email as it pertains to data security

I liked this article on the NYTimes site about email uses and abuses. How do you stop people from forwarding work email to a place they shouldn’t, such as web-based mail services?

Well, the answer is that you can’t, and you really don’t need to bother trying to do so. Where I work we block port 25 outbound except from certain servers which have strict relaying settings. We also use SurfControl, which blocks access to web-based email services such as Gmail, Yahoo, Hotmail, Hushmail, etc. The problem is that I can still just find a service so obscure that the filters don’t catch it…such as my own mail server. Or I can just tunnel over something else and get there. But you still really can’t stop me from e-mailing a Gmail account any more than any other account, unless a company has no business at all communicating with the world outside its own walls.

So what do you do? In something like this, it helps to realize and accept that prevention is impossible. In that case, how do you mitigate, minimize, log, audit, and CYA without being a barrier to the company’s purpose?

1) Evaluate why your users would want to send email to their home-based email accounts, particularly webmail. Most users are not malicious and are only trying to get work done in the easiest way they know how. Maybe they want to work from home. In that case, provide web-based access or, better yet, a full-featured way to connect to their work account from home without all the additional hoops of a VPN and such. People using Exchange have little excuse not to be using OWA and a nicely-featured web front end. Ask why the users are doing these things, and then provide them such easy and logical solutions that they don’t try to circumvent the process.

2) Obviously, log outgoing mail. If someone does keep trying to email out sensitive information, logs are necessary to track it. There should be one or two levels of logging. First, log all mail headers, incoming and outgoing, so that you can track activity. Second, as in the article’s hospital example, filter and log data in mail that is leaving the network, for instance medical records and other personal information. Obviously the second level of logging is more intensive, and shouldn’t be bothered with unless the company has a particular need.
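As an added illustration of the two logging levels described above (not code from the original post or from any product it mentions), here is a small Python script that parses a constructed outbound-mail log into header records, marks which messages leave the organization or go to consumer webmail, and then runs a second-level content filter for record-number and SSN-like patterns over the message bodies of the outbound ones. The log format, the domain lists, the regexes, and the sample messages are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Assumed organization domain(s); mail to anything else counts as outbound.
INTERNAL_DOMAINS = {"hospital.example"}
# Consumer webmail domains to call out in the header log (assumed list; extend as needed).
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "hushmail.com", "webmail.example"}

# Constructed sample log lines in a hypothetical "ts from=<> to=<> subject=..." format.
SAMPLE_LOG = """\
2024-01-01T09:00:01 from=<alice@hospital.example> to=<bob@hospital.example> subject="Schedule"
2024-01-01T09:05:12 from=<carol@hospital.example> to=<carol.home@webmail.example> subject="chart for tonight"
2024-01-01T09:07:40 from=<dave@hospital.example> to=<vendor@partner.example> subject="Invoice 4411"
"""

# Constructed message bodies keyed by timestamp (only the level-2 filter needs these).
SAMPLE_BODIES = {
    "2024-01-01T09:05:12": "Patient MRN: 12345678, SSN 123-45-6789, see notes attached.",
    "2024-01-01T09:07:40": "Please find invoice 4411 attached. Net 30.",
}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"$'
)


@dataclass
class MailEvent:
    """Level 1: one header-level record per message, enough to track who mailed whom."""
    ts: str
    sender: str
    rcpt: str
    subject: str

    @property
    def rcpt_domain(self) -> str:
        return self.rcpt.rsplit("@", 1)[-1].lower()

    @property
    def outbound(self) -> bool:
        return self.rcpt_domain not in INTERNAL_DOMAINS

    @property
    def to_webmail(self) -> bool:
        return self.rcpt_domain in WEBMAIL_DOMAINS


def parse_log(text: str) -> list[MailEvent]:
    """Turn raw log lines into MailEvent records, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(MailEvent(**m.groupdict()))
    return events


def outbound_events(events: list[MailEvent]) -> list[MailEvent]:
    return [e for e in events if e.outbound]


# Level 2: patterns for the kind of personal data the hospital example worries about.
# These are deliberately simple and will produce false positives; tune before relying on them.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}


def find_sensitive(body: str) -> dict[str, list[str]]:
    """Return every pattern that matched in the body, keyed by pattern name."""
    hits = {}
    for name, pattern in SENSITIVE_PATTERNS.items():
        found = pattern.findall(body)
        if found:
            hits[name] = found
    return hits


def review_outbound(events: list[MailEvent], bodies: dict[str, str]) -> list[dict]:
    """Combine both levels: for each outbound message, log the header facts plus any content hits."""
    records = []
    for e in outbound_events(events):
        records.append({
            "ts": e.ts,
            "sender": e.sender,
            "rcpt": e.rcpt,
            "to_webmail": e.to_webmail,
            "sensitive": find_sensitive(bodies.get(e.ts, "")),
        })
    return records


if __name__ == "__main__":
    for rec in review_outbound(parse_log(SAMPLE_LOG), SAMPLE_BODIES):
        print(rec)
```

In practice the level-1 records would come from the mail server’s own logs and the level-2 step would run on a gateway that sees message bodies; the point of the split is that header logging is cheap enough to always keep, while content inspection is only switched on where the company has a reason for it.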

3) Retain the ability to monitor employee email usage, down to even reading their email. While this ability shouldn’t be exercised all that often (how many employees are happy about others reading their email, honestly? and how many unhappy employees are the productive employees?), the policy should keep this option open in the event of suspicion about a truly malicious user. Authorization should be limited to HR, a direct manager or two, or approved technical staff, with no party acting alone. This is easier in some organizations and more difficult in others that have different work/life balance expectations of employees. The more an organization is sympathetic to the converging role of technology at work and in personal life (kinda like personal phone calls to the doctor), the less hands-on the policy should be. Some companies will actually need to have staff regularly reading actual emails for regulatory compliance, and that’s fine, too, when needed.

4) Block outgoing 25 and incoming 110 (and other common ports, like Gmail’s ports) to only authorized servers. This won’t stop people from using web-based email or completely non-standard setups (I can tunnel it on any port I want, really), but at least a huge swath of people will be prevented from storing and sending email from their workstation mail client. Besides saving storage space and resources, no one needs to accidentally send out an email to a client from their PajamaMonkey69 email account at Yahoo. Also keep tight control on mail relay settings for those approved mail servers. Attempts should be logged and investigated, especially when originating internally.
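To show what “attempts should be logged and investigated” looks like once the port blocks are in place, here is an added Python example (not from the original post or any firewall product) that audits constructed firewall log lines for connections to mail ports from anything other than the approved mail servers, notes whether the source is an internal address, and tallies the hosts making the most attempts. The log format, the internal address ranges, and the approved-server list are assumptions for the example; the port list covers SMTP, POP3, and the submission and TLS ports that consumer providers such as Gmail expose to mail clients.

```python
import ipaddress
import re
from collections import Counter

# Mail-related destination ports worth watching. 25/110 are the ones the post names;
# 465/587/993/995 are the TLS and submission ports providers like Gmail use for clients.
MAIL_PORTS = {25: "smtp", 110: "pop3", 465: "smtps", 587: "submission", 993: "imaps", 995: "pop3s"}

# Assumed internal address space and approved relay hosts; adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
APPROVED_MAIL_SERVERS = {"10.0.1.25"}

# Constructed sample firewall log in a netfilter-style key=value layout (not from a real device).
SAMPLE_FW_LOG = """\
SRC=10.0.1.25 DST=203.0.113.10 PROTO=TCP DPT=25 ACTION=ACCEPT
SRC=10.0.5.77 DST=203.0.113.10 PROTO=TCP DPT=25 ACTION=DROP
SRC=10.0.5.77 DST=198.51.100.8 PROTO=TCP DPT=995 ACTION=DROP
SRC=10.0.7.12 DST=198.51.100.9 PROTO=TCP DPT=443 ACTION=ACCEPT
SRC=192.168.3.4 DST=198.51.100.8 PROTO=TCP DPT=587 ACTION=DROP
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+) ACTION=(?P<action>\S+)"
)


def parse_fw_line(line: str):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_mail_egress(log_text: str, approved=APPROVED_MAIL_SERVERS) -> list[dict]:
    """Return one finding per mail-port connection attempt from a non-approved source.

    Internal sources are flagged because the post singles them out for investigation:
    an unapproved workstation talking SMTP or POP3 directly is exactly what the block
    was meant to catch.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None or rec["dpt"] not in MAIL_PORTS:
            continue
        if rec["src"] in approved:
            continue  # the relay host is allowed to do this
        findings.append({
            "src": rec["src"],
            "dst": rec["dst"],
            "service": MAIL_PORTS[rec["dpt"]],
            "internal_origin": is_internal(rec["src"]),
            "action": rec["action"],
        })
    return findings


def top_offenders(findings: list[dict], n: int = 3) -> list[tuple[str, int]]:
    """Rank source hosts by number of mail-port attempts, most active first."""
    return Counter(f["src"] for f in findings).most_common(n)


if __name__ == "__main__":
    found = audit_mail_egress(SAMPLE_FW_LOG)
    for f in found:
        print(f)
    print("top offenders:", top_offenders(found))
```

A DROP from an internal workstation to port 25 is usually a misconfigured client rather than exfiltration, which is why the output is a ranked list to review rather than an alert per line; the hosts at the top of the list are the ones worth a conversation, and often the answer is the same one as in point 1 (the user just wanted to read mail from home).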

5) Software policy should drastically limit user email clients to one (maybe two) approved email client applications. Make things as standard as possible, and manage that app properly.

6) Education. Education is not a panacea, but at least educate and teach employees how to use the tools given to them, and why circumventing them can put the company, themselves, and their clients at risk needlessly. This also should help draw out difficulties they may have with the tools and maybe expose why they circumvent policies in the first place.