Implementation Guidance
Category 4 // Email Security
July 2012


© 2012 Cloud Security Alliance

All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance Security as a Service Implementation Guidance at http://www.cloudsecurityalliance.org, subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Security as a Service Implementation Guidance Version 1.0 (2012).


Contents

1 Introduction 6

1.1 Intended Audience 6

1.2 Scope 6

2 Requirements Addressed 8

2.1 Business Value 8

2.1.1 Leveraging Message Aggregation 8

2.1.2 Rapid Response 8

2.1.3 On Demand Provisioning 9

2.1.4 Advanced Skillset 9

2.2 Key Challenges in Migration of E-Mail to the Cloud 9

2.2.1 Data Security and Protection 9

2.2.2 Regulatory Compliance 9

2.2.3 Data Residency 9

2.3 Solutions Roadmap 10

2.3.1 Standards Based 10

2.3.2 Malware and Spam Protection 10

2.3.3 Identity and Encryption 11

2.3.4 Secure Access 11

2.3.5 Integration with Data Asset Protection Systems 11

2.3.6 Records Retention/Data Destruction 11

2.3.7 System Management and Logging 12

3 Implementation Considerations and Concerns 13

3.1 Considerations 13

3.1.1 Multi-tenancy 13

3.1.2 Portability 13

3.1.3 Programmatic Access 13

3.1.4 Self Service 13

3.1.5 Client Controls 13

3.1.6 Management and Monitoring 14

3.1.7 Integration 14

3.2 Concerns 14

3.2.1 Data Security 14

3.2.2 Regulatory Compliance 14

3.2.3 Data Residency 14

3.2.4 Identity 15

3.2.5 Logging 15

3.2.6 Communications 15

4 Implementation 16

4.1 Architecture Overview 16

4.1.1 Fully Outsourced Email Implementation 17

4.1.2 Email Security Cloud Augmentation to Premise Enterprise Implementations 17

4.2 Guidance and Implementation steps 19

4.2.1 Client Security 19

4.2.2 Submission End-Point, the Mail Submission Agent 20

4.2.3 Mail Delivery Agent 20

4.2.4 Mail Transfer Agent 21

4.2.5 Mail Storage 21

1  Introduction

Electronic mail now plays a vital role in business interactions, among customers, partners and internal staff. It allows data and messages to be transferred easily between senders and receivers over the Internet or internal networks, allowing messages to be received, responded to, stored, forwarded and broadcast among recipients. These extensive capabilities have caused email to be widely adopted as the official communications method for many organizations. Also common for personal use, electronic mail is available through a diverse number of compatible software clients, and also via web browser.

Due to its ubiquitous use, electronic mail is both the prime target of, and primary vehicle for, attacks, and must be protected on both ends: sending and receiving. Email service is a well-defined utility in the enterprise, and securing email in the cloud is similar to securing email in the enterprise. Email Security as a Service (SecaaS) has a few unique aspects, but most responses entail differences of degree, rather than instituting new methods of security.

Email security services come in two models: fully outsourced and enterprise augmentation. The first outsources the entire mailbox and user interface to a cloud provider (either in a single-tenant or multi-tenant model) and the second adds security processing to an existing enterprise email implementation. In a fully outsourced format, the service provider is responsible for monitoring all threats using email as a channel (spam, phishing, malware propagation, etc.) and for providing an email user interface (UI) and possibly assistance to an organization's end users. In the enterprise augmentation model, an existing on-premise email deployment is augmented by additional cloud-based services and functionalities.

This paper explores these common forms of usage and additional extended services (such as identity federation or data loss prevention), and describes best practices for evaluating, developing, installing and using cloud-based email security services.

1.1  Intended Audience

This paper discusses the topic of email security services from two perspectives: the designers of these services and the consumers or purchasers of email security services. Both sides need to be aware of and plan for key service features and how these features are used to mitigate threats to email security.

Section 2 provides an executive level overview of email security services and delivery methodologies, and shows how security threats are mitigated in a cloud based service versus a traditional self-hosted solution. Section 3 presents considerations and concerns that should be part of any conversation regarding the use of Email Security as a Service. Section 4 is a highly technical discussion of typical architectures and the implementation of Email SecaaS using best practices as defined by the industry today, and Section 5 provides lists of both references and useful links to supplement this information.

1.2  Scope

This paper discusses the use of services to mitigate email threats arising from viruses, phishing, spam, denial of service and operational disruptions. A key feature to be addressed is the integration of these security features with an identity system to ensure proper authenticity of messages and service users. Other features covered are email digital signatures, encryption, email archival services, threat detection and prevention services and data loss prevention (DLP).

The scope of this document includes secure implementation of electronic mail services on cloud architectures, including:

·  Common electronic mail components,

·  Electronic mail architecture protection,

·  Common electronic mail threats,

·  Peer authentication,

·  General security on electronic mail servers,

·  Electronic mail message standards,

·  Electronic mail encryption and digital signature,

·  Electronic mail server operating system and application security,

·  Electronic mail content inspection and filtering,

·  Securing mail clients, and

·  Electronic mail data protection and availability assurance techniques.

2  Requirements Addressed

Email is a primary mechanism by which information is created and exchanged in an organization. Email services and email protection services are largely commoditized so all solutions, cloud based or non-cloud based, follow a similar model.

Cloud based vendors may be able to provide organizations with compelling value propositions for fully outsourced email, or for security augmentation services for in house enterprise email implementations. One major advantage to cloud based security is that large vendors can view the aggregated traffic from many organizations, and thereby have early indications and insights into new types of malware and spam floods. This benefit is not available to a single tenant outsourced or single enterprise implementation, which will have to respond after being affected, or await alerts from other sources.

2.1  Business Value

Cloud based vendors offer organizations many methods of securing email services using specialized skills and tools. Organizations utilizing Email SecaaS offerings can:

·  Obtain early response to new forms of malware or spam floods, because their vendor’s multi-tenant model allows them access to message traffic across multiple organizations.

·  Receive rapid deployment of new configurations and updated filtering algorithms because the vendor is able to deploy changes which apply to all clients.

·  Utilize on-demand provisioning for increasing or decreasing usage, thereby eliminating the need for excess capacity for seasonal or unusual events.

·  Utilize the specialized skills and techniques that vendors have developed without investing training and expense in a non-core competency.

2.1.1  Leveraging Message Aggregation

When considering cloud based services, it is often a concern that the multi-tenant model presents risks to data protection. However, with email traffic filtering, this multi-tenant model increases the power of the solution. A vendor is able to correlate message traffic trends and data across multiple sources for many organizations. This provides the vendor with tremendous insight into current threats and intelligence about changing threat models.

This capability is simply not available to an organization that operates an enterprise email system in a single tenant manner. A single tenant or completely in house enterprise email system will never be as effective unless it is augmented with services utilizing a multitenant model.

2.1.2  Rapid Response

The email threat landscape changes rapidly as malware writers and spam operators change tactics to evade filter systems. This arms race results in a need to rapidly deploy new techniques and configurations. Cloud based vendors provide rapid response because they only have to deploy changes once to their infrastructure to provide improvements for many clients. In this way an organization can take advantage of a cloud based vendor’s ability to test and deploy new solutions versus having to investigate, test and deploy the changes individually. This removes the latency many email systems experience in response to changes in threats.

2.1.3  On Demand Provisioning

Email is a key organizational asset and must be available quickly for new users. This usually means an organization must build in excess capacity in anticipation of future demands. There always is a significant amount of underutilized capacity at any one time, which increases costs. Further, a failure to properly predict future demand will leave an organization with an unstable email system which limits the effectiveness of a key business asset.

Because cloud based vendors’ growth is the aggregated demand across many organizations, their growth predictions can be more precise and capacity can be reliably added in advance of demand. Organizations whose needs decrease can easily de-provision services and reduce costs. In this way, costs for a cloud based solution more accurately track the usage curve, making them easier to manage financially.

2.1.4  Advanced Skillset

For most organizations, the implementation and operation of an email system is a business need but not a core competency. For cloud based email and email security vendors, the email system is their core competency and therefore they are able to hire experts in the field and dedicate full time, trained staff to the problem.

In order to have the best trained engineers working on highly efficient email security solutions, an organization may need to turn to a specialized vendor. These vendors likely will be offering a cloud based, multitenant model for their service offerings. SecaaS vendors may offer the most effective solutions to address the email needs of an organization.

2.2  Key Challenges in Migration of E-Mail to the Cloud

2.2.1  Data Security and Protection

The cloud introduces a broad range of security threats, including the possibility of the cloud provider being hacked, the potential for malicious actions by a rogue employee of the cloud provider, and the intermingling of data in a compromised multi-tenant environment.

2.2.2  Regulatory Compliance

Enterprises are subject to an array of regulatory requirements including federal laws such as SOX, varying state data protection measures, The Patriot Act, international laws like the EU Data Protection Directive, and industry-specific regulations (HIPAA, GLBA and PCI DSS). There also are a number of good practices and standards (COSO, COBIT, NIST, ISO) that enterprises adhere to in order to best protect data.

2.2.3  Data Residency

Businesses that have an international presence are faced with the daunting task of complying with the multitude of growing privacy and data residency regulations. To comply, enterprises often pay cloud providers a premium to add costly infrastructure in each jurisdiction.

2.3  Solutions Roadmap

Email security addresses an organization’s needs to provide secure messaging systems for the exchange of information between personnel. Email SecaaS addresses many requirements for information security. These requirements include:

·  The ability to send and receive email in standard formats and protocols,

·  Prevention of malware infections via email,

·  Removal of unwanted spam messages,

·  Strong identification of email users,

·  Securing clients and securing remote access to email,

·  Integration with Data Loss Prevention tools,

·  Retention of email records, and

·  Mail management and logging.

Email security as a service is provided either as a completely outsourced email service or as specific solutions which augment an existing enterprise email implementation. In a fully outsourced implementation, the vendor provides both the email service and the security features in a single solution. In the enterprise add-on solution, an organization augments an in-house email implementation with security services from cloud based security vendors.

Using a cloud provider, an organization should be able to add or remove features or services in small increments on demand, using a single vendor or multiple vendors. This greatly increases flexibility and responsiveness to changing environments and demands.

2.3.1  Standards Based

In any implementation, the security vendor should use industry standard formats and protocols for messaging and message transmission. In particular, all industry standard email protocols have TLS/SSL (Transport Layer Security / Secure Sockets Layer) versions that allow the use of strong encryption to protect all traffic (mailbox passwords as well as message bodies). Vendors should use the encrypted forms of all email protocols for access to, and transmission of, email messages. These protocols should be configured with options which disallow known weak encryption algorithms (such as DES or MD5 hashes) and with options for strong user authentication.
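As an added example (not from the CSA guidance or any vendor's code), the following Python shows one way a mail client or an auditor can enforce what this paragraph asks for: TLS 1.2 as the protocol floor and no DES, 3DES, RC4 or MD5 suites on SMTP submission, IMAPS or POP3S connections. The OpenSSL cipher string, the host and credential parameters and the sample list of server-offered suites are assumptions.

```python
import smtplib
import ssl

# Substrings that identify suites the guidance says to disallow (DES/3DES,
# MD5 hashes) plus other legacy suites no mail service should still offer.
WEAK_TOKENS = ("DES", "MD5", "RC4", "NULL", "EXPORT")

# Constructed sample of what a legacy mail server might advertise; not
# captured from any real system.
SAMPLE_OFFERED = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA",
                  "RC4-MD5", "TLS_AES_256_GCM_SHA384"]

def mail_tls_context():
    """Client-side TLS context for SMTP submission, IMAPS or POP3S:
    certificate verification on, TLS 1.2 as the floor, and an OpenSSL
    cipher string (assumed policy) that excludes DES, 3DES, RC4, MD5 and
    anonymous/export suites."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5")
    return ctx

def weak_suites(names):
    """Return the suite names in `names` that match a weak token."""
    return [n for n in names if any(tok in n.upper() for tok in WEAK_TOKENS)]

def context_is_strong(ctx):
    """True when the context enables at least one suite, none of them weak,
    and will not negotiate anything below TLS 1.2."""
    enabled = [c["name"] for c in ctx.get_ciphers()]
    return (bool(enabled) and not weak_suites(enabled)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def submit_message(host, port, user, password, sender, recipients, msg_bytes):
    """Submit a message over STARTTLS with the hardened context. smtplib
    raises SMTPNotSupportedError if the server lacks STARTTLS, so there is
    no silent fallback to plaintext. All parameters are caller-supplied."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls(context=mail_tls_context())
        smtp.login(user, password)
        smtp.sendmail(sender, recipients, msg_bytes)
```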

Vendors should adopt operational methods which adhere to industry standards and best practices. Infrastructure should be deployed and built to pass strong physical security standards such as SSAE 16 (or the older SAS 70) so that the service foundations can be trusted. Further, guidance should be followed for the proper maintenance of services. This guidance can take the form of COBIT, COSO, ISO 27000, CSA Guidance, or industry regulations such as HIPAA, Sarbanes-Oxley and others.

2.3.2  Malware and Spam Protection

Malware and spam are the primary threats to the operation of an email system. Vendors provide a variety of solutions to mitigate these threats. Use of an in house or single tenant hosted email system limits the effectiveness of any solution. In a multi-tenant cloud based solution, the security provider is able to correlate message traffic across multiple organizations to get richer data regarding malware and spam floods, which in turn provides earlier detection with greater accuracy.