What you will learn from this tip: Five specific Web-based e-mail risks and a design strategy for coping with them.
Like it or not, Web-based e-mail is here to stay. As security practitioners, we've all weighed the pros and cons of allowing the use of Web-based e-mail services. Some of us are fortunate enough to have corporate policies in place that clearly dictate permissible activities and the types of controls that need to be in place. Others have to work from vague policies and a sense of what's best for their organization's business.
Here are five specific Web-based e-mail risks and a design strategy for coping with them.
1. Failure to secure Web-based e-mail sites.
Many organizations host Web-based e-mail sites for the convenience of their employees or constituents. Often, these sites are launched in response to an informal statement of need and done in a hasty fashion without adequate security planning. This often results in the use of a self-signed digital certificate or no certificate at all. A self-signed certificate triggers a browser warning on every visit, and users who are trained to click through that warning will click through it just as readily when an attacker presents a forged certificate for your site. Do yourself a favor -- take the time to obtain and install a digital certificate from a trusted certificate authority. Using that certificate to run SSL (TLS) lets browsers verify they are talking to your server rather than an impostor, and ensures corporate data is protected while in transit between the server and Web client.
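The difference between the two certificate choices shows up immediately in a chain check. The script below is an added example, not part of the original tip: it builds a throwaway private CA (standing in for a trusted CA), issues a certificate for an assumed webmail host `mail.example.com`, and creates the self-signed certificate a hasty deployment typically ends up with. `openssl verify` accepts the CA-issued certificate and rejects the self-signed one, which is exactly the decision every user's browser makes on each visit.

```shell
#!/bin/sh
# Added example (not from the original article). The hostname mail.example.com
# and the CA name "Demo Root CA" are assumptions for illustration only.

# Create a demo CA, a CA-issued webmail certificate and a self-signed one.
# Prints the working directory so callers can locate the files.
setup_demo() {
    work=$(mktemp -d) || return 1

    # 1. Private CA. In production this role belongs to a CA your users' browsers already trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$work/ca.key" -out "$work/ca.crt" \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1 || return 1

    # 2. Server key and CSR for the webmail host, then have the CA sign it.
    #    The subjectAltName is what browsers match against the URL's hostname.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$work/server.key" -out "$work/server.csr" \
        -subj "/CN=mail.example.com" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:mail.example.com\n' > "$work/san.ext"
    openssl x509 -req -in "$work/server.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -days 365 -extfile "$work/san.ext" \
        -out "$work/server.crt" >/dev/null 2>&1 || return 1

    # 3. The shortcut many hasty deployments take: a self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$work/selfsigned.key" -out "$work/selfsigned.crt" \
        -subj "/CN=mail.example.com" >/dev/null 2>&1 || return 1

    echo "$work"
}

# verify_cert CAFILE CERT
# Returns 0 when openssl can build a chain from CERT to a root in CAFILE,
# non-zero otherwise (the same decision a browser makes against its trust store).
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration.
DEMO=$(setup_demo) || { echo "setup failed (is openssl installed?)"; exit 1; }
if verify_cert "$DEMO/ca.crt" "$DEMO/server.crt"; then
    echo "CA-issued certificate: chain verified"
fi
if ! verify_cert "$DEMO/ca.crt" "$DEMO/selfsigned.crt"; then
    echo "self-signed certificate: rejected (no trusted issuer)"
fi
```

To check a live deployment the same way, pull the served chain with `openssl s_client -connect mail.example.com:443 -showcerts` and feed the leaf to `openssl verify` with the system CA bundle; a `self signed certificate` or `unable to get local issuer certificate` error means every visitor is seeing a warning page.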
2. Inadequate policies regarding employee access to external Web-based e-mail.
There isn't an organization out there that doesn't have a segment of users clamoring for access to Web-based e-mail services like Hotmail, Gmail and Yahoo. Does your organization permit this type of access? You should consider the possibility of employees using Web-based e-mail as a covert channel for leaking confidential information. It's critical that you consider the risks inherent in providing Web-based e-mail access and weigh them against the convenience of allowing employees to access their personal e-mail at work.
3. Inadequate policies regarding Web-based access to corporate e-mail.
While reviewing your outgoing Web-based e-mail policy, spend some time examining your policy for inbound Web-based e-mail as well. Do you permit users to access their corporate e-mail accounts from remote sites over the Web? You need to balance the possibility of sensitive information leaving the controlled environment of your network against the business requirement for remote access to e-mail. Consider also that not providing Web-based e-mail access may drive employees to find more "creative" (and potentially more dangerous) solutions, such as forwarding all of their e-mail to an external account.
4. Bypassing corporate content filters.
If you're subject to the requirements of the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) or other regulations that limit the types of communications your employees may have with the outside world, you need to consider the legal impact of your decision to grant access to external Web-based e-mail services. All of the content controls you place on your "official" e-mail servers are rendered moot if an employee can simply send the same information through a Web-based e-mail account your filters never see.
5. Use of third-party e-mail services.
The Web-based e-mail question is made even more complex by the explosive growth of third-party ancillary services that revolve around e-mail. Some services, like Google Desktop Search, keep caches of Web pages accessed on the local system, including those accessed over a secure link. These caches may allow users of shared computers (in your office or at a hotel) to view the e-mail messages other users viewed over a Web-based link. Other services like Plaxo and Spoke index user e-mail and transmit some form of data (ranging from contact information to details of e-mail messages) to a remote server outside of organizational control. You need to consider the impact these services have on your e-mail security efforts. If the risks posed by these services outweigh the benefits, you may wish to implement technical controls (such as Active Directory group policy) to limit the ability of users to install software on their systems.
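The caching problem described above has a server-side counterpart worth checking: a page is written to the browser's (and a desktop search tool's) local cache unless the response says otherwise, and a secure link does not change that. The check below is an added example, not from the original tip. It reads an HTTP response header block and reports whether `Cache-Control: no-store` is present; the two sample responses are constructed for the example, and the hostname in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): flag webmail responses that
# permit local caching of message content. Sample responses are constructed.

# Reads an HTTP response header block on stdin.
# Returns 0 when a Cache-Control header includes no-store, 1 otherwise.
# Header names and directives are case-insensitive, so normalize first.
check_cache_headers() {
    tr -d '\r' | tr 'A-Z' 'a-z' | grep '^cache-control:' | grep -q 'no-store'
}

# Constructed sample: what a hastily configured webmail server often returns.
# "private" only stops shared proxies; the user's own disk cache still keeps the page.
weak_response() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Content-Type: text/html; charset=utf-8' \
        'Cache-Control: private, max-age=600' \
        'Set-Cookie: session=abc123; Secure; HttpOnly' \
        ''
}

# Constructed sample: the hardened response for any page that shows mail content.
# "no-store" forbids writing the response to disk; "Pragma: no-cache" covers
# older HTTP/1.0-era clients.
hardened_response() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Content-Type: text/html; charset=utf-8' \
        'Cache-Control: no-store, no-cache, must-revalidate' \
        'Pragma: no-cache' \
        'Set-Cookie: session=abc123; Secure; HttpOnly' \
        ''
}

# Stand-alone demonstration.
if weak_response | check_cache_headers; then
    echo "weak sample: no-store present"
else
    echo "weak sample: message pages may be cached locally"
fi
if hardened_response | check_cache_headers; then
    echo "hardened sample: no-store present"
fi
```

Against a real deployment, run it on an authenticated message view rather than the login page, for example `curl -sI -b "session=..." https://mail.example.com/inbox | check_cache_headers` (hostname and cookie assumed). This complements, rather than replaces, the endpoint controls mentioned above: it stops the browser from keeping a copy, but cannot prevent a tool that hooks the rendering engine directly from indexing what the user sees.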
By this point, you've undoubtedly reached the conclusion that Web-based e-mail introduces a number of complex security issues. Some are high-level policy issues while others are technical controls that can enhance the security of your network. Be sure you've paid careful attention to each.
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.