Managed Email Providers with Specific Requirements

matt_garman

Active Member
Feb 7, 2011
207
38
28
Didn't really know where to post this, so I thought I'd try this general forum...

At my work we do email via MS Exchange and Mobile Iron, and it's all in-house. This isn't our strong suit, and furthermore there are a lot of security-minded strict requirements. So we currently have a fairly complex setup. I'm trying to see if we can just outsource the whole thing. Does anyone know of any email/groupware providers that can meet the following minimum requirements:
  • Can't access via Internet. Need to access email via VPN or a peering agreement. Perhaps another way around this is to host the managed services in a cloud environment where the cloud provider has VPN or peering capabilities. But none of our PCs have Internet access, so we need a way to work with this restriction.
  • Need strict controls on user quotas and attachment sizes.
  • Ability to run some kind of "hook" or custom check script on all outgoing email. Or maybe the service offers a canned scanning/checking mechanism that works for us?
  • Spam, virus, malware, phishing, etc. prevention
  • Cannot be accessed from outside the company office (except in a very special case, see next item)
  • Can work with Mobile Iron, Good, AirWatch or similar tool that allows people to access email on their BYOD mobile device, but with very strict controls (no copy/paste outside of secure container, no forwarding, no attachment view, etc). (Currently doing this with Mobile Iron.)

Thanks!
 

Drewy

Active Member
Apr 23, 2016
207
55
28
52
I don't have an answer for you but...
Don't rely on your last bullet point; if it can be read, it can be copied. A camera is a pretty effective tool.
 

matt_garman

> I don't have an answer for you but...
> Don't rely on your last bullet point; if it can be read, it can be copied. A camera is a pretty effective tool.

I agree, there's always a way around whatever measures we put in place. But the higher-ups insist we do everything we possibly can. Those are the requirements I have.
 

Blinky 42

Active Member
Aug 6, 2015
615
230
43
46
PA, USA
With your list of requirements, are you better off hiring some local firm with Exchange admins to manage the infrastructure you have currently in-office vs. spending the extra $ to implement the above list? Are you trying for cost-savings, or to offload the whole email debacle to a 3rd party so the in-house team doesn't need to worry about it anymore?

I have dealt with some legal / pharma / healthcare type outfits in the past where they were able to achieve a tighter end result with a multi-layered setup, with mail servers at the edge that were the only items that had direct internet connectivity and provided the majority of the filtering / attachment scanning and first line of quota implementation, then would forward/relay the mail to the actual internal Exchange server cluster for in-house use.

How realistic are they in terms of what is achievable for security when it comes to non-encrypted email to the normal outside world? As @Drewy mentioned, you just need a camera to take a picture of emails. Unless you aggressively monitor and kick off devices from the network with unknown MAC addresses (and track down and kick out the offending people), then all sorts of higher bandwidth leaks like a bridge between the secure network and a cell phone or LTE->wifi hot spot are easy to set up with what any employee with a laptop probably walks into the office with already.

I ask because putting anything offsite, the cost to fully wall off and isolate the email setup in a new location could be significant given their expectations and legal needs. If they are OK with just IPSec tunnels between routers in your office and a colo/provider's rack as a secure tunnel then you have hope; if they are paranoid and want truly dedicated connections that you still need to encrypt then you will spend a fortune.
 

matt_garman

Hi Blinky, thanks for your feedback...

> With your list of requirements, are you better off hiring some local firm with Exchange admins to manage the infrastructure you have currently in-office vs. spending the extra $ to implement the above list? Are you trying for cost-savings, or to offload the whole email debacle to a 3rd party so the in-house team doesn't need to worry about it anymore?

Generally the latter. Here's where I'm coming from: Linux is really our bread and butter; all our critical stuff runs there. We have Windows basically for "boilerplate" productivity applications, mostly MS Office (which includes Outlook), and with Cygwin, as a "bridge" to the Linux systems. We only have one guy doing Windows support, and in general our Linux expertise is stronger (more people, deeper experience) than with Windows. Combine that with the higher-ups' requirements for "enterprise grade" reliability, "military grade" security, and absolute least-cost, I feel we are out of our league when it comes to MS Exchange. So I was hoping maybe we could just outsource the whole thing with an SLA in place and not have to worry about it.


> I have dealt with some legal / pharma / healthcare type outfits in the past where they were able to achieve a tighter end result with a multi-layered setup, with mail servers at the edge that were the only items that had direct internet connectivity and provided the majority of the filtering / attachment scanning and first line of quota implementation, then would forward/relay the mail to the actual internal Exchange server cluster for in-house use.

Our model is that everyone has two PCs, both in locked steel cages. One PC is for the internal network, the other we call DMZ. The internal network has absolutely no Internet access, except indirectly via connection to our Exchange server. The DMZ has basically full Internet access. The two networks are completely separate (both logically and physically), excepting only for the dual-homed Exchange servers, which straddle both networks.

The kind of architecture you describe sounds good but complex. Our firm is only about 50 people large, so definitely too much for us to take on without outside help.


> How realistic are they in terms of what is achievable for security when it comes to non-encrypted email to the normal outside world? As @Drewy mentioned, you just need a camera to take a picture of emails. Unless you aggressively monitor and kick off devices from the network with unknown MAC addresses (and track down and kick out the offending people), then all sorts of higher bandwidth leaks like a bridge between the secure network and a cell phone or LTE->wifi hot spot are easy to set up with what any employee with a laptop probably walks into the office with already.

The internal network we believe to be fairly well secured: locked PCs, wired 802.1x port authentication only (no wireless on the internal net). Remote email access is limited to a subset of employees (basically only operational support staff), and through Mobile Iron.


> I ask because putting anything offsite, the cost to fully wall off and isolate the email setup in a new location could be significant given their expectations and legal needs. If they are OK with just IPSec tunnels between routers in your office and a colo/provider's rack as a secure tunnel then you have hope; if they are paranoid and want truly dedicated connections that you still need to encrypt then you will spend a fortune.

From my perspective, I think a VPN tunnel from our routers to a provider's rack would be acceptable. Ignoring the change in physical location and VPN, from the client side, it should look the same: we give Outlook an address to connect to, and it's done. Whether that address is hosted here on site, or is actually going through a tunnel to a remote location doesn't really matter.

From what I've seen, most 3rd party email providers assume clients have Internet access. But I don't see how it's that different to provide access through a VPN tunnel (such as IPSec). That's where I'm at now, just trying to find someone who can do this, and get an idea of what it will cost.

Thanks again!
 

Blinky 42

> Our model is that everyone has two PCs, both in locked steel cages. One PC is for the internal network, the other we call DMZ. The internal network has absolutely no Internet access, except indirectly via connection to our Exchange server. The DMZ has basically full Internet access. The two networks are completely separate (both logically and physically), excepting only for the dual-homed Exchange servers, which straddle both networks.
>
> The kind of architecture you describe sounds good but complex. Our firm is only about 50 people large, so definitely too much for us to take on without outside help.

The multi-layer filtering is pretty easy to set up, and I would do the ingress / egress filtering servers all in Linux anyway where your IT pool has more experience. The net effect isn't that different than deploying a spam filtering appliance like a Barracuda Networks. Adding the layer around the Exchange server(s) helps by keeping them away from the internet to assist on security overall. They are probably doing the same for all internet traffic now anyway (all web traffic through a logged proxy server, no non-proxy access to outside world to avoid Skype, IM etc.).

> From my perspective, I think a VPN tunnel from our routers to a provider's rack would be acceptable. Ignoring the change in physical location and VPN, from the client side, it should look the same: we give Outlook an address to connect to, and it's done. Whether that address is hosted here on site, or is actually going through a tunnel to a remote location doesn't really matter.
>
> From what I've seen, most 3rd party email providers assume clients have Internet access. But I don't see how it's that different to provide access through a VPN tunnel (such as IPSec). That's where I'm at now, just trying to find someone who can do this, and get an idea of what it will cost.

The crux of this is going to be if there are legal/contractual barriers to it (if they are doing full-on secure/insecure desktops on each desk I would imagine there are). Consider if the contents of the email sitting on the server are considered "inside" the secure network or not. Can sensitive information be sent from employee A to employee B as long as it is all inside and no external addresses? Is everything expected to be encrypted at rest and in transit? The various cloud providers provide the scalability and price competitive aspects because the hardware capex and opex is spread across lots of clients. If you need dedicated resources to maintain your contractual / SLA terms then you will just be recreating what you have now at a 3rd party site and may be better off hiring the 3rd party to manage your email on-site via a restricted VPN instead of picking everything up and putting it elsewhere.

And another thought, since you have full secure / insecure setups across all the employee desktops - are you better off with an internal-only email setup that has zero interaction with the outside world and an internet-connected email system that has only insecure communication? How practical that is depends on how the people use the current system and if external clients' email needs to end up in the "secure" system or not. But at the end of the day, if you let client emails onto the "secure" network and emails out to people via normal email channels then you have a pretty huge exploitable security hole for data leaks for motivated parties, and throwing more money at it is just going to create a complex but marginally more "secure" setup. There is a reason that the places that military contractors I have dealt with have zero internet access at the majority of normal people's desks and anything that is public is in a physically separate workstation in an insecure zone with everything still logged and recorded for future audits.
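
Added example, not code from any poster in this thread: an outgoing-mail check of the kind asked for in the first post ("hook" on all outgoing email, strict attachment limits), written so it could run on a Linux egress relay like the one described above. The domain `corp.example`, the 1 MiB limit and the function names are assumptions, and the sample message is constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed values for illustration; not taken from the thread.
MAX_ATTACHMENT_BYTES = 1 * 1024 * 1024
INTERNAL_DOMAIN = "corp.example"


def check_outgoing(raw: bytes) -> list[str]:
    """Return policy violations for one outgoing message (empty list = accept)."""
    msg = message_from_bytes(raw, policy=policy.default)
    violations = []

    # Assumption: recipients are read from headers. A hook wired into an MTA
    # should use the SMTP envelope recipients, which headers can misstate.
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(str(h) for h in msg.get_all(name, []))
    recipients = [addr for _, addr in getaddresses(headers) if addr]
    external = [a for a in recipients
                if a.rpartition("@")[2].lower() != INTERNAL_DOMAIN]

    # walk() also descends into nested multiparts and forwarded messages.
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if part.get_content_disposition() != "attachment" and not name:
            continue  # ordinary body part
        name = name or "(unnamed)"
        # Size of the decoded content, not the base64-inflated wire size.
        size = len(part.get_payload(decode=True) or b"")
        if size > MAX_ATTACHMENT_BYTES:
            violations.append(f"attachment too large: {name} ({size} bytes)")
        if external:
            violations.append(f"attachment to external recipient: {name}")
    return violations


def build_sample(to: str, attachment_size: int) -> bytes:
    """Constructed test message; addresses and content are made up."""
    m = EmailMessage()
    m["From"] = "alice@corp.example"
    m["To"] = to
    m["Subject"] = "report"
    m.set_content("see attached")
    m.add_attachment(b"\0" * attachment_size, maintype="application",
                     subtype="octet-stream", filename="report.bin")
    return m.as_bytes()
```

A relay would reject or quarantine the message whenever the returned list is non-empty and log the violations for audit.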