The recent devastating earthquakes in Haiti and Chile have highlighted the need for increased disaster preparedness in many aspects of our lives including engineering and construction, food and water, medical services and supplies, and many other of even our most basic human needs.  While these areas begin to recover, we are also reminded of the needs for businesses to prepare to deal with similar tragedies that could occur at any time.

While we at Puremail are focused on email and related services, disaster preparedness is critical for any business that relies on critical data and technologies.  In that light, we prepared a whitepaper discussing various traditional approaches to dealing with disasters and operational impacting events, as well as where we believe businesses are moving to achieve true disaster avoidance by decentralizing their information resources and applications by using cloud technologies.

Cloud Solutions Approach True Disaster Avoidance

Most of the email security solutions at present are sold as “products” requiring software/hardware purchase, installation, maintenance, updates, and ongoing I.T. overhead.  Traditional client and server software, and hardware “appliance” solutions reside inside the corporate firewall.  Rather than stopping threats before they travel down the access network, on-site solutions expose corporate email systems directly exposed to external threats and vulnerabilities.  Furthermore, they require higher access bandwidth (due to increased email traffic) and require increased processing hardware by sapping CPU cycles on servers that should be dedicated to business critical operations, thus severely impacting the system health, performance and integrity. On-site security systems add the burden of physical deployment, administration, resource utilization, updates, and product obsolescence that can overwhelm an I.T. staff and under-serve the enterprise as well as the end users.

Therefore, it is imperative that the next generation of email security solutions evolve into a managed service delivery model that requires no hardware or software to install or maintain and minimal I.T. overhead.  Such a hosted, “software-as-a-service” (SaaS) solution reside in the Internet “cloud”, and identifies, intercepts, and detains un-wanted email before it clogs corporate networks, servers or individual computers.  Based in the cloud, hosted solutions keep “bad” email away from mission critical infrastructure, the security and integrity of internal email systems is never compromised.

Continuing our discussion on Next Generation Email Security, today we will examine addressing accountability and improving productivity.

Accountability
Email security solutions must focus on increasing the accountability and credibility of all business email communications.  In this effort, the following four areas should be considered and addressed:

1. Audit – Track each inbound and outbound message, and provide extensive logs of message transport with time-stamp and other important data (sender, recipient, subject, etc.).
2. Archival – Secure external archival of inbound and outbound email offers the ultimate protection against accidental loss of important email.  External archival provides critical off-site redundancy in order to recover or continue operations in the event that the internal email systems are compromised (e.g. hardware failure, unintentional deletion of email, or deliberate foul-play). Archival must also include permanent storage on off-line storage devices and digital media (tapes, CD, DVD, etc.)
3. Regulatory Compliance – By offering secure and auditable message archival, the next generation email security systems are well positioned to facilitate regulatory compliance, discovery resolution, and other legal requirements. An effective email system’s policies should continually adapt to emerging and evolving compliance requirements, such as Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPPA), and other mandates. Even in situations where these regulatory requirements are not directly applicable; it is generally advisable to implement audit and secure archival of email, as a matter of “best practices”.
4. Independent 3rd-Party Certification – Add credibility to outbound email by verifying:
   • Sender Authentication – that the message did indeed originate from the said company (domain or IP address)
   • Content Cleansing – that the message has been scrubbed, and is free from virus, worms and other malicious content
   • Proof of mailing – that the message was sent and logged at an external server
   • Proof of delivery – that the message was received and logged at an external server

Productivity
After consideration of accountability, next generation of email security solutions should also increase work-place productivity by eliminating un-wanted, non-work related email.  However, this equates to much more than just filtering out unwanted communications, as the volume of “good” email can also become overwhelming.  Effective systems should strive to provide tools to more efficiently manage employee’s inbox.  Consider the following six areas when working to improve productivity through your email system.

1. Personalize Preferences – Sort messages into multiple categories (e.g. Health & Fitness, Finance & Investment, etc.) depending upon content and sender.
2. Prioritize – Manage email efficiently by organizing messages depending upon their importance (e.g. email from a client could be given higher priority, whereas a news-letter may have less priority).
3. Selective Delivery – Message routing to variety of individual email devices (e.g. email from a client could be routed to mobile-phone, whereas personal email could be routed to a yahoo account).
4. Prevent False-Positives – Reduce anxiety and time wasted in looking for good messages mistakenly identified as spam and thrown in the trashcan (quarantine).
5. Delivery Assurance – Screen outbound messages for common spam language, and suggest modifications to avoid being blocked by other spam-filters.
6. Monitor Non-Productive Usage – Prevent inappropriate usage of corporate email systems (e.g. for personal use, job-search).

As discussed in of the last installment on Next Generation Email Security that explored Intelligent Email Filtering, businesses face daily threats from unwanted email. However, proper email security does not end with merely filtering. Careful consideration should be given to the origin of threats, liability, how to protect confidential information, contain viruses, and monitoring communications.

