The best approach to securing Exchange and maintaining a secure messaging environment over time often depends on the size of the organization.
I've written about Exchange security considerations for small businesses, but what about larger enterprises such as corporations and government agencies with thousands of end users? Their business email security needs are as unique as those of smaller organizations, and they're often more difficult to create and preserve.
Technical and financial resources are almost always present in larger organizations. This is beneficial in terms of minimizing perceived risks; however, it can create a façade and a false sense of security that can be just as detrimental as it is to smaller organizations with little to no resources.
Here are some Exchange security challenges and considerations that large enterprises face on a daily basis:
Complexity in Exchange environments
Network -- and even political -- complexity can overwhelm even the best of IT and security teams.
Can you honestly say that you know exactly where sensitive information is housed in your Exchange environment and how it's accessed and used? Are all of your servers, message stores and end users accounted for? Apparently, many IT pros don't know what's where. Is management on board with support for policy enforcement?
This raises the question: How many people do you really need to manage your Exchange environment? The answer is however many it takes to perform the proper security functions to the point that risks are reasonably minimized -- assuming outside forces (people) don't get in the way.
You'll likely have dedicated Exchange admins, perhaps even resources dedicated to specific functions, such as system maintenance, monitoring and alerting. Most importantly, you'll have an ally in management that helps see things through at the highest levels.
Business email compliance
Larger enterprises are often held to a higher standard in terms of compliance and audit reporting. A higher level of scrutiny means they must keep up with more people, tools and paperwork.
Increased IT governance also necessitates ongoing security testing, including testing the actual Exchange environment. Even the best vulnerability assessment and penetration testing programs have their weaknesses in this context. I often see Exchange servers and all the corresponding elements -- remote end users, backups and related cloud services -- ignored because they're presumably secure. Don't ignore anything because it's "just an email system" or because things appear to be okay after a high-level audit.
Exchange is one of the most critical systems to the business, so it needs a higher level of care. This means testing your server OS, Exchange, OWA and any other moving parts at least biannually, if not quarterly or more often, depending on your unique requirements.
What happens when a breach occurs? Large businesses often have a documented plan and a dedicated team of people -- or at least the contacts and financial resources to call on an outside incident response firm when needed. Even so, you don't want to wait for a third party to tell you about the incident. If you don't have the proper visibility and tools, such as intrusion prevention systems, data loss prevention, and security information and event management, to detect and report on security events, such events can be a nightmare to manage. And it'll be bad for your job and career if you're not careful.
As with smaller organizations, there are some core things you need to do to ensure your enterprise-scale Exchange system is in check:
1. Determine where the risks are located via technical and operational security reviews that include Exchange within the scope.
2. Address these risks using proper security controls.
What truly sets a larger Exchange environment apart is complexity. Be sure you have that under control at all times. When you and your team don't have the political backing and don't properly address messaging risks in certain areas, such as content filtering and mobile device use, you can get into trouble.
If your large enterprise uses Microsoft Exchange -- on-premises or in the cloud -- your business email security needs likely are unique. Do what you can to get -- and keep -- management on board, users aware and complexity in check. Otherwise, any positive factors you have going for your Exchange security program can be negated. And that can introduce unnecessary and persistent risks.