What you will learn from this tip: Five specific Web-based e-mail risks and a design strategy for coping with them.
Like it or not, Web-based e-mail is here to stay. As security practitioners, we've all weighed the pros and cons of allowing the use of Web-based e-mail services. Some of us are fortunate enough to have corporate policies in place that clearly dictate permissible activities and the types of controls that need to be in place. Others need to go with vague policies and a sense of what's best for their organization's business.

Here are five specific Web-based e-mail risks and a design strategy for coping with them.

1. Failure to secure Web-based e-mail sites.
Many organizations host Web-based e-mail sites for the convenience of their employees or constituents. Often, these sites are launched in response to an informal statement of need and done in a hasty fashion without adequate security planning. This often results in the use of a self-signed digital certificate or no certificate at all. Do yourself a favor -- take the time to obtain and install a digital certificate from a trusted source. Using this certificate to run SSL will not only provide users with a sense of security when using your site, but also ensures corporate data is protected while in transit between the server and Web client.

2. Inadequate policies regarding employee access to external Web-based e-mail.
There isn't an organization out there that doesn't have a segment of users clamoring for access to Web-based e-mail services like Hotmail, Gmail and Yahoo. Does your organization permit this type of access? You should consider the possibility of employees using Web-based e-mail as a covert channel for leaking confidential information. It's critical that you consider the risks inherent in providing Web-based e-mail access and weigh them against the convenience of allowing employees to access their personal e-mail at work.

3. Inadequate policies regarding Web-based access to corporate e-mail.
While reviewing your outgoing Web-based e-mail policy, spend some time examining your policy for inbound Web-based e-mail as well. Do you permit users to access their corporate e-mail accounts from remote sites over the Web? You need to balance the possibility of sensitive information leaving the controlled environment of your network against the business requirement for remote access to e-mail. Consider also that not providing Web-based e-mail access may drive employees to find more "creative" (and potentially more dangerous) solutions, such as forwarding all of their e-mail to an external account.

4. Bypassing corporate content filters.
If you're subject to requirements of the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) or other regulatory requirements that limit the types of communications your employees have with the outside world, you need to consider the legal impact of your decision to grant access to external Web-based e-mail services. All of the content controls that you place on your "official" e-mail servers may be rendered moot by an employee's ability to access Web-based e-mail.
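Whatever policy you settle on for items 2 and 4, the content filters on the official mail servers give you no visibility into Web-based e-mail, so the proxy log becomes the record of that channel. The following is an added example, not code from the original tip or its author: it parses a constructed proxy log, keeps only requests to a watchlist of external webmail hosts, totals the request-body bytes each user sends to those hosts, and flags users whose outbound volume exceeds a threshold. The log format, the host names on the watchlist and the 1 MB threshold are all assumptions for the example; a real watchlist would come from your proxy's URL categories.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical watchlist of external webmail hosts (constructed).
WEBMAIL_HOSTS = {"mail.example-free.com", "webmail.example.net"}

# Flag users who send more than roughly 1 MB of request bodies to webmail in the log window.
UPLOAD_BYTES_THRESHOLD = 1_000_000

# Constructed proxy log: timestamp, client IP, user, method, URL, request-body bytes.
SAMPLE_LOG = """\
2005-05-10T09:14:02 10.1.2.3 jsmith GET https://mail.example-free.com/inbox 0
2005-05-10T09:15:40 10.1.2.3 jsmith POST https://mail.example-free.com/compose 48213
2005-05-10T09:16:11 10.1.2.3 jsmith POST https://mail.example-free.com/attach 1250000
2005-05-10T09:20:05 10.1.2.9 akumar GET https://intranet.example.com/ 0
2005-05-10T09:22:30 10.1.2.9 akumar POST https://webmail.example.net/send 2048
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields; the host is taken from the URL."""
    ts, ip, user, method, url, nbytes = line.split()
    return {
        "ts": ts,
        "ip": ip,
        "user": user,
        "method": method,
        "host": urlparse(url).hostname,
        "bytes": int(nbytes),
    }


def webmail_events(log_text: str) -> list:
    """All requests whose destination host is on the webmail watchlist."""
    events = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [e for e in events if e["host"] in WEBMAIL_HOSTS]


def outbound_bytes_per_user(events: list) -> dict:
    """Sum request-body bytes per user for methods that carry data outbound."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("POST", "PUT"):
            totals[e["user"]] += e["bytes"]
    return dict(totals)


def flag_users(log_text: str, threshold: int = UPLOAD_BYTES_THRESHOLD) -> list:
    """Users whose outbound volume to webmail exceeds the threshold, sorted by name."""
    totals = outbound_bytes_per_user(webmail_events(log_text))
    return sorted(user for user, total in totals.items() if total > threshold)


if __name__ == "__main__":
    print("webmail requests:", len(webmail_events(SAMPLE_LOG)))
    print("outbound bytes:", outbound_bytes_per_user(webmail_events(SAMPLE_LOG)))
    print("flagged users:", flag_users(SAMPLE_LOG))
```

Byte counts alone only tell you that something left; pairing the flagged events with a review process is what turns this into a control rather than a statistic. Over an SSL session the proxy sees host and size, not message content, which is exactly why the content filters in item 4 cannot be applied here.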

5. Use of third-party e-mail services.
The Web-based e-mail question is made even more complex by the explosive growth of third-party ancillary services that revolve around e-mail. Some services, like Google Desktop Search, keep caches of Web pages accessed on the local system, including those accessed over a secure link. These caches may allow users of shared computers (in your office or at a hotel) to view the e-mail messages other users viewed over a Web-based link. Other services like Plaxo and Spoke index user e-mail and transmit some form of data (ranging from contact information to details of e-mail messages) to a remote server outside of organizational control. You need to consider the impact these services have on your e-mail security efforts. If the risks posed by these services outweigh the benefits, you may wish to implement technical controls (such as Active Directory group policy) to limit the ability of users to install software on their systems.

By this point, you've undoubtedly reached the conclusion that Web-based e-mail introduces a number of complex security issues. Some are high-level policy issues while others are technical controls that can enhance the security of your network. Be sure you've paid careful attention to each.


About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

This was first published in May 2005
