SecaaS Implementation Guidance Category 4 // Email Security

September 2012

CLOUD SECURITY ALLIANCE SecaaS Implementation Guidance, Category 4: Email Security

© 2012 Cloud Security Alliance

All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance Security as a Service Implementation Guidance at , subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Security as a Service Implementation Guidance Version 1.0 (2012).

© Copyright 2012, Cloud Security Alliance. All rights reserved.

Contents

Foreword
Letter from the Co-Chairs
Acknowledgments
1.0 Introduction
    1.1 Intended Audience
    1.2 Scope
2.0 Requirements Addressed
    2.1 Business Value
        2.1.1 Leveraging Message Aggregation
        2.1.2 Rapid Response
        2.1.3 On Demand Provisioning
        2.1.4 Advanced Skillset
    2.2 Key Challenges in Migration of E-Mail to the Cloud
        2.2.1 Data Security and Protection
        2.2.2 Regulatory Compliance
        2.2.3 Data Residency
        2.2.4 Unauthorized Disclosure
    2.3 Solutions Roadmap
        2.3.1 Standards-Based
        2.3.2 Malware and Spam Protection
        2.3.3 Identity and Encryption
        2.3.4 Secure Access
        2.3.5 Integration with Data Asset Protection Systems
        2.3.6 Records Retention/Data Destruction
        2.3.7 System Management and Logging
3.0 Implementation Considerations and Concerns
    3.1 Considerations
        3.1.1 Multi-Tenancy
        3.1.2 Portability
        3.1.3 Programmatic Access
        3.1.4 Self-Service
        3.1.5 Client Controls
        3.1.6 Management and Monitoring
        3.1.7 Integration
    3.2 Concerns
        3.2.1 Data Security
        3.2.2 Regulatory Compliance
        3.2.3 Data Disclosure
        3.2.4 Data Residency
        3.2.5 Identity
        3.2.6 Logging
        3.2.7 Communications
4.0 Architecture and Implementation Steps
    4.1 Architecture Overview
        4.1.1 Fully Outsourced Email Implementation
        4.1.2 Email Security Cloud Augmentation to Premise Enterprise Implementations
    4.2 Guidance and Implementation Steps
        4.2.1 Client Security
        4.2.2 Administration
        4.2.3 Submission End-Point, the Mail Submission Agent
        4.2.4 Mail Delivery Agent
        4.2.5 Mail Transfer Agent
        4.2.6 Mail Storage

Foreword

Cloud Computing represents one of the most significant shifts in information technology many of us are likely to see in our lifetimes. We are reaching the point where computing functions as a utility, promising innovations yet unimagined. The major roadblock to full adoption of Cloud Computing has been concern regarding the security and privacy of information.

Much work has been done regarding the security of the cloud and data within it, but until now, there have been no best practices to follow when developing or assessing security services in an elastic cloud model--a model that scales as client requirements change.

One mission of the Cloud Security Alliance is to provide education on the uses of Cloud Computing to help secure all other forms of computing. To aid both cloud customers and cloud providers, the CSA SecaaS Working Group is providing Implementation Guidance for each category of Security as a Service, as delineated in the CSA's SecaaS Defined Categories of Service. Security as a Service was added, as Domain 14, to version 3 of the CSA Guidance.

Cloud Security Alliance SecaaS Implementation Guidance documents are available at .

We encourage you to download and review all of our flagship research at .

Best regards,

Jerry Archer, Nils Puhlmann, Alan Boehme, Paul Kurtz, Dave Cullinane, Jim Reavis

The Cloud Security Alliance Board of Directors

Letter from the Co-Chairs

Security as a Service is a specialized area categorized two years ago as growing rapidly and in unbound patterns. Vendors were struggling. Consumers were struggling. Each offering had its own path. We felt it was urgent to address the needs and concerns common to the implementation of Security as a Service in its many forms.

The Defined Categories of Service helped clarify the functionalities expected from each Category. In this series, we hope to better define best practices in the design, development, assessment and implementation of today's offerings.

We want to thank all of the many contributors worldwide who have worked so hard to produce these papers providing guidance for best practices in Cloud Computing Security. Many have been with the Security as a Service Working Group since the beginning; many others joined in this effort. Each has spent countless hours considering, clarifying, writing and/or editing these papers. We hope they help move forward toward those unimagined innovations.

Sincerely,

Kevin Fielder and Cameron Smith
SecaaS Working Group Co-Chairs

Acknowledgments

Chair
    Mark Hahn, TCB Technologies, Inc.

Contributors
    Marcelo Carvalho, FATEC-SP
    Yael Nishry, Vaultive
    Yogesh Paliwal, Cisco
    Paul Pottorff, Faster Motion
    Adam Swidler, Google

Peer Reviewers
    Varun Badhwar, CipherCloud
    Dennis Dayman, Eloqua
    Tim O'Brien, Tata Steel Group
    Ron Poserina, Symantec

CSA Global Staff
    Luciano JR Santos, Research Director
    John Yeoh, Research Analyst
    Aaron Alva, Research Intern
    Vicki Hahn, Technical Writer/Editor
    Kendall Scoboria, Graphic Designer
    Evan Scoboria, Webmaster

1.0 Introduction

Electronic mail now plays a vital role in business interactions among customers, partners and internal staff. It allows data and messages to be transferred easily between senders and receivers over the Internet or internal networks, allowing messages to be received, responded to, stored, forwarded and broadcast among recipients. These extensive capabilities have caused email to be widely adopted as the official communications method for many organizations. Also common for personal use, electronic mail is available through a diverse range of compatible software clients, and also via web browser.

Due to its ubiquitous use, electronic mail is both the prime target of, and primary vehicle for, attacks, and must be protected on both ends: sending and receiving. Email service is a well-defined utility in the enterprise, and securing email in the cloud is similar to securing email in the enterprise. Email Security as a Service (SecaaS) has a few unique aspects, but most responses entail differences of degree, rather than instituting new methods of security.

Email security services conform to one of two service models: fully outsourced and enterprise augmentation. The first service model outsources the entire mailbox and user interface to a cloud provider (either in a single-tenant or multi-tenant model). The second service model adds security processing to an existing enterprise email implementation. In a fully outsourced model, the service provider is responsible for monitoring all threats using email as a channel (spam, phishing, malware propagation, etc.), and for providing an email user interface (UI) and possibly assistance to an organization's end users. In the enterprise augmentation model, an existing on-premise email deployment is augmented by additional cloud-based services and functionalities.

This paper explores both common forms of usage and additional extended services (such as identity federation and data loss prevention), and describes best practices for evaluating, developing, installing and using cloud-based email security services.

1.1 Intended Audience

Email security services are viewed from two perspectives: the providers of these services and the consumers or purchasers of email security services. Both sides need to be aware of and plan for key service features and how these features are used to mitigate threats to email security.

Section 2 provides an executive-level overview of email security services and delivery methodologies, and shows how security threats are mitigated in a cloud-based service versus a traditional self-hosted solution. Section 3 presents considerations and concerns that should be part of any conversation regarding the use of Email Security as a Service. Section 4 is a technical discussion of typical architectures and the implementation of Email SecaaS using current best practices as defined by the industry. Section 5 provides lists of both references and useful links to supplement this information.
