Security considerations for Web-based mail
Computerworld -
What do field salespeople, home teleworkers, medical personnel and anyone working remotely from a central site have in common? A need for up-to-the-minute information. One of the most successful models for using the Internet for business is the information-dissemination model.
One of the most common methods for this today is e-mail. E-mail can be sent and received in many ways: pagers, cell phones and the like. However, one e-mail communication option that holds promise for increased and more timely information flow is Web-based e-mail systems.
Many businesses don't deploy Web mail for fear of exposing corporate e-mail systems to external threats. With recent government legislation, e-mail confidentiality has become a growing concern. So what approaches and options exist for deploying secure Web mail? Understanding how a Web-mail system works can help in deciding whether such systems can be securely deployed at your company.
Security goals
Most Web-mail systems are designed using a multitiered architecture. Usually, a Web server works as a reverse proxy to a back-end e-mail server that actually services the users' mail requests. Most Web-mail systems use separate databases to store the mail and user-authentication information. The main security issues for Web mail are identity management, privacy, data integrity and availability.
- Identity management is the life cycle of creating, validating and revoking user-authentication information. Web-mail user authentication can be done using authentication protocols native to the mail-server operating system or third-party authentication methods such as Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP) or SecurID.
- Privacy means keeping information from unauthorized exposure. The primary method for ensuring privacy is cryptography. Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) are well understood and widely implemented as browser plug-ins and/or integration application programming interfaces. PGP and S/MIME encrypt the message itself, while Secure Sockets Layer (SSL) and IPsec encrypt communication at the protocol level. SSL is the most common choice for Web mail.
- Data integrity concerns protecting e-mail from unauthorized modification. It can be preserved by cryptographic techniques such as hashing and signing of messages. PGP and S/MIME provide the facility for digitally signing messages, so that tampering with the data produces a mismatched message hash.
- Availability involves ensuring that the Web-mail system remains as accessible as possible. The use of redundant servers, load balancing and fail-over, and server clustering are all common ways to increase the probability that the Web-mail system will be available at the right time. An added plus to redundancy is continuous availability even during maintenance windows.
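The data-integrity point above can be checked with the openssl command-line tool. The following is an added example, not part of the original article: it signs a short message with S/MIME, alters one value in the signed text, and shows that verification then fails. The certificate, address and message text are constructed for the demo, and the self-signed certificate stands in for a CA-issued one.

```shell
#!/usr/bin/env bash
# Added example: S/MIME signature check before and after tampering.
# All names, addresses and message text below are constructed for the demo.

smime_tamper_demo() {
    local dir orig tamp
    dir=$(mktemp -d) || return 2

    # Throwaway self-signed signing certificate (stand-in for a CA-issued one).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=alice@example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 2

    printf 'Unit price for the March order: 100 USD\n' > "$dir/body.txt"

    # Clear-signed message: readable text part plus a detached PKCS#7 signature.
    openssl smime -sign -text -in "$dir/body.txt" \
        -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/signed.eml" 2>/dev/null || return 2

    # Simulate modification in transit or in the mail store.
    sed 's/100 USD/900 USD/' "$dir/signed.eml" > "$dir/tampered.eml"

    # Verification recomputes the content hash and compares it with the signed one.
    if openssl smime -verify -text -in "$dir/signed.eml" \
        -CAfile "$dir/cert.pem" -out /dev/null 2>/dev/null; then
        orig=valid
    else
        orig=invalid
    fi

    if openssl smime -verify -text -in "$dir/tampered.eml" \
        -CAfile "$dir/cert.pem" -out /dev/null 2>/dev/null; then
        tamp=valid
    else
        tamp=invalid
    fi

    rm -rf "$dir"
    echo "original=$orig tampered=$tamp"
}

smime_tamper_demo
```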
