Originally published 5/3/01 on searchSecurity.com.
Fred Avolio, Avolio Consulting, Inc.
I stated the obvious in a recent searchSecurity column entitled “ E-mail security: Defending the server.” The #1 Internet application is e-mail. We all have it. Many of us require it for business. And those who do, must get to e-mail when on the outside of the physical perimeter of the enterprise.
We need to access it from home, customer sites, hotels and airports… from anywhere at anytime. The question before us is not whether we should allow it. The question is how to allow it with an eye toward maximizing security.
I previously discussed e-mail vulnerabilities. Without reiterating too much, I will quickly list them:
There are basically three ways corporations are allowing access to corporate e-mail. They differ according to ease of use, as well as potential vulnerabilities:
Of course, the user must have a computer. For the road-warrior, that means carrying it around. But, there are many companies that do not want to invest in notebook computers for travelers, and travelers who don’t want to carry the extra three to eight pounds.
Careful consideration should be made of what services are allowed through the firewall to the VPN. For many, however, this is the method of choice offering the potential for good security along with access to additional services — virtually an extension of the enterprise desktop.
This may seem like a good idea. It doesn’t require direct Internet access to the internal network. The e-mail is accessible from anywhere. But this solution is not very attractive from a security viewpoint. Corporate e-mail is unprotected after it leaves the corporate gateway. While sent, while stored on the outside e-mail server and when being read, it may be vulnerable to disclosure (and modification).
One potentially good solution to these concerns is to use an outside secure web-based e-mail service. Providers exist with solutions that are free or inexpensive. These include ZixMail (http://www.zixit.com/), Ensuredmail (http://www.ensuredmail.com/), HushMail (http://www.hushmail.com/) and Disappearing, Inc. (http://www.disappearing.com/).
This has all the benefits previously mentioned about Web-based e-mail access — ubiquity being the main one — without requiring the storage of e-mail on someone else’s e-mail system. There are some potential hidden dangers. The implementation must ensure that the connection is terminated after a short time. We don’t want someone forgetting to “log out” and leaving his e-mail system open to a passerby at Denver International Airport, do we? Further, we must keep in mind that we are allowing access from the Internet all the way into critical systems. Is that a hole we are comfortable with? We could tighten this solution up through the use of “air gap” technology from companies like Whale Communications ( http://www.whalecommunications.com/) and Spearhead Technologies ( http://www.sphd.com/). [DISCLOSURE: Avolio Consulting sometimes does consulting work for Whale Communications.]
What solution is best? Well… it depends. Each has benefits, each
has vulnerabilities, so each must be secured. PC access to e-mail
must be protected by securely configured firewall and VPN software.
Outside e-mail accounts should never be used, unless they are e-mail
services that provide secure e-mail storage and communication.
Browser connection directly to a corporate e-mail server system must
be done very carefully through a tightly configured firewall, or with
special purpose “air gap” solutions. In any event, no one is going to
give up access to e-mail. If done properly, there is a solution to
meet most requirements.
##