A new, web-based secure messaging system announced this morning by Mimecast aims to address the continuing problem of malicious payloads passing through email.
Mimecast’s strategy with its simply named Secure Messaging service is not entirely new: direct Outlook to upload email attachments to a web gateway, encrypt them there using AES, and let browsers manage the transfer of the encrypted attachments through secure sessions.
What’s new, however, is Mimecast’s appeal to customers: please trust a cloud for your security.
“We do retain data in the cloud, so you can archive perpetually with us,” said Orlando Scott-Cowley, Mimecast’s director of technology marketing and a certified security engineer, speaking with CMSWire. “Or alternatively, if you have legal concerns about security and privacy of using a cloud service, we have a zero-drag or zero-retention which just sends the mail straight through to the organization.”
Blocking the Open Door
Email remains the single most exploitable channel in all of business.
By playing on recipients’ willingness to trust, naiveté, curiosity or even their likelihood of clicking on a button that says, “Click This,” malicious agents can pass payloads into networks unchecked.
Enterprises continue to procure technologies and appliances that can filter out most of these incursion attempts.
Compliance measures and best practices have helped workers stay somewhat more alert than they were before. Even then, even with a one-in-ten-thousand chance of success, ten thousand attempts eventually succeed in planting one malicious agent somewhere in the network.
When that network belongs to Sony, more people are interested in what secrets the incursion uncovered than in taking steps to ensure the same calamity doesn’t happen to them.
Mimecast is making a genuine effort to make it more feasible for individuals to avoid making the mistakes that open their networks to incursion.
The company already offers an email archiving service with a secure gateway to that archive. With Mimecast Secure Messaging, an Outlook add-on gives senders the tools to upload attachments into that archive, and then send recipients secure links to retrieve those files.
Each link triggers an HTTPS process in the recipient’s browser, so not only the download itself but also the retrieval of that download is encrypted.
The Whole Business with Keys
Up until very recently, said Scott-Cowley, organizations that enforced their requirements for encrypted email resided in certain industry niches — for instance, defense contractors.
It’s only within these niches, he noted, that these organizations have successfully gone through the motions of setting up PKI encryption infrastructures, complete with public and private keys.
“If they got it wrong, and people start showing the wrong keys or start doing the wrong things, they ended up not being encrypted,” he said. “It’s just a huge pain, a huge cost, and an added level of complexity which is hard for organizations to try and achieve.”
The issue of the failure of these complex systems was only brought to the forefront in the past few years by the Edward Snowden affair. Businesses investigated their options, and for a while, he said, they resumed the 1990s practice of swapping digital keys.
That lasted about as long as NBC’s revival of “Ironside.”
“We developed Secure Messaging to give the IT team the ability to roll out a very simple, secure channel for sending confidential information to external contacts,” said Scott-Cowley. For existing Mimecast customers, he added, the “rollout” is a process of Mimecast turning the service on, admins propagating the Outlook add-on, and then enforcing communications through that add-on by way of group policy.
That policy applies a filter capable of screening out, for example, personally identifiable data (PID) or health-related data from communications to non-employees.
It can blacklist IP addresses or domains so that they are never sent messages in the clear, or else enforce rules under which messages to those recipients are always sent through Mimecast.
The sender can apply restrictions to the message such as preventing printing, or suppressing Reply or Reply All; or the sender can apply expiration dates to messages.
On the recipient end, Mimecast customers receiving messages from other Mimecast customers may request to receive attachments through the secure gateway, even if they were originally sent in the clear.
“It doesn’t require all the usual hoops you’d have to jump through to deploy traditional e-mail encryption services,” said Scott-Cowley, “so we’ve removed cost and removed complexity. We’ve made it easy for the administrators, and then the end users, to actually adopt a secure messaging infrastructure.”
Beginning today, Mimecast is rolling out Secure Messaging as part of its cloud security suite.