The Department of Defense’s standard definition of data integrity (taken from Department of Defense Definition 5200.28, “Security Requirements for Automated Information Systems (AISs)”) is
This requirement breaks neatly into two separate subrequirements. One is that a system with good data integrity controls protects data from modifications
Confidentiality and privacy are the two security domains that users most commonly associate with messaging systems; rightly or wrongly, most e-mail users expect their messages to
Confidentiality means that information stored or transmitted cannot be read except by the intended recipients. Privacy means that information is not disclosed except under the control, and with the permission of, the owner. For messaging systems, these two attributes quickly become intertwined. Consider these basic scenarios to see the relationship between them, and the effect that various Exchange features have on them.
First, imagine that Alice sends an unencrypted message to Bob. The message could
Now, what happens if Alice sends a Secure Multipurpose Internet Mail Extensions (S/MIME) encrypted message to Bob? Let’s assume that Exchange’s message tracking feature is turned off so that no record of the message’s transit
There’s a third scenario, too. Let’s say that Alice doesn’t use S/MIME, but that her server and Bob’s server communicate over a link secured by the Internet Protocol security (IPsec) extensions. In that case, the message isn’t protected between the servers and the users, and it’s stored unencrypted. Confidentiality and privacy are protected only as the message
Note: If these three scenarios seem confusingly similar, don’t worry; we cover them again, with diagrams, in Chapter 2, “Security Protocols and Algorithms,” and Chapter 12, “E-Mail Encryption,” explains how Exchange implements secure end-to-end messaging between Alice and Bob.
The unifying theme in these three scenarios is that the degree of privacy and confidentiality provided varies according to the security mechanisms used. In the
As Ben Franklin said, “Three may keep a secret, if two of them are dead.” This is perhaps too drastic an approach for most situations. However, it’s useful to examine how confidentiality is kept in
Making good trust decisions
At some point, you have to trust your administrators; after all, they have administrative privileges on computers to which they have unlimited physical access, so it’s likely that they can read anything they choose to. Depending on the value of the data in your systems, it might be worth the additional expense to do the same kinds of background checks commonly done for senior executive
Encrypting critical information so that it’s unreadable to unauthorized personnel
Encryption is a staple of military and diplomatic communications because messages are often sent using
Imposing strong physical and network security controls
Whenever possible, you should prevent eavesdroppers from gaining access to your communications in the first place. This can be as simple as locking your mail servers in a room and tightly restricting access or as complex as using IPsec to encrypt all traffic traversing your network. Physical and network security go hand in hand, because an attacker who can gain physical access to a network connection can still be foiled by the right network protections, like restricting which media access control (MAC) addresses the ports on a network switch talk to or using the Institute of Electrical and Electronics Engineers (IEEE) 802.1X authentication protocol on wireless connections.
Applying legal or administrative constraints
Nondisclosure agreements might seem useless because they don’t provide any technical protection. However, most people abide by their agreements,
At various points in the remainder of the book, we discuss how each of these approaches can help you protect the confidentiality of message traffic.
In general, privacy is harder to protect than confidentiality because the range of data that users consider private can vary quite widely, and there are many possible routes for disclosure. In addition, users tend to be more sensitive to, but less aware of, threats to their privacy than to the confidentiality of messages they send. Messaging privacy depends on two main items: restricting the availability of data about messages and restricting who can read mail, either while it is in transit or after storage.
Every message contains header data that we normally ignore for confidentiality purposes. Message headers provide lots of useful information about who originated a message, to whom it was sent, the
Received: from sun1.fabrikam.com ([192.168.0.35]) by cyclone.robichaux.local with Microsoft SMTPSVC(5.0.2195.4905); Sun, 23 Jun 2002 10:34:52 -0500
Received: (from adatum.com@localhost) by sun1.fabrikam.com (8.9.3+Sun/8.9.3) id LAA04470; Sun, 23 Jun 2002 11:41:14 -0400 (EDT)
Date: Sun, 23 Jun 2002 11:41:14 -0400 (EDT)
Message-Id: <200206231541.LAA04470@sun1.fabrikam.com>
From: customer_service@adatum.com
Comment: 06/23/02NEXTBILLpaul@robichaux.net2xxxxxxxxx
Reply-To: customer_service@adatum.com
To: paul@robichaux.net
Subject: Your Online Statement (2xxxxxxxxx)
MIME-Version: 1.0
Content-Type: text/html
Return-Path: adatum.com@sun1.fabrikam.com
X-OriginalArrivalTime: 23 Jun 2002 15:34:53.0365 (UTC) FILETIME=[851B7E50:01C21ACB]
From this, I learn that my provider has outsourced its e-bill service to a third party, what version of the UNIX sendmail program they used to send me the message (8.9.3), the operating system of their mail server (Sun Solaris), and the name and IP address of the server. I also see that the company kindly included my telephone number in the Comment and Subject fields. So much for my privacy! Some of this information would be extremely useful to an attacker; besides that,
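The header walk-through above can be automated as a small outbound-mail privacy audit. The Python below is an added example, not code from the book: it parses the trace quoted above (reconstructed one header per line, with the author's redacted digits kept as "2xxxxxxxxx"), pulls the relay hosts, client IP and MTA software out of the Received: headers, and flags ten-digit account or phone numbers in the Subject and Comment headers. The function names and the treatment of "x" as a redacted digit are this example's own assumptions.

```python
import re
from email import message_from_string

# Constructed sample: the header trace walked through on this page, one header per
# line; the author's redaction of the account/phone number ("2xxxxxxxxx") is kept.
SAMPLE_HEADERS = """\
Received: from sun1.fabrikam.com ([192.168.0.35]) by cyclone.robichaux.local with Microsoft SMTPSVC(5.0.2195.4905); Sun, 23 Jun 2002 10:34:52 -0500
Received: (from adatum.com@localhost) by sun1.fabrikam.com (8.9.3+Sun/8.9.3) id LAA04470; Sun, 23 Jun 2002 11:41:14 -0400 (EDT)
Date: Sun, 23 Jun 2002 11:41:14 -0400 (EDT)
Message-Id: <200206231541.LAA04470@sun1.fabrikam.com>
From: customer_service@adatum.com
Comment: 06/23/02NEXTBILLpaul@robichaux.net2xxxxxxxxx
Reply-To: customer_service@adatum.com
To: paul@robichaux.net
Subject: Your Online Statement (2xxxxxxxxx)
MIME-Version: 1.0
Content-Type: text/html
Return-Path: adatum.com@sun1.fabrikam.com
X-OriginalArrivalTime: 23 Jun 2002 15:34:53.0365 (UTC) FILETIME=[851B7E50:01C21ACB]

"""
# Ten-digit account or phone numbers in human-readable headers; 'x' stands in
# for digits the author redacted (an assumption so the sample still triggers).
ACCOUNT_RE = re.compile(r'(?<!\d)\d[\dx]{9}(?!\w)')
HUMAN_HEADERS = ('Subject', 'Comment')

def parse_received(value):
    """Pull the sending host, its IP and the receiving MTA's software from one Received: header."""
    value = ' '.join(value.split())  # unfold the header onto one line
    frm = re.search(r'\bfrom\s+\(?([\w.@-]+)', value)
    ip = re.search(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]', value)
    # "by HOST with SOFTWARE;" (Exchange/IIS style) or "by HOST (SOFTWARE) id ..." (sendmail style)
    by = re.search(r'\bby\s+([\w.-]+)(.*?)(?:;|\bid\b)', value)
    software = None
    if by:
        software = re.sub(r'^with\s+', '', by.group(2).strip())
        if software.startswith('(') and software.endswith(')'):
            software = software[1:-1]
    return {'from': frm.group(1) if frm else None, 'ip': ip.group(1) if ip else None,
            'by': by.group(1) if by else None, 'software': software or None}

def audit_headers(raw):
    """Report what a recipient (or an eavesdropper) learns from the headers alone."""
    msg = message_from_string(raw)
    relays = [parse_received(v) for v in msg.get_all('Received', [])]
    identifiers = [(name, ident)
                   for name in HUMAN_HEADERS
                   for value in msg.get_all(name, [])
                   for ident in ACCOUNT_RE.findall(value)]
    return {'relays': relays, 'identifiers': identifiers}
```

Run against the sample, the relay list reproduces the disclosures the text lists (sendmail 8.9.3 on a Sun host, the server name and IP) and the identifier list shows the account number appearing twice.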
The second privacy factor is potentially more
Of course, there will be times when through no fault of your own you’ll read someone else’s mail. At most organizations, someone has to read messages sent to the Postmaster mailbox, and these messages often include misdirected or misaddressed mail that communicants would consider private. There are also a number of circumstances that might require administrators to monitor a user’s mail.
The best defense for users’ privacy is to make them explicitly aware that the owner of the server (for example, the company or organization that provides their messaging service) might read their mail if necessary. This awareness is often driven by an acceptable use policy of some