Messaging and Collaboration: Security Challenges and Solutions
By Ryan McGee
Senior Product Manager - Security, Microsoft Corporation
The typical business work force today is both mobile and collaborative. Workers have complex access requirements to individual, team, corporate, and partner data. They need to access and share this data both locally and remotely, sometimes from unsecured locations and devices such as an airport Internet kiosk. Instant messaging, e-mail, remote access, and Internet access are business-critical tools, so any service interruptions are detrimental to productivity. However, implementing a messaging and collaboration infrastructure increases security needs.
The four major threats to a secure messaging and collaboration infrastructure include:
Malware. Today, many viruses and worms are designed to rapidly infect millions of computer systems across the world using the Internet, e-mail, and instant messaging.
Spam. Businesses are being overwhelmed with unsolicited e-mail that is sapping network resources and flooding e-mail inboxes. Spam is not only a threat to corporate productivity, but it has become a common carrier for malicious code. As a result, the messaging infrastructure is a critical focal point for businesses in the fight against malicious software.
Unauthorized Network Access. Security procedures and policies that are adequate to protect LAN data can be ineffective when the network is opened to outsiders for messaging and collaboration. In addition, hackers are now using more sophisticated application-layer attacks.
Unauthorized Data Access. Businesses are increasingly concerned with sensitive information leaking outside of the business through the messaging and collaboration infrastructure.
Messaging and Collaboration Infrastructure Protection
These threats use an array of attack vectors that require the establishment of multiple layers of protection. Together, multiple layers of protection and multiple technologies form Microsoft’s defense-in-depth strategy. To help simplify security management and to enhance performance, Microsoft also recommends that the solution be integrated into the business infrastructure.
Defense-in-depth is considered a security best practice. This is the use of multiple security technologies at multiple points in the network to help reduce the overall probability that attacks can exploit business-critical resources or that information can be leaked outside the business. In messaging and collaboration environments, defense-in-depth helps administrators ensure that malicious code or activities can be stopped at multiple checkpoints within the infrastructure. This decreases the likelihood that a single threat can slip through.
Multiple Layers of Protection
To create in-depth messaging and collaboration defenses, businesses can protect themselves at three points in the infrastructure: the network edge, on servers, and with the information itself. The network edge plays two roles: securing access, and protecting the network from internal and external threats.
Secure Access. Messaging and collaboration defenses must stop unauthorized access to the network, applications, and corporate data. This layer of protection must secure access to internal servers against all kinds of malicious access, including application and network-based attacks that seek to uncover and exploit messaging and collaboration systems and services.
In order to exploit messaging and collaboration servers, hackers first have to find them. Therefore, businesses need to implement technologies that prevent hackers from discovering infrastructure servers. For example, with Microsoft Exchange Server, many businesses provide remote access through Microsoft Office Outlook Web Access (OWA). Businesses can incorporate a security layer like Microsoft Internet Security and Acceleration (ISA) Server 2006 between the OWA server and the network edge, eliminating direct OWA access to the Internet and potential threats. This additional layer helps limit a hacker’s ability to locate machines and probe them for vulnerabilities, and provides another point at which users can be authenticated and traffic can be scanned.
Edge Protection. Antivirus and anti-spam protections should both be applied either off-network via hosted services or at the network edge. This layer of prevention not only helps keep viruses and spam from reaching end users, it also significantly reduces the overall traffic flowing to e-mail servers. This helps ensure that bandwidth and server resources are used only for business-critical communications. Understanding that each business has unique needs, Microsoft offers both a hosted service solution -- Microsoft Exchange Hosted Services -- and software solutions -- Exchange Intelligent Message Filter and Microsoft Antigen for SMTP Gateways.
Server Protection. Security threats can attack from both inside and outside the network as well as through authorized computers. For example, an employee can unintentionally copy a virus-infected file to a secure machine from a USB key. Antivirus protection is essential for front-end and back-end e-mail servers. Although gateway protection helps eliminate a majority of threats, placing antivirus software such as Microsoft Antigen for Exchange on messaging and collaboration servers themselves provides an additional line of defense, and it helps contain internal incidents that never reach the gateway.
Information Protection. Protecting digital information is a difficult and ongoing task. Typically, businesses secure digital information by using perimeter-based security methods. Firewalls can limit access to the network, and Access Control Lists (ACLs) can restrict access to specific data. In addition, businesses can use encryption and authentication technologies and products to help secure messaging while in transit and to help ensure that the intended recipients are the first to open the messages.
These methods help businesses to control access to sensitive data. However, recipients are still free to do whatever they want with the information they receive. After access is granted, no restrictions control what can be done with the data or where it can be sent. Perimeter-based security methods simply cannot enforce business rules that control how people use and distribute the data outside the perimeter or after the perimeter is penetrated.
As an essential part of an overall business security strategy, a solution for better information protection should provide the means to control how data is used and distributed beyond simple access control. It should offer protection for sensitive business information beyond the firewall and help ensure that data is protected and tamper-resistant. Windows Rights Management Services help provide this type of protection.
In addition to providing defensive layers throughout the network, a defense-in-depth strategy uses multiple technologies to uncover and prevent security threats. By not relying on a single technology to defend against an attack, businesses eliminate single points of failure in their overall security architecture.
In the case of antivirus protection, using scan engines from several vendors is useful, since each engine includes its own set of detection methods. Virus signatures are the most common detection method, and each engine vendor has a specific set of priorities and skills for creating new signatures. Each vendor also follows its own timetable for releasing updates. Using more than one engine effectively shortens the update interval, which lowers the overall window of exposure for emerging threats. In addition to signature files, antivirus engines also rely to a varying degree on vendor-proprietary heuristics or behavior-blocking technologies. A business using multiple engines can better protect itself against new threats. For example, if the threat is not detected by a signature file in one engine, it can be quickly detected by a signature or heuristics built into another engine. Exchange Hosted Services, Antigen for SMTP Gateways, and Antigen for Exchange all use multiple engines to help provide enhanced protection.
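The window-of-exposure argument above can be made concrete by modelling it. The following Python is an added illustration, not code from the article or from any Microsoft product; the engine names, threat names, signature delays and heuristic hits are constructed sample values. Time-to-detection for a set of engines is the earliest detection by any one of them, so the ensemble's exposure window is never worse than the best single engine's, and its coverage is the union of theirs.

```python
from typing import Dict, List, Optional

# Constructed sample data (hypothetical, not measured): hours after a threat
# first appears until each engine's vendor ships a signature for it.
# None means that engine never shipped a signature for this threat.
SIGNATURE_DELAY_HOURS: Dict[str, Dict[str, Optional[float]]] = {
    "engine_a": {"worm-1": 6.0, "worm-2": 30.0, "trojan-3": None, "trojan-4": 12.0},
    "engine_b": {"worm-1": 18.0, "worm-2": 8.0, "trojan-3": 20.0, "trojan-4": None},
    "engine_c": {"worm-1": 10.0, "worm-2": 12.0, "trojan-3": None, "trojan-4": 40.0},
}

# Constructed: threats an engine's heuristics catch immediately (delay 0),
# before any signature exists for them.
HEURISTIC_HITS: Dict[str, set] = {"engine_a": set(), "engine_b": {"trojan-4"}, "engine_c": set()}

THREATS: List[str] = ["worm-1", "worm-2", "trojan-3", "trojan-4"]


def detection_delay(engine: str, threat: str) -> Optional[float]:
    """Hours until this engine detects the threat, or None if it never does."""
    if threat in HEURISTIC_HITS.get(engine, set()):
        return 0.0
    return SIGNATURE_DELAY_HOURS[engine].get(threat)


def ensemble_delay(engines: List[str], threat: str) -> Optional[float]:
    """Earliest detection across several engines: the first engine to catch it wins."""
    delays = [d for d in (detection_delay(e, threat) for e in engines) if d is not None]
    return min(delays) if delays else None


def exposure_summary(engines: List[str], threats: List[str]) -> dict:
    """Coverage (fraction of threats ever detected), mean exposure window in
    hours over the detected threats, and the threats nobody detects."""
    delays = [ensemble_delay(engines, t) for t in threats]
    detected = [d for d in delays if d is not None]
    return {
        "coverage": len(detected) / len(threats),
        "mean_exposure_hours": sum(detected) / len(detected) if detected else None,
        "missed": [t for t, d in zip(threats, delays) if d is None],
    }


if __name__ == "__main__":
    for engine in SIGNATURE_DELAY_HOURS:
        print(engine, exposure_summary([engine], THREATS))
    print("all three", exposure_summary(list(SIGNATURE_DELAY_HOURS), THREATS))
```

With these sample values, the best single engine averages 11.5 hours of exposure while the three-engine ensemble averages 8.5 hours, and the ensemble is the only configuration that leaves no threat undetected apart from engine_b alone.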
Other security solutions, like firewalls, also benefit from combining multiple security techniques. In the case of firewalls, setting different security configurations at various points in the network infrastructure can provide higher levels of protection. For example, at the network edge, configurations are set to determine yes/no access through protocol-level inspection, and in the perimeter network (the DMZ) or on the internal network, firewalls protecting specific applications use smart filtering configurations to further control and help eliminate malicious access. ISA Server inspects traffic at both the protocol and application layers.
Integration with Infrastructure
Security solutions need to be reliable and manageable to provide any level of protection. If IT administrators are consistently rebooting crashed servers, resetting configurations, or manually distributing updates, it severely undermines the protection businesses are looking for from security solutions.
One of the most important ways to ensure that security solutions perform optimally is to make certain that they are tightly integrated into the messaging and collaboration infrastructure. This integration allows security applications to focus on protection without doing redundant work for the messaging application. For example, if an antivirus solution integrates with the native Microsoft Windows SMTP stack, like Antigen for SMTP Gateways does, it does not need to employ a port 25 redirector and can simply do virus scanning rather than perform routing functions.
Tight integration also adds performance, availability, and manageability benefits to security solutions. Tightly integrated security solutions generally perform better, meaning that more traffic can be managed without affecting server performance.
Perhaps most critical to IT staff, integration enables easier management of security systems. With integrated systems, IT administrators can configure, deploy, update, report and monitor from fewer consoles. Integration with Active Directory removes a requirement to manage one or more separate directories. In the case of Microsoft Exchange Server, Microsoft Operations Manager is a key integration point that IT and mail administrators can use to provide centralized control.
The Microsoft messaging and collaboration security strategy focuses on defense-in-depth protection and infrastructure integration. However, Microsoft also takes into account that customers have varied security requirements and technology expertise. Therefore, Microsoft provides customers with flexible options for helping to secure their particular environments. The messaging and collaboration security products include Exchange Server 2003, Microsoft Office Live Communications Server 2005, SharePoint Products and Technologies, Antigen, Exchange Hosted Services, Internet Security and Acceleration Server 2006, and Windows Rights Management Services. To learn more about Microsoft security solutions for messaging and collaboration infrastructure, visit the Web site.
See the following resources for further information:
Exchange Security Guidance at http://www.microsoft.com/technet/prodtechnol/exchange/2003/security.mspx
Exchange Server 2007 beta at http://technet.microsoft.com/en-us/exchange/bb330843.aspx
SharePoint Portal Server 2003 evaluation at http://www.microsoft.com/technet/traincert/virtuallab/sharepoint.mspx
LCS 2005 evaluation at http://www.microsoft.com/office/livecomm/prodinfo/trial.mspx
Exchange Hosted Services, ISA Server, Antigen and Rights Management Services evaluations at http://www.microsoft.com/securemessaging