Email Security & Management - The Next Generation
While email has become an integral part of business communications, enterprise email systems remain largely vulnerable to various threats. These internal and external threats diminish the continuing viability and usefulness of email systems for business. In addition, regulatory compliance requirements (e.g. the Sarbanes-Oxley and HIPAA acts) that mandate proper audit and archival of all electronic communications add further complexity to corporate email security and content management. This paper highlights some of the most critical aspects of the next generation of email security solutions in relation to the current state-of-the-art.
Email is a quick, cheap and easy means of information exchange. This makes email a great business communication tool, but at the same time presents major challenges and security risks for businesses. More than 80% of email traffic consists of unwanted email (spam and viruses), and discerning good from bad has become extremely difficult. Unwanted email is costing businesses $22 billion in lost productivity, and an additional $10 billion in IT expenses each year. Unprotected corporate email systems result in loss of mission-critical data, lack of accountability and increased legal liability. In addition, email fraud (phishing) and lack of authentication cause further distrust among consumers towards the online banking industry and disrupt the $3.9 trillion global e-commerce market. Also, there are no credible means for archival and tracking of email for regulatory compliance and audit. Hence, there is a need for a much more comprehensive approach to enhance email security, accountability and productivity.
Intelligent Email Filtering - Although many choices exist for anti-spam products, most are flawed due to their constrained approach. At the fundamental level, these work as "content-censoring" solutions - making autonomous decisions as to what should or should not go to the user's in-box. Such a "big-brother" approach is highly questionable in today's free world. At the technology level, the current solutions are based upon BINARY filtering - offering ONLY 2 possible options - e.g. spam or non-spam. However, what is junk for one person may be useful for another, as the definition of junk is highly subjective. Also, most content filtering technologies rely upon "BLACK-LISTING" - rejecting email from certain senders/IP addresses, or blocking certain words like "Viagra". Ironically, a legitimate email communication between a patient and his doctor/pharmacist may include the word "Viagra", which would be automatically filtered out as junk by most anti-spam products. In a recent case-study, an email containing the word "Bombay" was rejected by a popular anti-spam product, because it matched "bomb".
Current anti-spam products also make a flawed assumption that all un-solicited email is always un-desired. In reality, individual users may react differently to un-solicited marketing campaigns, depending upon their needs and relevance. For example, a home-owner looking to refinance his home-loan may welcome unsolicited email about low mortgage rates. Similarly, a travel agent may be interested in knowing about low airfares and vacation packages offered by other agencies.
These flaws lead to mis-identification of good email (also known as "false positives"). This could be very damaging and expensive if an important email does not reach its recipient. That blocked email could be from a valuable customer, or may have significant financial or business consequences. Some recent research has indicated that the cost of "Lost Opportunities" from losing genuine emails is significantly higher than the relief of stopping unwanted email.
The next generation of email filtering solutions should empower the enterprise policy-maker as well as the individual user to control what kind of email is "Wanted" or "Un-wanted". This can be achieved through POLYNOMIAL (multi-dimensional) filtering - thus providing an UNLIMITED number of options to sort the email into various categories and sub-categories (as opposed to only 2 options with the current approach of BINARY filtering). This offers FULL CONTROL, SUBJECTIVITY and CUSTOMIZATION at every level - from the enterprise all the way down to the individual level. Also, by incorporating Artificial Intelligence and natural language analysis techniques, the overall email context can be determined. This context can be further matched with Corporate Policies and Individual Preferences to determine the relevance of each email to its recipient.
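The contrast between binary substring black-listing and multi-category, preference-aware sorting, as an added example that is not from the paper or from any product. The category vocabularies, function names and sample messages are constructed for illustration, and simple whole-word matching stands in for the natural language analysis the paper envisions.

```python
import re

# Constructed category vocabularies (illustrative assumptions, not from the paper).
CATEGORIES = {
    "pharma":   {"viagra", "prescription", "pharmacy"},
    "mortgage": {"mortgage", "refinance", "rates"},
    "travel":   {"airfare", "airfares", "vacation"},
    "threat":   {"bomb", "explosive"},
}

def naive_blacklist(text, banned=("bomb", "viagra")):
    """Binary substring black-listing: the approach the paper criticises."""
    low = text.lower()
    return any(word in low for word in banned)

def categorize(text):
    """Count whole-word hits per category instead of substring matches."""
    tokens = set(re.findall(r"[a-z]+", text.lower()))
    return {name: len(tokens & vocab)
            for name, vocab in CATEGORIES.items() if tokens & vocab}

def route(text, enterprise_block, user_wanted):
    """Enterprise policy is applied first, then the recipient's preferences."""
    cats = categorize(text)
    if any(c in enterprise_block for c in cats):
        return "block"                      # corporate policy overrides the user
    if not cats:
        return "inbox"                      # nothing categorised: deliver normally
    if all(c in user_wanted for c in cats):
        return "folder:" + max(cats, key=cats.get)
    return "quarantine"                     # held for review, not silently dropped

if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        "Flight to Bombay confirmed for Monday",
        "Your Viagra prescription is ready at the pharmacy",
        "Refinance now: low mortgage rates",
    ]
    policy = {"threat"}                     # enterprise-wide blocked categories
    homeowner = {"mortgage", "pharma"}      # one user's wanted categories
    for msg in samples:
        print(naive_blacklist(msg), route(msg, policy, homeowner), "|", msg)
```

The same mortgage message is filed for a recipient who opted in and quarantined for one who did not, which is the per-user subjectivity a two-way spam/non-spam decision cannot express.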
Risk Management - The current generation of email security solutions provides protection only from a limited number of external threats such as spam and viruses, whereas businesses are increasingly facing a bigger threat from email communications originating from inside. Therefore, the next generation of email security solutions should help mitigate risks by preventing inappropriate and unauthorized email from being transmitted via a corporate network. At the very minimum, the following critical needs must be addressed:
- Limit Legal Liability - In most cases the employer is held responsible for all the information transmitted on or from their systems. As a result, inappropriate emails can result in multi-million dollar penalties. Therefore, businesses must deploy email security systems that not only prevent pornographic content from reaching employees' inboxes, but also prevent employees from sending indecent and libelous email (e.g. sexual harassment, offensive jokes) to fellow employees, or to others outside the company.
- Protect Confidential Information - Most confidentiality breaches occur from within the company. These breaches can be accidental, for instance by selecting a wrong contact in the "To:" field. However, confidentiality breaches can also be intentional. Whether it is by mistake or on purpose, the loss of confidential data has severe negative consequences for businesses. Therefore the next generation email security solutions must prevent inadvertent or deliberate disclosure of sensitive corporate information and intellectual property via email.
- Prevent Virus Outbreaks - While current email filters scan incoming email for viruses, individual computers may still get infected by means of other virus carriers (e.g. floppy-disks, CDs), and internet-borne threats (e.g. software downloads, spyware, etc.). These infected computers, in turn, spread viruses via outbound email, and even launch spam and phishing attacks. Such outbound threats present major legal liability, and the risk of getting a company black-listed forever. Therefore the next generation email security solutions must scrub each outgoing email message, and prevent internal computers from inadvertently spreading viruses to others inside and outside the network.
- Monitor Suspicious Communications - Businesses must also implement email security policy and automated systems to screen inbound and outbound email communications with undesirable entities that might have ulterior motives (e.g. competition, head-hunters). And, in the event of a questionable activity, alert the appropriate supervisor (possibly with a message copy). The practice of email monitoring could also be of help in a court of law, since it shows that the company is serious about preventing offensive messages and unlawful use of the email system.
Accountability - The next generation of email security solutions must focus on increasing the accountability and credibility of all business email communications. At the very minimum, the following critical needs must be addressed:
- Audit - Track each inbound and outbound message, and provide extensive logs of message transport with time-stamp and other important data (sender, recipient, subject, etc.)
- Archival - Secure external archival of inbound and outbound email offers the ultimate protection against accidental loss of important email - just in case the internal email systems are compromised (e.g. hardware failure, unintentional deletion of email, or deliberate foul-play). Archival must also include permanent storage on off-line storage devices and digital media (tapes, CD, DVD, etc.)
- Regulatory Compliance - By offering secure and auditable message archival, the next generation email security systems should facilitate regulatory compliance, discovery resolution and other legal requirements. They should also constantly adapt to newly emerging compliance requirements, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and other mandates. Even in situations where these regulatory requirements are not directly applicable, it is generally advisable to implement audit and secure archival of email, as a matter of "best practices".
- Independent 3rd-Party Certification - Add credibility to outbound email by verifying:
  - Sender Authentication - that the message did indeed originate from the said company (domain or IP address)
  - Content Cleansing - that the message has been scrubbed, and is free from viruses, worms and other malicious content
  - Proof of mailing - that the message was sent and logged at an external server
  - Proof of delivery - that the message was received and logged at an external server
Productivity - The next generation of email management solutions should also increase work-place productivity by eliminating un-wanted, non-work related email. In addition, as the volume of "good" email becomes overwhelming, they must provide better tools to efficiently manage the employee's inbox. At the very minimum, the following critical needs must be addressed:
- Personalize Preferences - sort messages into multiple categories (e.g. Health & Fitness, Finance & Investment, etc.) depending upon content and sender
- Prioritize - manage email efficiently by organizing messages depending upon their importance (e.g. email from a client could be given higher priority, whereas a news-letter may have less priority)
- Selective Delivery - message routing to a variety of individual email devices (e.g. email from a client could be routed to a mobile-phone, whereas personal email could be routed to a yahoo account)
- Prevent False-Positives - reduce anxiety and time wasted in looking for good messages mistakenly identified as spam and thrown in the trash-can (quarantine)
- Delivery Assurance - screen outbound messages for common spam language, and suggest modifications to avoid being blocked by other spam-filters
- Monitor Non-Productive Usage - prevent inappropriate usage of corporate email systems (e.g. for personal use, job-search)
"Outsourced" Delivery Model - Most of the email security solutions at present are sold as "products" requiring software/hardware purchase, installation, maintenance, updates, and ongoing I.T. overheads. Also, the traditional client and server software, and hardware "appliance" solutions reside inside the corporate firewall and don't go far enough. Such on-site (inside the perimeter) solutions leave corporate email systems directly exposed to external threats and vulnerabilities. They also drain internal computing resources (networks, computers), thus severely impacting system health, performance and integrity. Their added burden of physical deployment, administration, resource utilization, updates, and product obsolescence can overwhelm the I.T. staff, and under-serve the enterprise as well as the end users.
Therefore, it is imperative that the next generation of email security solutions evolve into a managed service delivery model that requires no hardware or software to install or maintain, and absolutely zero I.T. overheads. Such a hosted, "software-as-a-service" solution resides on the Internet, and identifies, intercepts and detains un-wanted email before it clogs corporate networks, servers or individual computers. By keeping "bad" email away from mission critical infrastructure, the security and integrity of internal email systems are never compromised.
The next generation of email security solutions must go beyond spam and virus protection, and encompass a wide range of issues including risk management, policy enforcement, IP protection, authentication, tracking, secure archival and audit compliance. Also, an "Outsourced" managed service delivery model would enable businesses to focus on their core competence, rather than the distractions of defending their email systems against increasingly challenging and time-consuming threats.