webmail: enterprise security disaster?

Hosted applications are revolutionising the world. The way forward is remotely hosted applications, accessible from anywhere. Or even locally hosted applications accessible from anywhere. There is a touch of hyperbole (and perhaps a bit of bandwagon-jumping) to this statement, although on balance Riskmonkey agrees. Riskmonkey.net is a devotee of Google Apps, web hosting in shared data centres, and yes - you've guessed it - WordPress. The bottom line is, there is no point doing something yourself if someone else can do it (or has already done it) much better and at a lower cost. RM is sitting in a coffee shop on a Sunday afternoon typing into a web site hosted in Sheffield and using email hosted in the United States, using 3G provided by a German company's British subsidiary. Putting to one side for now the data protection issues (perhaps a subject for a future post), the security problem here is the word 'anywhere'.

My email, my web site, my documents - all accessible from any computer or mobile device anywhere in the world. Public library computer, airport lounge terminal, railway station hot-spot, android mobile or iPhone, hotel reception or space station(1) - no problem. Therein lies the problem.


When applications are available anywhere, so is the data, and the main culprit in most organisations is email. Specifically, tools such as the rightly maligned Microsoft Outlook Web Access, but Google Apps carries exactly the same risk: as you no longer control the access device, any data accessed may be cached or downloaded to the local machine (browser cache, temporary files, saved attachments). Once there, you have no way of detecting it, controlling it, or removing it.

What can you do about it? Unfortunately, often not as much as you need to in order to address the risk adequately. High-risk organisations - those with lots of personal data in circulation - should simply ban it outright or restrict it to use over a corporate VPN.

For others, assuming you are satisfied with the security of the application itself and the data in transit between the webmail interface and the supporting Microsoft Exchange server or mail server (and if you've implemented it, you ought to be!):

Here are our top 12 actions you can take to limit the risk of data being transferred to an uncontrolled local machine or network via your web based email solution:

  1. Restrict by IP address. If you know where people need access (and there is a static IP address for those locations) tie down access to pre-approved IP addresses
  2. Prohibit file download via webmail to any client not on the corporate network (if your solution allows for this)
  3. Provide staff with privacy screens (filters) that narrow the viewing angle of a laptop monitor, so data can only be read from directly in front of it
  4. Prohibit access via known public access points (such as BT Openzone) and unsecured wifi connections
  5. Restrict access from abroad using IP address - not perfect, but if your staff never go further abroad than the next county, they don't need access from Thailand or India.
  6. Provide preferred alternatives, such as controlled BlackBerry devices
  7. Subject webmail to higher levels of monitoring and lower attachment size limits
  8. Restrict access to webmail to users with a requirement for it. Outlook Web Access, for example, can be granted on an individual or AD-group basis.
  9. Establish a documented approval process for staff requesting access, including a requirement for staff to sign to say they understand they are responsible for how they use the service
  10. Introduce mandatory training, for example computer-based training (CBT), for staff using webmail. This could include all aspects of security - access in public areas, avoiding CCTV, risks of shoulder-surfing, not storing emails or attachments on the local machine, and not uploading files from the local machine.
  11. Keep detailed logs, including attempts to download files or large volumes of email, and let staff know logs and usage are closely monitored
  12. Remove access promptly when no longer required, and audit usage every 3 months to check it is being used. Remove the permission if it is not.

Some of the risks are none too obvious but are still potentially critical flaws. For example, if you monitor email traffic you may pick up on an email being sent with a suspect attachment, or at least have logs to refer to should you need to investigate an incident. However, you might not pick up an email with a data file being put in the 'Drafts' folder of a user's mailbox in the office, for later download from the Drafts folder to a computer outside the control of the corporate network using webmail. Nothing is ever sent, so mail-flow monitoring never sees it - just one easy way for malicious users to bypass corporate network security and email monitoring controls to extract restricted data.
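One way to make steps 1, 5, 11 and 12 above, and the Drafts-folder route just described, concrete as a detective control, as an added example that is not part of the original post and not Riskmonkey's code: a Python script that reads the IIS logs of the OWA site (OWA runs under IIS and logs in W3C extended format) and reports attachment downloads from outside approved networks, users downloading in bulk on a given day, and accounts that hold OWA access but have not used it in three months. Everything specific in it is an assumption: the approved networks, the download handler path (`/owa/attachment.ashx` is the Exchange 2007/2010 handler; check yours), the thresholds, the list of granted users, and the sample log lines, which are constructed.

```python
"""Detective controls for OWA: review IIS logs for attachment downloads from
unapproved networks, bulk downloads, and granted users who no longer use it.
Added example for this post; not Riskmonkey's code. Log format is IIS W3C
(OWA runs under IIS); the download handler path, networks, thresholds,
granted-user list and log lines are constructed assumptions.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical approved source ranges: office egress and the VPN pool (steps 1 and 5).
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("10.0.0.0/8")]
# Assumed OWA attachment download handler (Exchange 2007/2010); adjust per version.
ATTACHMENT_STEMS = {"/owa/attachment.ashx"}
BULK_THRESHOLD = 3                 # hypothetical: downloads per user per day worth a look (step 11)
STALE_AFTER = timedelta(days=90)   # step 12: remove access unused for three months

# Constructed sample IIS W3C log (abbreviated field list).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2010-06-13 09:02:11 GET /owa/ - alice 203.0.113.40 200
2010-06-13 09:05:40 GET /owa/attachment.ashx attach=1&id=A1 alice 203.0.113.40 200
2010-06-13 22:10:03 GET /owa/ - bob 198.51.100.7 200
2010-06-13 22:11:15 GET /owa/attachment.ashx attach=1&id=B1 bob 198.51.100.7 200
2010-06-13 22:11:52 GET /owa/attachment.ashx attach=1&id=B2 bob 198.51.100.7 200
2010-06-13 22:12:30 GET /owa/attachment.ashx attach=1&id=B3 bob 198.51.100.7 200
2010-03-01 08:00:00 GET /owa/ - carol 203.0.113.41 200
"""
# Hypothetical accounts currently granted OWA (step 8); dave has never logged in.
GRANTED_USERS = {"alice", "bob", "carol", "dave"}


def parse_iis_log(text):
    """Parse W3C extended log text; the #Fields directive names the columns."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                      # cannot map the line reliably; skip it
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                             "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_approved(ip):
    """True if the client address falls inside an approved network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def is_attachment_download(rec):
    """A successful GET of the download handler is one attachment leaving the server."""
    return (rec["cs-method"] == "GET"
            and rec["cs-uri-stem"].lower() in ATTACHMENT_STEMS
            and rec["sc-status"] == "200")


def review_owa_usage(records, granted_users, now):
    """Return offsite downloads, per-user-per-day bulk downloads and stale grants."""
    offsite, per_user_day, last_seen = [], Counter(), {}
    for rec in records:
        user = rec["cs-username"]
        last_seen[user] = max(last_seen.get(user, rec["timestamp"]), rec["timestamp"])
        if is_attachment_download(rec):
            per_user_day[(user, rec["date"])] += 1
            if not is_approved(rec["c-ip"]):
                offsite.append((user, rec["c-ip"], rec["cs-uri-query"]))
    bulk = sorted((u, d, n) for (u, d), n in per_user_day.items() if n >= BULK_THRESHOLD)
    stale = sorted(u for u in granted_users
                   if u not in last_seen or now - last_seen[u] > STALE_AFTER)
    return {"offsite_downloads": offsite, "bulk_downloads": bulk, "stale_users": stale}


def run_sample(now=datetime(2010, 6, 14)):
    """Run the review over the constructed sample log as of the given date."""
    return review_owa_usage(parse_iis_log(SAMPLE_LOG), GRANTED_USERS, now)


if __name__ == "__main__":
    for finding, items in run_sample().items():
        print(finding, items)
```

In use you would point `parse_iis_log` at the real log files rather than `SAMPLE_LOG`, feed `GRANTED_USERS` from the AD group used in step 8, and schedule the run alongside the quarterly audit. Note what it can and cannot see: the log does not record which folder an attachment was staged in, so the Drafts-folder trick is caught only at the download step, and only if the download handler is the same for every folder (assumed here). The preventive controls still come first; this is the evidence trail behind them.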

Even after all this though, there really is no security guarantee with remotely accessible email, unless it is accessed via a VPN or a remote-desktop solution such as Citrix (a published desktop at least keeps the mailbox off the local disk, though not off the screen) - which means that Riskmonkey's preferred solution is still to only allow access to email via approved devices.


(1) Riskmonkey has never actually written a post from a space station, but would be happy to try if anyone is offering a free ride to the ISS.