
Do you need third-party email security tools?

Think you have a grip on email security? Ask these nine questions to determine if native security tools are enough or if you need a third-party tool.

Certain things in life simply run their course, including Exchange and email security options. Dating back to Exchange 2007, the messaging platform and underlying OS have had some robust, enterprise-ready security features. But as hackers become savvier, can you trust Microsoft to do everything well, especially when it comes to today's information risks?


I'm a firm believer in using what you've got -- such as the security controls native to Exchange and Windows. But I also believe some things aren't meant to be. If you don't feel like you have a good grip on email security, it's likely time for a change. And there are plenty of third-party options for anti-malware, audit logging and event monitoring, as well as spam and content filtering and so on.

To the greatest extent possible, start with a clean slate for email security. Using what you know about the current state of your Exchange environment, ask yourself these nine questions to determine where things stand with your options for email security tools and whether it's time to move on.

Do you truly understand what's at risk?

This includes knowing who has access to what -- messages, public folders, calendars and even the servers. What are your security standards, especially around passwords, encryption and mobile access via ActiveSync? What do your specific policies dictate, and how do you enforce these policies? Odds are management is exempt from these requirements and very few people know about it. In addition, understand the existing gaps you need to close to completely secure your environment; include existing security vulnerabilities from third parties, as well as other areas only you know about.

Do you have the time to keep your environment under control?

Time is the scarcest resource of IT professionals, and it's easy to assume that the email system will just run itself. You can't look at it that way. You need to dedicate a certain amount of your day and week to its security, not to mention being able to jump in when emergencies arise. Are you managing your time in ways that allow you to do what's really necessary? Simply upgrading to a commercial, enterprise or third-party security tool can make a world of difference in the amount of time needed to do specific things involving security.

Are your built-in Exchange and Windows security controls helping or hindering larger messaging security goals?

The answer is probably the former, especially if you can take a fresh look. Your controls might not be enough to address security issues, so you might want to bring in an outsider with an unbiased perspective to point out the less obvious security gotchas, workflow inefficiencies and the like, and recommend fixes.

How deeply ingrained are HR and legal in your messaging environment?

How good are these departments at complying with state and federal laws, including legal holds on email? What about e-discovery -- is that a smooth or a haphazard process? Who's really running the show? You're setting yourself up to fail if you don't have the right email security tools, especially when it comes to governance and compliance.

What are your mobile plans?

If your organization is like most, anything goes with elementary ActiveSync controls when you're trying to harness all of an organization's mobile systems. That's not scalable. There's a handful of amazing mobile device management products that might help you address this issue once and for all.

Will outsourcing make your job easier?

If you do it properly, outsourcing IT almost always makes an admin's job easier. You won't be able to have a completely hands-off approach, nor should you, but cutting 50% or more of the time it takes to update, administer and oversee your Exchange security can make a difference.

How resilient would your environment be to a third-party service provider slip-up or cloud service outage?

Playing devil's advocate, you need to be prepared for outages like those we've seen with Google, Amazon, Windows Azure and other cloud players. Enterprises don't want an unsecure environment that never goes down, and they also don't want a secure email environment that goes down often. There needs to be a balance.

Do the revelations about the National Security Agency spying on corporations affect how you view third parties with access to critical business information systems? 

What do management and the legal department say about these revelations? They may not want to risk security breaches, so you'll need to build a good case for using third-party tools and services.

Do you have the money and ongoing support for the tools you want to use?

Budget constraints are enough to prevent most security-related issues, especially with email -- something that many assume is always under lock and key, yet always available. Even if you can procure them, converting to a new set of email security controls shouldn't always be your go-to option. The last thing you need is to spend all that time and money, only to find out soon afterward that support is getting yanked. Management may not understand what you're trying to do, but that's just as much your responsibility as it is theirs.

As hard as it is for IT pros to embrace change and give up a certain amount of control, sometimes that's just what's needed to minimize vulnerabilities and keep threats at bay.

Don't buy into the marketing hype from the email security vendors. Know what your enterprise needs, not what vendors tell you it needs. Every analyst, auditor and systems integrator has his opinion when it comes to email security tools. Until someone has seen how IT operates in your organization, is clear on the current political and cultural environment, and fully understands your information risks, email recommendations are as common and as valuable as table salt.

Step back and think about your options for email security tools. Even if your vulnerability scans and IT audits turn up clean, there's always room for improvement when managing security risks in Exchange.

About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.


Join the conversation



"Do the revelations about the National Security Agency spying on corporations affect how you view third parties?", YES YES YES
Hi searchexchange1,
Thanks for your feedback. With your reservations about using third-party security tools in light of the NSA revelations, what security tools do you use for your email? Is it something we didn't cover in our tip?
What email security tools does your enterprise use?
There are firewalls and encryption here and I'm sure they once made someone in the front office feel safe. Over time, more than a few bad lumps have made those folks feel a lot less secure.

Mostly, it's hardly worth the bother.... It's been proven far too often, then yet again, that dedicated hackers can bludgeon their way past all our security. And the NSA can just unlock the back door to access whatever they want.

All our walls and locks are there merely to keep out the most casual eavesdropper. Beyond that, our whack-a-mole approach to security is woefully inadequate.
Per NSA revelations, Public Cloud (Office 365) services have Back-door access.
We never consider that our email is secure. Between the hackers and the feds, we could save everyone a lot of time by just posting everything on Facebook.

When our communication is critical and must be kept private, we deliver it personally. We have found even paper to be more secure than email. Despite anything to the contrary on 24, it's quite hard to unshred a bag of documents. We've yet to find any email security that's as secure as that.
Further thoughts.... After all, this topic is worth some serious consideration.

Our firewalls and encryption must have once made someone in the front office feel safe. Over time, more than a few bad lumps have made everyone feel a lot less secure.

Mostly, security seems hardly worth the bother.... It's been proven over and over that dedicated hackers can bludgeon their way past our best security. And the NSA can just unlock the back door to access whatever they want.

Our walls and locks merely keep the most casual eavesdroppers at bay. Beyond that, our whack-a-mole approach to security is woefully inadequate.