Email in security hot seat with rise of cloud, BYOD
Today's tech landscape makes for 'complex melting pot' of security challenges with once trusty, old email
July 24, 2012 — CSO — For most enterprises it is not enough to make sure their own email platform is secure. If their suppliers are not equally secure, they can be as vulnerable to criminal hackers and data leaks from human error as the weakest link in their supply chain.
The combination of a chain of usually small- to medium-size suppliers, the expansion of cloud-based email services and the Bring Your Own Device (BYOD) trend among workers has created what Richard Parris, writing for BCW, calls a "complex melting pot of security challenges surrounding the secure transfer of sensitive data via email."
By now, the advantages and risks of BYOD have been well documented. While it promotes convenience, collaboration and mobile productivity among employees, it is vulnerable to malicious applications, theft and simple carelessness -- employees storing corporate data in public cloud services that are not secure, so they can access it anytime.
Companies are increasingly aware of those risks. In May, IBM famously issued a new set of BYOD policies that, among other things, forbid employees to use a competitor's cloud service (no more Dropbox, no more Carbonite, iCloud, etc.), to forward corporate email to private accounts, to transmit unencrypted data, or to use Apple's personal assistant, Siri, due to fears that confidential information might be forwarded to Apple.
Jeanette Horan, IBM's chief information officer, told MIT's Technology Review that there was, "a tremendous lack of awareness [among employees] as to what constitutes a risk," including forwarding internal corporate emails to webmail inboxes, exposing sensitive company information to possible security breaches.
Many companies also require remote wiping capability on employee devices in case they are lost or stolen, plus communication encryption software. They also require employees not to use a single password for multiple sites, and some are forbidding passwords of a single word.
But Parris, who formerly held technical and sales management positions at Boeing Computer Services and founded Intercede, argues that securing email also requires identity management -- a system that creates a digital identity for employees and other third parties connected to an enterprise, which will then track, "who is sending which email and information to whom, when and protecting it in transit and at rest."
Even that will not ensure protection of the email, he said. "It must also be run on a secure platform that delivers tightly controlled policy to enforce data labeling, digital message signing, encryption and checking of the actual content."
Jeff Wilson, principal analyst for security at Infonetics, agrees that an email management platform would help, since "most people are getting email on [multiple] mobile devices that could be lost, stolen, or compromised."
But he noted a more basic problem for many companies: "They don't even have an accurate inventory of devices connecting to their network or a framework for building a security policy and buying appropriate security solutions."
Those who want to remain in the marketplace may not have a choice about confronting and correcting such vulnerabilities, however. Parris wrote that enterprises that supply high-security customers will have to comply with information security standards set by the Transglobal Secure Collaboration Program (TSCP) for the governments of the UK, the U.S. and NATO.
Those standards are backed by enterprises including Lockheed Martin, Thales, Raytheon, Cassidian and General Dynamics for the Signed and Encrypted Email Over The Internet (SEEOTI) initiative.
Since email is the primary method of information sharing, enterprises must keep it secure, "to protect intellectual property and to compete in the global business environment," Parris said.
Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.
Other stories by Taylor Armerding