The current generation of email security solutions provide protection generally only from a limited number of external threats such as spam and virus, whereas businesses are increasingly facing a treats from email communications originating internally. Therefore, the next generation of email security solutions should help mitigate these risks by preventing inappropriate and unauthorized email to be transmitted via a corporate network. At the very minimum, the following critical needs must be addressed:

Limit Legal Liability
In most cases the employer is held responsible for all the information transmitted on or from their systems. As a result, inappropriate emails can result in multi-million dollar penalties. Therefore, businesses must deploy email security systems that not only prevent pornographic content from reaching employee’s inbox, but also prevent employees from sending indecent and libelous email (e.g. sexual harassment, offensive jokes) to fellow employees, or to others outside the company.

Protect Confidential Information
Most confidentiality breaches occur from within the company. These breaches can be accidental, for instance by selecting a wrong contact in the “To:” field. However, confidentiality breaches can also be intentional. Whether it is by mistake or on purpose, the loss of confidential data has severe negative consequences for businesses. Therefore, the next generation email security solutions must prevent inadvertent or deliberate disclosure of sensitive corporate information and intellectual property via email.

Prevent Virus Outbreaks
While current email filters scan and detect incoming email for virus, the individual computers may still get infected by means of other virus carriers (e.g. USB/Flashdrives, CDs), and internet-borne threats (e.g. software downloads, spyware, etc.). These infected computers, in turn, spread virus via outbound email, and even launch spam and phishing attacks. Such outbound threats present major legal liability, and the risk of getting a company black-listed. As such, next generation email security solutions must scrub each outgoing email message, and prevent internal computers from inadvertently spreading virus to others inside and outside the network.

Monitor Suspicious Communications
Businesses must also implement a documented email security policy and automated systems to screen inbound and outbound email communications with undesirable entities that might have ulterior motives (e.g. competition, head-hunters). And, in the event of a questionable activity, alert appropriate supervisor. The practice of email monitoring could also be of help in a court of law, since it shows that the company is serious about preventing offensive messages and unlawful use of the email system.

In today’s business environment, email is a quick, cheap, and easy means of information exchange, but at the same time it presents major challenges and security risks for businesses. More than 80% of email traffic consists of unwanted email (spam, phishing, and virus), and discerning good from bad has become extremely difficult. Unwanted email is costing businesses billions of dollars in IT expenditures annually, which does not even account for indirect productivity losses. Unprotected corporate email systems result in loss of mission-critical data, lack of accountability, and increased legal liability. In addition, regulatory compliance (e.g. Sarbanes Oxley and HIPPA acts) requiring proper audit and archival of all electronic communications adds further complexities. Over the next several weeks some of the most critical aspects of email security and policy will be examined, including filtering, risk management, accountability, and productivity, particularly in consideration of existing versus next-generation solutions.

Intelligent Email Filtering
Although many choices exist for anti-spam products, most are flawed due to their constrained approach. At the fundamental level, these work as “content-censoring” solutions – making autonomous decisions as to what should or should not go to user’s in-box. This effectiveness of this approach is questionable. At the technology level, the current solutions are based upon BINARY filtering – offering ONLY 2 possible options (e.g. spam or non-spam). However, what is junk for one person, may be useful for another, as the definition of junk is highly subjective. Also, most of the content filtering technologies rely upon “BLACK-LISTING” – rejecting email from certain senders, or blocking certain words like “Viagra”. Ironically, a legitimate email communication between a patient and his doctor/pharmacist may include the word “Viagra”, which would be automatically filtered out as junk by most anti-spam products. In a recent case-study, an email containing the word “Bombay” was rejected by a popular anti-spam product, because it matched “bomb”.

Current anti-spam products also make a flawed assumption that all un-solicited email is always un-desired. In reality, individual users may react differently to un-solicited marketing campaigns, depending upon their needs and relevance. For example, a home-owner looking to refinance his home-loan may welcome unsolicited email about low mortgage rates. Similarly, a travel agent may be interested in knowing about low airfares and vacation packages offered by other agencies.  These flaws lead to mis-identification of good email (also known as “false positives”). This could be potentially damaging and expensive if an important email does not reach its recipient. That blocked email could be from a valuable customer, or may have significant financial or business consequences. Shockingly, recent research has indicated that the cost of “Lost Opportunities” from losing genuine emails, is significantly higher than the relief of stopping unwanted email.

The next generation of email filtering solutions should empower the enterprise policy-maker as well as the individual user to control what kind of email is “Wanted” or “Un-wanted”. This can be achieved through POLYNOMIAL (multi-dimensional) filtering – thus providing UNLIMITED number of options to sort the email in various categories and sub-categories (as opposed to only 2 options with current approach of BINARY filtering). This offers FULL CONTROL, SUBJECTIVITY and CUSTOMIZATION at every level – from the enterprise all the way down to the individual level. Also, by incorporating Artificial Intelligence and natural language analysis techniques, the overall email context can be determined. This context can be further matched with corporate policies and individual preferences to determine the relevance of each email to its recipient.

Our next publication will continue the examination of email security by managing the risks of email threats and limiting liability.