How to step up your Microsoft Exchange security game

Your Exchange environment is a key component in your organization's communication platform, so shouldn't protecting it get the highest priority?

Many people believe that information security is about the technology -- the bits and bytes -- that make up the network defense system. From one perspective, that's true. When it comes to Microsoft Exchange security -- or the network as a whole -- we couldn't survive long without firewalls, content filtering, malware protection and the like.

But information security is multifaceted; it's not just a single layer of technology. Information security is a broad and complex ecosystem of elements that must work in unison to maintain system resiliency and a secure email server.

The core principles of a solid information security program are both tangible and intangible. The following are familiar to most people but have been overlooked in many organizations:

  • Knowing what information is where;
  • Assessing information risks;
  • Obtaining and maintaining support from management;
  • Enforcing policies through the necessary technologies;
  • Getting buy-in from users so they're motivated to do what's right; and
  • Developing an incident response program.

All of these areas impact Microsoft Exchange security on a daily basis. If you want to ensure you have a secure email server that integrates with the overall information security program, you're going to have to step up your game. Making such changes means that you're going to have to get out of your comfort zone: say what needs to be said and do what needs to be done. Some will hire an outsider to perform a security assessment and use that as leverage for gaining the support and budget needed to make security improvements. However, just as many will pretend that security problems don't exist. Or, if they know what's creating risks, they're afraid to rock the boat with peers and management. In that case, the status quo will remain, as will the security risks. In the end, you still have priorities that only you can address.

Start with the basics

The most important step to take is to measure the existing risks. Many organizations haven't even done that. Some don't want to acknowledge the risks because they represent work -- and change. Some don't know where to start. If that's you, don't fret; it's simple to get started. Read and listen. Read about information security, not about the latest threats. That stuff is cool, but you have to understand the security basics first. Listen to learn about information security. Attend webcasts, seminars and conferences. You'll get information to help you with your security goals and, just as importantly, you'll meet other people who can teach you things that would otherwise take years to learn on your own.

Take steps to shore up defenses

Once you have the risks prioritized, work on getting the right people to provide the backing necessary for resolving the risks or formally accepting them. Don't just ignore them. The last thing you want to be is low-hanging fruit for hackers, but that's exactly what your Exchange environment and your business will be if you fall into the trap of security complacency. You have too much tied up in Exchange, which is arguably your most critical enterprise application. Keep pushing for what's right to increase Microsoft Exchange security and prevent your organization from being an easy target.
