Is management on the same page with you when it comes to a secure Exchange Server environment? I'm not referring
to just basic IT security controls or compliance checkboxes. I'm referring to the risks associated with email in the enterprise.
Higher-level audits and vulnerability scans paint a certain picture, yet they rarely tell the entire story. If expectations are not properly set and security testing is not done deeply enough, some of your most critical business information might be unnecessarily exposed within Exchange.
As much as we think of Exchange as a boring old email and calendaring system, it's likely one of the largest repositories of critical business assets on your network.
Practically every security best practices and data breach story starts and ends with the fact that you can't secure what you don't acknowledge. Information processed and housed in Exchange environments rarely gets the respect it deserves. I've heard a variation of "It's just email, there's nothing of value in it" a thousand times.
This mindset applies to traditional client/server and Outlook Web Access configurations, and it's even more prevalent with mobile computing. I come across many organizations that don't see a need to lock down their phones and tablets because, again, they think there's nothing of value on them.
Here's the interesting thing about organizations that say this: They've likely never performed an in-depth analysis of how secure Exchange Server is (or isn't) in their environment. They don't know what information flows where, how it's stored and so on. I suspect that if you were to follow the specifics of the big compliance regulations -- including HIPAA, GLBA and even PCI DSS -- you'd find that personally identifiable information is at risk in many ways.
The reality is that any given Exchange environment today stores, processes and facilitates access to an enormous amount of sensitive information that, in retrospect, many executives would reel at the exposure of, including:
- Email messages containing confidential business discussions
- Email attachments containing PII
- Shared folders containing unstructured files (PDFs, Word documents, zip files, etc.) and other types of sensitive information
It could even be argued that address books and calendars are at risk when Exchange is not properly secured.
As much as some think of Exchange as a boring old email and calendaring system, it's likely one of the largest repositories of critical business assets on your network. And while Microsoft has done a good job at making Exchange a resilient application, what comes out of the box can be made grossly insecure through day-to-day business processes, lack of time and resources or management's over-reliance on compliance status.
Based on what I see in my client assessments, many Exchange environments most often need attention in four particular areas:
- Patching -- including patches for Windows, Exchange, IIS and even third-party software such as Java and Adobe Reader)
- Passwords -- weak domain password policies that are still the bane of security's existence in many enterprises
- Access controls -- segmenting who has access to what
- System monitoring and alerting -- when security attacks, malware infections and data loss occurs
Executives may say that an Exchange environment is compliant with the regulation du jour. It's a convenient statement that sounds good to those who don't know enough to question it, but Exchange admins should know it's a risky way of doing business.
Many of these compliance-related assumptions stem from management believing there's nothing sensitive in their email as well as not fully understanding the threat or the complexity of the typical messaging system. Users are often disconnected as well, which facilitates information risks.
If you're going to maintain a compliant and secure Exchange Server, you have to get management on board with what's at stake. Your business has sensitive information in Exchange. Show management why this is the case. Your business is responsible when a breach or outage occurs, so explain it to management. The Privacy Rights Clearinghouse Chronology of Data Breaches is a good starting point. The Verizon Data Breach Investigations Report has even more details.
Maintaining a secure and compliant Exchange environment involves more than just the obvious. Make sure you, legal counsel and management are closely reviewing your own policies and business contracts to ensure you're actually doing what you say you're doing. You might be surprised at the things left undone. Help quantify what's being housed in Exchange and just how dependent the business is on it.
It's a delicate balance -- an organization doesn't want to say how critical Exchange is to its environment and then risk a breach that stems from Exchange. Still, something needs to change in the eyes of business executives. Once it does, you're in the best position to ensure your business goes from compliant to truly secure.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.