Where our team of editors discuss what they think about the current BM issues.

Akonix’ Peter Shaw, CipherTrust’s Aaron Kuehn and Forrester’s Natalie Lambert on why companies need to take a fresh look at their messaging security and compliance systems.
With an increasing amount of critical enterprise information being transferred through electronic communications such as e-mail, web-mail and instant messaging systems, companies need to take a fresh look at their messaging security and compliance systems to ensure they’re not leaving themselves open to security or compliance risks. But what are the issues, and what do they need to consider in greater detail? Business Management asked the experts to find out.
Peter Shaw, Chief Executive of Akonix, is a veteran CEO with experience in the graphics, personal computer, UNIX, internet (software, hardware and systems) and enterprise software industries. Shaw is also experienced in the fields of mergers and acquisitions and venture capital financing, and has led several successful turnaround situations.
Aaron Kuehn is currently the Director of Compliance Solutions at CipherTrust. In this role, he provides product strategy, sales, and technical guidance to advance CipherTrust's compliance and encryption solutions in the marketplace. He also acts as a worldwide subject matter expert on CipherTrust's homegrown and partner encryption solutions.
Natalie Lambert is an analyst on Forrester's Security team. Her primary focus is on client security – including technologies like antivirus, anti-spyware, personal firewalls, host IPS and patch management – e-mail security and anti-spam. She also tracks the SMB security market as well as security market trends in enterprises and SMBs.
BMUS. A greater focus on regulatory compliance in recent years has meant the security and availability of electronic communications has never been more important. What challenges do companies face in terms of security and compliance?
PS. As organizations adopt and embrace new communications media in their pursuit of competitive advantage and productivity improvement, they must also recognize that each improvement or benefit carries with it a corresponding new liability. The liabilities carried by new electronic communications evolve and change as each new innovation is adopted, but at their foundation, they haven’t changed much since companies began putting telephones on desks. These liabilities include the legal responsibility for inappropriate use by employees, the risk of proprietary knowledge being transferred out of the company, and the need to comply with law and regulation governing communication between ‘insiders’ and ‘outsiders’.
For many companies, the first challenge is to simply recognize and accept that they most likely have all forms of electronic communication being used by employees over the corporate network. Today, all forms of electronic communication are subject to regulatory compliance, whether or not they are officially sanctioned for use by the company. Everyone recognizes e-mail as a form of electronic communication, but for many companies that is where it stops. Electronic communications also include instant messaging, VoIP and Peer-to-Peer (P2P). Since these forms of electronic communication have the same security and compliance requirements as e-mail, companies need to understand this and implement the same kind of protection.
AK. Many organizations are telling us that their biggest challenge is figuring out where to start. They are setting out with good intent, to protect their data and to comply with government regulations. There are dozens of new regulations, and many are vaguely worded. It is challenging to stay current with the ones that are relevant to an organization. In addition, many regulations must be interpreted as to their applicability to IT.
On the flip side, companies’ data is scattered, and their communications protocols are diverse and not always well controlled. Beyond the more traditional locking down of data stores, companies must be aware of how and where their data is travelling. They must be very aware of what data they are collecting from customers and partners, and how that data is being duplicated and transported via electronic means. Just because it is safe when it is first collected, this does not ensure its safety within the corporate borders and over other electronic channels within and outside the company. Empowering employees with new communications tools also raises the risk of the tools being used in an inappropriate manner.
Added up, it can be a daunting task for a company to achieve regulatory compliance and guard their enterprise data from inappropriate outside exposure.
NL. In terms of e-mail security, viruses and spam are still the top two issues – making sure that only legitimate, safe messages reach corporate inboxes. In terms of compliance, it’s really a matter of making sure that proprietary confidential information stays within the organization, and only goes to people who are allowed to have access to that information. It’s also about ensuring that acceptable use policies are followed.
And it’s not just about e-mail – in some sectors, messaging security has a much wider scope. For instance, sending confidential information via instant messaging is becoming a real security issue that needs to be monitored, especially in industries such as financial services.
BMUS. Recent analyst reports suggest that as much as 75 percent of most companies’ intellectual property is contained in the messages and attachments they send through their systems. Why does this require a new approach to security?
AK. Users are as empowered as they have ever been. They can use standard corporate e-mail, chat/IM systems, web-mail, weblogs, P2P and many other forms of collaboration. In many cases, these tools are brought in from the outside, and only belatedly addressed by the organization. In many cases, the central control is also outside the company.
This calls for highly capable tools for guarding the points of egress. Companies do need to lock down data access internally, as much as possible. However, they can address the entire organization from central control points, with good firewall rules and gateway products that control the content flowing in and out of the organization. Most notably, they must have tools that are capable of deep inspection of the data that is flowing within each of the permitted collaborative environments, making decisions about whether that data should be allowed to continue, and protecting it appropriately if so.
NL. Traditionally, companies have just scanned for inbound viruses, worms and spam. The new approach, however, requires you to actually examine the message for either keywords or attachments. Compliance requirements have also meant the importance of scanning outbound messages has increased. More and more intellectual property is contained in electronic messages, and once these messages leave the organization you have zero control over them. As a result, encryption approaches are becoming increasingly popular as a means to secure this intellectual property.
PS. Typically, security has focused on protecting the data center. This implies a single repository of all the valuable data, when in fact, the truly valuable information is flowing through the company’s messaging system and exists in small pieces across potentially thousands of employee desktop and laptop systems. Additionally, messages and attachments are replicated, copied and archived so that the same ‘document’ exists identically in multiple places at the same time. This presents a challenge to companies’ ability to manage document retention and destruction, as it is impractical to destroy all copies of a specific electronic message, and it is nearly impossible to certify that any given message has not been modified after delivery or archival. A new approach to security must extend beyond the data center in order to protect the information where it actually resides. Message hygiene and compliance systems like ours provide a means of creating and managing an archival and retention system that will stand up to audit, protect companies’ intellectual assets and leverage the power of real-time communications.
BMUS. And what messaging solutions are emerging to ensure greater compliance, security and continuity?
NL. A lot of messaging security vendors either already have or are looking to add this functionality now. Hosted services such as Microsoft Frontbridge (now Microsoft Exchange Hosted Services) and Postini offer solutions that have anti-spam and anti-virus capabilities, as well as the ability to encrypt information and check what information is going in and out of the organization. Gateway solutions (CipherTrust, ProofPoint, IronPort, etc.) provide a similar service, sitting within the organization at the gateway and providing these same checks.
These solutions are great for monitoring what’s going in and out of the organization, but it’s also handy to have a mail store solution (from the likes of Symantec) that can monitor the messages being sent internally between co-workers. Such a solution can check for viruses that someone may have brought in, that the organization’s appropriate use policies are adhered to, and that information is going to the appropriate people within that organization.
AK. One category of solutions has evolved specifically to address compliance and prevent corporate data leakage. These have focused on detection, and the ability to examine data across the spectrum of protocols and storage. However, they have traditionally been more limited in their ability to control or prevent the incident, and modify or protect sensitive data. In order to bridge the gap, they have reached out to integrate with third-party solutions with strength in data control. Another category of solution has evolved from corporate messaging and communications security, bringing along the more robust capabilities to modify, quarantine, encrypt or otherwise affect data that is seen as non-compliant. Each type of solution has its strengths, and each continues to encroach on the others’ territory. We are moving toward a category of solutions that wraps comprehensive multi-protocol compliance and robust data control into a single package.
Where we have seen the greatest growth recently is in solutions that can leverage advanced detection techniques. Traditional compliance has been done with data ‘described’ to the system by administrators. For example, dictionaries of common words/phrases that indicate a compliance or security issue are used as detection triggers. Now solutions are moving toward more dynamic technologies that ‘learn’ a company’s data via scanning internal documents and data stores, and use the learned aspects of corporate data to scan data in motion and detect compliance or security issues.
The other critical area of advancement is in the ability for the solution to enable communication within the enterprise around compliance enforcement and remediation. Robust reporting, notification, education, and remediation are critical aspects of any compliance solution.
PS. Enterprise messaging solutions like those available from Microsoft, IBM Lotus, and others are a great first step toward greater compliance, security and continuity, but the use of public instant messaging and e-mail networks is so ingrained into employees’ daily lives now that IT departments cannot simply shut it down. For example, securities traders use Yahoo Messenger as a primary communications medium. Business process consultants use MSN Messenger as their primary client communication application. Customer support engineers use AOL Instant Messenger in their day-to-day roles. These examples of using the public IM and e-mail networks in innovative, productive ways are evidence that even the enterprise-class messaging platforms must co-exist with free, consumer-grade networks, and that IT departments must take responsibility for ensuring that the co-existence is secure, compliant and managed within the fabric of a comprehensive messaging strategy. The solution to the ‘co-existence’ challenge for electronic messaging is the deployment of best-of-breed products designed specifically to provide security and compliance for each type of messaging. An appliance for e-mail hygiene, an appliance for instant messaging and appliances for firewalls.
BMUS. What advice would you offer to companies looking to overhaul their approach?
NL. I’d advise them to look at the broader messaging space, and reiterate that we’ve now moved beyond just e-mail security and compliance; companies are now using multiple communication channels, and solutions should start to include IM, IP telephony, videoconferencing, and other channels of communication. As these technologies start to pick up in terms of adoption, companies will require a broader solution that really spans all the communications channels that an organization uses.
PS. Embrace the public networks and create co-existence of both the public networks and the enterprise messaging platforms! How often do you have the opportunity to take advantage of free applications that actually deliver value? AOL, Yahoo! and MSN provide reach to tens of millions of people, continually add value to their client software, and make enormous investment into network infrastructure. Employees are using those networks already, so the immediate task is to get that usage under control, make it safe, secure, and compliant, and enjoy the benefits offered by real-time communications.
The only practical way to do this is to look to companies that have a laser focus on messaging security and deeply understand the issues of providing security, compliance and manageability for messaging systems.
AK. Compliance is a journey, not a destination. Progress and intent do matter. Look to your areas of highest risk and greatest exposure, and look to your corporate secrets and your customers’ personal data as the crown jewels to be protected. That’s your starting point. Figure out your internal policies related to data ownership, access and transport. That’s your future goal. Don’t slow down to try to implement everything at once. Don’t be frozen by the fear of not planning for everything.
Address the high-risk areas in the near term by putting some specific tools and measures in place, to begin making incremental progress. Use tools that provide integration with your enterprise platforms, are based on standards, and that come from companies with lasting power, good technology vision, a solid customer base and a track record of innovation and progress. Set a plan for regular checkpoints wherein you will assess progress and adjust as necessary, or add more tools and measures. Consider the education and buy-in of your employees as the greatest keys to success, but don’t depend on them.
BMUS. The proliferation of instant messaging as a means of communication within the workplace also raises issues with regards to security and compliance. What impact is IM having on the enterprise, and how can its use be managed effectively?
PS. Instant messaging is proving to be a tremendous productivity tool in the enterprise. It provides more immediate response than e-mail; it’s great for working through problems and tasks; it allows employees to multi-task; and it enables presence – the ability to see whether someone is online and ready to receive your message or not. Indeed, instant messaging is the fastest growing communication tool of all time, outpacing even e-mail in its explosive growth period.
Managing IM effectively can be thought of as a hierarchy of needs – secure, comply, manage and extend. IM must first be secure, which provides the base of the pyramid. Once secured, then IM must comply with applicable law, external regulatory agencies, as well as internal corporate policies. Next, IM must be manageable. IT personnel need to be able to quickly add new users, set access and permissions and run reports to monitor usage. When you reach the top of the pyramid, you can extend. Companies that have addressed the three previous levels of the pyramid truly begin to see the possibilities of instant messaging and the value that can extend through IM into new innovations.
AK. Instant messaging is probably now second only to e-mail as a critical tool for business communication. Many companies would simply be crippled without it, because of the rate of employee adoption and the networks of business relationships reinforced with IM. Like other communication tools, in many cases companies react belatedly to the development. They may simply communicate a policy regarding IM usage without enforcement, allow internal IM only or in other cases simply shut it off at the firewall. This amounts to selling the enterprise short.
Instant messaging faces the same issues of security and compliance that other business protocols face. IM channels are threatened by viruses, worms and spam. On the outbound side, IM can be a conduit for leakage of corporate and individual private data. In order to maintain the value, and minimize the risk, it must be controlled at the network and gateway levels. IM protocols can be restricted without being shut off, and the data can be subject to the same protective scanning and enforcement technologies, without depriving employees of a valuable business tool.
NL. There are multiple options for managing IM security. There’s the option of banning it altogether, which a lot of companies are doing at the moment; alternatively there’s the option of only allowing certain IM programs to be run. There are also ways to monitor IM in terms of regulating the sending and receiving of certain keywords, attachments and links. Of these techniques, keyword monitoring is probably the most prevalent right now.
It’s definitely a corporate culture type of thing. Here at Forrester we use IM all the time, it’s an invaluable tool for us, so an outright ban doesn’t really make much sense. However, it’s easy for them to monitor which solutions we use.
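The two detection styles Aaron Kuehn contrasts earlier (a dictionary of administrator-described words and phrases versus a system that ‘learns’ internal documents and then scans data in motion against them) and the keyword monitoring of IM that Natalie Lambert describes are easy to see side by side in a small outbound screener. The code below is an added example written for this page; it is not code from Akonix, CipherTrust, Forrester or any product named in the interview. The keyword list, the personal-data patterns, the ‘pricing-model’ document and every message are constructed samples, and hashing word shingles is one common way to implement the ‘learned data’ idea, chosen here as an assumption rather than as any vendor’s method.

```python
"""Outbound message screening: dictionary/pattern pass plus document
fingerprinting. Added example; all data below is constructed."""
import hashlib
import re

# Dictionary an administrator 'describes' to the system (constructed).
KEYWORDS = {"confidential", "internal only", "do not distribute", "merger"}

# Personal-data patterns (constructed, illustrative; not production validators).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}

# A constructed 'internal document' the system learns from.
INTERNAL_DOCS = {
    "pricing-model": (
        "Project Falcon pricing model: the enterprise tier will be offered "
        "at 40 percent below list for the first twelve months, after which "
        "renewal moves to standard list pricing. Discount authority rests "
        "with regional directors only."
    ),
}


def tokenize(text):
    """Lower-case alphanumeric tokens; punctuation and case do not matter."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=5):
    """Hash every run of k consecutive tokens; a message that reuses a
    passage from a learned document shares most of these hashes with it."""
    toks = tokenize(text)
    return {
        hashlib.sha256(" ".join(toks[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(toks) - k + 1)
    }


class Fingerprints:
    """Index of shingle hash -> names of learned documents containing it."""

    def __init__(self):
        self.index = {}

    def learn(self, name, text):
        for s in shingles(text):
            self.index.setdefault(s, set()).add(name)

    def match(self, text, threshold=0.3):
        """Fraction of the message's shingles found in each learned document;
        only documents at or above the threshold are reported. A message
        shorter than one shingle cannot match anything."""
        msg = shingles(text)
        if not msg:
            return {}
        hits = {}
        for s in msg:
            for doc in self.index.get(s, ()):
                hits[doc] = hits.get(doc, 0) + 1
        return {doc: n / len(msg) for doc, n in hits.items()
                if n / len(msg) >= threshold}


def build_index():
    fp = Fingerprints()
    for name, text in INTERNAL_DOCS.items():
        fp.learn(name, text)
    return fp


def dictionary_scan(text):
    """The traditional pass: dictionary phrases, then regex patterns."""
    low = text.lower()
    found = sorted(k for k in KEYWORDS if k in low)
    found.extend(name for name, pat in PATTERNS.items() if pat.search(text))
    return found


def screen(message, fp):
    """Combine both passes; anything flagged is quarantined for review."""
    reasons = dictionary_scan(message)
    for doc, score in sorted(fp.match(message).items()):
        reasons.append(f"fingerprint:{doc}:{score:.2f}")
    return ("quarantine" if reasons else "allow"), reasons


if __name__ == "__main__":
    fp = build_index()
    for m in ("Lunch at noon tomorrow?",
              "Attached is the Confidential merger deck, please do not distribute.",
              "Hey, FYI the enterprise tier will be offered at 40 percent below "
              "list for the first twelve months, let us talk"):
        print(screen(m, fp))
```

The third sample message carries none of the dictionary phrases, so a purely described system lets it through, while the fingerprint pass catches it because roughly seventy percent of its five-word runs come from the learned pricing document. The threshold is the knob a practitioner tunes: too low and ordinary business boilerplate trips it, too high and a partially paraphrased leak slips past.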
BMUS. Finally, the increase in mobile and remote workers adds an extra level of complexity. How can companies ensure messaging security outside of the traditional four walls of the office?
AK. Fortunately, the technologies that enable regulatory compliance and protect against corporate data exposure go a long way to providing these protections in the mobile world as well. The access protocols used to provide remote information access, such as those used in corporate web-mail or e-mail delivery to a handheld device, contain built-in encryption or can be locked down with add-on encryption tools, with policy controlled by the enterprise.
Data at the end points can also be secured with any of several competitive policy and encryption tools that will lock down any part or all of a PC or laptop’s disks. As with communications security, these endpoint security and policy tools can be administered by the enterprise to mitigate the impact on end-users, and ensure that their activity adheres to the enterprise’s data protection initiatives. These tools act in concert with corporate messaging security and compliance, to protect data in flow and at the endpoints for remote users.
NL. Messaging security for mobile and remote workers has many aspects to it. When you’re sending messages from outside the office, your e-mails generally have to go through your corporate gateway solution anyway – even if you’re travelling, that e-mail won’t be sent unless you’re logged into the VPN and it goes through either your hosted solution or your gateway solution. In this respect, security is enforced regardless. Where it becomes a problem is when companies allow the use of web-mail. Traditional messaging solutions don’t monitor web-mail – they’re monitoring the gateway, the hosted solution or the mail store – and so web-mail opens up a whole new can of worms. As a result, many companies are now banning the use of web-mail, so they’re actually implementing policies that restrict access to those websites.
PS. Any attempt to secure the network against e-mail and IM borne threats and liabilities that does not take into account the off-network use of laptops and home PCs is simply leaving gaping holes open in the security and compliance strategy. Like any type of security – network, server, physical, etc. – the existence of any holes at all means that the network may be compromised, and the entire investment has been wasted. Make sure the products used for messaging security include a component to manage mobile and remote workers, even when they are not connected to the corporate network. True market-leading security products will help companies stay ahead of the curve by providing messaging security even when mobile users are on a Wi-Fi connection in the local coffee shop, a convention center, airport or any other location where an internet connection is available.