One of the Best Ways to Secure Messaging Infrastructure Is to Leverage the Power of the Corporate Directory
Information technology in the current economy is about doing more with less: efficiency and optimization are the rule in IT projects for 2011, and they are driving technology trends such as cloud computing and virtualization initiatives. Securing the IT infrastructure is a cost that does not contribute to a firm's competitive advantage, so optimization in this area means lowering the cost of securing that infrastructure without lowering the level of protection.
Email is one of the most prevalent means of communication within businesses and between firms and their customers. It is the focus of much attention: anti-spam, anti-virus, encryption and DLP. All of these technologies are layered onto the messaging infrastructure, and each layer adds cost. One of the best ways to optimize security for the messaging infrastructure is to leverage the power of something already deployed: the corporate directory.
The corporate directory contains information vital to the operation of the email environment (email addresses, email server addresses and employee names), but it is also a source of information for higher-value security applications. In this column I address how companies can make corporate directory information available to email security applications in a manner that lets enterprises realize substantial efficiency gains and a measurable improvement in the ROI of the messaging security infrastructure. I specifically address directory-driven email security, email acceptance at the Internet gateway, email routing in large organizations, compliance policy controls, authentication and authorization, the secure deployment of directories and the quantifiable ROI.
Directory-driven Email Security
At its core, the directory contains information relevant to the messaging security infrastructure in the following areas:
• Controlling message acceptance
• Routing mail accurately and efficiently
• Regulatory compliance
• Enforcing internal content policy controls
• Authenticating users
Email Acceptance at the Internet Gateway
The directory contains information vital to detecting and preventing several forms of external attack. It holds the list of valid email addresses for the organization and is therefore the source of truth for detecting dictionary attacks and directory harvest attacks. When an anti-spam solution at the Internet gateway can determine which recipient addresses are valid and which are not, it can tell when a particular Internet sender is either trying to deliver spam against a dictionary of likely usernames or perpetrating a directory harvest attack, in which the successes and failures of RCPT TO attempts are collected to build a list of valid addresses that is then sold to bulk senders. The detection signal is the ratio of unknown to known recipients per sending host: a legitimate correspondent mistypes an address occasionally, a harvester misses most of the time. One caveat a practitioner should keep in mind is that answering "user unknown" is itself the oracle the harvester is after, so recipient validation must be paired with per-source rate limiting or blocking once the invalid-recipient count crosses a threshold. Additionally, validating recipient addresses at the very edge of the network is more efficient: when an unknown recipient is refused with a 5xx reply during the SMTP session, the organization no longer has to generate and queue bounce messages (and cannot be abused to send backscatter to forged senders), because the Internet host attempting delivery becomes responsible for the delivery status notification returned to the sender.
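The acceptance logic described above, written out as an added example for this column rather than code from any gateway product: recipients are checked against a read-only copy of the directory, unknown ones are refused with a 5xx inside the SMTP session, and per-client counters turn a run of misses into a block. The directory replica is modelled as an in-memory set of constructed addresses (in production it would be the DMZ LDAP replica), and the thresholds are illustrative assumptions, not recommended values.

```python
"""Recipient validation and directory harvest attack (DHA) detection at an
Internet mail gateway, using a read-only copy of the corporate directory.

Added example for this column; not code from any product. The directory
replica is modelled as an in-memory set of valid addresses (constructed
sample data); in production it would be the DMZ LDAP replica. The DHA
thresholds are illustrative assumptions, not recommended values.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of the valid-address set synchronised from the directory.
DIRECTORY_REPLICA = {
    "alice@example.com",
    "bob@example.com",
    "helpdesk@example.com",
}

# Assumed thresholds: once a client has issued this many RCPT TO commands,
# block it if more than this fraction named recipients the directory does
# not know. A real deployment would also age these counters over time.
DHA_MIN_ATTEMPTS = 10
DHA_MAX_INVALID_RATIO = 0.5


@dataclass
class ClientStats:
    attempts: int = 0
    invalid: int = 0

    def invalid_ratio(self) -> float:
        return self.invalid / self.attempts if self.attempts else 0.0


class RecipientGate:
    """SMTP-time recipient checks for one gateway process."""

    def __init__(self, directory):
        # Addresses are compared case-insensitively; the directory is the
        # single source of truth for which mailboxes exist.
        self.directory = {a.strip().lower() for a in directory}
        self.stats = defaultdict(ClientStats)
        self.blocked = set()

    def is_valid_recipient(self, address: str) -> bool:
        return address.strip().lower() in self.directory

    def rcpt_to(self, client_ip: str, address: str) -> str:
        """Return the SMTP reply for one RCPT TO command.

        Unknown recipients get a 5xx reply inside the SMTP session, so the
        remote host owns any bounce and the gateway never generates
        backscatter. Because a 250/550 answer is itself a validity oracle,
        the per-client counters turn repeated misses into a block.
        """
        if client_ip in self.blocked:
            return "550 5.7.1 Too many invalid recipients"
        stats = self.stats[client_ip]
        stats.attempts += 1
        if self.is_valid_recipient(address):
            return "250 2.1.5 Recipient OK"
        stats.invalid += 1
        if (stats.attempts >= DHA_MIN_ATTEMPTS
                and stats.invalid_ratio() > DHA_MAX_INVALID_RATIO):
            self.blocked.add(client_ip)
            return "550 5.7.1 Too many invalid recipients"
        return "550 5.1.1 User unknown"


def run_session(gate: RecipientGate, client_ip: str, recipients) -> list:
    """Feed a sequence of RCPT TO values from one client; return the replies."""
    return [gate.rcpt_to(client_ip, r) for r in recipients]


if __name__ == "__main__":
    gate = RecipientGate(DIRECTORY_REPLICA)
    # Constructed harvest: alphabetical guesses, two of which exist.
    guesses = [f"{n}@example.com" for n in
               ["aaron", "abby", "adam", "alice", "amy", "andy",
                "anna", "art", "ava", "axel", "ben", "bob"]]
    for reply in run_session(gate, "198.51.100.7", guesses):
        print(reply)
    print("blocked:", sorted(gate.blocked))
```

In the constructed harvest the tenth guess trips the threshold (nine misses out of ten), after which even a correct guess such as bob@example.com is refused, which is the point: once a source is identified as harvesting, the gateway stops leaking validity information to it.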
Email Routing in Large Organizations
In larger firms, the directory is the source of information on where email accounts live, that is, which mail server hosts each mailbox. An email backbone that routes email internally can, with access to that information, send each message directly along the most efficient path instead of relaying it through a default hub that then has to work out the destination. The email backbone is also the routing infrastructure for email-enabled applications such as CRM, ERP, monitoring and notification systems.
Compliance Policy Controls
The email backbone, because it is internal to the organization and sees all internal and external email that passes the Internet gateway's security filtering, is the logical place to deploy DLP filtering and other content-based controls, whether for regulatory policy or for internal acceptable-use policy. For example, the email backbone is where most financial services firms make policy decisions regarding their regulated and unregulated employees. The directory records who is regulated and who is not, who is responsible for monitoring their communications, and what must be archived or encrypted. Concrete attributes include a person's department, supervisor and security level, and even a flag recording that they have signed the company's privacy and email policies.
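The routing and policy decisions described in the two sections above, as an added example for this column rather than code from any product: the backbone looks up the sender's directory entry, derives archive, encryption and supervisor-copy actions from it, and routes each recipient to the mail host the directory names. The entries are constructed, and the attribute names (regulated, supervisor, policySigned, mailHost) are assumptions standing in for whatever schema a site actually uses. The one design choice worth noting is the failure mode: a sender the directory does not know is treated as regulated and held, so a gap in the directory fails closed rather than open.

```python
"""Directory-driven routing and compliance decisions on the email backbone.

Added example for this column, not code from any product. The directory
entries are constructed, and the attribute names (regulated, supervisor,
policySigned, mailHost) are assumptions standing in for a site's real
schema. A sender missing from the directory is treated as regulated:
the backbone fails closed rather than letting an unattributed message
through unchecked.
"""
from dataclasses import dataclass
from typing import Tuple

INTERNAL_DOMAIN = "example.com"

# Constructed replica of the attributes the backbone needs, keyed by address.
DIRECTORY = {
    "trader@example.com": {
        "department": "trading", "regulated": True,
        "supervisor": "chief-compliance@example.com",
        "policySigned": True, "mailHost": "mx-ny",
    },
    "intern@example.com": {
        "department": "marketing", "regulated": False,
        "supervisor": "cmo@example.com",
        "policySigned": False, "mailHost": "mx-ldn",
    },
}


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def route(recipient: str, directory=DIRECTORY) -> str:
    """Next hop for one recipient: the home server named in the directory,
    the Internet gateway for external addresses, or an explicit reject for
    internal addresses the directory does not know (assumed hop names)."""
    if is_external(recipient):
        return "internet-gateway"
    entry = directory.get(recipient.lower())
    return entry["mailHost"] if entry else "reject-unknown-recipient"


@dataclass(frozen=True)
class Decision:
    archive: bool                 # retain a copy for the regulator
    encrypt: bool                 # encrypt before it leaves the organisation
    copy_to: Tuple[str, ...]      # supervisors who receive a monitoring copy
    hold: bool                    # quarantine until policy acknowledgement
    sender_known: bool


def decide(sender: str, recipients, directory=DIRECTORY) -> Decision:
    """Compliance actions for one message, derived from the sender's entry."""
    leaves_org = any(is_external(r) for r in recipients)
    entry = directory.get(sender.lower())
    if entry is None:
        # Fail closed: no attributes to reason about, so apply the strictest
        # treatment and hold the message for review.
        return Decision(archive=True, encrypt=leaves_org, copy_to=(),
                        hold=True, sender_known=False)
    regulated = entry.get("regulated", True)   # missing attribute => regulated
    monitored = regulated and leaves_org
    return Decision(
        archive=regulated,
        encrypt=monitored,
        copy_to=(entry["supervisor"],) if monitored else (),
        hold=not entry.get("policySigned", False),
        sender_known=True,
    )


if __name__ == "__main__":
    for sender, rcpts in [("trader@example.com", ["client@bank.example"]),
                          ("trader@example.com", ["intern@example.com"]),
                          ("intern@example.com", ["friend@example.org"]),
                          ("ghost@example.com", ["anyone@example.org"])]:
        print(sender, "->", rcpts, decide(sender, rcpts),
              [route(r) for r in rcpts])
```

Only the regulated trader writing to an outside party is encrypted and copied to the supervisor; the same trader writing internally is archived but not encrypted, which is the selective archival and encryption the summary of this column refers to.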
Authentication and Authorization
The directory contains authentication information relevant to security. It may be as simple as the credentials users present to authenticate to a spam quarantine, which the quarantine should verify by binding to the directory over TLS rather than by replicating password hashes to the gateway. It may include more specialized material, such as the X.509 certificates (the userCertificate attribute) a gateway uses to encrypt mail to a recipient or to verify a signature. Private decryption and signing keys do not belong in the directory; they should stay in a key server or HSM and the directory should only point at the public half.
Secure Deployment of Directories
The efficiency gains from leveraging directories are clear; however, the directory must be deployed securely, and merely pointing email security solutions at the corporate directory servers is the wrong way to deploy directory-driven security. The applications could swamp a corporate directory infrastructure that was never sized for the volume and shape of their queries (one recipient lookup per RCPT TO, arriving from the Internet-facing edge), and in most cases the corporate directory is not configured with access controls that make it safe to expose its contents. A parallel directory infrastructure synchronized with the corporate directory is the most common answer. For Internet gateway applications, the directory queried should sit in a data DMZ, reachable only from specific hosts over authenticated, encrypted (TLS/SSL) connections, with the gateway binding as a service account that can read only the attributes it needs. The attributes in the directory server must be indexed for the equality searches the gateway performs, and access controls should restrict what can be searched and how: for example, disable substring (wildcard) queries, and treat any recipient value that the gateway places in a search filter as untrusted input to be escaped according to RFC 4515, because otherwise a crafted RCPT TO value containing a wildcard character turns a one-address lookup into a listing of every mailbox. Partial one-way replication restricts the information present in the DMZ to what the gateway needs and ensures that a compromised DMZ directory cannot write bogus information back into the internal corporate directory.
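The query-hardening point above, as an added example for this column rather than code from any LDAP library or product: the naive gateway interpolates the RCPT TO value straight into an LDAP filter, the hardened one escapes it as RFC 4515 requires, and a small guard stands in for the server-side limit that forbids substring searches from gateway hosts. Nothing here contacts a directory server; the function and constant names are this example's own.

```python
"""Building the gateway's recipient lookup so that the RCPT TO value cannot
turn an equality search into a wildcard (substring) search.

Added example for this column, not code from any product or LDAP library.
The escape table is the one RFC 4515 specifies for filter assertion values.
Nothing here contacts a directory server; is_equality_only stands in for
the server-side limit that forbids substring searches from gateway hosts.
"""

# RFC 4515: these characters in an assertion value must be written as a
# backslash followed by the two-digit hex code of the byte.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def naive_recipient_filter(rcpt: str) -> str:
    """The mistake: interpolate the recipient straight into the filter."""
    return f"(mail={rcpt})"


def recipient_filter(rcpt: str) -> str:
    """The fix: escape the recipient so the filter stays an equality match."""
    return f"(mail={escape_filter_value(rcpt)})"


def is_equality_only(ldap_filter: str) -> bool:
    """True if the filter contains no '*' at all.

    After RFC 4515 escaping a literal asterisk never survives in the value,
    so any '*' left in the string means a substring or presence search that
    would let the caller enumerate the directory; a DMZ replica serving a
    mail gateway should refuse such a filter outright.
    """
    return "*" not in ldap_filter


if __name__ == "__main__":
    # Constructed hostile RCPT TO values: a bare wildcard and a filter
    # injection that closes the mail= term and opens a second one.
    for hostile in ["*@example.com", "alice@example.com)(mail=*"]:
        bad = naive_recipient_filter(hostile)
        good = recipient_filter(hostile)
        print(f"naive : {bad!r:45} allowed={is_equality_only(bad)}")
        print(f"escaped: {good!r:45} allowed={is_equality_only(good)}")
```

The naive filter built from the first hostile value is a substring search that matches every mailbox in the domain, which is exactly the harvest the gateway exists to prevent; after escaping, the same input becomes an equality match for a literal address that does not exist and returns nothing.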
In summary, when the directory infrastructure is leveraged by the email security infrastructure, the resulting efficiencies translate into lower costs for the email, email security and compliance infrastructures: reduced email traffic, because mail to invalid recipients is refused at the edge instead of being accepted and bounced; selective archival and encryption of messages rather than archiving or encrypting everything; and fewer mail servers, because system loads and email volumes are lower.