Corporate email systems are vital to the successful operation of a business. They can contain sensitive data which should never be exposed to outside parties and needs to be totally secure; whilst providing users with flexible access from a wide range of devices and locations. Andrew Quinn and Nigel Robson, discuss the myriad of security, regulatory, and corporate compliance issues facing organisations today. How can we ensure that our data is safe and accessible, and that our corporate image is presented in a consistent and defined manner?

1. Messaging: Protecting your
Data and your Reputation
Andrew Quinn & Nigel Robson
1/11/2013

2. Email and your Business
• Primary method of business
communications
• Stores critical business data
• One of the main sources of data leaks
• Your organisation’s identity
• Your electronic ambassador

4. Protecting your Identity
•
•
•
•
Your domain is your identity on the internet
People recognise this and trust it
Its important to protect this asset
It’s incredibly easy to fake!

5. Sender Spoofing Demo

6. Protecting your Identity:
Sender Policy Framework (SPF)
• Allows receiving mail servers to check
domain identity via public records (DNS)
• Addresses of authorised mail servers added
to public DNS records
• If an email comes from an unlisted address
it’s a fake
• SPF is free to set up
• Make sure you can list everything that sends
emails from your domain!

7. Protecting your Identity:
Sender Policy Framework (SPF)

8. Email is NOT Secure
• Email is NOT a secure communications
channel
• Emails can easily be intercepted, viewed,
altered and forwarded on
• Sensitive information should never be sent
via email unless security is enhanced

9. Email Capture Demo

10. Email is NOT Secure:
Transport Layer Security (TLS)
TLS Encryption

11. Email is NOT Secure:
Transport Layer Security (TLS)
• Secures messages in transit
• Newer email systems support basic
functionality out of the box
• Some organisations will not do business
with you without it
• Can be configured for “best efforts” or
guaranteed security

12. A Familiar Story?

13. Mobile Device Management (MDM)
• Majority of organisations allow employees to
access corporate email from mobile devices
• Emails contain sensitive data, which is stored
in memory, and usually not encrypted
• What happens if that device is lost or stolen?
• Approx. 300 mobiles stolen in London per
day
• Approx. 20,000 UK mobiles lost or stolen per
day

14. Mobile Device Management (MDM)
• MDM allows corporate devices to be
managed centrally
• Policies can be applied to all devices
independent of make and model
• Devices can be forced to be encrypted
• Devices can be remote wiped if required
• Microsoft Exchange provides basic MDM via
ActiveSync but more granular control can be
provided by other products

15. Journaling & Archiving
• Two phrases which are often mixed up
• Serve different purposes
• Archiving – moving data to alternate
storage for long term retention
• Journaling – keeping a separate,
immutable copy of messages sent &
received

16. Journaling & Archiving

17. Why Archive?
•
•
•
•
Reduce storage costs
Improve scalability
Provide longer-term storage to users
Eliminate a reliance on PST files

18. Why Journal?
•
•
•
•
Compliance with retention policies
Provide an electronic paper trail
Prove what was said / agreed
Information cannot be lost when people
leave

19. Journaling Considerations
• If the email is modified in order to copy it
(e.g. silently add BCC address), it may not
stand up in court
• If end-users can access the “journal”, it is
an “archive”
• Access to journaled messages should be
audited

20. Data Loss Prevention
• Email is one of the largest sources of data
leaks
• Data leaks are usually accidental
• Once an email is sent, you can’t get it
back!

21. Data Loss Prevention
• Technology to manage the exposure of information
is built into the Microsoft platform
– Windows
– MS Office (Word, Excel, PowerPoint, Outlook,…)
– Exchange Server
• Lots of acronyms…
–
–
–
–
–
Rights Management Services (RMS)
Information Rights Management (IRM)
Message Classification
File Classification Infrastructure (FCI)
Data Loss Prevention (DLP)

22. Data Loss Prevention
• Add Classification
– Provides information
– Can be used for file
system security
• Apply Rights
Management
– Restricts data usage
even when you have
access
• Process can be
automated

23. Data Loss Prevention
Rights Management...
Classification...
So what does this do for us?
This is confidential.
Don’t distribute it!
Recipient blocks
Exchangecan't sending
Outlook warns open
blocks

24. Data Loss Prevention Demo

25. Branding
•
•
•
•
Present a consistent corporate image
Provide contact details
Support marketing campaigns
Comply with legal requirements

26. Signature Management
Andrew Quinn - Executive Consultant: Infrastructure Technology
Office: 0845 094 094 5 | Mobile: 07710 374895 | Website: www.waterstons.com
Waterstons Limited. Registered in England and Wales No. 3818424
Our registered office is at Liddon House, Belmont Business Park, Durham, DH1 1TW
DISCLAIMER:
The information contained in this email is intended for the named recipient only. It may contain
confidential information. If you are not the intended recipient, you must not copy, distribute or
take any action in reliance on it. Please note that neither Waterstons Limited nor the sender
accepts any responsibility for viruses and it is your responsibility to scan attachments (if any).

27. Email Branding Demo

28. Q&A
Coming up…
Messaging: Harnessing the Cloud
15th November 2013