We've come a long way with information security over the past decade. But look at the latest research and you'd think organizations have hit a plateau. Some organizations focus solely on Exchange without looking at the bigger picture. They may be minimizing some of their messaging risks, but it's likely not good enough for overall network security. And those risks can potentially lead to a serious data breach.
Even if you believe your Exchange environment is locked down relatively well, now is the time to think about how you can layer on new or better security controls to further refine what you have in place. The technologies needed to help solve these security problems are already at your disposal. In fact, you may already have many of them available on your network.
Using one or more of the following Exchange and network-related security controls can protect most organizations against potential data breaches, yet these controls are often missing. By creating a layered security approach with more than one of these options, admins can bolster the resiliency of a messaging environment against threats.
- Basic audit logging and event monitoring. A quick option for implementing this in your organization is to outsource it.
- Intrusion prevention systems. These can either be standalone or technology built into the firewall. You could also include security information and event management for proactive blocking, alerting and correlation.
- Malware protection. This kind of protection can be found in the cloud (e.g., for external email content filtering), at the network perimeter and on Exchange servers. In many enterprises, malware protection at the desktop level and mobile device level is woefully inadequate. Using malware protection from a big-name company doesn't automatically equate to high-quality protection.
- Reasonably strong domain password policies. This is a seemingly obvious option, yet this vulnerability is everywhere. Executive users who are exempt from compensating controls such as intruder lockout, along with unencrypted laptops and a slew of mobile devices with zero security, often make this worse.
- Multifactor authentication. This security measure can help organizations eliminate password vulnerabilities.
- Data loss prevention. Use data loss prevention to monitor what's on the network.
Whether you host Exchange internally or in the cloud, here are some measured steps you need to take to build a layered security approach.
- Determine your messaging security requirements both internally within the business (e.g. what IT, internal audit and management need) and externally to meet customer, business partner or audit/compliance demands.
- Understand how your Exchange environment is currently at risk. Many people throw technologies and policies at perceived problems. These technologies may look good on paper, but in reality, they may not cut it in your organization. You can't secure what you don't acknowledge. Going down this path without fully understanding how things are at risk in your specific situation is going to be a waste of time, and more so, a waste of money.
- Based on what you find out in the previous steps, work with your team to devise a prioritized approach to lock things down in and around Exchange -- both inside and outside the network. See how your messaging-focused security controls can integrate with other technologies you already have in place on your network. Revisit what's working and look at how the new setup is minimizing security risks. You'll likely find that you need to tweak certain areas, including removing existing security controls and adding new ones you had not yet thought to add.
The fact that you're thinking about improving the security of a messaging environment puts you well ahead of the curve. Don't take Exchange and its functionality for granted within the business -- it's arguably your most critical application. Using a layered security approach can help protect against any threats or potential data breaches. The more secure your messaging environment becomes, the more secure your overall business will be.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.
This is part three in a series about how admins can learn from recent data breaches to protect Exchange. Part one covered common causes of data breaches and how to recognize them. Part two looked at phishing attacks and why these attacks cause data breaches.