Thursday, 21 July 2011

Risk and Security: how much to spend? First step: define the process - 005

After this long intro, we can now try a little test to see whether we can really define a good method to determine how much to spend on security needs.

First of all, we should define which process we want to consider. I opted for email systems because this is, generally speaking, a strongly neglected and misunderstood area of IT processes.

While mail is widely used and accepted as a communication medium worldwide, there are few implementations that consider email security as a whole process involving users, data, and business value. The usual considerations we find around email are:

  • why is our mailbox so small?
  • spam is annoying
  • it is not a big issue if we stay without email for a while
  • ….

Well, we should try to understand what an email system really is.

I will use a top-down approach, trying to highlight all the issues and references that could have an impact on the business and in the security space.

Then we will try to understand which security approaches and technologies would be most useful, and we could discover some unexpected relationships.

Sending an E-mail

What does it mean to allow someone to use email?
What is the impact of email on our business?
What is the value of this service?
And the value of the data processed?

Those are questions that we should all be able to answer when dealing with a mail system. The choices we make will widely impact our business in terms of productivity and customer satisfaction, so we should not underestimate this.

So first of all let’s try to define what we’re talking about.

Basically, sending an e-mail is a process that allows a User A to send information to a User B.

From a user perspective, this requires giving some information to the email client so that the message can be correctly delivered.

The User A experience is based on 4 basic steps:

  • access the email client
  • be able to enter the destination address and the recipient address
  • add the information to the email
  • send the message

Accordingly, User B should be able to receive the message, open it and read it. At the end, B should also be able, if needed, to answer the message.

Right at this level we can start making some considerations about the email system:

  • Who can access this service?
  • Who should provide this service?
  • Could we allow multiple services?
  • Do we need to control the information sent/received?
  • Do we need to control sender and recipients?
  • Do we need to define devices allowed to send messages?
  • Do we need to define a perimeter to send/receive messages?
  • Do we need to define SLA related to this service?

Of course, answering those questions could open new sub-questions, for example:

“Who can access this service?” should imply at least:

  • can we recognize the users?
  • what is the general knowledge of those users? do they need training?
  • can we force an identification?
  • can we log them?
  • do we have to store the data sent?
  • is there any legal implication?
  • how do we control unwanted access? is this a problem?
  • ….

and for the other questions:

Who should provide this service?
  • can we provide it internally?
  • Could we externalize the service?
  • do we need to hold some data locally?
  • are there any legal implications?
  • ….

Could we allow multiple services?
  • Do we offer just one service (internal mail)?
  • Do we also allow the use of personal email systems (like Google, Yahoo, Live…)?
  • Can we implement a control policy on any system?

Do we need to control the information sent/received?
  • Do we manage sensitive information?
  • Is there any kind of communication that would be dangerous if sent out by an employee?
  • Do we receive sensitive information through this medium?
  • how do we control the trustworthiness of information received?
  • is there any legal implication?

Do we need to control sender and recipients?
  • do we need to impose limits on access to the mail systems?
  • do we need to prove our sender identity to the recipient?
  • do we need to check if someone is sending messages on behalf of someone else?

Do we need to define devices allowed to send messages?
  • can we expose mail through a web-mail interface?
  • can we allow mail being read on mobile devices?
  • do those devices have to be company owned, or could they be of any kind?
  • do we force a VPN connection to access email?

Do we need to define a perimeter to send/receive messages?
  • can anyone send/receive email?
  • are there any limitations by role or location?
  • can we define subsets of needs that require special care (i.e. legal dept, HR, contracts…)?
  • ….

Do we need to define SLA related to this service?
  • what are the SLA expectations?
  • can we define SLAs for the several aspects of the service, such as delivery time, storage, access, uptime…?
  • ….

Wow.

As we can see, there are a lot of interesting questions that can be raised when we talk about mail, and we have not even entered the real deployment of the process; we have just set up a black box between sender and recipient.

Some of those questions would be better addressed by going deeper into the process, once the links between email and other business processes have been exposed. But right now we have understood that an apparently easy process like providing an email system should raise several security concerns.

So let's now try to understand what the value of this process is in relation to our business.

Once we have understood that sending email involves sending data, we should try to evaluate what kind of data is processed and what the value of this data is.

In today's environment, email systems are one of the most important (although neglected) assets. We actually use email to send any kind of communication, with different levels of importance.

From personal notes to projects, presentations and confidential communications, even legal or HR communications and business contracts and offers are sent by email.

But e-mail systems are also used to hold and store that information; basically, our mail servers and the related client interfaces are used as an unstructured database that holds our intellectual property.

Studies estimate that over 90% of company intellectual properties are stored in email systems.

So would this be worth protecting?

In order to better define the process, we should also try to understand the risks that this system is exposed to, but to do so we should, first of all, try to understand some small technical implications of email systems.

To be continued...