Certain things in life simply run their course, including Exchange and email security options. Dating back to Exchange 2007, the messaging platform and underlying OS have had some robust, enterprise-ready security features. But as hackers become savvier, can you trust Microsoft to do everything well, especially when it comes to today's information risks?
I'm a firm believer in using what you've got -- such as the security controls native to Exchange and Windows. But I also believe some things aren't meant to be. If you don't feel like you have a good grip on email security, it's likely time for a change. And there are plenty of third-party options for anti-malware, audit logging and event monitoring, as well as spam and content filtering and so on.
To the greatest extent possible, start with a clean slate for email security. Using what you know about the current state of your Exchange environment, ask yourself these nine questions to determine where things stand with your options for email security tools and whether it's time to move on.
- Do you truly understand what's at risk? This includes knowing who has access to what -- messages, public folders, calendars and even the servers. What are your security standards, especially around passwords, encryption and mobile access via ActiveSync? What do your specific policies dictate, and how do you enforce these policies? Odds are management is exempt from these requirements and very few people know about it. In addition, understand the existing gaps you need to close to fully secure your environment; include known security vulnerabilities from third parties, as well as other areas only you know about.
- Do you have the time to keep your environment under control? Time is the scarcest resource of IT professionals, and it's easy to assume that the email system will just run itself. You can't look at it that way. You need to dedicate a certain amount of your day and week to its security, not to mention being able to jump in when emergencies arise. Are you managing your time in ways that allow you to do what's really necessary? Simply upgrading to a commercial, enterprise or third-party security tool can make a world of difference in the amount of time needed to do specific things involving security.
- Are your built-in Exchange and Windows security controls helping or hindering larger messaging security goals? The answer is probably the former, especially if you can take a fresh look. Your controls might not be enough to address security issues, so you might want to bring in an outsider with an unbiased perspective to point out the less obvious security gotchas, workflow inefficiencies and the like, and recommend fixes.
- How deeply ingrained are HR and legal in your messaging environment? How good are these departments at complying with state and federal laws, including legal holds on email? What about e-discovery -- is that a smooth or a haphazard process? Who's really running the show? You're setting yourself up to fail if you don't have the right email security tools, especially when it comes to governance and compliance.
- What are your mobile plans? If your organization is like most, anything goes with elementary ActiveSync controls when you're trying to harness all of an organization's mobile systems. That's not scalable. There are a handful of amazing mobile device management products that might help you address this issue once and for all.
- Will outsourcing make your job easier? If you do it properly, outsourcing IT almost always makes an admin's job easier. You won't be able to have a completely hands-off approach, nor should you, but cutting 50% or more of the time it takes to update, administer and oversee your Exchange security can make a difference.
- How resilient would your environment be to a third-party service provider slip-up or cloud service outage? Playing devil's advocate, you need to be prepared for outages like those we've seen with Google, Amazon, Windows Azure and other cloud players. Enterprises don't want an insecure environment that never goes down, and they also don't want a secure email environment that goes down often. There needs to be a balance.
- Do the revelations about the National Security Agency spying on corporations affect how you view third parties with access to critical business information systems? What do management and the legal department say about these revelations? They may not want to risk security breaches, so you'll need to build a good case for using third-party tools and services.
- Do you have the money and ongoing support for the tools you want to use? Budget constraints are enough to prevent most security-related issues, especially with email -- something that many assume is always under lock and key, yet always available. Even if you can procure them, converting to a new set of email security controls shouldn't always be your go-to option. The last thing you need is to spend all that time and money, only to find out soon afterward that support is getting yanked. Management may not understand what you're trying to do, but that's just as much your responsibility as it is theirs.
As hard as it is for IT pros to embrace change and give up a certain amount of control, sometimes that's just what's needed to minimize vulnerabilities and keep threats at bay.
Don't buy into the marketing hype from the email security vendors. Know what your enterprise needs, not what vendors tell you it needs. Every analyst, auditor and systems integrator has an opinion when it comes to email security tools. Until someone has seen how IT operates in your organization, is clear on the current political and cultural environment, and fully understands your information risks, email recommendations are as common and as valuable as table salt.
Step back and think about your options for email security tools. Even if your vulnerability scans and IT audits turn up clean, there's always room for improvement when managing security risks.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.
This was first published in February 2014