Email security is one of those things that most IT departments are not sure how to do right. “Right” is up to interpretation, though “thorough” is something that can be more easily attained. I will go over my Home Run approach to securing email in this post. As you may have guessed, the Home Run approach consists of 4 bases of security to cover, to further secure your network, other computers on the network, your clients’ and friends’ networks, and of course, your intellectual property.
Rounding First Base
The first base you want to cover is a proactive approach to securing your own computers and network against email security breaches from the outside. These vulnerabilities come in the form of SPAM, email viruses and Trojans, spyware and the gamut of email security issues your company needs to protect against for incoming email. This is likely something you are already doing; however, some ways are better than others at making your protection services and configurations effective.
This first, seemingly easy step involves the simple implementation of an anti-virus software product that is comprehensive. By comprehensive I mean that you should use a product that has specific features relating to email, email programs, email communications and centralized management. There are several choices out there, but for more than 12 years, we have trusted Symantec’s products with great success. Simply installing a product is not enough; installing it right is key. Here is where interpretation standardizes.
Best practices dictate that your IT team be very thorough in configuring the myriad of options to appropriately protect each computer for its role and utilization (desktop, laptop, server, PDAs, etc.) in the network. Never leave the configuration up to the end user…that’s rule number 1. Using the default configurations in place is a good way to complete a rollout in quick order, but you can’t leave it this way for too long.
Rounding Second Base
OK, so you now have your internal virus and protection services in place. This means that you have protected your computers from outside vulnerabilities for email and likely many other issues for web browsing, data infections, and more. It’s time to help these internal systems work more efficiently by enabling protection services outside of your network. This is protection against email-borne vulnerabilities before they actually hit your network and computer devices internally.
Turning to services like MXLogic, Postini and Symantec mail filtering services is one of the best defenses against email vulnerabilities. These services filter and scan your email before your network gets it, as well as before your clients and friends receive email from you. They scan email for SPAM and a complex array of vulnerabilities before the email gets to your systems. Additionally, these services can be configured to scan the emails you send out as well. This further protects your clients against any security issues you may actually have internally that you may not be readily aware of.
Your Internet reputation is also very important. The last thing you want is to be put on a SPAM list. This means your email is being tagged as SPAM or having security issues associated with it. The services mentioned above, among dozens of other SPAM lists, can list your domain or even your mail server IP address in their lists. If this happens, your email will not get to its destination, and when a client knows you are on a SPAM list, it can hurt your business reputation as well as your reputation on the Internet as a whole.
Rounding Third Base
Protecting the edge of your network is usually a given for most companies. The edge refers to that point that is not considered your internal network, nor the public network, but is your responsibility to secure. For most companies, this edge is protected by a firewall device. If you are not familiar with what a firewall is and does, here’s a quick primer. The firewall is that swinging arm that prevents you from entering or exiting a parking garage. Unless you get a ticket, the arm will not rise and allow you to enter. Similarly, if you don’t pay for the parking, the arm will not rise to let you out. A firewall is that arm that governs what can enter your network, as well as leave it.
Configuring a firewall to effectively allow access to your internal systems from the outside is the standard. Consider the parking garage with multiple entrances and exits. Some may be active and others not. In firewall terms, these entrances and exits are called ports. Appropriately configuring your firewall to allow specific types of traffic into your network requires that certain ports be opened in the configuration. Similarly, allowing specific traffic to exit your network also requires that certain ports be opened. To summarize, firewalls must be configured to filter ingress and egress traffic, though most IT staffers will only configure the ingress portion.
Egress filtering, again, controlling what is allowed to exit your network, not only helps to protect against spreading vulnerabilities to others, but also helps to control what types of Internet services users are allowed to use, such as Internet mail, external file storage, music and radio services, etc. These services utilize ports to transmit their traffic, and by closing those ports, a user is not allowed or able to access them. With today’s technology and Internet programming capabilities, blocking ports is not always enough. Let’s also not forget about VPNs, secure remote access and other roles a firewall can play. I’ll get into those in more detail in another post.
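To make the ingress-only gap concrete, here is an added example (not from the original post) that audits an iptables-save dump from a Linux gateway for egress filtering. The two rulesets, the 192.0.2.10 mail server address, and the policy that only the mail server may send outbound SMTP on port 25 are assumptions made for illustration.

```python
import shlex

# Constructed iptables-save dumps for a Linux gateway (sample data).
INGRESS_ONLY = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
"""
WITH_EGRESS = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.0.2.10/32 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
MAIL_SERVER = "192.0.2.10/32"  # assumed: the only host allowed to send SMTP out


def _opt(tokens, flag):
    """Value following an option flag, or None (negated matches not handled)."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit_egress(dump, mail_server=MAIL_SERVER, chain="FORWARD"):
    """Return findings about outbound filtering in the given chain."""
    findings, policy, smtp_sources = [], None, []
    for line in dump.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]  # default action for unmatched packets
        elif line.startswith(f"-A {chain} "):
            tok = shlex.split(line)
            if _opt(tok, "-j") == "ACCEPT" and _opt(tok, "--dport") == "25":
                smtp_sources.append(_opt(tok, "-s") or "any")
    if policy != "DROP":
        findings.append(f"{chain} policy is {policy}: egress is unfiltered")
    for src in smtp_sources:
        if src != mail_server:
            findings.append(f"port 25 egress allowed from {src}")
    return findings


if __name__ == "__main__":
    for name, dump in (("ingress-only", INGRESS_ONLY), ("with egress", WITH_EGRESS)):
        print(name, "->", audit_egress(dump) or "no findings")
```

The first ruleset filters what comes in but lets every internal host send on any port, which is the ingress-only configuration described above; the second drops forwarded traffic by default and opens port 25 only for the mail server.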
Heading Home
Well, now you’re heading home and completing the home run approach. The last piece of this helps to protect intellectual property, improve employee efficiency and productivity, as well as security. As noted above, you can open and close ports on a firewall to help block or allow certain services, but today’s programming of Internet services happens over the familiar port 80. This port is the default for Internet browsing, so you can’t close it, unless your company doesn’t need or require Internet browsing at any level. So how do you filter content that is now user related? Another tool….
There are several mainstream Internet filtering services, plug-ins, software applications, and many with direct firewall integration. Applications such as Websense, among many others, will actually filter websites and their content. You can block/allow anything from adult materials to shopping to Internet email services and music or streaming video. You can also filter for incoming/outgoing file types, such as executable programs, documents, ZIP files and more. Why is this all important?
Filtering what a user can access over the Internet, such as remote storage or email services, allows you to secure your intellectual property from unauthorized distribution. Increasing efficiency and productivity is also easily handled by limiting what users can/cannot do on the Internet while at work. If they can’t shop, chat with friends, do their banking, Facebook, etc., they will have more time to actually get their work done. More work getting done allows you to do more business…dollars make sense here!
One thing you also must keep in mind is the overall work environment. Some companies may not have intellectual property they think is all that important if it was leaked, etc. Or, the employee environment has been loose enough over time that drastic changes may affect employee morale. Just keep in mind, it’s your company, your clients and longevity that you are risking in the end. Acceptable use policies, to be discussed in another post, let your employees know what you expect of them, and they can help to protect you and your business in the end.
Well, now that you know what the home run approach is, it’s time to consider what to implement and how, and this is how we can help. If you need help assessing your options and approaches, and even the implementation, do not hesitate to contact me.