However, many businesses choose to not deploy web mail due to perceived security risk of web based applications in general. More specifically, not wanting to increase the risk of exposing corporate mail systems to external threats. Viruses, spam, worms, and other malicious attacks and non-malicious events can bring email infrastructures to their knees. With recent government legislation in countries such as the U.S., email confidentiality has become a growing concern. So, what approaches are there for deploying web mail systems in a secure manner? What are the options for web mail deployment? Understanding how web mail system work can help in deciding if web mail systems can be securely deployed.
Web Mail Security Goals
Most web mail systems are designed using a multi-tiered architecture. Usually, a web server serves as a reverse proxy to a backend email server that actually services the users mail requests. Most web mail systems use a separate database to store the mail versus the user authentication information. The main security issues for web mail are: Identity management, privacy, data integrity and availability.
Part of identity management is user authentication. User identity verification is important because without verifying the identity of sender or receiver identity theft can occur. Fortunately, many web mail systems support a wide range of authentication schemes. For example, web mail user authentication can be done using authentication protocols native to the mail server O/S or 3rd party authentication methods such RADIUS, LDAP or SecureID.
Privacy has to do with keeping information from unauthorized exposure. The primary method for ensuring privacy is the use of cryptography. Various cryptographic schemes are in use today. PGP and S/MIME, both widely implemented in the form of browser plug-ins and/or integration API, are widely used and well understood. Both PGP and S/MIME encrypt the message itself. SSL and IPSec encrypt at lower levels of session and network layers. SSL is the more widely used security protocol for basic web mail.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.