A Moat Around the Wrong Castle: Re-evaluating Email Security in the Cloud Era

As modern attacks bypass the email perimeter, security must evolve from simply guarding the gateway to actively protecting the sensitive data and accounts inside your cloud workspace.

Industry Insights
August 21, 2025
7m read
authors
Nate Abbott

For decades, the secure email gateway (SEG) has been a cornerstone of email security. As email remains consistently the most common attack vector and the root of the majority (or at least a plurality) of attacks in nearly every industry report, protecting the email perimeter was a no-brainer, and a SEG was a non-negotiable line item in every security budget.

As the way we work has evolved, for the most part, security has changed along with it. Yet email, in spite of being the root of the plurality (if not the majority) of major breaches, remains stuck in the old perimeter-based mindset. 

The castle-and-moat: torturing metaphors and security teams alike 

The cliched metaphor of the castle-walls-and-moat-as-perimeter-security was never perfect to begin with. And revisionist history has strained that analogy to the point of rupture. But it’s instructive to think about how so much of security operations has evolved with the shift to the cloud as a way to highlight how little email has.

As more of our critical workloads moved to the cloud, the industry recognized that on-premises security was woefully inadequate, and jerry-rigging old defenses to protect a wildly different way of doing business was both costly and ineffective. 

As a result, our reliance on network security tools gave way to the alphabet soup of modern cloud security tools, eventually morphing into CNAPP. As our endpoints became more and more mobile and the threats they faced evolved, fragmented AV and IDS systems gave way to comprehensive endpoint detection and response (EDR) tools.

These evolutions reflect two realities: our workers and the work they do are increasingly outside of a “trusted” internal perimeter, and the way we work means that trusting anything is increasingly risky. This, of course, gave rise to zero trust, and the “assume breach, always verify” mentality.

Yet email security stubbornly refuses to acknowledge this reality. SEGs, and even most integrated cloud email systems (ICES), remain focused on keeping threats out at the perimeter, but do almost nothing once a threat lands. Native email providers’ security has improved by leaps and bounds, but stopping the increased influx of sophisticated, tailored attacks and detecting compromised accounts remain incredibly difficult with today’s tooling.

This results not only in less-effective defense, but it can also muddy operational waters, forcing security teams to monitor traditional IT tasks like managing email flow. Torturing the metaphor further: that’s like forcing the archers defending the castle walls to also be responsible for raising and lowering the drawbridge.

The blind spots of a perimeter focus

A modern SEG can certainly catch a high volume of known threats and obvious attacks–there’s no disputing that. But the most devastating attacks in recent history don’t fall into those categories: they’ve been successful thanks to their ability to get around filters. These aren’t edge cases: they’re the center of email risk in today’s threat landscape.

And it’s not just sophisticated attacks that fall within the blind spots of traditional email defenses. Many, if not most, of the most dangerous attacks facing companies today come from trusted senders or even within the tenant itself, whether in the form of fraudulent requests and invoices arising from compromised accounts of partners and vendors, or compromised internal accounts spreading across the organization by sending threats internally.

Most modern attacks aren’t carrying obvious malicious payloads. Credential phishing, business email compromise, account takeover attacks: these are social engineering campaigns that exploit the people, not the security system. 

None of this is to say we shouldn’t try to stop threats at the perimeter–but in today’s world, doing so is table stakes. It’s the bare minimum. Email retains its place at or near the top of lists of most common threat vectors because today’s threats and modern cloud office environments demand we go further.

Native security isn’t enough

Google Workspace and Microsoft 365 have reshaped the way we think about our cloud offices. The collaboration and productivity enabled by these platforms that we now take for granted was unthinkable not that long ago. They helped dissolve the idea of the fixed network edge: everyone can be remote, every device is a potential access point. Identity, not IP address, is the perimeter.

And the security built into these platforms is impressive. Microsoft’s suite of enterprise security tools is powerful and expansive. But it’s cumbersome to set up and maintain, and their underlying infrastructure falls victim to attacks all too regularly. Google’s infrastructure is very secure, but the security tooling built into the platform makes advanced operations exceedingly difficult without extensive engineering work.

SEGs are often put in place to reinforce the native security capabilities and provide another layer of defense against email threats. But even with the two combined, security teams regularly call out the limited visibility into email and file activity across their tenants, the weak retention and auditing controls available, and reactive, rule-based defenses that struggle against subtle and novel attacks.

These cloud office platforms are where your employees work, where they collaborate, and where they keep the information that powers your business. They are more than just attack vectors: they’re targets in and of themselves, and they demand visibility and control to secure. But today’s email security model continues to focus on the perimeter at the expense of the core.

Shifting the battleground: a new model of email security

We have decades of proof to show that guarding the perimeter isn’t sufficient for robust email security, so the question becomes: what should email security look like today?

Perimeter defense, again, remains important. Nothing we’re saying here today is to suggest anything else. Monitoring all incoming messages for threats is paramount. But that’s just the beginning. 

  • Evolve email defenses. The perimeter should still be protected, but more effectively. Combining the flexibility of rules-based detections with the adaptive power of ML models that can identify patterns and behaviors is a good first step. Making it simple and easy to create powerful custom detections, so that companies can rapidly react to internal threat intel, is critical. Automating user reports enables your people to help protect the entire organization without adding workload to your security team.
  • Understand and protect critical data. Email archives and file sharing platforms house years of sensitive, regulated, and mission-critical information. Companies need to be able to index, categorize, and protect sensitive data in both email and files. And critically, they need to be able to do so without slowing the workforce down. Draconian retention policies and overly-restrictive sharing policies solve security, but undercut the collaborative benefits of the cloud office. Enabling secure collaboration is key.
  • Detect and contain compromises early. Combining the first two bullets above goes a long way toward enabling companies to find subtle signs of compromise and contain attackers before they can do damage. Tracking access patterns to sensitive data, creation of suspicious email rules like auto-forwarding, abnormal sending patterns, and other behavioral signals raises warning flags of ATO attacks that SEGs simply can’t see.
  • Empower incident response. When an attack does occur, forensic information is key. Security teams need to know what was accessed and when in order to remediate quickly. Visibility into everything that goes on inside any account streamlines investigation and response: from malicious emails received and clicked to file access patterns to password resets to file downloads and more.
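
Two of the in-tenant signals named in the list above (creation of auto-forwarding rules and abnormal sending patterns), sketched as detection logic. This is an added example, not code from the original post or from Material; the event schema, field names, thresholds and sample events are constructed assumptions and do not reflect any Google Workspace or Microsoft 365 log format.

```python
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains

def _sends(user, counts):
    # Constructed sample data: one "send" summary event per day for a user.
    return [{"day": d, "user": user, "type": "send", "count": c}
            for d, c in enumerate(counts, start=1)]

# Constructed events in a hypothetical normalized schema (not a vendor log format).
EVENTS = (
    _sends("ana@example.com", [20, 22, 19, 21, 23, 20, 240])
    + _sends("bob@example.com", [30, 28, 33, 31, 29, 30, 32])
    + [{"day": 7, "user": "ana@example.com", "type": "rule_created",
        "forward_to": "drop@mail.example.net"},
       {"day": 7, "user": "bob@example.com", "type": "rule_created",
        "forward_to": "archive@example.com"}]
)

def external_forward_rules(events, internal=INTERNAL_DOMAINS):
    """Mailbox rules that forward mail to an address outside the tenant."""
    return [(e["user"], e["forward_to"]) for e in events
            if e["type"] == "rule_created" and e.get("forward_to")
            and e["forward_to"].rsplit("@", 1)[-1].lower() not in internal]

def send_spikes(events, z=3.0, min_days=5):
    """Users whose latest daily send count far exceeds their own baseline."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["day"]):
        if e["type"] == "send":
            per_user[e["user"]].append(e["count"])
    flagged = []
    for user, counts in per_user.items():
        *history, latest = counts
        if len(history) < min_days:
            continue  # not enough history to call anything abnormal
        mu, sigma = mean(history), pstdev(history)
        if latest > mu + z * max(sigma, 1.0):  # floor sigma for very steady senders
            flagged.append(user)
    return flagged

def likely_takeovers(events):
    """Accounts showing both signals together, a stronger ATO indicator than either."""
    forwarders = {user for user, _ in external_forward_rules(events)}
    return sorted(forwarders & set(send_spikes(events)))

if __name__ == "__main__":
    print(likely_takeovers(EVENTS))
```

Neither signal involves an inbound message crossing the gateway, which is why both have to be read from activity inside the tenant.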

In short, security has to extend inside the perimeter to where the targets live: the data, files, and accounts. Circling back to the castle metaphor, this approach has the added benefit of allowing your security and IT teams to stick to what they do best: letting your archers be archers. 

New questions need new answers

The SEG was the right answer for a very long time… but the questions have changed. Continuing to focus on the perimeter when the most critical risks reside within is a recipe for headaches and worse. 

True resilience today comes from understanding and protecting the core of your cloud office: the email, files, and accounts within. It’s time to stop digging a deeper moat and start securing the castle itself. 
