Increasingly, organizations are turning to Web-based email systems to provide users with platform-independent access to their email accounts, whether from public workstations or mobile devices. Webmail, however, creates significant enterprise security challenges because of shared public computing devices, user authentication issues and growing attacks such as cookie stealing and cross-site scripting.
Webmail architectures today consist of multiple layers of protection, often including a high-performance proxy server with secure access technology and encryption capabilities, intelligent analysis tools and an assortment of attack detection and blocking functions. These features can be integrated with webmail systems independently or delivered together as a comprehensive webmail security package.
Although user education is the foundation of every security policy, it is especially important to have technology that enforces each rule for webmail users. Policies can be delivered through an assortment of tools, including content filters at key traffic choke-points that can stop malware, spyware and spam. Because the majority of phishing attacks occur through email, the use of network scanners and IDSes to scan for infected code or malicious links that cross a network membrane can often prevent email-based attacks before they ever reach users.
Webmail allows traffic to flow through standard HTTP and HTTPS connections, rather than SMTP, making webmail a ripe target for botnets that use compromised machines to power their barrages of spam or virus-infected messages. A properly placed proxy, however, can encrypt messages, as well as identify and analyze webmail traffic, minimizing the chances of buffer overflows and denial-of-service attacks.
With no control over the endpoint, webmail system managers must take on the responsibility of ensuring that HTTP and HTTPS sessions time out or are terminated once the user logs out of the webmail application. It's also important that email credentials are not locally cached. Implementing these controls prevents the next person who launches the browser from using the back button or history list to view the previous user's webmail pages.
With webmail, attackers often use browser scripts to steal cookies, hijack sessions and obtain users' credentials. Though it's typically up to the user to apply security fixes, ensuring good patching practices will mitigate the opportunity for criminals to fraudulently authenticate to secured sites using stolen credentials.
There is, of course, no silver bullet for protecting Web-based email access through a browser interface. However, by integrating a few simple security measures into existing infrastructures, as well as providing users with information about the possible threats and vulnerabilities, organizations can deploy webmail in a way that addresses common risks.
About the author:
Sandra Kay Miller is a technical editor for Information Security magazine with 15 years of experience in developing and deploying leading edge technologies throughout the petroleum, manufacturing, luxury resort and software industries, and has been an analyst covering enterprise-class products for 10 years.
This was first published in May 2008