Secure E-Mail Access

Published: 2012-02-07
Last Updated: 2012-02-07 02:18:33 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

Recently, attacks by the "not so sophisticated persistent threat" have focused on e-mail security. In many cases, e-mail credentials were either brute forced or retrieved from compromised databases (in some of these cases, password re-use was a contributing factor).

During Wednesday's threat update webcast, I would like to do a segment focusing on e-mail security, and was wondering what our readers do to secure e-mail. Some of the challenges I see:

- the use of "cloud based" e-mail services like Gmail
- mobile access to e-mail
- access to e-mail from multiple devices
- e-mail encryption and authentication (PGP/S-MIME)
- e-mail forwarding security (if someone has e-mail forwarded to a personal e-mail address)

Please let me know if you have any novel ideas to address these problems that I should cover, or if you would like me to cover any additional questions.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: email php smime


Hi Johannes,

There are several providers of business-class secure email.
Voltage, PGP/Symantec and Cisco are the most popular in the US. But these solutions are normally based on some proprietary technology like IBE or the envelopes from Cisco. PGP does not really manage to solve the most important challenge: simplicity for the users.

In Europe the requirements are a little bit more complex, so the market is completely different. There are some German products like Zertificon which are very strong with their appliances. But the leader seems to be Totemo from Switzerland. They have a so-called internal encryption which works really nicely with cloud-based services like Office 365 and offers the most simplicity and security, with the possibility of central dataflow control.

best regards

First off, as I see it, the very nature of email is insecure and should always be handled as such. Email security in itself is an oxymoron.

If you are concerned about documents being leaked, there should be a policy in place that they never be transmitted via email. Of course, if certain documents absolutely need to be transmitted, there are always things you can do like password-protected and encrypted archives, but that's more on a file level than an email level.

In short, have a policy users will be able to abide by, and enforce it.

Zix is very good and provides simplicity for the users.

I do not have any experience with Zix. Are they better than PGP or the Europeans?

I cannot speak to the European solutions. I can say that after an in-depth comparison of Voltage, PGP/Symantec, Cisco, McAfee, Proofpoint and Zix, Zix came out on top as the best fit.

A secondary issue to cloud email, but a significant one for government organizations in particular, is historical accessibility to meet legal requirements, for public disclosure and other purposes.

Although I'm guessing that you would like to focus on the technology side of e-mail security, my organization's biggest challenges are political. As such, we are largely relegated to dealing with e-mail security issues reactively.

IDP/IDS (Juniper) and spam filtering (Proofpoint) of OUTBOUND traffic, as well as monitoring e-mail web interface logs (IIS), have been critical for my organization in detecting compromises, and we have also used our web proxy to help mitigate those compromises.

On the [slightly] proactive side, we have a reasonable password change/complexity policy in effect, and audit our system directory monthly for inactive user accounts.
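As an added illustration of the log review this comment mentions (example code, not the commenter's or SANS's own tooling): a Python script that parses constructed IIS W3C log lines for an ActiveSync endpoint and flags an account whose run of 401 failures is followed by a 200 (the brute-force pattern from the diary), or one that authenticates from an unusual number of source addresses. The field layout, the sample lines and the 401-failure/200-success convention are assumptions for the sample, not a specific mail server's documented behaviour.

```python
"""Flag e-mail accounts under credential brute force or likely compromise from IIS W3C logs."""
from collections import defaultdict

# Constructed sample of IIS W3C log lines for an ActiveSync endpoint (not real logs).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2012-02-06 08:00:01 POST /Microsoft-Server-ActiveSync alice 203.0.113.10 401
2012-02-06 08:00:02 POST /Microsoft-Server-ActiveSync alice 203.0.113.10 401
2012-02-06 08:00:03 POST /Microsoft-Server-ActiveSync alice 203.0.113.10 401
2012-02-06 08:00:04 POST /Microsoft-Server-ActiveSync alice 203.0.113.10 401
2012-02-06 08:00:05 POST /Microsoft-Server-ActiveSync alice 203.0.113.10 401
2012-02-06 08:00:09 POST /Microsoft-Server-ActiveSync alice 203.0.113.10 200
2012-02-06 08:01:00 POST /Microsoft-Server-ActiveSync bob 198.51.100.7 200
2012-02-06 08:02:00 POST /Microsoft-Server-ActiveSync bob 198.51.100.8 200
2012-02-06 08:03:00 POST /Microsoft-Server-ActiveSync bob 198.51.100.9 200
2012-02-06 08:04:00 POST /Microsoft-Server-ActiveSync bob 198.51.100.10 200
2012-02-06 08:05:00 POST /Microsoft-Server-ActiveSync carol 192.0.2.5 200
"""

def parse_iis(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names follow "#Fields:"
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def find_suspicious(text, max_failures=5, max_sources=3):
    """Return {user: reason}. Assumes 401 = failed auth and 200 = success."""
    failures = defaultdict(int)         # failed attempts per account since its last success
    success_sources = defaultdict(set)  # distinct client IPs with a 200 per account
    reasons = {}
    for rec in parse_iis(text):
        user, status = rec["cs-username"], rec["sc-status"]
        if user == "-":
            continue                   # unauthenticated request, no account to attribute
        if status == "401":
            failures[user] += 1
        elif status == "200":
            success_sources[user].add(rec["c-ip"])
            if failures[user] >= max_failures:
                reasons[user] = "success after %d failures (possible brute force)" % failures[user]
            failures[user] = 0         # a success ends the failure run
    for user, ips in success_sources.items():
        if len(ips) > max_sources and user not in reasons:
            reasons[user] = "logins from %d source addresses (check for shared or stolen credentials)" % len(ips)
    return reasons
```

Thresholds are deliberately parameters: a mobile user legitimately roams across addresses, so the source-count rule is a review queue, not a verdict.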

Please comment on the novel encrypted email solution from CryptoHeaven.

I'm using LastPass and YubiKey to get new passwords generated and to save them securely on the hashed server at LastPass.
YubiKey is my last step in authentication for all accounts online or to log on to a machine.
Some of my machines have both a hardware password and a software password.
The hardware password is on the motherboards of the laptops and cannot be deleted by any means you may think of.
Lose it and you're in deep doo-doo;
you will have to contact the manufacturer for a master password for the hardware, and you have to convince them that you really own the machine.

Keep your passwords from others.
They are like the combination to your bank's vault.

What about Totemo? An EU solution which addresses all end-to-end encryption issues.
