Messaging security pros get back to basics

Messaging pros are focusing their security efforts on patching infrastructure holes, identity management and good old-fashioned password maintenance.

Gone are the days when viruses were the number one concern of messaging administrators.

Administrators and vendors say the the new focus in the messaging security game deals with patching holes in the infrastructure, identity management, and good old fashioned password maintenance.

Kat Podgornoff, ETS at Golden State University in San Francisco, whose shop has run Novell GroupWise for the past 7 years, said there are currently two separate but equally important "hassles" that threaten e-mail security.

"The first is knowing when certain users' e-mail accounts are truly not being used and are therefore a security liability," she said. "The second is getting people to change their initial passwords."

Julie Hanna Farris, founder of the San Mateo, Calif.-based Scalix Corporation, said the focus is now plugging the "gaping holes" at the SMTP level, the TCP/IP level and at the mail level.

"Once the technology has matured around that, the next level moves into identity systems," Farris said. "The culture of mail is gradually moving to 'if I don't know who you are, then I am not going to accept mail from you.'"

As a comparison, Farris compared the new system to the way phone calls are handled today.

"Before it was an open channel, and anyone could call you, and you would answer. Now, there's caller ID," she said. "[Today] anyone can send mail to you and you generally would receive it and take a look at it."

Moving to an authenticated method would allow the receiver to determine that the sender is who they claim to be, Farris said.

"This is something that we have to evolve to both technologically and sociologically," she said.

Don Bradford, a vice president of product development at Scalix, considers today's e-mail an "open channel."

"[E-mail] was set up to be open. Anybody can wire in as long as you can find the record for the mail server that you want to send to. There is really [certainty about] the identity of the person that is sending an e-mail to you, unless you authenticate at some point during the chain," Bradford explained.

Bradford believes that the real challenge in the industry today is a general reluctance toward changing their "open" mindset.

"What's needed is a centralized identity and public key infrastructure, but that just hasn't been adopted," he said.

Bradford said that there is a need for a generic key registry. He cited Microsoft's .NET Passport effort as an example, but also noted that no one has really signed on to use it.

Passport is an online service that allows people to use their e-mail address and a single password to sign in to any .NET Passport-participating Web site or service.

Another failed attempt was made by the U.S. Postal Service, which had attempted to implement a program that would have seen every citizen in the U.S. assigned a "e-mail identity" that the service could authenticate. The initiative was eventually cancelled.

"Until we have a clear idea on the identity of someone sending the e-mail then we have to look at a series of authenticating intermediaries. In this [current] system, there is always the chance for something or someone to get through," Bradford said.

For now, administrators like Podgornoff will continue the tried and retried practice of keeping their users in line by cracking down on dangerous practices, such as opening e-mail attachments from strangers.

Dig deeper on Enterprise applications for Linux

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchDataCenter

SearchServerVirtualization

SearchCloudComputing

SearchEnterpriseDesktop

Close