
With email now used as the primary tool for business communication, protecting the privacy and security of email messages is critical. Most organizations use email on a daily basis to transmit, store and share confidential information with remote offices, employees, partners, or customers. Unfortunately, with increasing frequency, email messages are being intercepted and read by persons other than the intended recipient. Though this intrusion is far from commonplace, email security is important for all industries that deal with confidential information daily, particularly the legal, medical and financial industries, where the disclosure of private, sensitive information could be disastrous.
As firewalls battle to secure the corporate perimeter, intruders are beginning to focus on what many consider the "weakest link" in network security: email. These intruders are targeting internal email systems, including Microsoft Exchange and Lotus Notes, to disrupt and violate corporate networks. These threats come in many forms: viruses, spam, offensive emails, and, most importantly, the corporate liability associated with content exposure. The two main approaches for securing your email and minimizing the risks of content exposure are email security appliances and email encryption.
Security appliances are available to protect the email server from outside intruders. The appliance accepts all inbound email and validates the sending server (which also helps eliminate spam). The email server does not communicate directly with the Internet, but rather through the security appliance. This arrangement prevents hackers from accessing the email server directly through the Internet. Some email protection appliances also allow encrypted email transmission to remote offices, partners, or other corporate email systems. An appliance of this kind also enables end users to send and receive messages securely using the mail client of their choice, including Microsoft Outlook, Outlook Express, and Netscape Messenger.
Leapfrog's approach to protecting email in transit is its SecureMail℠ platform. Leapfrog's SecureMail is offered to our clients in a cost-effective monthly format, as an alternative to purchasing and managing email security appliances in-house. SecureMail also protects our clients' email systems from malicious Denial of Service attacks, viruses, worms and spam.
For further information on appliance-based email security, refer to the CipherTrust website.
Another security solution is email encryption. Encryption is available to ensure that email is not read while in transit or read by anyone other than the intended recipient. Application plug-ins are available for popular email readers such as Microsoft Outlook that can encrypt messages sent to any recipient. Encryption requires that the recipient have access to a key to decode the message. This key is specific to you, the sender, and is used to decode messages you have sent as well as encode messages sent to you. This key is called a public key. A private key is used to encode messages that you send to other recipients. Although this solution is secure from prying eyes during transit, it does require that the recipient have the key to read the message. The text appears scrambled without the key. Public keys can be distributed using key servers on the Internet. Depending on the number of users that need email encryption, this solution can be expensive to implement.
For further information on email encryption, refer to the websites of PGP Corporation or Verisign.
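The key roles described above, as an added example using the OpenSSL command line (not part of the original article, and not how PGP or any vendor product is implemented): mail encrypted to a recipient opens only with that recipient's private key, and what the article calls encoding with the sender's private key is a signature that anyone can check with the sender's public key. The parties alice and bob, the file names and the message text are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added illustration. The parties (alice, bob), file names and message
# text are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Each party creates a key pair; only the .pub half is ever handed out.
make_keypair() {            # $1 = owner
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

# Confidentiality: anyone can encrypt TO a recipient with that
# recipient's public key ...
encrypt_to() {              # $1 = recipient, $2 = input, $3 = output
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}
# ... but only the matching private key turns it back into text.
decrypt_as() {              # $1 = key owner, $2 = input, $3 = output
  openssl pkeyutl -decrypt -inkey "$WORK/$1.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3" 2>/dev/null
}

# Authenticity: the sender signs with their own private key ...
sign_as() {                 # $1 = sender, $2 = message, $3 = signature
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}
# ... and any recipient checks it with the sender's public key.
verify_from() {             # $1 = sender, $2 = message, $3 = signature
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$3" "$2" \
    >/dev/null 2>&1
}

make_keypair alice; make_keypair bob
printf 'Q3 figures attached.\n' > "$WORK/msg.txt"
encrypt_to bob "$WORK/msg.txt" "$WORK/msg.enc"     # alice -> bob
sign_as alice "$WORK/msg.txt" "$WORK/msg.sig"

decrypt_as bob "$WORK/msg.enc" "$WORK/msg.out" && echo "bob reads: $(cat "$WORK/msg.out")"
verify_from alice "$WORK/msg.out" "$WORK/msg.sig" && echo "signature: from alice"
decrypt_as alice "$WORK/msg.enc" "$WORK/bad.out" \
  || echo "alice's key cannot open mail encrypted to bob"
```

Real mail clients wrap these same two operations in the PGP or S/MIME message formats and encrypt the message body with a symmetric session key, using the public key only to protect that session key.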
Although no solution is completely secure, email security risks are more theoretical than practical when using an email security appliance or email encryption. Email security appliances protect email servers and email sent to partners and remote offices at the enterprise level. Email encryption protects email content at the individual user level. In industries with sensitive data transmitted through email, protection from intruders is a necessity.
This article originally appeared in the October 2002 issue of FrogTalk.