Overview
• Off-site hosting of anti-spam, anti-virus, IP reputation and basic policy enforcement to the cloud
• Replaces anti-spam/virus filtering appliances/servers in the on-premises DMZ gateway layer
• The Groupware layer is on-premises (Exchange, etc.)
Critical Things to Consider
The external gateway systems (typically in the DMZ) are still required for accepting inbound mail from the Internet SaaS provider, although for a large enterprise the number of gateway systems may be substantially reduced. The actual cost of outsourcing the filtering layer needs to be carefully calculated, in addition to answering the following critical questions:
• Is TLS encryption important to your organization? It is likely that you will lose control over TLS encrypted sessions when filtering is done in the cloud. A few providers offer some level of “opportunistic” TLS encryption; however, support for TLS authentication, which most enterprises require, is not managed by the cloud provider.
• Is S/MIME encryption important to your organization? As is the case with TLS encryption, you will also lose control over S/MIME gateway encryption. To date, no cloud messaging provider supports S/MIME gateway encryption, a de facto standard for implementing secure tunnels for email. End-users would be required to implement S/MIME at the desktop and there would be no way to implement server-side encryption policy for S/MIME. Among potential problems, you could lose the capability to virus scan S/MIME encrypted messages entering your organization before those messages reach the desktop.
• Are other methods of message encryption, such as Voltage IBE, important to your business? Some cloud providers support certain types of message encryption; however, the ability to intelligently encrypt/decrypt messages needs to be driven by corporate policies. As some of Sendmail's customers have discovered, cloud filtering solutions, including those offered by Google and Microsoft, provide only simple email policy capabilities. In order to accomplish even basic policy enforcement, the cloud provider requires your Active Directory, and other LDAP sources, to be synchronized with their service — this alone raises serious security and privacy concerns for many companies.
• Is your company willing to compromise security for improved spam filtering? In order to provide optimum spam filtering, the cloud provider needs access to your corporate directories. For example, to perform recipient validation on inbound messages, the cloud provider requires an up-to-date list of all your valid email users, which raises serious security and privacy issues that must be well thought through before releasing this sensitive data to the cloud provider.
• Is it important for your IT/Help Desk to have access to email logs? You may lose the ability to access your email logs when using a cloud provider for message filtering. For example, tracking “lost” messages for end users may become very problematic if you don’t have access to all of your email logs.
• Does your organization have special spam handling requirements? When outsourcing the spam filtering function, you may lose control of the ability to create special use-cases for spam handling.
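The log-access question above comes down to whether your own Help Desk can still trace a message by queue ID once part of the path runs through the provider. The following is an added example, not part of the original post and not Sendmail's code: a small Python parser over constructed sendmail-style gateway log lines (hostnames, addresses, IPs and queue IDs are all made up) that reconstructs a message's envelope and delivery attempts and lists undelivered messages for a given recipient. With the filtering layer outsourced, the "from=" accept records and any rejections before this point live in the provider's logs, so a trace like this stops at the provider's relay unless the provider exports its logs to you.

```python
import re
from collections import defaultdict

# Constructed sample of sendmail-style gateway log lines (not real logs).
# Each message is keyed by a queue ID: one "from=" record when the message is
# accepted, then one "to=" record per delivery attempt.
SAMPLE_LOG = """\
Jan 10 09:12:01 mx1 sendmail[2201]: r0AH12AB001: from=<alice@example.com>, size=2048, relay=filter.cloudprovider.example [203.0.113.10]
Jan 10 09:12:02 mx1 sendmail[2202]: r0AH12AB001: to=<bob@corp.example>, delay=00:00:01, relay=exchange.corp.example. [10.0.0.25], dsn=2.0.0, stat=Sent (Ok: queued)
Jan 10 09:15:40 mx1 sendmail[2210]: r0AH15CD002: from=<newsletter@example.net>, size=51200, relay=filter.cloudprovider.example [203.0.113.10]
Jan 10 09:15:41 mx1 sendmail[2211]: r0AH15CD002: to=<carol@corp.example>, delay=00:00:01, relay=exchange.corp.example. [10.0.0.25], dsn=5.1.1, stat=User unknown
Jan 10 09:20:05 mx1 sendmail[2220]: r0AH20EF003: from=<dave@example.org>, size=1024, relay=filter.cloudprovider.example [203.0.113.10]
Jan 10 09:20:06 mx1 sendmail[2221]: r0AH20EF003: to=<bob@corp.example>, delay=00:00:01, relay=exchange.corp.example. [10.0.0.25], dsn=4.4.1, stat=Deferred: Connection refused
"""

# syslog prefix, process, queue ID, then the comma-separated key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<fields>.*)$"
)


def parse_fields(text):
    """Split 'key=value, key=value' into a dict.

    Values such as 'stat=Sent (Ok: queued)' may contain spaces and colons, so
    only split on ', ' when it is followed by another 'key='.
    """
    fields = {}
    for part in re.split(r", (?=\w+=)", text):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def parse_log(lines):
    """Group parsed records by queue ID, preserving log order."""
    by_qid = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated daemon or malformed line
        rec = {"ts": m["ts"], "host": m["host"]}
        rec.update(parse_fields(m["fields"]))
        by_qid[m["qid"]].append(rec)
    return by_qid


def trace(by_qid, qid):
    """Envelope sender plus one (recipient, dsn, stat) tuple per delivery attempt."""
    sender = None
    attempts = []
    for rec in by_qid.get(qid, []):
        if "from" in rec:
            sender = rec["from"].strip("<>")
        if "to" in rec:
            attempts.append((rec["to"].strip("<>"), rec.get("dsn"), rec.get("stat")))
    return {"sender": sender, "attempts": attempts}


def find_lost(by_qid, recipient):
    """Queue IDs addressed to `recipient` whose last attempt was not a 2.x.x success."""
    lost = []
    for qid, recs in by_qid.items():
        for rec in recs:
            if rec.get("to", "").strip("<>") != recipient:
                continue
            if not rec.get("dsn", "").startswith("2."):
                lost.append((qid, rec.get("dsn"), rec.get("stat")))
    return lost


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG.splitlines())
    print(trace(log, "r0AH12AB001"))
    print(find_lost(log, "bob@corp.example"))
```

The "relay=" value on the accept records is the only evidence the gateway keeps of what the provider did upstream; anything the provider quarantined or rejected never produces a queue ID here, which is exactly the gap the bullet above describes.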
Conclusion and Recommendations
• Depending on the specific requirements of your organization, outsourcing the filtering function can be problematic.
• If encryption is important to your organization, cloud offerings will prove to be difficult.
• If the cloud provider requires Directory data for improved spam handling and policy enforcement, you must consider the potential security risks of letting that data leave your organization.
• To avoid any of these potential problems, Sendmail always recommends that you conduct a thorough Messaging Architecture Review before outsourcing your external gateway filtering layer to the cloud.