|
The Strategic Value Of
Secure Email
Securing your corporate email systems
from email-based attacks will help minimize staff productivity
losses and further reduce the costs of the ongoing operation
of one of your most valuable communication tools: email.
Microsoft Exchange Server is central to
the digital collaborative capabilities of millions of organizations.
Microsoft Exchange Server is the market's leading email
and collaboration platform, and as the market leader it
is often the target of malicious hackers and virus writers.
Why Is Securing Email So Critical?
When you stop and think about it, your
email server is nearly as vulnerable to hostile activities
as is your organization's web server. Email, by its very
nature, is designed to exchange information with other computers
that are not necessarily known or trusted by your domain's
administrator. It is the most vulnerable point of your corporate
network next to your web server.
Many viruses and hostile "attacks" penetrate
corporate networks through email. Others attempt to penetrate
through the web server, but many attacks rely on unsuspecting
users clicking a link, opening an attachment or otherwise
"allowing" the hostile attacker's code to execute. Simply
filtering all email so that only internal email addresses
can be a sender or recipient of email would make the network
more secure, but it would make email useless to communicate
and collaborate with external parties. How would you ever
receive an email from a hot, new lead to your "sales@" or
"info@" email address?
The best answer to prevent these hostile
acts lies in securing the way that Outlook communicates
with Exchange so that only "authentic" communications are
allowed, even if coming through the Internet. Microsoft
made Exchange Server 2003 and Outlook 2003 "work better
together" to do this through a new communications protocol
called Exchange RPC. Exchange RPC is only available for
users that use Outlook 2003 to connect with an Exchange
2003 server.
Why Is Exchange RPC More Secure?
The Exchange RPC protocol is implemented
as an encrypted RPC request and is then bound to standard
HTTP traffic on port 80, the same port your organization's
web server uses to enable visitors to browse your corporate
web site. Because of this, your firewall administrator is
now able to close several critical ports ... several of
which are frequently used in Internet-based exploits that
take advantage of standard RPC calls.
Recently, MSBlast took advantage of RPC
to wreak havoc on private and corporate email systems that
cost millions of dollars to contain and eradicate.
Security analysts warn that such attacks are likely to increase
in the future, will spread faster, will become more damaging
and will become even harder to eradicate.
It sounds like the cost related to preventing,
controlling and cleaning up email-based viruses
is likely to be increasing in the near future.
Why not protect yourself and implement a cost-containment
strategy at the same time? Upgrade to Exchange Server 2003
and Office System 2003 now.
What is the difference?
Exchange RPC / "Standard" RPC -- Sounds The Same To Me!
Standard RPC calls use a series of different
ports to enable a remote computer to communicate with and
execute commands on a different computer residing somewhere
on the network. RPC is a technology that pre-dates the popular
use of the Internet as a widespread public communication
medium, so it was designed to be used on a safe, secure
LAN or WAN. It is NOT designed for a hostile environment
like the Internet. Exchange RPC is.
VPNs create a virtual "WAN" environment
using a technique called tunneling to provide somewhat secure
Internet connectivity. However, even VPNs are subject to
penetration and they are complex to implement, problematic
and costly to maintain. Even with a VPN, a "private" connection
would be created and would remain until Outlook and Exchange
finish communicating with each other. This provides an attacker
the time required to analyze the network traffic and "hijack"
or "spoof" the VPN connection. Exchange RPC resists both
types of attacks.
Exchange RPC reduces, and virtually
eliminates, these threats because:
- The RPC instruction itself is encrypted
so an attacker will have a difficult time deciphering
the instruction, modifying it, and then forwarding it
on during the short period of time allowed before the
connection times out.
- By traveling as encrypted data over
a standard HTTP request your organization's firewall
can be closed down. Additionally, existing web server
security and intrusion detection software will continue
to work.
- Since HTTP is stateless, the connection
between Outlook and Exchange is only open long enough
to transmit an instruction and then it is closed. A
new connection is opened for the next instruction or
the response to the previous instruction.
The point is any one connection is open
very briefly and then it is closed. This does not give an
attacker much opportunity to penetrate the system. Adding
a rules-based, policy-driven software firewall like Microsoft's
Internet Security and Acceleration Server (ISA Server) provides
even greater security and virtually eliminates unauthorized
access or transmissions from reaching their intended destinations.
With ISA Server, the Exchange RPC protocol
is authenticated "at the edge" of the firewall rather than
"behind" it. This means that once the traffic is confirmed
as being legitimate, the credentials accompanying the instruction
must pass authentication before being delivered to the server
for execution. Anonymous requests, and nearly all viruses
use the Anonymous or Guest account to run, are no longer
allowed to execute unless the Administrator explicitly grants
the proper rights.
What's The Real Value Of This In Business Terms?
Organizations spend a great deal of time
and money to maintain reliable, efficient and secure messaging
and collaboration tools. That's reality. It's also reality
that remote workers and mobile workers are a part of every
organization's workforce and those users have typically
been the most demanding and costly to support and ensure
availability of corporate technology services from any location.
Now that the Internet is the "universal
network" that connects everything together in an economical
way, and it must be considered a "hostile" environment.
It is prudent to take heed of the analysts warnings that
attacks on email systems will continue and are likely to
become harder to prevent using "old" technology. When you
add it all up, it means that the longer you wait to upgrade
the more likely it is that you will be spending your IT
budget cleaning up some nasty, virus-related melt down instead
of on new, more powerful capabilities for your organization.
All of these factors combine to make the
choice of not upgrading to Exchange 2003 and Office
2003 a potentially costly one in terms of legal exposure,
lost productivity and additional costs to secure and eliminate
vulnerabilities.
