Suggestions to improve e-mail security

Question

I work for a lawyer company which has a lot of extremely sensitive data.

I would like to step up a notch on security. Especially when it comes to e-mail.

So I'd like a lot of recommendations, encryption, storing and similar. I already have some precautions, but it is better to generalize and better to ask for a lot of suggestions.

As many tips as possible please :)

Clients have: Windows XP coupled with Office 2007. We have an exchange server running 2003 as backend. I would rather not upgrade the OS, but other than that, I am very open to suggestions. Oh and another thing. Office 2007 is a must as well, can't change that one, as some of our company software relies on Word, Excel and Outlook.

Answer 1

What exactly are you trying to secure? The email in transit to other people? In that case, you'd want to use something like PGP to encrypt the message, since email is sent in the clear...your service provider could easily intercept email messages flying over their network (or anyone supplying a connection between you and the recipient). PGP will definitely give them more trouble than it's worth to decrypt the message. There should be plugins for Outlook to integrate it.

Are you trying to secure the storage of messages on your server? You'd want to take the usual precautions of making sure the server has all the latest patches, STRONG passwords, rotating password policy such that users have to change their passwords periodically with minimum 8 letters mixed case alphanumerics, probably on a thirty to ninety day cycle.

You have AV and malware scanners on the mail server, yes?

Are you worried about storage being taken? Governments like taking those if they think there's reason to examine it for something an employee has been doing. The only way to stop that is encryption of the storage volume. Here's where things get hairy because you need to have GOOD BACKUPS in place before screwing around with this...you can use something like NTFS's native encryption or truecrypt to encrypt the volume. This also means that if there's problems with data being corrupted, boot issues, etc...you're up a creek if you don't plan ahead and test, since you can't just boot up with a rescue disk and get to data for recovery! You may want to only have a partition set aside for storing data from the mail server, then encrypt that volume.

Again...TEST BACKUPS. We're talking about making changes to your mail server where if something goes wrong you could easily lose data.

Then that's another question...you are using a backup product that encrypts the tapes, right? Because all the security on the mail server means nothing if some punk can walk out with a tape to recover the data at home because you don't have it passworded and encrypted.

How far do you want to layer security? Because if you're running Outlook in a way that caches data, anyone that puts malware on the client system can read their email. Heck, taking over the boss's computer means they have access to whatever the boss has access to, encrypted or not.

You really need to identify the specific threats you're trying to guard against. Plan out how if you were an outsider you'd try to get whatever asset you're protecting. Then figure out how you'd be thwarted. Stealing client computers? Data backups? Sniffing traffic? Keystroke loggers? What accounts need to be protected?

Then take a deep breath and figure out how much it's going to COST in terms of money and in terms of convenience. Security often isn't the most convenient thing, and users will grow frustrated if they have to put up with things like decryption and encryption (and getting other people to USE the encryption) or having to store passwords or having multiple passwords. You need to find a balance between safety and convenience so that your users will work WITH you and not against you, because your security won't mean squat when users decide to work around your security measures when they're too irritated to follow procedures.

Answer 2

You can employ a Microsoft Public Key Infrastructure/Cert Authority for free if you are running a server OS like Win 2003 (which I see that you are if you are using Exchange). It integrates very well with Active Directory (if you are running that also). Users can grab certs from the CA and encrypt their e-mail with it on an as-needed basis. Exchanging encrypted e-mail within the same domain is no problem as the users will trust the CA inherently and have access to the public key for decryption. If you are sending encrypted e-mail outside the domain, you will need the receiving party's public key so you can encrypt e-mail sent to them with it. This ensures that they are the only recipient who can read it. The reverse is true for receiving encrypted e-mail from outside the domain. I am sorry I don't have any suggestions for secure storage of e-mail though...

Best Practices for Implementing a Microsoft PKI - http://technet.microsoft.com/en-us/library/cc772670(WS.10).aspx

Encrypting e-mail with Outlook 2007 (assumes your PKI is already set up) - http://office.microsoft.com/en-us/outlook/HP012305361033.aspx

Answer 3

If you aren't opposed to spending money. The PGP Universal server isn't a bad idea. We've been running it for years now. It also is doing well as a virtual for the past 8 months.

Answer 4

Lotus Notes is from security standpoint a very good product. You can have mail encrypted all the way to server disk, even administrator can't read user's mail.

It integrates to some extent with MS Office on Windows at least, is in some ways strange and ugly but it works quite ok and has wonderful replication options (think always backed up and everything available online if you want).

Answer 5

In terms of direct email security, the two 'standards' out there are a bit paradoxical. S/MIME has far better client support in your environment, but suffers from PKI issues. PGP is more widely usable trust-wise, but is (IMHO) clunky in an Outlook environment. This presumes the communication being performed is able to use either standard.

We've looked into S/MIME and run into the trust issue. We can't give everyone a certificate that chains to one of the certs in all browsers, we can't even come close to speculating about the merest possibility of affording something like that. By using our internal Active Directory rooted Certificate Authority we'd be able to at least secure e-mail between ourselves, just not with external entities with any grace. We have to ask the external entities to trust our Authority, and that's still a tricky proposition after all these years.

On the other hand S/MIME with an internal CA is free. We'd also be able to set defaults so that all mail sent is at least signed, and possibly even encrypted. With certificates in the Global Address List and the mailbox's Contact List for external entities, maintaining a keyring is a cinch for internal mail and Just Works. The Personal certificates are simply retrieved from the Tree, making key transport simpler. And Outlook Web Access includes the ability to do S/MIME (from IE) if the personal cert is installed on the home machine. It is by far the most convenient solution, too bad the trust issues hamstring it.

PGP or GPG have Outlook integration issues. Unless the big money products change this, there is no GAL integration. Keys have to be manually backed up and transported to new computing hardware. On the other hand, you don't have the PKI chaining issues you have with S/MIME, so it'll just work more places than S/MIME will.

Answer 6

I'd definitely take the above advice, as encrypting email will give you the best security bang - provided your users understand what it can and can't do.

Next I'd probably ditch Exchange 2003 for 2007. It's nice to finally get rid of Exchange's last lingering dependence on Public Folders. There are a couple of nice security benefits, like giving a user the ability to use OWA to remotely wipe their smartphone if it's lost/stolen.

Speaking of which, if smartphones are in use, I'd look to procedures/policies on them to really clamp down on security.