In a previous article, I discussed the general security considerations you should incorporate into Microsoft Office 365 (O365) rollout plans.
Here I would like to provide more detail regarding how you can protect your intellectual property and other sensitive data that is sent and received using O365 Exchange Online (Outlook).
As companies move more of their critical data processing to the cloud, it has become important to not only prevent malicious content from entering your network, but also have the ability to control and safeguard sensitive data while in transit.
For example, your existing email security governance model may currently focus on protecting against malicious data coming into your organization (data ingress). However, with increasing compliance requirements, such as the European Union’s General Data Protection Regulation (GDPR), organizations need to support more advanced use cases, such as protecting against regulated and sensitive data being sent to outside parties – all while continuing to meet regulatory-driven data retention requirements.
To meet these new challenges, you will need to upskill existing resources, deploy new tools, such as a secure email gateway, or optimize the policies and rules of existing ones, and update processes and procedures. Here are three recommendations to get you there.
1) Protect Your Users from Inbound Emails with Malicious Intent
According to the 2018 Trustwave Global Security Report, the percentage of inbound email spam has fallen from 85 percent to 39 percent over the past 10 years. However, the percentage of malware containing spam has risen from 1.7 percent to 25 percent over the same period.
The report identifies common threats, including business email compromise, spear phishing and ransomware. Since email is a primary vector for these threats, it is a great place for you to focus.
Malicious content can exist in multiple forms, including email attachment. According to the Global Security Report, over 90 percent of email malware is distributed in attached archive files, such as .zip. Embedded links are another way to direct a user’s browser to a malicious site.
Ducking email-based malicious content requires security solutions to interrogate all content, including attachments, and analyze it using various techniques to determine if it contains malicious content. A similar process is used for malicious link protection.
A secure email gateway (SEG) will replace the embedded link (URL) with a temporary one that directs the subsequent web traffic to an analysis engine. If the analysis classifies the link as malicious, the link will be blocked. We’ll talk more in depth about SEGs later.
2) Shield Your Sensitive Data from Being Inappropriately Sent via Email
To accomplish this, an email security solution with data loss prevention (DLP) functionality would analyze the body of a message and all attachments for the presence of sensitive data, such as personally identifiable information (PII) or credit card numbers.
Another consideration is encryption. The DLP analysis engine assumes that data is provided in cleartext. In other words, since encrypted data cannot be directly analyzed, email security and DLP solutions offer limited value if message content is not first decrypted.
Office 365 Message Encryption (OME) is Microsoft’s approach to protecting emails by combining email encryption and rights management. OME, like other email security solutions, provides your users full end-to-end confidentiality of the entire message, including attachments, using either vendor-provided or customer-supplied keys.
OME and other Microsoft data protection services, such as Azure Information Protection (AIP) and O365 Data Loss Prevention (DLP) are based on Microsoft’s Rights Management Service (RMS). RMS is a cloud-based service that utilizes encryption, identity, and authorization policies to protect email and files across multiple devices – phones, tablets and PCs.
One of the many benefits of OME and RMS is that information is protected both inside and outside your organization because the applied encryption remains with the data, even when it leaves your organization’s boundaries. Another important benefit of integrating encryption with an email security solution is the ability to classify sensitive content and apply appropriate protective policies.
Without the ability to interrogate encrypted content limits your email security policy to either deny or allow all encrypted content. Being able to classify content enables organization to deploy granular access control policies based on a least-privilege and right-to-know security principles. Otherwise, the only option is to either allow or deny all encrypted content.
Due to the likely impact to productivity associated with a deny-all policy for encrypted email content, most organizations are forced to implement an overly permissive ruleset. Although permissive rules may help productivity, they do little to prevent against data theft by trusted insiders. In fact, a malicious insider would be able to hide the unauthorized transmittal of sensitive data using the very tools that are in place to prevent this type of breach from happening in the first place. All due to lack of visibility into encrypted payloads.
In addition to Microsoft’s native email security tools, you can also turn to other third-party email encryption tools, such as Trustwave’s own Secure Email Gateway (SEG).
The Trustwave SEG helps protect Microsoft and non-Microsoft email platforms and supports both an RMS-based and a proprietary-based encryption method to transparently protect email content. The RMS integration allows SEG to identify and protect sensitive data that was not properly encrypted before sending via email. This is accomplished by integrating with the RMS protection process that authorizes SEG to obtain the appropriate RMS encryption keys and, depending on policy, ensure that sensitive data is transparently ciphered before it is sent via email.
3) Archive and Retain Email to Meet Regulatory Requirements
Although this article has focused on more advanced threat prevention and data leakage use cases, organizations must also ensure they continue to meet regulatory requirements, such as data residency, data retention, e-discovery and breach notifications. Understanding which data is important to you and how it flows throughout the create, read, update, delete (CRUD) data lifecycle enables you to design appropriate data controls to security and compliance requirements.
A simple approach is to first map your organization’s data flows and document how they support operational processes. Combined with a corporate data catalog and data classification/taxonomy, you can implement the right controls to meet data residency and e-discovery requirements.
This approach also improves your ability to notify the appropriate authorities in case of a data breach, detailing both cost and impact. And, finally, it optimizes (aka reduces) data retention costs since you’ll obtain a good understanding of what data exists, where it is stored and how it is transmitted and processed.
This information can be used to design an approach to data resiliency that mitigates risks associated with ransomware and regulatory fines associated for not adequately protecting PII or other regulated data. It is also possible to reduce data retention (backup) costs by deciding if content is to be kept, deleted or offloaded to lower-cost storage. This type of granular control, without negatively impacting productivity, is only feasible if a complete data flow map is available and a properly tuned email security gateway is deployed.
So, there you have it. Migrating to O365 – or any cloud-based email solution for that matter – is an ideal opportunity for you to consider additional investments to your organization’s email security program.
If you are considering Microsoft solutions to close these gaps, a good place to start is the O365 Service Description for Exchange Online, which provides a detailed matrix comparing feature availability across the various Office 365 licensing options.
Thad Mann is global practice manager for data protection at Trustwave.