
Webmail security: Best practices for data protection

Webmail has become a popular choice for enterprises looking to provide users with email access outside the office, but deployment of any Web-based email system presents a unique set of security challenges. In this Messaging Security School tip, Sandra Kay Miller explains various strategies that can solve authentication problems and prevent attacks involving cross-site scripting, buffer overflows and phishing.

This tip is a portion of's Messaging Security School lesson, Counterintelligence strategies for thwarting email threats. Visit the lesson and school pages for additional learning resources, or visit our Security School Course Catalog to begin other lessons.

Increasingly, organizations are turning to Web-based email systems to provide users with platform-independent access to their email accounts, whether from public workstations or mobile devices. Webmail, however, creates significant enterprise security challenges because of shared public computing devices, user authentication issues and growing attacks such as cookie stealing and cross-site scripting.

Webmail architectures today consist of multiple layers of protection, often including a high-performance proxy server with secure access technology and encryption capabilities, intelligent analysis tools and an assortment of attack detection and blocking functions. These features can be integrated with webmail systems independently or delivered together as a comprehensive webmail security package.

Although user education is the foundation of every security policy, it is especially important to have technology that enforces each rule for webmail users. Policies can be delivered through an assortment of tools, including content filters at key traffic choke-points that can stop malware, spyware and spam. Because the majority of phishing attacks occur through email, the use of network scanners and IDSes to scan for infected code or malicious links that cross a network membrane can often prevent email-based attacks before they ever reach users.

Webmail allows traffic to flow through standard HTTP and HTTPS connections, rather than SMTP, making webmail a ripe target for botnets that use compromised machines to power their barrages of spam or virus-infected messages. A properly placed proxy, however, can encrypt messages, as well as identify and analyze webmail traffic, minimizing the chances of buffer overflows and denial-of-service attacks.

With no control over the endpoint, webmail system managers must take on the responsibility of ensuring that HTTP and HTTPS sessions time out or are terminated once the user logs out of the webmail application. It's also important that email credentials are not locally cached. Implementing these controls prevents the next person who launches the browser from using the back button or history list to view the previous user's webmail pages.
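The controls in the paragraph above can be enforced entirely on the server side. The following Python sketch is an added example, not code from the original article or from any webmail product: the `SessionStore` class, the `render_mailbox` function, the 15-minute idle limit and the `/login` path are all assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed policy: 15 minutes of inactivity

# Headers that keep mailbox pages out of the browser cache, so the back
# button or history list on a shared machine cannot redisplay them.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}


class SessionStore:
    """Server-side session table: the server, not the browser, decides validity."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._sessions = {}  # session id -> (user, last_seen)
        self._idle_timeout = idle_timeout
        self._clock = clock

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # random id, nothing derived from credentials
        self._sessions[sid] = (user, self._clock())
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None; refreshes the idle timer."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > self._idle_timeout:
            del self._sessions[sid]  # expired: destroy the session, do not just ignore it
            return None
        self._sessions[sid] = (user, now)
        return user

    def logout(self, sid):
        self._sessions.pop(sid, None)  # the old cookie value is now worthless


def render_mailbox(store, sid):
    """Return (status, headers, body) for a mailbox page request."""
    user = store.validate(sid)
    if user is None:
        return 302, {**NO_CACHE_HEADERS, "Location": "/login"}, ""
    return 200, dict(NO_CACHE_HEADERS), f"Inbox for {user}"
```

Because the session is destroyed on the server at logout or timeout, a request replayed from the browser history gets a redirect to the login page rather than the previous user's mail.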


By setting up webmail services with features like encrypted logins and sessions, organizations can strengthen their browser-based access. However, some email clients now offer the ability to access webmail accounts through a common interface. Be certain that your webmail application has the capability to encrypt logins and SMTP-driven sessions that have been initiated by non-browser interfaces.

With webmail, attackers often use browser scripts to steal cookies, hijack sessions and obtain users' credentials. Though it's typically up to the user to apply security fixes, ensuring good patching practices will mitigate the opportunity for criminals to fraudulently authenticate to secured sites using stolen credentials.

Poorly patched browsers, combined with the increasing use of JavaScript, Asynchronous JavaScript and XML (Ajax) and other advanced coding, enable complex automated attacks such as cross-site scripting, a hacker tactic that uses malicious links to steal information, and cross-site request forgeries, attacks that employ a user's identity to compromise a Web server. This new class of threats has forced organizations to turn to advanced security tools like Web application firewalls (WAFs), which use a variety of methods to thwart malicious code that travels through legitimate network pathways. WAFs can inspect all incoming and outgoing traffic at the application layer, examining the payloads of packets and providing better content-filtering capabilities than traditional packet-filtering firewalls.
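Alongside patching and a WAF, the webmail application itself can blunt cookie theft and request forgery. The Python sketch below is an added example, not code from the original article: the function names, the `sid` cookie name, the `csrf` and `subject` form fields and the `SERVER_KEY` secret are assumptions, and the sample subject line is constructed.

```python
import hashlib
import hmac
import html
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, kept server-side


def session_cookie_header(sid):
    """Build a Set-Cookie value that page scripts cannot read and that is
    sent only over HTTPS and only on same-site requests."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True      # never sent over plain HTTP
    cookie["sid"]["httponly"] = True    # invisible to document.cookie
    cookie["sid"]["samesite"] = "Strict"
    return cookie["sid"].OutputString()


def csrf_token(sid):
    """Token bound to one session; embedded in every form the server renders."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf(sid, submitted):
    expected = csrf_token(sid).encode()
    return hmac.compare_digest(expected, (submitted or "").encode())


def handle_send(sid, form):
    """State-changing request: refuse it unless the form carries this
    session's token, and escape message text before echoing it back."""
    if not is_valid_csrf(sid, form.get("csrf")):
        return 403, "rejected"
    return 200, "queued: " + html.escape(form.get("subject", ""))
```

A forged cross-site request arrives without the session-bound token and is rejected, while markup in a message subject is rendered as inert text instead of running in the reader's browser.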

There is, of course, no silver bullet for protecting Web-based email access through a browser interface. However, by integrating a few simple security measures into existing infrastructures, as well as providing users with information about the possible threats and vulnerabilities, organizations can deploy webmail in a way that addresses common risks.

About the author:
Sandra Kay Miller is a technical editor for Information Security magazine with 15 years of experience in developing and deploying leading edge technologies throughout the petroleum, manufacturing, luxury resort and software industries, and has been an analyst covering enterprise-class products for 10 years.

This was last published in May 2008
