Many in IT feel some nostalgia for the days of network simplicity. Back in the '90s, you had a basic Exchange Server or two, or you simply had Microsoft Mail running on Windows NT. Your messaging environment may have been rudimentary, but that was the nice thing about it: It wasn't complex and it got the job done. As for security -- what security? The only semblance of security on our minds back then was user passwords.
Fast forward to today's complex messaging environments. In many cases, they're too complex and no single person understands how everything works. The environments are intricately tied in with Active Directory. Sometimes, I'll even see integration with data loss prevention (DLP) and related technologies to enhance messaging security. But passwords are still often the most common level of security afforded to one of the most critical applications in enterprises. If this applies to you, it may be time to beef up the resiliency of your Exchange environment.
Once you've decided that you need to look into third-party email security tools, there are two main categories of Exchange security tools to consider. These tools can help protect against malware, spam, denial-of-service (DoS) attacks, data loss and hacking expeditions.
On-premises email security tools
The first category is on-premises tools: software that's installed on your servers and appliances and that sits at your network perimeter. These tools provide the control many IT professionals desire, but the downside is you're responsible for fixing them when they don't work.
Consider these important factors with on-premises security tools.
Fully understand your risks. Will an in-house tool be enough to ward off real threats? Even if your server and network-based tools can catch spam, malware or DoS attacks, can you afford to have them enter your network in the first place? Think about Internet bandwidth as well as network and server utilization -- will you have enough to withstand an attack? What about your current data backups? Will you end up with malware on a backup because of real-time backups and your archiving or e-discovery policies?
Be mindful of your time. Time is your scarcest resource as an IT pro. Do you have enough of it to take on another project, tool or business function? What will you have to give up to find the necessary time for the new tool? It's easy to say you can handle new email security tools now, but you won't really know until they're fully deployed. Network size and complexity certainly play a part in this, and so does management support.
Know your budget. Do you have the money for on-premises tools? Cloud-based services may be less expensive to initially deploy. Their ongoing costs are competitive as well. You need to know how the budget looks for next year and beyond.
You can also look at what trade rag reviews say about the product you're considering. Talk to your colleagues in the industry as well. Direct discussions with vendor references will help you determine, likely better than anything else, whether the security tools you're looking at for your organization are a good fit.
Cloud-based email security tools
The second category involves cloud-based tools. Third-party application and managed service providers run these tools, which sit between your in-house messaging environment and outsiders communicating with you.
Cloud-based email security tools are great for shielding your network from phishing, malware-laced emails and direct hacking attacks. In the event your Exchange server or Internet connection goes offline, these tools can also queue up your messages so they don't get lost in the shuffle.
There are important factors to consider with cloud-based email security tools:
Know the level of protection you have. In other words, are the tools protecting against what you've determined to be threats, vulnerabilities and risks to your Exchange environment? Malicious attachments and links, DLP, content filtering and DoS protection will likely be high on your list.
Check on outbound protection. Does the service provide outbound protection if one of your systems is hacked and is wreaking havoc on others outside your network? Will you be okay with sensitive information reaching your DLP systems outside your realm of control?
Know who monitors the tools. Will the cloud provider monitor everything, or is that function still yours? I prefer to let someone else take care of monitoring, but the decision is up to you.
Learn the provider's reporting habits. Can it deliver messaging security reports that have some substance that management will understand and appreciate?
Read the service-level agreement (SLA) fine print. What does the provider's SLA actually say? It's possible they may not guarantee security. Make sure your expectations and management's expectations are set. Uptime promises may not be good enough, either. Read the fine print beyond what the marketing slicks and sales weasels promise.
Make sure the tools work for legal and compliance. Will the service pass muster with your legal counsel and compliance officer? Get these people involved and let them guide you through the many legal and compliance issues associated with cloud-based technologies, including data ownership, jurisdiction and privacy.
Certain messaging security tools may be a hybrid of on-premises and cloud-based options, which may help strike a better balance of control and risk. Some of these tools might be available with Office 365 and other hosted Exchange options.
An information risk assessment is the only reasonable way to find out which email security tools will work best. Know your environment, understand your risks and put the right Exchange tools into place. If you take the time and do it correctly, your Exchange system will be much more secure and likely easier to manage, just like in the good ole days.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.