We can now, after this long intro, try a little test to see whether we can really define a good method for deciding how much to spend on security needs.
First of all, we should define which process we want to consider. I opted for the email system because this is, generally speaking, a strongly neglected and misunderstood area of IT.
While mail is widely used and accepted as a communication medium worldwide, few implementations consider email security as a whole process involving users, data, and business value. The usual considerations we hear around email are:
- why is our mailbox so small?
- spam is annoying
- it is not a big issue if we are without email for a while
- …
Well, we should try to understand what an email system really is.
I will use a top-down approach, trying to highlight all the issues and references that could have an impact on the business and on security.
Then we will try to understand which security approaches and technologies would be most useful, and we may discover some unexpected relationships.
Sending an E-mail
What does allowing someone to use email mean?
What is the impact of email on our business?
What is the value of this service?
And the value of the data processed?
These are questions that we all should be able to answer when dealing with a mail system. The choices we make will impact our business widely in terms of productivity and customer satisfaction, so we should not underestimate this.
So first of all, let’s try to define what we’re talking about.
Basically, sending an e-mail is a process that allows a User A to send information to a User B.
From a user perspective this requires giving some information to the email client so that the message can be correctly delivered.
The User A experience is based on 4 basic steps:
- access the email client
- be able to enter the destination (recipient) address
- add the information to the email
- send the message
Accordingly, User B should be able to receive the message, open it and read it. At the end, B should also be able to answer the message.
Right at this level we can start making some considerations about the email system:
- Who can access this service?
- Who should provide this service?
- Could we allow multiple services?
- Do we need to control the information sent/received?
- Do we need to control sender and recipients?
- Do we need to define the devices allowed to send messages?
- Do we need to define a perimeter to send/receive messages?
- Do we need to define SLAs related to this service?
- …
Of course, answering those questions could open new sub-questions, for example:
“Who can access this service?” should imply at least:
- can we recognize the users?
- what is the general knowledge of those users? Do they need training?
- can we force an identification?
- can we log them?
- do we have to store the data sent?
- are there any legal implications?
- how do we control unwanted access? Is this a problem?
- …
And for the other questions:
“Who should provide this service?”
- can we provide it internally?
- could we externalize the service?
- do we need to hold some data locally?
- are there any legal implications?
- …
“Could we allow multiple services?”
- do we offer just one service (internal mail)?
- do we also allow the use of personal email systems (like Google, Yahoo, Live…)?
- can we implement control policies on any system?
- …
“Do we need to control the information sent/received?”
- do we manage sensitive information?
- is there any kind of communication that would be dangerous if sent out by an employee?
- do we receive sensitive information through this medium?
- how do we control the trustworthiness of information received?
- are there any legal implications?
- …
“Do we need to control sender and recipients?”
- do we need to impose limits on access to the mail systems?
- do we need to prove our sender identity to the recipient?
- do we need to check whether someone is sending messages on behalf of someone else?
- …
“Do we need to define the devices allowed to send messages?”
- can we expose mail through a web-mail interface?
- can we allow mail to be read on mobile devices?
- do those devices have to be company owned, or could they be of any kind?
- do we force a VPN connection to access email?
- …
“Do we need to define a perimeter to send/receive messages?”
- can anyone send/receive email?
- are there any limitations by role or location?
- can we define subsets of needs that require special care (i.e. legal dept, HR, contracts…)?
- …
“Do we need to define SLAs related to this service?”
- what are the SLA expectations?
- can we define SLAs for the several aspects of the service, such as delivery time, storage, access, uptime…?
- …