Note that this is only from the security
perspective. The security argument for upgrading does not
include the other benefits and new capabilities found across
the entire family of Office System 2003 and Exchange Server
2003. Many of these features and products will boost individual
productivity on a daily basis and serve as an enabler that
allows your organization to further integrate and automate
Office applications to gain mid and long-term operational
efficiencies. Even the new version of Outlook Web Access
that comes with Exchange Server 2003 is a compelling reason
to upgrade in itself.
Upgrading to Office System 2003 and Exchange
Server 2003 will have a direct strategic impact on manageability,
reliability and agility in addition to the obvious tactical
and financial implications of slowing down the spread of
email-based viruses.
Will SalesOutlook Work With Exchange 2003 and Office
2003?
Yes. SalesOutlook is releasing a major
upgrade to its flagship "Common Sense CRM" system shortly
after the official launch of Exchange Server 2003 and Office
System 2003. The Microsoft launch is slated for the week
of October 21, 2003. See the Microsoft Events website or
the Office website at
www.microsoft.com/office for information on Microsoft
launch events in your area. Then, stay tuned. SalesOutlook
CRM 4.0 will make its debut shortly thereafter.
SalesOutlook
4.0 will fully support the Office System 2003 client
and Exchange Server 2003, and it will also support
the more secure Exchange RPC protocol.
SalesOutlook 4.0 fully supports connected,
offline and "cached mode" use, and it supports the new,
more secure Exchange RPC protocol. SalesOutlook 4.0, when
combined with Exchange Server 2003 and Office System 2003,
will help your organization deliver remote and offline users
the safety and security of VPN access without the cost and
complexity of implementing and maintaining a VPN.
What's New In SalesOutlook 4.0?
SalesOutlook 4.0, like Outlook 2003, improves
performance for all users by implementing data caching technology
so that information is available on the local computer quickly
when needed. SalesOutlook 4.0 also sports a new user-configurable,
dashboard-like interface that is more intuitive and easier
to navigate. It enables individuals to configure SalesOutlook
to display information according to their personal preferences
without any programming.
A new System folder enables Administrators
to add more than 200 different custom business objects to
the SalesOutlook system, and as long as the custom business
objects are designed according to SalesOutlook specifications
they will seamlessly "plug-in" to the core system. You will
find that improved flexibility and extensibility is a recurring
theme driving the development of the SalesOutlook 4.x generation
of products.
The SalesOutlook 4.x generation will continue
to evolve and expand, even beyond the initial 4.0 release.
As time progresses, the 4.x generation of SalesOutlook will
add many new features and capabilities. This includes an
all-new "modular" approach that enhances your ability to
customize, integrate, extend and automate your SalesOutlook
system. By employing a modular-based architecture, SalesOutlook
4.x will be able to meet the needs of virtually any organization.
The core SalesOutlook 4.x system will
continue to provide the basic blocking and tackling that
is the cornerstone of the SalesOutlook brand, and several
optional modules are planned that will bring advanced and
industry-specific functionality to those who need it. Using
this modular approach, we will be able to keep the costs
of buying, implementing and maintaining your core CRM system
down while still being able to offer the advanced functionality
that you or many other organizations require.
Recommendations
Simple. Upgrade your collaboration infrastructure
to SalesOutlook 4.0 running on Exchange Server 2003 and
Office System 2003, and deploy it as one project having
two distinct phases. An optional third phase can easily
be added if your organization is also committed to Windows
Server 2003 and the enhancements available for Active Directory
in Windows 2003 domains.
Since many organizations are moving closer
to the annual budget free-for-all, perhaps now is a great
time to begin planning and estimating how and when you will
make your move to Office 2003, SalesOutlook 4.0 and Exchange
2003. A breakdown of the key phases of the full 2003 upgrade
project might include:
Phase I: Upgrade / Deploy SalesOutlook
4.0 and Office System 2003 simultaneously
Phase II: Upgrade Your Exchange Server
to Exchange Server 2003
Phase III: Upgrade Your Domain to
Windows Server 2003 and a 2003 Domain (Optional)
Upgrading / Deploying SalesOutlook 4.0
and Office System 2003 together will help you keep costs
down and maximize ROI since you will only have to visit
your knowledge worker's computers 1 time, train your users
1 time and deal with the higher demand for support (early
operations phase) 1 time. In addition, all change management
issues, political issues, cultural issues, budget issues
and personnel issues can be addressed as a single project
to upgrade your core digital collaboration infrastructure.
Since SalesOutlook 4.0 is so affordable
that it will represent a small percentage of the overall
project budget, including it in the project plan and budget
request will enable you to defend the approach from the
ROI perspective. Show that in addition to more secure systems
with greater future potential (.NET and XML) you are also
deploying a comprehensive CRM capability.
Also show the cost of the project without
the added CRM capability and everyone will see what a great
deal you found for the company. This approach should help
you win the dollars you need to do the whole project, and
you only had to ask one time instead of two! In fact, your
boss may even take you to lunch or give you a pat on the
back for your wisdom and business acumen.
Explore The Possibilities
After you upgrade let your customers,
partners, employees and developers "get creative" while
guiding you on the automation needs of your organization.
Explore the possibilities that XML and .NET based collaboration
tools bring to your organization. But most importantly don't
forget to train your users so that they can unlock the power
of the fantastic tools they have available to them. In the
end you will be the hero of the day, and wouldn't that be
a nice change of pace?
Every organization using Exchange and
Office must at some point address the question of "Should
we upgrade?". Hopefully this briefing provided you with
several good reasons and the solid business justifications
you need to implement more secure, less costly, more reliable
and more capable collaboration and customer interaction
management tools. Let Outlook 2003, Exchange Server 2003
and SalesOutlook 4.0 combine their power, securely, to help
your organization achieve these important strategic goals.
Click here to schedule a demo
of SalesOutlook CRM today.
|
