Email Technology Control Considerations

Discussion Document

December 1999

Prepared by: Benjamin Tomhave, formerly of Ernst & Young LLP, currently independent with Sanction, Inc. (tomhave@sanction.net)

Reviewed by: Mark Hornung, Ernst & Young LLP

PLEASE NOTE: This document is EXTREMELY dated!! It is provided here merely for historical purposes.

Content Management Control Considerations

Content management is a key aspect to protecting your intellectual content (property) and ensuring optimum employee performance. Content management includes blocking various Internet sites (porn, violence, alcohol, etc.), screening email for viruses and filtering for keywords in email messages.

There are many reasons for wanting to implement solutions for content management.  First and foremost is the need for protection of intellectual assets and confidential information.  Content management packages can screen email messages for keywords related to proprietary and confidential information, as well as provide controls and reporting for messages sent to competitors.

Second, it is been found that, with increased access to the Internet, employee performance has diminished slightly. This is caused by an increase in online browsing and messaging time.  Though the Internet is an important resource for research and information transfer, it can also be a drain on your productivity and bottom line.

Third, as email and email attachments become the prevalent method for sharing information, the threat of virus infiltration through Internet gateways has become a viable and immediate threat. Most content management packages now include some form of virus screening functionality that can detect most viruses. The packages also provide functionality for screening or stripping Java and Active X functionality from email attachments or web sites in order to protect the end user, your employee, from malicious attack.  Though these solutions cannot be all-encompassing and fail-proof due to increasingly complex types of attack, it still adds a nice level of assurance at the gateway level.

Fourth, there are considerable legal issues, such as sexual harassment, for which companies can now be held liable. Cases have been successfully made against companies who do not take appropriate proactive steps to stem sexual harassment or even intervene in cases involving domestic violence. Though this may seem hard to prove and outside the normal scope of the work environment, cases have shown that principles comparable to those represented by Good Samaritan laws apply to these types of situations.  Thus, by monitoring email for sexual and violent language, an organization could potentially detect and intervene in such a situation.

There are also concerns related to privacy issues. Though some cases have been successfully fought on the grounds of implied consent, there are still legal and ethical issues that need to be considered when implementing intelligence packages that monitor email for specific content.  Treating employees like subjects in a covert operation can also result in decreased morale and can impact retention.  Furthermore, the legal repercussions could include being sued over violation of privacy, quite similar to protection of employee information. To make an extreme case, consider a larger organization where HR may be centralized, despite several branch offices. A manager may have questions about a specific employee’s history and would contact HR to investigate. Should that email be sent via the Internet (using an extranet-type architecture), that information may become compromised, leading to loss of face or other civil liberty violations. Even if a Virtual Private Network (VPN; can be used to create an encrypted “tunnel” across the Internet, comparable to a leased lined connection, but much more cost-effective) has been implemented between offices, there still may be issues.  Though this may seem like a lightweight issue, it should not be overlooked, especially in light of increasing movements by organizations such as the ACLU to protect the rights of the individual and limiting constraints such as implied consent.  As a result, if implementing content management packages, it is recommend that legal consultation occur and that consent agreements be written to ensure an employee understands that they can and will be monitored.

Example Content Management Solutions

Moving on to technologies, it should be noted that there are a myriad of content management solutions.  However, one key to note is that most are host-based solutions, requiring another system to be added to the network-access chain, and potentially diminishing performance.  Though in some cases this may be an acceptable cost for monitoring employees, it could negatively impact database systems that are importing or exporting data across a WAN.

On the other hand, most firewalls now support integration of third-party packages, or include their own packages, for content management. Below are listed two firewall vendors (NAI and Check Point) who are providing leadership in the field of firewalls and have taken measures to introduce content management features into their products.  Other content management products are listed as well. Not mentioned in this listing are proxy firewall systems, such as MS Proxy.  Most proxies, by their very definition, incorporate content management and perform adequately.

Network Associates, Inc. (www.nai.com) -- NAI’s Gauntlet 5.5 provides new built-in features for virus scanning. The virus scan occurs when the traffic is received.  This functionality is highly configurable.  You can scan incoming messages only, messages going in either direction, outbound only, only incoming FTP traffic, only incoming email, etc.  There are performance impacts, though increasingly negligible, with scanning on the firewall.   NAI’s web site describes  the following: “In addition to newly integrated McAfee anti-virus scanning, Gauntlet 5.5 includes a package of powerful content filtering features to secure your day-to-day electronic business, including protection against fraudulent email addresses, anti-SPAM filters, advanced Java and ActiveX security, URL blocking, and fully integrated VPN capabilities - all controllable through one console.“   Gauntlet is a full-featured Firewall with several nice capabilities.  It is part of NAI’s PGP Total Network Security package.  Gauntlet partners with Cyber Patrol for content management.

Check Point (www.checkpoint.com) -- Check Point’s Firewall-1, through it’s OPSEC (Open Platform for Security) framework, provides APIs for third-party content-screening applications.   FW-1 allows for inclusion of virus screening, URL screening, Java and Active X stripping, and Mail Support.   Check Point partners with Surfwatch and Websense for content management.

Websense Enterprise  (www.websense.com) -- Provides Monitoring, Management and Reporting modules. Allows you to set and enforce Internet access privileges for the users on your network. Settings may be configured by type of permitted sites, by user, by time of day or day of week. This product blocks access to undesirable sites and issues warnings of Internet Access Policy violations.

Surfwatch (www.surfwatch.com) -- Features the ability for   full integration with Firewall-1.   Comparable to other filtering and content management packages.  Allows corporate Internet Access Policy to be implemented and enforced with notifications to system administrators or management upon violation.

X-Stop Internet Content Management (www.xstop.com) -- X-Stop can provide server plug-ins or external hardware or special software for use with Lucent Security Management software.  Performs several functions:  Internet access filtering based on sites and updated regularly (“porn filter”), Internet search engine monitor (based on key words), Newsgroup filter (based on key words – blocks newsgroups if content does not pass specifications), Email filtering (based on keywords or blacklisted sites – will actually replace blocked words with asterisks; requires network reconfiguration), and SPAM filtering.

TenFour (Sweden, www.tenfour.se) --   TenFour’s TFS Secure Messaging Server (SM/Server) provides content and location filtering for email as well as encryption mechanisms and virus scanning.

Junkfilter (junkfilter.zer0.org) -- Junkfilter is a free spam filtering tool that works in conjunction with procmail, a common UNIX-based mail-processing utility.   Highly configurable and free.

MailShield (www.mailshield.com) -- Another mail filtering tool to deal with spam.  Also designed to address mail relaying issues (which should be dealt with through mail server configuration).