
RISK MANAGEMENT STRATEGIES
Remote e-mail access
Frederick Avolio 12.03.2003




I stated the obvious in a recent searchSecurity column entitled
E-mail security: Defending the server. The #1 Internet application
is e-mail. We all have it. Many of us require it for business. And
those who do must get to e-mail from outside the physical perimeter
of the enterprise.
We need to access it from home, customer sites, hotels and
airports... from anywhere, at any time. The question before us is not
whether we should allow it. The question is how to allow it with an
eye toward maximizing security.
Vulnerabilities
I previously discussed e-mail vulnerabilities. Without reiterating
too much, I will quickly list them:
[1] Eavesdropping. Anyone with access to the same network can "listen
in" on your transactions.
[2] Disclosure of confidential information. This could be by
eavesdropping or some other method. How do we ensure that
confidential e-mail is handled securely?
[3] Viruses and Trojan horses. You put controls in place on the
enterprise network. Can you extend that protection outside your
walls?
Methods for remote e-mail access
There are basically three ways corporations are allowing access to
corporate e-mail. They differ in ease of use, and in the
vulnerabilities they introduce:
[1] A connection through a firewall to an inside e-mail server is
common. This is often over a virtual private network (VPN)
connection. This can be a fairly secure solution. It requires that
the teleworker's desktop computer or traveler's notebook PC be secure
as well -- no stored credentials or "automatic" login to the inside,
up-to-date antivirus software, a host-based packet filter (the
so-called "personal firewall"), etc. The VPN protects the
connection from eavesdroppers, strong access control is possible, and
the user can easily access e-mail. Often, other network services can
be made available.
Of course, the user must have a computer. For the road-warrior, that
means carrying it around. But there are many companies that do not
want to invest in notebook computers for travelers, and travelers who
don't want to carry the extra three to eight pounds.
Careful consideration should be given to which services are allowed
through the firewall to VPN users. If the requirement is e-mail,
permit only the mail protocols from the VPN address pool rather than
opening the whole internal network to every remote PC. For many,
however, this is the method of choice, offering the potential for
good security along with access to additional services -- virtually
an extension of the enterprise desktop.
[2] Some enterprises forward corporate e-mail to outside e-mail
accounts for user access. If the outside e-mail system is Web-based,
the user can read e-mail from anywhere there is an Internet
connection. This includes a growing number of hotels, airports and
private homes.
This may seem like a good idea. It doesn't require opening the
internal network to direct access from the Internet, and the e-mail
is accessible from anywhere. But this solution is not very attractive
from a security viewpoint. Corporate e-mail is unprotected after it
leaves the corporate gateway. While in transit, while stored on the
outside e-mail server and while being read, it may be vulnerable to
disclosure (and modification), and the enterprise has no say over the
password policy or patch state of the outside service.
One potentially good solution to these concerns is to use an outside
secure Web-based e-mail service. Providers exist with solutions that
are free or inexpensive. These include ZixMail, Ensuredmail,
HushMail and Disappearing, Inc.
[3] To gain the benefit of the ubiquitous browser but avoid
forwarding e-mail to outside systems, many enterprises provide a Web
interface to an internal e-mail system. The user connects via a
browser to an SSL-protected Web page and, with the connection
encrypted, "logs in" to the e-mail system and reads his e-mail.
This has all the benefits previously mentioned about Web-based e-mail
access -- ubiquity being the main one -- without requiring the
storage of e-mail on someone else's e-mail system. There are some
potential hidden dangers. The implementation must ensure that the
session is terminated after a short period of inactivity, and that
"logging out" really invalidates the session on the server rather
than merely clearing the browser. We don't want someone forgetting
to "log out" and leaving his e-mail system open to a passerby at
Denver International Airport, do we? Further, we must keep in mind
that we are allowing access from the Internet all the way into
critical systems. Is that a hole we are comfortable with? We could
tighten this solution up through the use of "air gap" technology,
which terminates the outside connection on a separate device and
relays only the mail application's data inward, from companies like
Whale Communications and Spearhead Technologies. [DISCLOSURE: Avolio
Consulting sometimes does consulting work for Whale Communications.]
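The session-handling point in [3] (kill an idle session; make sure logout really invalidates it) is the part a home-grown Web front end most often gets wrong. The following is an added example, not code from this article or from any product it names. It assumes the session id travels in a cookie and that the gateway keeps all session state itself, so expiry and logout are enforced by the server rather than by a browser the user walked away from; the 10-minute idle limit and 8-hour absolute limit are assumed policy values, not the article's recommendation.

```python
"""Server-side session expiry for a browser front end to an internal
mail server.  Added example; assumptions are noted in the comments."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 10 * 60          # assumed policy: 10 min with no request ends the session
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed policy: 8 h cap even for an active session


@dataclass
class Session:
    user: str
    created: float    # when the user authenticated
    last_seen: float  # time of the most recent request on this session


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Issue an unguessable 256-bit session id after authentication."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None.  Both limits are checked
        on every request: the idle limit catches a session abandoned at a kiosk,
        the absolute limit bounds how long a stolen cookie stays useful."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]   # expired: destroy the server-side state
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        """Logout must invalidate on the server, not just drop the cookie."""
        self._sessions.pop(token, None)


def cookie_header(token: str) -> str:
    """Secure keeps the id off plain HTTP, HttpOnly keeps it away from page
    script, SameSite=Strict stops other sites riding the session, and the
    absence of Max-Age makes the browser discard it when closed."""
    return f"Set-Cookie: sid={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


class FakeClock:
    """Controllable clock so the timeouts can be exercised without waiting."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def walkthrough() -> Dict[str, Optional[str]]:
    """Exercise the four cases a reviewer should check; returns the outcomes."""
    clock = FakeClock()
    store = SessionStore(clock)
    out: Dict[str, Optional[str]] = {}

    # 1. A user who keeps reading mail stays logged in.
    tok = store.login("alice")
    clock.advance(IDLE_TIMEOUT - 1)
    out["active_under_idle_limit"] = store.validate(tok)      # "alice"

    # 2. The same user walks away from the airport terminal without logging out.
    clock.advance(IDLE_TIMEOUT + 1)
    out["abandoned_past_idle_limit"] = store.validate(tok)    # None

    # 3. A session kept busy (or a replayed cookie) still dies at the absolute cap.
    tok = store.login("alice")
    start = clock.now
    result = None
    while clock.now - start <= ABSOLUTE_TIMEOUT:
        clock.advance(IDLE_TIMEOUT - 1)   # always request again before the idle limit
        result = store.validate(tok)
    out["busy_past_absolute_limit"] = result                  # None

    # 4. Explicit logout: the id is dead even if the browser still presents it.
    tok = store.login("alice")
    store.logout(tok)
    out["after_logout"] = store.validate(tok)                 # None

    out["cookie"] = cookie_header(store.login("alice"))
    return out


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print(f"{case}: {outcome}")
```

Run it as a script to see the four outcomes. The cookie attributes matter as much as the timers: a session id sent over plain HTTP or readable by page script is as good as a forgotten logout.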
Pretty good practices
What solution is best? Well... it depends. Each has benefits, each
has vulnerabilities, so each must be secured. PC access to e-mail
must be protected by securely configured firewall and VPN software.
Outside e-mail accounts should never be used, unless they are e-mail
services that provide secure e-mail storage and communication.
Browser connection directly to a corporate e-mail server system must
be done very carefully through a tightly configured firewall, or with
special purpose "air gap" solutions. In any event, no one is going to
give up access to e-mail. If done properly, there is a solution to
meet most requirements.
About the author
Fred Avolio is the president and founder of Avolio Consulting, Inc.,
a Maryland-based corporation specializing in computer and network
security and dedicated to improving the state of corporate and
Internet security through education and testing.
Related book
E-mail security: How to keep your electronic messages private
By Bruce Schneier
In this book, security expert Bruce Schneier shows you how to protect your privacy by sealing your messages in "electronic envelopes." The book shows how you can protect the financial information, contract negotiations or personal correspondence you entrust to public or private networks -- and it shows how this protection is available right now, with free or inexpensive software.