E-Mail In Peril
Ever-more-sophisticated e-mail attacks threaten to swamp this vital business tool. Can anyone throw us a lifeline?
STOP THAT DATA
Once the "how" is worked out, mail systems must decide which messages are to be encrypted. In the case of bank statements and medical data, that's simple. But the big trend here is that vendors are merging data leak protection, or DLP, functionality into their e-mail systems, letting IT establish rules to encrypt messages when the content warrants. Using DLP techniques, rules can be keywords and/or regular expressions. Some products even include the ability to fingerprint key data files, so the mail server can recognize them and either encrypt them or refuse to send the e-mail.
Of course, another option is to encrypt everything. All of the vendors we talked to support SMTP-Transfer Layer Security to encrypt the entire data connection between mail servers. The benefit of this approach is that it's seamless to users while protecting all data in transit. The downside is that IT can reliably count on SMTP-TLS working only with established partners. When encryption is essential, you must configure the mail server to refuse to send to servers that don't support SMTP-TLS.
Also, because SMTP-TLS protects mail only in transit between mail servers, messages are subject to interception if there are intermediate stops outside the control of either party, such as an ISP relay. Messages are in plain text when stored in the recipient's mailbox, so the receiving party needs to understand the risk if its mail server were to be compromised. This isn't to say SMTP-TLS isn't useful, but as with all types of security, it should be just one link in the chain.
Continue to the sidebar:
Our Take: Any Spam is too Much
About the Author
You May Also Like
2024 InformationWeek US IT Salary Report
May 29, 20242022 State of ITOps and SecOps
Jun 21, 2022