In-House vs. Hosted Email Security: 10 Reasons Why Your Email Is More Secure in a Hosted Environment
Introduction

Software as a Service (SaaS) has quickly become the standard delivery model for critical business IT software and services. Business customers realize many benefits by leveraging SaaS services: the on-demand model lowers their overall costs while increasing flexibility, reliability, and overall solution security. However, as businesses begin to evaluate SaaS software and services, many still have concerns about security, fearing that hosting their critical business applications and data with a SaaS provider will expose them to greater risk and loss of control. This concern is particularly acute for businesses' messaging and collaboration needs around email and instant messaging. As business email is now a primary method of inter- and intra-corporate communication, including the exchange of sensitive financial data and intellectual property, businesses are increasingly concerned about the need for secured email and messaging services. Microsoft Exchange is the leading business email and collaboration solution for the small through large business markets, and this whitepaper compares the security of Microsoft Exchange deployed in-house versus in a hosted model with a SaaS service provider. By choosing Intermedia as their hosted Exchange SaaS solution provider, businesses can achieve email and total messaging security, as well as peace of mind, by leveraging Intermedia's infrastructure and experience in running a secured messaging platform.
The importance of email and email security

Email has clearly become the dominant form of business communication. Businesses exchange tens of millions of emails each day, many containing intellectual property such as product designs, business models, financial data, pricing strategies, supplier agreements, customer information, or employee HR data. Globally, there were more than 700 million business email users in 2006, and this is expected to climb to over 900 million by 2010. It is estimated that the average business user sends and receives between 500 and 600 non-spam emails per week [1]. In a recent King Research survey of mid-market IT professionals responsible for messaging systems, 96 percent of respondents said email is important or extremely important and has a significant negative impact on business operations when not available. Today email is commonly used for communication and collaboration between both internal and external contacts, for file sharing, resource scheduling and contact management, and it is the focal point of collaborative projects for organizations in virtually every industry. With the large volume of messages containing sensitive business and even personal information from every corner of an organization, it is not surprising that up to 75% of a company's intellectual property resides in email data stores. This is particularly true for knowledge-based and service organizations. These intangible assets, which embody patents, trademarks, databases, organizational techniques, and employees' knowledge, experience and relationships, represent some two-thirds of the value of America's large businesses. In addition to businesses' desire to protect the important and confidential information they store in email, industry and government regulations, including HIPAA and Sarbanes-Oxley, place external and legal requirements on email security.
A recent US study found that companies estimate nearly 1 in 5 outgoing emails (19%) contain content that poses a legal, financial or regulatory risk. The most common form of non-compliant content is email that contains confidential or proprietary business information (30%), followed by adult, obscene, or potentially offensive content (25%) and personal healthcare, financial or identity data which may violate privacy and data protection regulations (20%) [2].

The Seven Layers of Email Security

The properties that make Microsoft Exchange a powerful communications and collaboration tool also make it vulnerable to different types of threats. A comprehensive security strategy protects against these important threats:

- Viruses and malware: attackers who use email as a conduit to invade corporate networks for the purpose of stealing information or taking control of computers for other illegal activities.
- Phishing: attackers who lure users into submitting personal or business information by convincing them they are interacting with a legitimate vendor or business partner, when they are in fact communicating with the attackers.
- Malicious employees and employee negligence: employees or ex-employees who inadvertently compromise sensitive business information or, worse, purposely try to access and/or steal privileged information.
- Corporate espionage: attempts by competitors to gain an unfair advantage by accessing internal company information, including product designs, launch plans or financial data.
- Hackers: Internet pirates looking for valuable information that they can either use to profit illegally or sell on the black market.

[1] The Radicati Group, End-User Study on Email Hygiene, Apr 2005
[2] Consulting, Outbound Email and Content Security in Today's Enterprise, 2007.
To properly secure email against these threats, businesses must employ a multi-tiered security infrastructure across multiple layers:

Layer 1: Physical Security

Most small and medium businesses that host their own Microsoft Exchange servers do so out of a corporate office. Servers are typically kept in a server closet or computer area, often protected by just a single locked door. While businesses often feel more comfortable keeping servers within eyesight inside their own offices, their trust may be misplaced. Every year, thousands of businesses experience theft, burglary or trespass, resulting in the damage or loss of computer hardware and ultimately their email server.

Layer 2: Logical Server Security

Emails are only as secure as the servers they reside on. To properly secure Microsoft Exchange email, the Exchange servers themselves must be properly secured. This complicated, continuous process includes:

- Proper installation and hardened configuration of the Microsoft Windows server operating system
- Prompt testing and application of security patches and updates to the operating system and to Exchange
- Strict configuration of user and administrative accounts with roles and permissions, granting each account only what it needs
- Proactive monitoring of the servers and services for viruses, intrusion attempts, denial-of-service attacks, and any other unexpected behavior

Unfortunately, most small and medium businesses do not have the experience or resources to allocate to these tasks, leaving exploitable weaknesses that compromise the security of their email.

Layer 3: Network Security

Most hackers trying to attack corporate mail servers do so remotely through the Internet. They look for vulnerabilities in both the Exchange servers and the network to gain unauthorized access to email and the valuable data it holds.
To protect against such attacks, businesses must ensure that they have properly installed and configured firewalls, intrusion detection and prevention systems, and proactive monitoring, so that only authorized traffic reaches their Exchange servers.

Layer 4: Client Security

While email resides on Exchange servers, business users access it through desktop and mobile clients including Microsoft Outlook, Outlook Express, Mozilla Thunderbird, Entourage, Apple Mail, and Outlook Web Access. Providing secure access for these clients to the Exchange server, both from within and outside the office, requires setup and administration on both the client and the server.

Layer 5: Antivirus and Antispam

In addition to trying to obtain the content of emails, hackers often use email as a gateway into corporate networks. They do this by sending viruses and malware that they hope will be installed on corporate desktops. From there, these programs can send sensitive information back to the hacker or allow the hacker to take control of the desktop for use in other attacks. While many small and medium businesses run desktop-based virus and spam scanners, they often do not do so at the network or server level, relying entirely on the end user to ensure the security of the entire company.
Layer 6: Administration and Policy Security

One of the biggest security gaps in corporate email is actually an internal threat, not an external one. Specifically, businesses are frequently victims of unauthorized access to email by employees or consultants who are authorized to administer the email servers. These administrators abuse their privileges to read emails from the CEO, president, Human Resources, and other colleagues that may give them access to sensitive or privileged information.

Layer 7: Backup and Recovery

Email security goes beyond protection from theft and unauthorized access; it also includes recovery of email in the case of Exchange server hardware or software failure. Not only is email a primary communications tool for most businesses' knowledge workers, it is often their primary data store and file manager as well. However, few small businesses perform regularly scheduled backups of their business email systems for quick restoration. Backup systems and storage media are expensive, and often small and medium businesses do not have the resources required to perform regularly scheduled backups, leaving their workers exposed in the case of catastrophic hardware or software failure.

Intermedia Hosted Email

Intermedia treats security as one of its top priorities and works continuously to create and maintain the most secure infrastructure possible for its customers. Intermedia's philosophy is that security is not a one-time problem to fix; it requires ongoing dedication and attention and must be considered in everything the company does. To support this philosophy, Intermedia has a dedicated information security team whose full-time responsibility is to secure and monitor the environment.

Layer 1: Physical Security

Intermedia hosts customers' Exchange email within its four datacenters.
These datacenters are physically separated from its corporate offices, and physical access to them is strictly controlled and limited to the people who need it. The physical access controls at each datacenter are among the controls covered by Intermedia's SAS 70 Type II audit. Access to the servers is protected through multiple layers of authentication measures such as access cards, biometrics, and pass codes. This system is designed to keep unauthorized people from gaining physical access to the servers and the overall infrastructure; servers are only one part of that infrastructure, and the network, backups and storage are all critical as well.

Layer 2: Server Security

Intermedia proactively monitors and manages its servers to ensure they are always properly secured. Its experienced team of Exchange administrators configures each server for performance without compromising security through open ports or misconfigured user and administrative permissions. Both the Windows and Exchange Server software are patched with the latest updates and fixes from Microsoft on a regular basis. Intermedia runs regular antivirus scans on each machine so that no malicious software can access its customers' email, and also on its Mail Filter Gateways, which scan all incoming mail before it reaches the Exchange environment. These practices, combined with Intermedia's constant monitoring of its server environment, keep the servers hosting and managing your email as secure as possible.
Layer 3: Network Security

Intermedia's network is protected by a battery of fault-tolerant, brand-name firewalls. Each firewall is configured to block unauthorized traffic from entering the network, and Intermedia's policy of redundancy and fault tolerance ensures that a backup system takes over immediately if any one firewall fails. In addition to blocking traffic, Intermedia runs intrusion detection and prevention software. Working in concert with the firewalls, these systems monitor the traffic flowing into the network, isolate suspicious traffic, and notify the Intermedia network management and security team of any potential danger.

Layer 4: Client Security

Intermedia uses Secure Sockets Layer (SSL/TLS) connections to encrypt data sent between the Exchange servers and the mail client used to access email. This protects customers' email as it travels between the mail client and the Exchange server, whether the client is in the office, at home, or on a wireless or public Internet connection at a café or in an airport. Note that this covers only the hop between the client and Intermedia's servers; transport between mail servers across the Internet is a separate problem, addressed under Layer 8 below.

Layer 5: Antivirus & Antispam

As part of its hosted Exchange 2007 email service, Intermedia includes antivirus and antispam filtering. Each email sent or received by its customers is filtered through SpamStopper, Intermedia's proprietary filtering solution. Not only does this mitigate the risks of viruses, malware and phishing attacks, it also greatly reduces the volume of unwanted email, thereby improving employee productivity, efficiency, and overall performance.

Layer 6: Administration Policy and Security

Intermedia's Exchange environments are architected so that only mailbox owners and their designated delegates can access messages in a mailbox. Customers' account administrators cannot access individual users' email. Intermedia also protects businesses against inappropriate content sent or received by the company through its content filtering feature.
Using living dictionaries, account administrators can choose to filter profane, ethnic, religious, and gender slurs, enforce compliance with HIPAA and other regulations, and block information such as Social Security and credit card numbers from being sent via email. Intermedia's simple action-based rules wizard can perform different actions on emails flagged by the filter, including delete, quarantine, and forward a copy to an administrator or HR manager.

Layer 7: Backup and Recovery

Intermedia performs daily backups of its Exchange servers and keeps backup files for seven days. This ensures that customers retain their email even in the event of a catastrophic failure of the Exchange environment. Customers can also use backups to retrieve inadvertently deleted messages, provided the deletion is noticed within the seven-day retention window; longer regulatory retention or litigation-hold requirements call for a separate archive rather than operational backups.

Layer 8: Mail Encryption

No matter how secure your email infrastructure may be, in-house or hosted, email is most vulnerable when it travels over the public Internet from the sender's mail server to the recipient's mail server. In that time, it passes through a number of open networks, routers and servers, any of which an attacker who controls it can use to read the message. This risk is exacerbated by the fact that SMTP delivers email in cleartext by default, an unencrypted format readable by anyone who can access the data.
Intermedia's Secure Mail solution addresses this problem by allowing business customers to encrypt the emails they send, whether to other employees or to colleagues outside the company. Because Secure Mail encrypts the email into an unreadable format, an attacker who intercepts it cannot read the message or any of its attachments without the decryption key.

Layer 9: Legal Protection

Even if your confidential emails reach their intended recipients without any internal or external security breach, you cannot control what the recipients do with the information you have sent them, and there are often legal liabilities associated with distributing confidential information. Intermedia addresses this with its Legal Disclaimer solution, which automatically inserts a customized disclaimer footer at the bottom of each email sent by employees to external addresses. This eliminates the problem of employees forgetting to add the disclaimer manually when sending confidential information.

Layer 10: Security Validation

While the security measures above sound thorough, it is important to verify that they are indeed providing adequate security for Intermedia's customers. To measure the effectiveness of its security infrastructure, Intermedia conducts its own tests and relies on third parties for validation.

Security Assessment Testing: Periodically, Intermedia conducts vulnerability scans of its hosted Exchange environment to measure its security and identify potential holes.

External Validation: Intermedia uses two third-party sources to validate its security practices: a SAS 70 Type II audit and PCI compliance. The first is Intermedia's SAS 70 Type II audit.
This audit, performed by third-party auditors, examines whether every element of Intermedia's business, from security and systems administration to finance and billing, is actually managed and controlled to the standards Intermedia promises its customers. A Type II report, the more rigorous of the two SAS 70 report types, tests not just the design of those controls but their operating effectiveness over a review period. Note that SAS 70 does not prescribe a security standard of its own: the auditor tests the controls that Intermedia itself describes, so the report is third-party evidence that the stated practices are followed rather than a security rating against an external benchmark. The second external validation is Payment Card Industry (PCI) compliance. PCI compliance is reached when a company meets the Payment Card Industry Data Security Standard (PCI DSS), established by the major credit card brands to help organizations that process card payments prevent credit card fraud, hacking and other security issues. A company processing, storing, or transmitting credit card numbers must be PCI compliant or it risks losing the ability to process credit card payments. Its scope is the systems that handle cardholder data, so it speaks to Intermedia's billing environment rather than to the Exchange platform as a whole. Intermedia is PCI compliant, and its web site uses an SSL certificate issued by VeriSign, so data you submit to Intermedia through its web site is encrypted in transit.
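To make the Layer 6 content filter concrete, here is an added example of the kind of outbound check it describes: a scanner that parses a message, looks for credit card and Social Security numbers in the subject and text parts, and maps what it finds to a delete/quarantine/forward action. This is illustrative code written for this page, not Intermedia's SpamStopper or rules wizard; the policy table, the action names, the sample message and all function names are hypothetical. It uses only the Python standard library and a Luhn checksum so that order references that merely look like card numbers are not flagged.

```python
"""Outbound content check for card numbers and SSNs (added example, not
Intermedia's SpamStopper or rules wizard; all names here are hypothetical)."""
import re
from email import message_from_string

# Hypothetical policy table: finding type -> action, plus the order in
# which competing actions win when one message triggers several rules.
RULES = {"credit_card": "quarantine", "ssn": "forward_copy"}
ACTION_PRIORITY = ["delete", "quarantine", "forward_copy", "allow"]

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run (the lookarounds reject e.g. 20-digit IDs).
CC_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with optional separators; also matches 9 bare digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def luhn_valid(digits):
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """Reject SSN-shaped numbers the Social Security Administration never issues."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text):
    """Return (kind, last4) findings for every card number / SSN in text."""
    findings = []
    for m in CC_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):              # drops order numbers that merely look like cards
            findings.append(("credit_card", digits[-4:]))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", m.group(3)))
    return findings


def scan_message(raw):
    """Parse an RFC 5322 message, scan its subject and text parts, pick an action."""
    msg = message_from_string(raw)
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                        # attachments would need their own decoders
        payload = part.get_payload(decode=True)
        if payload:
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    findings = [f for t in texts for f in find_sensitive(t)]
    triggered = {RULES[kind] for kind, _ in findings}
    action = next((a for a in ACTION_PRIORITY if a in triggered), "allow")
    return {"action": action, "findings": findings}


# Constructed sample message: a real-looking card number, an SSN, a phone
# number, and an order reference that fails the Luhn check.
SAMPLE = """\
From: alice@example.com
To: bob@partner.example
Subject: Invoice 2007-0042 (order ref 1234567890123)
Content-Type: text/plain; charset="utf-8"

Hi Bob, please charge card 4111 1111 1111 1111 (exp 09/10).
My SSN is 219-09-9999 for the W-9. Call 555-123-4567 with questions.
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The scanner only looks at text parts; a production filter would also extract text from attachments (Office documents, PDFs) and feed it through the same `find_sensitive` routine, since that is where most accidental disclosures live.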
Conclusion

Email is a powerful platform for communication and collaboration, especially in distributed environments. But with these benefits come serious inherent security risks that require ongoing attention. A comprehensive security strategy employs multiple layers of defense, from the physical to the digital and up to the process and policy layers of an email solution. Employing this comprehensive strategy is costly and time-consuming, both as an initial investment and on an ongoing basis. Intermedia is a thought leader on email security and offers one of the most comprehensive and effective security programs for hosted business email, all included in the low monthly cost of its hosted Exchange offerings. To learn more about Intermedia's hosted Exchange solutions, please visit www.intermedia.net.
About Intermedia

Intermedia is the leading provider of hosted Exchange to small and medium businesses. With eight years of experience and more than 300,000 mailboxes under management, Intermedia has the expertise to deliver Exchange email and collaboration solutions that are as good as, if not better and more secure than, in-house solutions.