Security Manager's Journal: Move to hosted email opens new vulnerabilities
Migration to a new email platform wouldn't alter any of the security settings, our manager was assured. Wrong!
Computerworld - I took somebody's word for something, and I didn't subsequently check it out to my own satisfaction. Result: big trouble. Lesson: always verify.
I learned that lesson last week, when one of my security analysts notified me that our data loss prevention (DLP) tool had detected an incident involving some source code leakage. When we initially set up our DLP rule for such events, we got a lot of false positives, so we partnered with engineering, which provided us with strings of characters (commented out in the code) that would indicate the leakage of our most sensitive source code -- the algorithmic portions of the code that sets our products apart.
The trigger for this particular event was a senior software engineer in India sending a snippet of code from his corporate Microsoft Exchange email account to his personal Gmail account. When confronted, the engineer told us that he had set up a rule to auto-forward all of his corporate email to his personal account. He did this, he said, because he hasn't been issued a corporate laptop and he wanted to work from home.
There were other options, but he didn't know about them. He was unaware, for example, that he could access his corporate email from home via Outlook Web Access (OWA), or that he could access some applications via the corporate clientless SSL VPN portal.
Tip of the Iceberg?
This was all interesting, but it begged a question: Why was it even possible to auto-forward to an external account?
And now to my failure to verify. We recently migrated from an on-premises Microsoft Exchange environment to Microsoft's Office 365 hosted Exchange. During the architecture review, I was assured that all of our security settings, including the one preventing auto-forwarding, would migrate to the hosted environment. So much for assurances. Now I was worried. Email is probably our No. 1 repository of sensitive data, including sales forecasts, customer and personnel data, prerelease financial information and, of course, source code.
To rectify the oversight, I initiated an audit of the Office 365 deployment, and we uncovered several other configuration differences from the previous Exchange deployment. For one thing, the deployment was supporting POP and IMAP, enabling employees to use third-party email clients and apps that could give them email access from mobile devices while bypassing Microsoft ActiveSync and the security policy that we apply to mobile devices to enforce the use of device passwords, enable device timeout and support remote wiping.
Another discovery was that employees could use the Microsoft Outlook application on any PC, on or off the corporate network. When Exchange was on-premises, the only way a remote user could access corporate email was via VPN. This increase in availability is bad, because once email is pulled down to a client, it remains there, even after the user exits Outlook. Using OWA is preferable, since it's browser-based; once the browser is closed, all email is removed (as long as the user clears the cache and any temp files).
What will help? Mobile device management might, and we hope to deploy that next year. Then there's the use of machine certificates, which can be issued to corporate PCs for validating authorization to access the Outlook client. We could do that while still providing some flexibility related to OWA and mobile devices, via ActiveSync. We've also spoken to Microsoft about this, and we'll be investigating our options with Office 365 a bit further.
One thing's certain: The email team's never-ending list of action items just got a good deal longer.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Join in the discussions about security!
More by Mathias Thurman
- Security Manager's Journal: A ransomware flop, thanks to security awareness
- Security Manager's Journal: Taking steps to better lock down the network
- Security Manager's Journal: Dealing with the heartburn of Heartbleed
- Security Manager's Journal: A deal that's too good to be true
- Security Manager's Journal: Virtual machines, real mess
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
Read more about Security in Computerworld's Security Topic Center.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!