Prime Minister’s office blocks Gmail, Hotmail


The department which houses Prime Minister Julia Gillard, her staff and the Cabinet yesterday signalled it would bow to a request from the Federal Auditor-General and block access to public web-based email services such as Hotmail and Gmail from 1 July, with the auditor seeing the platforms as an inherent security risk.

In a report on the security of information held by government agencies first reported by iTNews, the Auditor-General Ian McPhee recommended that “agencies should not allow personnel to send and receive emails on agency ICT systems using public web-based email services”, specifically calling out ‘hotmail’ and ‘gmail’ as examples of such platforms.

The problem with such services, according to McPhee, was that they provided “an easily accessible point of entry for an external attack”, and subjected departments and agencies to “the potential for intended or unintended information disclosure”.

The auditor’s examination of the information security of a number of agencies, including the Department of Prime Minister and Cabinet, but also Medicare, ComSuper and the Australian Office of Financial Management, found that webmail accounts were accessible by staff in the Prime Minister’s department, with logs showing that some staff were using the accounts “on a regular basis”.

In response to the auditor’s recommendation, PMC agreed it would shut down access to the webmail platforms.

“Current access arrangements for web-based email will cease on 1 July 2011,” the department wrote. “While access to web-based email was in response to business requirements, there were control measures in place. However, we accept the threat and risk assessment has changed and access will no longer be permitted from departmental systems.”

The move raises questions about the technical differences between what the auditor’s office deems to be public webmail services, and corporate-focused email platforms such as Microsoft’s Business Productivity Online Suite and Google’s Apps platform.

Like all of what Microsoft terms its ‘software plus service’ offerings, the vendor’s BPOS platform uses much of the same underlying technology as its Windows Live platform (including Hotmail), and is based on its Global Foundation Services infrastructure spanning datacentres around the world. The same is true of Google’s Apps platform, which is targeted at business and government use but shares the same infrastructure with its public Gmail offering.

A number of large Australian organisations have recently shifted to cloud-based email solutions from either Microsoft or Google, as part of a wave of interest in the area over the past several years. In addition, some organisations — such as Qantas with its flight attendants — are even recommending some workers use private email services for professional purposes, to simplify administration of staff who might not need daily access to email.

Microsoft and Google will be contacted this morning and asked for comment on the matter.

In general, the auditor’s report found agencies had implemented government security requirements well. “The agencies had established information security frameworks, had implemented controls to safeguard information, to protect network infrastructure and prevent and detect unauthorised access to information; and had controls in place to reduce loss, damage or compromise to ICT assets,” the auditor wrote. However, it noted some areas — such as the complexity of passwords, regular patching of software and so on — could be improved.

Image credit: Harrison Keely, royalty free

27 COMMENTS

  1. I assume they’re also going to disable the ‘forward’ button, which would be a much larger (by far) source of information disclosure than vulnerabilities in gmail or hotmail.

    For that matter, they better also disable the ‘reply’ and ‘compose new email’ buttons just to be safe.

    • … but those actions go through their infrastructure and therefore they can track what is sent out / block malicious things that try to get in.

      A few years ago this would have been a pain, but with the proliferation of smartphones with email access, people can just use those now.

      Of course this is assuming the issue is one of security – if the issue is one of employees wasting time, well, they should stop trying to use a technical solution to fix a social problem :)

      • hey Chug,

        I would defy any corporation to stop a 200kb encrypted file containing sensitive documents from being forwarded on via email. There is simply no way that corporate email systems — or any other systems — can know what is being sent out if the data is encrypted.

        In short, there are a thousand ways around this sort of corporate ‘security’, for the informed user.

        Inbound, things are a bit different — it’s mainly mass threats (virus, spam, trojans) that are being blocked. But then again … is it possible to say that any organisation can do a better job of blocking such things than Microsoft and Google, which block them for hundreds of millions of accounts already?

        Renai

        • If the file is encrypted with in-house corp policy, it can be blocked. Also, you still need to break the crypt once you get it out.

          If the file has been encrypted with 3rd party the problem becomes how that happened. If a user has that access to manipulate a file… they wouldn’t be emailing it; they wouldn’t need to.

