that doesn't mean that email in transit is not at risk.

Anyone can download the free Cain & Abel password cracker/network analyzer tool to capture email passwords within minutes on ...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Exchange Security Tips How to install Forefront Security for Exchange Server Lock down direct file access and protect OWA users Controlling spam in Exchange 2007 at the edge transport server level When to use a self-signed certificate with Exchange Server 2007 Obtaining and verifying SSL certificates in Exchange Server How file-level antivirus software can harm your Exchange Server Understanding Exchange Server 2007 SP1 mobile security settings Which ActiveSync authentication method is best for your mobile device? Why you should secure Exchange 2007 using administrative policies Microsoft Exchange Server security dos and don'ts Email Encryption When to use a self-signed certificate with Exchange Server 2007 Enabling encryption with digital certificates on BlackBerry devices How to protect an Exchange journaling mailbox from email spoofing Using Exchange Server journaling as an email-archiving solution Deploying ISA Server as a firewall for Exchange Server mobile devices How to set up an SSL certificate to encrypt OWA and ActiveSync traffic SecureZip improves encryption for Microsoft Outlook A Microsoft Outlook email security tutorial -- 8 tips in 8 minutes Zip and encrypt Microsoft Outlook email attachments Microsoft Outlook email encryption simplified Email Compliance Exchange Insider e-zine Create a journal rule in Exchange 2007 to secure journaling mailboxes Set up messaging records management (MRM) in Exchange Server 2007 Exchange event sink scripting error when configuring email disclaimer Email archiving and e-discovery best practices for Microsoft Exchange How to set up email disclaimers on a single, back-end Exchange server How to set up Exchange 2007 message classifications Exchange Server email compliance guide Exchange Server 2007 journaling tutorial How to set up Exchange Server 2007 transport rules Email Compliance Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary email bankruptcy  (SearchExchange.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

the network. The same can be done when Exchange users communicate via an unsecured wireless network.

The fact is, information at rest is much more vulnerable than information in transit. Rather than capturing a snapshot in time of a relatively small number of email communication sessions, the real payoff for attackers is to go after email as it lies dormant -- typically behind a weak password, a Windows or Exchange server with a missing patch or on a mobile device such as a laptop or BlackBerry with no real security controls.

Instead of focusing solely on encrypting every email message that enters or leaves the building, take look at the bigger picture. Focus the highest payoff tasks first -- the most urgent weaknesses on your most important systems. Make sure you pay attention to the security basics that are often taken for granted. You'll likely find that things such as weak access controls, patch management, content filtering, data retention, contingency planning and mobile security are a much higher priority than encrypting email in transit.

Once you have everything down and your Exchange environment continually turns up clean in vulnerability assessments and audits, it may then make sense to take things to the next level with encryption. That is, if you can find a way to get your business partners on board, without breaking your business processes and ticking off your users .

If you look at the information you have and how it's processed, you may end up learning that only a handful of messages sent on any given day are at a higher risk than others. If that's the case, consider encrypting those server-to-server email sessions using SSL/TLS in Exchange. You may also consider a third-party solution such as those offered by vendors like PGP or MessageLabs. These solutions let you create rules and automate the email-encryption process when certain content or recipients are discovered in outbound messages.

I recently came across a situation in which an IT director was chomping at the bit to implement this type of security control in the Exchange environment, but couldn't get the business managers to outline the specific business rules and criteria. Nothing was done about it, even though a risk was uncovered. Be sure to get all the right people, especially executive management, on board when trying to implement new security controls and measures.

If you decide to encrypt Exchange email, focus on information security and business risks, rather than just approaching it from a compliance perspective. People often get those priorities mixed up. Make it clear to management that encryption doesn't equal 100% security. Sure, it beefs things up, but there's almost always a hacking tool, an inexperienced user or weak business process waiting to negate its benefits.

ABOUT THE AUTHOR:   

[IMAGE]Kevin Beaver
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, he specializes in performing independent security assessments and helping IT professionals enhance their careers. Kevin has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.