Corporate email systems are vital to the successful operation of a business. They hold sensitive data that must never be exposed to outside parties, yet users expect flexible access from a wide range of devices and locations.
Andrew Quinn and Nigel Robson discuss the myriad security, regulatory and corporate compliance issues facing organisations today.
How can we ensure that our data is safe and accessible, and that our corporate image is presented in a consistent and defined manner?
2. Email and your Business
• Primary method of business communications
• Stores critical business data
• One of the main sources of data leaks
• Your organisation’s identity
• Your electronic ambassador
4. Protecting your Identity
• Your domain is your identity on the internet
• People recognise this and trust it
• It’s important to protect this asset
• It’s incredibly easy to fake!
6. Protecting your Identity:
Sender Policy Framework (SPF)
• Allows receiving mail servers to check the sending domain’s identity via public records (DNS)
• Addresses of authorised mail servers are published in a TXT record in public DNS
• If an email arrives from an address that is not listed, the receiver treats it as unauthorised: a record ending in “-all” asks receivers to reject it, “~all” only to soft-fail it (accept but mark as suspicious)
• SPF is free to set up
• Make sure you can list everything that sends emails from your domain (marketing tools, ticketing systems, hosted services), or legitimate mail will start failing
• Caveat: SPF checks the envelope sender (the SMTP MAIL FROM address), not the From: header the user sees; a forger can still put any name in the From: header unless the receiver also checks that the two align (DMARC)
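As an added example (not code from the slides or from Waterstons), the following Python evaluates an SPF record the way a receiving server does: the connecting IP is tested against each mechanism in turn and the qualifier on the first match decides the result, with “-all” giving the hard fail the slide describes and “~all” only a soft fail. The DNS table, domains and addresses are constructed for the demonstration so it runs offline; the same logic applied to the telnet demo in the speaker notes would return “fail” for any host the domain owner has not listed.

```python
"""Offline SPF evaluator (added example). DNS is replaced by a constructed
in-memory table so the code runs without network access; the domains and
addresses below are invented for the demonstration.
"""
import ipaddress

# Constructed TXT records (assumption: none of these are real domains).
DNS_TXT = {
    "example.com": ("v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 "
                    "include:_spf.mailvendor.example -all"),
    "_spf.mailvendor.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.10 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological record
}

# RFC 7208 s.4.6.4: more than 10 DNS-querying mechanisms is a permanent error.
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=DNS_TXT, _lookups=None):
    """Evaluate SPF for `ip` claiming `domain` as the envelope sender (MAIL FROM).

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    `_lookups` is a shared counter so nested includes draw on one budget.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = dns.get(domain.lower())
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                   # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: -all / ~all decide here
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"        # malformed address in the record
            if addr in net:               # False when the IP versions differ
                return QUALIFIERS[qualifier]
            continue
        if name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, arg, dns, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"        # RFC 7208 s.5.2: broken include is an error
            continue
        # a, mx, ptr, exists and redirect need live DNS; unsupported offline
        return "permerror"
    return "neutral"                      # nothing matched and no "all" mechanism


def receiver_action(result):
    """Map the SPF result to what a typical receiving server does with it."""
    if result == "fail":
        return "reject"                   # domain said -all: unlisted sender is a fake
    if result == "softfail":
        return "accept-and-mark"          # ~all: accept, but treat as suspicious
    return "accept"                       # pass / neutral / none / permerror


if __name__ == "__main__":
    # The last address is a host the domain owner has not listed trying to
    # send as example.com, the situation the spoofing demo creates.
    for ip in ("203.0.113.10", "192.0.2.5", "203.0.113.99"):
        res = check_spf(ip, "example.com")
        print(f"{ip:>15} as example.com -> {res:9} ({receiver_action(res)})")
```

The shared lookup counter is what stops a self-including record (or a long chain of vendor includes) from turning a check into unbounded DNS traffic; real receivers return permerror at the same limit, which is why a record that includes too many third-party senders can silently stop protecting the domain.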
8. Email is NOT Secure
• Email is NOT a secure communications channel
• Emails can easily be intercepted, viewed, altered and forwarded on
• Sensitive information should never be sent via email unless security is enhanced
10. Email is NOT Secure: Transport Layer Security (TLS) (diagram: TLS encryption between mail servers)
11. Email is NOT Secure:
Transport Layer Security (TLS)
• Secures messages in transit between mail servers; each server still decrypts the message on receipt, so this is hop-by-hop protection, not end-to-end, and it does nothing for mail at rest
• Newer email systems support basic functionality out of the box
• Some organisations will not do business with you without it
• Can be configured for “best efforts” (opportunistic STARTTLS, falling back to clear text if the other side cannot negotiate TLS) or guaranteed security (mandatory TLS for a given domain or connector, where the message is queued rather than sent in the clear)
13. Mobile Device Management (MDM)
• The majority of organisations allow employees to access corporate email from mobile devices
• Emails contain sensitive data, which is stored on the device and usually not encrypted
• What happens if that device is lost or stolen?
• Approx. 300 mobiles stolen in London per day
• Approx. 20,000 UK mobiles lost or stolen per day
14. Mobile Device Management (MDM)
• MDM allows corporate devices to be managed centrally
• Policies can be applied to all devices, independent of make and model
• Devices can be forced to be encrypted
• Devices can be remote wiped if required
• Microsoft Exchange provides basic MDM via ActiveSync mailbox policies (device PIN/password, encryption requirement, remote wipe), but more granular control can be provided by other products
15. Journaling & Archiving
• Two phrases which are often mixed up
• Serve different purposes
• Archiving – moving data to alternate storage for long term retention
• Journaling – keeping a separate, immutable copy of messages sent & received
18. Why Journal?
• Compliance with retention policies
• Provide an electronic paper trail
• Prove what was said / agreed
• Information cannot be lost when people leave
19. Journaling Considerations
• If the email is modified in order to copy it (e.g. silently adding a BCC address), it may not stand up in court
• If end-users can access the “journal”, it is an “archive”
• Access to journaled messages should be audited
20. Data Loss Prevention
• Email is one of the largest sources of data leaks
• Data leaks are usually accidental
• Once an email is sent, you can’t get it back!
21. Data Loss Prevention
• Technology to manage the exposure of information is built into the Microsoft platform
– Windows
– MS Office (Word, Excel, PowerPoint, Outlook, …)
– Exchange Server
• Lots of acronyms…
– Rights Management Services (RMS)
– Information Rights Management (IRM)
– Message Classification
– File Classification Infrastructure (FCI)
– Data Loss Prevention (DLP)
22. Data Loss Prevention
• Add Classification
– Provides information
– Can be used for file system security
• Apply Rights Management
– Restricts data usage even when you have access
• Process can be automated
23. Data Loss Prevention
(diagram: so what does this do for us?)
• Classification – the message is labelled “This is confidential. Don’t distribute it!”; Outlook warns the sender, and Exchange blocks sending
• Rights Management – the recipient can’t open the message
26. Signature Management
Andrew Quinn - Executive Consultant: Infrastructure Technology
Office: 0845 094 094 5 | Mobile: 07710 374895 | Website: www.waterstons.com
Waterstons Limited. Registered in England and Wales No. 3818424
Our registered office is at Liddon House, Belmont Business Park, Durham, DH1 1TW
DISCLAIMER:
The information contained in this email is intended for the named recipient only. It may contain
confidential information. If you are not the intended recipient, you must not copy, distribute or
take any action in reliance on it. Please note that neither Waterstons Limited nor the sender
accepts any responsibility for viruses and it is your responsibility to scan attachments (if any).
Demo (speaker notes): forging a message by typing SMTP commands straight at the server:
telnet exch.demo.local 25
ehlo
mail from:mike.waterston@waterstons.com
rcpt to:administrator@demo.local
data
From: Mike Waterston <mike.waterstons@waterstons.com>
To: Administrator <administrator@demo.local>
Subject: Go home!

I'm declaring today a holiday. Everyone can go home.
.
quit
Demo rules (speaker notes):
• Credit card number – sends to admin for approval
• Profanity (“holiday”) – user can override
• IP address – override and report to admin
• “Research” classification – applies RMS template
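As an added example covering slides 21 to 23 and the four demo rules above (not Exchange’s own code, and not the speakers’ demo), the following Python runs the kind of content checks a DLP transport rule performs over constructed sample messages. The card-number check pairs a regex with the Luhn checksum so that an arbitrary 16-digit order reference is not a false positive; the word list, rule names, actions and messages are all invented for the demonstration, and the card numbers used are published test numbers.

```python
"""DLP transport-rule content checks (added example, not Exchange code).
Messages, keyword list and actions are constructed for the demonstration.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Dotted-quad IPv4 with each octet in 0-255.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Constructed word list standing in for the demo's "profanity" rule.
BLOCKED_WORDS = {"holiday"}

# Rule name -> action taken when the rule fires (mirrors the demo rules).
ACTIONS = {
    "credit card number": "hold for admin approval",
    "blocked word": "warn sender, allow override",
    "ip address": "warn sender, allow override, report to admin",
    "research classification": "apply RMS template",
}


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812) that payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text):
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def classify(message):
    """Apply the rules to a message dict with 'subject', 'body' and an
    optional 'classification'. Returns the (rule, action) pairs that fired."""
    text = message["subject"] + "\n" + message["body"]
    hits = []
    if find_card_numbers(text):
        hits.append(("credit card number", ACTIONS["credit card number"]))
    words = set(re.findall(r"[a-z']+", text.lower()))
    if words & BLOCKED_WORDS:
        hits.append(("blocked word", ACTIONS["blocked word"]))
    if IPV4_RE.search(text):
        hits.append(("ip address", ACTIONS["ip address"]))
    if message.get("classification", "").lower() == "research":
        hits.append(("research classification", ACTIONS["research classification"]))
    return hits


# Constructed sample messages (card numbers are published test numbers).
SAMPLES = [
    {"subject": "Go home!", "body": "I'm declaring today a holiday. Everyone can go home."},
    {"subject": "Payment", "body": "Please charge 4111 1111 1111 1111, expiry 12/29."},
    {"subject": "Order", "body": "Your reference is 4111 1111 1111 1112."},
    {"subject": "Outage", "body": "The server at 10.0.0.5 is down again."},
    {"subject": "Draft", "body": "Results attached.", "classification": "Research"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["subject"], "->", classify(msg) or "no rule fired")
```

The “Order” message shows why the checksum matters: it contains a 16-digit number that differs from a valid card number by one digit, and a regex-only rule would hold it for approval. A real deployment would extend the word list, add a Luhn-free fallback for reporting-only rules, and feed the “report to admin” action into the incident-reporting mechanism of the mail platform.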
Demo (speaker notes): show Exclaimer Mail Disclaimers on dur-vmmail-01. Show the following templates for a good idea of capabilities:
• Waterstons Standard Email Signature
• Disclaimers
• Companies Act 1985
• Business Cards\Signatures
• Orbit Illustration Business Card
• Exclaimer External
• Letterhead style
• Outgoing Style 2
• Letterhead 1 – eSpiral
• xChange Letterhead