          • … yeah but who would be stupid enough to encrypt a file with an in-house corporate system if they want to extract it? ;) Freeware tools like TrueCrypt should do the trick.

  2. This is perfectly sensible. External email systems are completely uncontrollable to corporate administrators, and as such “provide” an angle for unchecked material to enter and leave the network.

    This is also why many high security environments – (defence, government, etc) – also disable USB access on most machines – though the recent “USB Stick on a Mother F#%cking Plane” incident proves that’s not always foolproof.

    • hey Michael,

      then perhaps you can explain why so many large corporations find it acceptable to run ‘external email systems’, as you put it? Because under your definition, both Google Apps and Microsoft BPOS would appear to fit into that category ;)

      • Point well taken – but corporate Gmail and standard Gmail aren’t the same product. There is a very fine line to walk though, absolutely.

        :)

  3. Generally “security” in this situation is less about classified documents and more about reducing the number of entry points for viruses and Trojans.

    Corporate systems like internal Exchange servers, or centrally managed cloud-based systems can be administered according to the needs of an organization.

    What’s the point of carefully developing firewalls and mail rules if you also let people download any old attachment from their personal email, which isn’t subject to the same scanning processes as the corporate mail servers are?

    Personal web-based email has been blocked at all but one Federal Govt department I have worked in. Frankly, I’m very surprised PM&C didn’t have it blocked, too.

    • “which isn’t subject to the same scanning processes as the corporate mail servers are”

      Actually, I would assume personal email would be subject to at least the same scanning processes, if it’s Hotmail or Gmail — I know that both Microsoft and Google have extensive security interests in keeping personal email clean here. I don’t get any spam any more, and I would bet that viruses and trojans get weeded out.

      The crux of the debate here is … can we be sure that a Government department can provide the same levels of security around email as a giant corporation like Microsoft or Google can? I’m not sure.

    • “which isn’t subject to the same scanning processes as the corporate mail servers are”

      Depends how you set it up. The corporate versions of Gmail can allow you to accept the incoming mail yourself, run your own checks over it, then forward it to their servers, and the reverse in the case of outgoing mail.

      This more relates to the ordinary personal Gmail and Hotmail accounts that people may have to share jokes and images with their friends, and are often the source of malware infection on the corporate network.

      • Ah yes, true re Google Apps forwarding etc.

        I am still to see actual evidence that personal Gmail and Hotmail accounts are a source of malware infection on corporate networks though — I’ve heard zip from security vendors about this over the years. And you can bet that if it was a valid trend, they would have jumped on it ;)

        • In corporate IT, I’d be more worried that it’s an opportunity to get stuff out, largely undetected.

          Maybe someone should check KRudd’s Gmail account for all those nasty election leaks? ;)

  4. The real focus here should be on protocol agnostic data leakage prevention technology, but put that in the too hard basket. Webmail is merely one vector as Renai rightly points out. A DLP gateway with even basic policy settings would be a good first step, yet most organisations focus on a “system by system” approach meaning the proxy blocks webmail email via URL, the email system prevents encrypted files being sent, but some other protocol (take your pick of FTP, HTTPS to DropBox etc etc) are all left unattended. Even Twitter can be used to send information and files if required. A device / system agnostic DLP is the only real option for paranoid security auditors who actually know their stuff, yet I don’t see that in the report…

    • “protocol agnostic data leakage prevention technology”

      I’ve seen some great software that does this, it only allows certain people access to files/folders etc and if you try and email it out, it’ll either stop you if you are using internal email system or the file will be unreadable outside of the system.

      Also if your job role changes, then your access changes as well etc. Just a pity no one actually uses this kinda stuff cause it’s a pain in the arse to implement.

      • Was going to say “assholeish to implement”… ;)

        There are other ways to do it, such as fingerprinting of files, and detecting that fingerprint passing the gateway.

        Solutions to complex problems don’t necessarily need to be complex themselves.

  5. This is a futile exercise, unless you’re banning personal cell phones (i.e. Android and iPhone) from accessing the network and/or being able to connect to the “great unwashed” from inside the building.

    Ban USB devices while you’re at it.

    • True; technology is ubiquitous these days; trying to create locked down control zones is fruitless.

      Wait … *realizes he is typing this on iPhone*
