Secure Web Based Mail Services
by Keith Pasley - CISSP - Tuesday, 27 January 2004.
What do field sales people, home teleworkers, medical personnel, and any one working remotely from a central site have in common? A need for up to the minute information. One of the most successful models for using the Internet for business is the information dissemination model. One of the most common method for business communication today is email. Email can be sent/received in many ways; pagers, cell phones, and the like. However, one email communication option that holds promise for increased and more timely information flow is web based email systems.

However, many businesses choose to not deploy web mail due to perceived security risk of web based applications in general. More specifically, not wanting to increase the risk of exposing corporate mail systems to external threats. Viruses, spam, worms, and other malicious attacks and non-malicious events can bring email infrastructures to their knees. With recent government legislation in countries such as the U.S., email confidentiality has become a growing concern. So, what approaches are there for deploying web mail systems in a secure manner? What are the options for web mail deployment? Understanding how web mail system work can help in deciding if web mail systems can be securely deployed.

Web Mail Security Goals

Most web mail systems are designed using a multi-tiered architecture. Usually, a web server serves as a reverse proxy to a backend email server that actually services the users mail requests. Most web mail systems use a separate database to store the mail versus the user authentication information. The main security issues for web mail are: Identity management, privacy, data integrity and availability.

Part of identity management is user authentication. User identity verification is important because without verifying the identity of sender or receiver identity theft can occur. Fortunately, many web mail systems support a wide range of authentication schemes. For example, web mail user authentication can be done using authentication protocols native to the mail server O/S or 3rd party authentication methods such RADIUS, LDAP or SecureID.

Privacy has to do with keeping information from unauthorized exposure. The primary method for ensuring privacy is the use of cryptography. Various cryptographic schemes are in use today. PGP and S/MIME, both widely implemented in the form of browser plug-ins and/or integration API, are widely used and well understood. Both PGP and S/MIME encrypt the message itself. SSL and IPSec encrypt at lower levels of session and network layers. SSL is the more widely used security protocol for basic web mail.

Data integrity has to do with protection from unauthorized modification of email. Data integrity can be preserved by cryptographic techniques such as hashing and signing of messages. PGP and S/MIME provide the facility of digitally signing messages in such a way that tampering with the data will result in missed matched message hash results.

Availability involves ensuring that the web mail system is as accessible as possible. The use of redundant servers, load balancing and fail over, and server clustering are all common ways to increase the probability that the web mail system will be available at the right time. An added plus to redundancy is continuous availability even during maintenance windows.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th