The new business fortress: Internet Messaging Security

As the Internet and e-mail communications have become the lifeblood of many organizations in recent years, security risks have developed into a vulnerable front in the battlefield of business. Satish Ramachandran, CEO of Mirapoint Inc., talks about implementing Internet messaging security.
Written by Satish Ramachandran, Contributor

Fast, easy access to digital information and the lightning-speed exchange of mission-critical communications can weaken overall business security by increasing the possibility of hacking, viruses, spam and the misuse of corporate information. Consequently, protecting information in the e-world has become a major battle for companies, Internet Service Providers, and Application Service Providers.

The Enemy at the Gateway
According to the International Computer Security Association (ICSA), more than 80 percent of computer viruses enter an enterprise or service provider environment through e-mail, causing thousands of dollars in lost data and productivity time. Typically this is the result of inadequate security measures that leave a business’s network vulnerable to attacks. While there are numerous solutions available today that can help protect an organization from these potential threats, many businesses are unsure what to look for as they build or refine their messaging infrastructures.

One challenge is that with new standards emerging as quickly as messaging technology is evolving, it is difficult to know how to best protect your system now and into the future. Another difficulty has been that many of the solutions available in the past have been costly and cumbersome to deploy. Until recently, system administrators have had to rely on a varied assortment of software patches to handle each security threat. In the case of some viruses, such as the “I Love You,” “Melissa” or the “Anna Kournikova” virus, applications were created in response to the threats after they had already contaminated thousands of systems. Now many network administrators are looking for more proactive defenses against these devastating viruses.

One of the main factors involved in the vulnerability of Internet and e-mail systems is that many traditional public domain and commercial e-mail applications run on general-purpose operating systems. Designed to support a wide array of applications, these operating systems provide many services and open a great many ports. Each of these services and ports is a potential security hole that renders the server vulnerable to attack.

Additionally, general-purpose systems, usually UNIX or Windows NT, are so prevalent in the marketplace that most hackers are familiar with their security flaws. Consequently, hackers find it easy to discover and exploit the system’s weaknesses on a massive scale, and they know how to get into a server, grant themselves root privileges and cause damage to the system.

There are many components to look for when building a messaging infrastructure that will not only efficiently manage data, but more importantly will keep the system secure. Considerations such as user authentication, session and content encryption, and virus and spam protection are important to factor into your decision. Also, the type of system you choose can determine the success or failure of your security efforts.

There are two main methods of message deployment: software running on a general-purpose server or a purpose-built messaging solution. Internet messaging appliances are emerging as the hacker-proof answer to the increasingly complex problem of securing Internet messaging. Because these purpose-built solutions are optimized for messaging, unnecessary ports are not left open as in the case of general-purpose servers running messaging software. As a result, there are no gaping holes where hackers can gain access to the system.

Another main advantage of Internet messaging appliances is that they are designed as closed systems. They support only messaging protocols such as Simple Mail Transfer Protocol (SMTP), the messaging language used for server-to-server connections, and Post Office Protocol (POP) or Internet Message Access Protocol (IMAP), the messaging languages for server-to-client connections.
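One way to check the "closed system" property on a mail host is to compare its listening ports with the short list of services the article names. The following is an added example, not part of the original article or any vendor's product: the sample text is constructed in the layout of Linux `ss -ltn` output, and the allowlist of well-known ports is an assumption about which services a given deployment enables.

```python
# Services the article names, mapped to their well-known ports (assumed allowlist).
ALLOWED = {25: "SMTP", 110: "POP3", 143: "IMAP", 443: "SSL (web GUI)", 22: "SSH"}
LOOPBACK = ("127.", "[::1]")

# Constructed sample in the layout printed by `ss -ltn` on Linux.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:143           [::]:*
LISTEN 0      64     0.0.0.0:111        0.0.0.0:*
LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
LISTEN 0      50     *:23               *:*
"""

def audit(ss_output, allowed=ALLOWED):
    """Return sorted ports that listen on a non-loopback address but are not allowed."""
    unexpected = set()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a listening socket.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = fields[3].rpartition(":")
        if addr.startswith(LOOPBACK) or not port.isdigit():
            continue  # loopback-only services are not reachable from the network
        if int(port) not in allowed:
            unexpected.add(int(port))
    return sorted(unexpected)

if __name__ == "__main__":
    for port in audit(SAMPLE):
        print("unexpected listener on port", port)
```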

An administrator has another defense through an appliance’s integrated content filtering mechanism. By using content filtering, companies can enforce corporate mail policies by monitoring and filtering both inbound and outbound messages. Content filtering detects key words in the message body or header and allows administrators to have messages re-routed to another mailbox, sent back to the sender or deleted.

User Authentication
User Authentication is an important feature to consider when selecting the right messaging security solution. An Internet-based e-mail system should support well-known proprietary and emerging standards-based authentication methods to ensure that each user logging on is legitimate. Ideally, the e-mail system you choose should work with the authentication method that already exists on your network. This saves you the hassle and expense of installing another authentication mechanism over an existing one.

Also, consider future authentication standards when selecting a messaging system that will provide the security your organization needs. Lightweight Directory Access Protocol (LDAP) is a directory service specification with security and authentication features considered to be the emerging standard. Deploying a messaging infrastructure that will support eventual migration to LDAP will pay off by saving you time, money and effort in the future.

Access control list (ACL) support is another important user authentication security feature that should be included in a secure messaging system. ACL allows administrators and users to create shared folders, a helpful tool for business collaborations. Users can give permission for others to read, write, edit or delete items in the folder. They can also easily post information to the folder or deny access to ensure privacy. Make sure your system supports IMAP4, the protocol that provides the capability for ACL in addition to many other features such as server-based message storage and message header viewing.

Encryption is a large part of a secure messaging environment because it scrambles data to keep information private. Messages sent in clear text format are susceptible to hackers who use “sniffing” techniques to steal proprietary data.

A secure messaging system should employ both session encryption that protects the Internet connection and content encryption that protects data on the desktop. In session encryption, the Secure Sockets Layer (SSL) protocol can be used to protect GUI-based end user and administrator sessions. However, few e-mail clients exist that can use it to protect administrative protocols. Secure Shell (SSH) protocol offers the necessary protection for these critical passwords outside the firewall.

Consequently, a secure Internet messaging deployment should support both SSL and SSH encryption protocols to provide maximum encryption security.

Content encryption and decryption occur at the user desktop to protect the content of messages. A secure Internet e-mail system should support content encryption protocols such as Pretty Good Privacy (PGP); Simple Mail Transfer Protocol (SMTP) and the STARTTLS extension to protect messages in transit; as well as the emerging standard, Secure/Multipurpose Internet Mail Extensions (S/MIME). All three allow the sender and recipient to access encrypted messages and minimize the ability of hackers to read messages traveling over the Internet. (See graphic)

Virus and Spam Protection
Viruses and spam are the most widespread problems causing headaches for system administrators. Many viruses have the capability to bring down entire networks. To rebuild them, administrators must painstakingly reinstall the hard drive and operating system and restore all of the data from backup files. Many viruses also contain “Trojan horse” programs that remain dormant until a specified time when they infect the system.

Much of the time and effort administrators devote to virus threats is spent in trying to catch them before they spread throughout the system. According to a survey recently conducted by the Coalition for Networked Information (CNI), information technology personnel spend up to 11 hours per week locating virus-containing e-mail. A secure Internet messaging system should be able to reduce the time staff spends on tediously searching for viruses. It should have a powerful virus search engine with the capability to locate viruses at the server level before they enter end-user systems and create problems. Additionally, the messaging system should come equipped with custom scripts so that administrators can locate messages that fit certain profiles believed to contain viruses.
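The content filtering described earlier (key words in the header or body, with re-route, return or delete actions) and the custom scripts for messages that fit a virus profile can both be expressed as an ordered rule set applied at the server. The sketch below is an added example, not code from the article or from any product: the extension list, blocked domain, keyword and all addresses are constructed sample policy.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# All three tables are constructed sample policy, not values from the article.
RISKY_EXTS = (".vbs", ".js", ".exe", ".scr", ".pif", ".bat")
BLOCKED_DOMAINS = {"bulk-mailer.example"}
KEYWORDS = {"project falcon": "REROUTE"}  # keyword -> action

def _attachments(msg):
    """File names of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def _text(msg):
    """Subject plus inline text/plain parts, lower-cased for matching."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            chunks.append(part.get_content())
    return "\n".join(chunks).lower()

def evaluate(raw):
    """Return (action, reason) for one raw message; the first matching rule wins."""
    msg = message_from_bytes(raw, policy=policy.default)
    for name in _attachments(msg):
        # endswith() on the full name also catches double extensions (x.txt.vbs).
        if name.lower().endswith(RISKY_EXTS):
            return ("DELETE", "attachment:" + name)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain in BLOCKED_DOMAINS:
        return ("RETURN", "sender-domain:" + domain)
    text = _text(msg)
    for word, action in KEYWORDS.items():
        if word in text:
            return (action, "keyword:" + word)
    return ("DELIVER", "no-rule-matched")

def sample(sender, subject, body, attachment=None):
    """Build a constructed test message and return its wire bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@corp.example", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    print(evaluate(sample("a@partner.example", "hi", "open this", "Invoice.TXT.vbs")))
```

Rule order matters here: the attachment profile is checked before sender and keyword rules, so a message carrying a script attachment is deleted even when it would otherwise only be re-routed.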

Spam can be equally damaging because it consumes disk space, ties up mail queues and, in the case of “denial of service” attacks, debilitates an entire system by bombarding it with hundreds of messages per second. CNI’s survey found administrators spend an average of eight hours per week monitoring e-mail systems for spam.

One of the advantages of a purpose-built messaging system is that it incorporates the ability to block e-mails from specified domains which are known to stage attacks. Also “denial of service” attacks are prevented by the system’s transfer agent. As a result, large amounts of incoming messages will not incapacitate the messaging system. Furthermore, a messaging system that utilizes a single copy message store can minimize the impact of spam attacks by ensuring messages going to more than one user are only written onto the disk once, saving valuable disk space.

In today’s messaging and communications environment, there is more to security than keeping the risks and threats at bay. Internet and e-mail security is a growing business, particularly for service providers looking to add security to their menu of services. Not only does a messaging system need to offer all of the right security features to protect valuable data, it needs to be flexible enough to administer security features as managed service offerings.

No matter what your needs are, easy administration is a consideration that should not be overlooked. A messaging system needs to be easy to install and should allow the flexibility to deploy security features from a data center or on the customer’s site.

Additionally, secure messaging environments should allow administrators to monitor messaging activity from a centralized location for the entire enterprise or service provider network. Detailed logging features also allow administrators to search for attempted break-ins. With these features, security becomes a workable part of the entire system network and an integral part of maximizing the power of Internet and e-mail communications.

Securing your Company’s Future
Protecting your organization’s precious data assets is not something to be taken lightly as Internet communication becomes more and more accessible. In the Information Age, data is mission-critical and protecting that resource can be the most important thing a company can do to ensure its success.

There are many factors to weigh and many things to consider in designing a messaging infrastructure that will offer the best defense against the security threats facing computer networks. However, armed with an understanding of the risks involved in Internet communications and the right information about the solutions that are available, enterprises and service providers can design a strong defense against attacks and threats. Most importantly, deploying the right messaging infrastructure gives users the confidence to use Internet messaging to its full potential.

Satish Ramachandran is the chairman and CEO of Mirapoint Inc., a messaging infrastructure company that incorporates the latest Internet and e-mail security technologies into its product offerings.
