Remote access to corporate e-mail is a critical function in many enterprises. But doing it securely is where the challenges lie, and, as always is the case, that means a combination of user awareness and effective technology.
To that end, vendors such as Symantec and Messageware are delivering services and third-party add-ons to tighten security at the endpoint, while other providers turn their attention to controlling the type of information allowed outside a companys LAN (local area network).
In a white paper titled “ISA Security Report: OWA Issues Undetected by ISA Server,” Messageware officials noted users of Microsofts Outlook Web Access can navigate away from an active session in a number ways without first logging off—leaving corporate e-mail exposed. This is a potential threat when users are logging on from a shared computer at, for example, conference kiosks, Internet cafes or university computer labs.
“In terms of people logging on and going to another URL without logging off, there is very little you can do in terms of endpoint security add-ons or in terms of policy if they are using a public terminal or a machine that is not under your control,” said Chenxi Wang, an analyst with Forrester Research.
Read more here about securing e-mail through the use of private domains.
“This problem is not unique to Web e-mail access; online banking faces the same problem,” Wang said. “What the online banking applications do is engineer a timeout: When there is no activity on the page for x number of seconds, the Web site will require the user to log back in. This approach can work for Web e-mail access as well.”
In fact, Messageware tries to address security for OWA by doing exactly that. While Internet Security and Acceleration Server, a firewall for Microsoft Exchange, offers some protection, ISA Server 2006—unlike previous versions—does not include an auto log-off feature that boots users off whenever they leave an active OWA session.
Messagewares NavGuard prevents users from navigating away from their OWA session without first prompting them to either logoff or return to their OWA session. Messageware also has TimeGuard, which sends prompts to users to log off or extend the session after a customizable period of time has passed with no activity. After another period of time has passed, the session will end and users will need to log on again to continue using OWA.
Symantecs answer to OWA security issues is Symantec On-Demand Protection for Outlook Web Access 3.0, which does a host integrity check when an endpoint tries to connect to a corporate network and encrypts data and deletes files once an OWA session is terminated.
Other security companies such as Websense and Secure Computing have outbound content filtering that blocks confidential data headed over the Web, Wang said.
“I believe corporations should have content filtering policies which monitor the Web e-mail channel,” she explained. “An effective policy could be such that if you are accessing corporate e-mail from a public/untrusted machine, the content filtering solution would prevent you from viewing e-mails with confidential or proprietary content. This content filtering solution can be installed at the edge of the corporate network, inspecting outgoing Web communications.”
Click here to read about e-mail fraud attacks targeting C-level executives.
Still, history has shown that technology is no match for an uneducated user. Sound corporate policies and education are key facets of any overall security strategy, said Mark Rotman, CEO of Messageware.
“Unfortunately, the larger the corporation and the more urgent the need, the less likely user training will actually inhibit or prohibit what would be common sense otherwise,” he said.
“So, this user education helps, but it cannot be the solution. … The technical solutions are there to reduce the risk or eliminate situations from occurring in the first place. Going with only [education or technology] is really not a full corporate strategy.”
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.