A version of this post appeared in Forbes.
Whether it’s the rapid adoption of the latest app or the shift to work-from-home sparked by a global pandemic, how we work is constantly changing, and security teams are on the front lines, dealing with it. Securing workflows demands recognizing when they evolve — a persistent and relentless challenge.
One application whose evolution has gone mainly unnoticed is email. With the emergence of the cloud, email has transformed from a simple messaging app to a full-fledged repository of content. Our personal mailboxes are now museums of our past and present digital lives, housing everything from health records to tax documents. Within enterprises, email doubles as an organization’s institutional memory, collecting internal memos, financials, contracts, employee records, customer data and vast amounts of other sensitive content on a daily basis.
In short, today’s mailbox is less like an inbox and more like a filing cabinet. That’s why we’re seeing email become the primary target of consequential cyberattacks like Sony, the 2016 Presidential Campaign, the hack involving SolarWinds, and Microsoft. It’s also why there’s a dire need for security teams to reframe their approach to email security.
"Today’s mailbox is less like an inbox and more like a filing cabinet."
Why Does Email Accumulate So Much Content?
Modern email services have trained us to archive everything. Armed with infinite storage and powerful search, we hoard every remotely meaningful message on the off chance that it will be handy at some point. As part of the broader consumerization of IT, we now do the same thing at work. The result is a growing library of content. Much of it is highly sensitive, but only a fraction is ever pertinent to the here and now.
We also receive a tremendous volume of messages. While it’s just one of many communication channels we use, email remains the lowest common denominator for collaboration. It houses both internal and external communication. It’s where we share work in progress but also the final version. It’s just as useful for long, formal announcements as it is for “quick questions” and “friendly pings.” Email’s versatility is the key to its resiliency as an essential communication tool in every organization.
Email is also the lingua franca for every other app. For example, Dropbox share notifications, completed DocuSign contracts, Jira ticket updates and Zoom cloud recordings all go to email. Regardless of the use case, online services use email as the de facto identity provider. As a result, with every new app we use, our mailboxes end up with even more content.
"Email’s versatility is the key to its resiliency as an essential communication tool in every organization."
Unpacking The Security Implications
The more content in email, the more attractive a target it becomes. Today, most email security products focus on blocking incoming or outgoing messages — what security professionals call data in transit. But when the average mailbox has so much sensitive content, protecting archived messages (data at rest) is equally, if not more, important. Security professionals need to approach protecting email the same way they secure other, more traditional content archives.
"Security professionals need to approach protecting email the same way they secure other, more traditional content archives."
In practice, this means adding foundational new capabilities to the email security toolset:
Monitor Access To Messages, Not Just Accounts
A traditional content system typically maintains an audit log every time someone opens a document. By contrast, if an attacker gains access to an email account, security teams have little data on which individual messages were actually accessed. Imagine investigating a burglary with zero information on what was stolen. The attackers behind last year’s far-reaching breach involving several government agencies and private companies such as SolarWinds, for example, sat unnoticed in the company’s email system for nine months.
Email service providers need to prioritize giving customers access to granular message viewing history to help security teams improve their telemetry. And security teams should incorporate these logs into their existing detection and response playbooks.
Use Escalated Controls For Sensitive Messages
Multiple, layered authentication checks are the norm for both physical and digital access. Bank vaults, police evidence rooms and traditional file-sharing platforms all use additional checks for highly prized or sensitive content. But when it comes to email, every message in your mailbox is treated equally. Is that newsletter from a vendor really as significant as board meeting notes, signed contracts or press release drafts?
When mailboxes contain hundreds of thousands of messages, a single login should not be sufficient to access every message within them. Security teams need to identify sensitive content archived in mailboxes and then add additional controls for accessing it where appropriate.
"When mailboxes contain hundreds of thousands of messages, a single login should not be sufficient to access every message within them."
Revoke Access To Messages When Context Changes
When you switch teams at work, it’s common to lose access to a Slack channel, shared folder or other team resources. But you can generally still access every email from your past team. Unlike other content systems, email does not accommodate changes in context.
With changing priorities, personnel, policies, regulatory environments and more, once mundane messages can become prized assets that need protection, compliance violations or reputational landmines. When undertaking access reviews, security teams need to consider revoking access to messages that are no longer useful to the original recipients. Importantly, they need tools to do this in a fine-grained way, not via draconian policies that indiscriminately delete all messages after a specific time.
Protecting Email As Its Role Continues To Expand
Email is more than a messaging app: It’s a treasure trove of content and the glue that ties millions of people, businesses and applications together. It’s also not going anywhere. Email’s role continues to expand, and security teams need a new strategy and class of tools to protect it.
But just addressing old problems in incremental ways won’t be enough. Tectonic shifts such as the adoption of cloud-based email with Microsoft Office 365 and Google Workspace, for example, provide an opportunity to reframe the problem itself and borrow proven models from other domains.
The way we use email has changed. It’s time to change how we secure it.
.png)