Advanced data management for corporate and cloud environments


Email security in the cloud - reducing cost of ownership

Internet email has always been "in the cloud" and so was a natural target for pioneering cloud providers to augment with email security services, such as virus protection and spam defences.

One of the key services offered by such providers is to protect against the illicit harvesting of an organisation's valid email addresses. Such harvesting can be achieved by the sending of email to an array of possible recipients and checking to see which addresses are rejected - it's much like the cold calling of random phone numbers. To stop these attacks an email security provider needs to be able to check for valid recipient addresses, filtering out email to invalid addresses and silently dropping them. To perform this filtering requires each customer to make available a list of valid email addresses to their provider and ensure that list is kept up to date.

The maintenance of this email address list represents a significant potential cost of ownership issue for the cloud service customer - so let's look at some of the issues.

How to share the knowledge?

Typically the knowledge of this set of valid email addresses resides in a critical repository such as an organisation's network directory or HR database, so the manner in which this information is shared with the cloud provider raises serious issues of trust, performance and accuracy.

Even for small organisations with few users and email addresses it is a burden to manually administer a list of email addresses via the web portal of a cloud provider. So the options are:

  • have the cloud provider directly interrogate the corporate directory - PULL
  • export the relevant information to the cloud provider - PUSH

Pull - too open?

Opening the corporate directory to interrogation from the cloud would allow dynamic look-up of the relevant information, but a per-email look-up would be impractical due to the performance impact on both the cloud service and an organisation's critical directory or database. Having the cloud service directly extract the valid addresses as a batch operation would still require careful control of the access to ensure that only what's needed is accessed and no more. However, granting such access rights to an external service raises serious challenges for access management. Even if such external access can be adequately controlled, the required data may not reside in one repository.

Push - keeping control?

By focussing on "pushing" the required information to the cloud provider, an organisation can retain control over what data is exported, ensure its accuracy and control the loading on their critical information systems.

Where does the knowledge reside?

Unfortunately, for many organisations the set of valid email addresses does not reside in a single authoritative address book or directory. This may be due to operating a mix of email systems, e.g. Exchange, Notes and Unix servers with local addresses. Corporate acquisitions further compound the problem, either for a transitional period or as a permanent fragmentation of data sources.

Some email systems, such as Notes/Domino, have very flexible email address matching rules, allowing the user part of an Internet email address (i.e. joe.bloggs@...) to take a number of forms. This represents a particular challenge, as a user may effectively have a number of Internet email aliases, none of which explicitly appears in a directory or address book.

Is the knowledge correct?

Within most organisations, there are many more email addresses than users. This is not necessarily a result of bad housekeeping as there are many legitimate reasons for this, including supporting multiple email aliases. In addition the addresses needed by the cloud provider are only those that should receive email from the Internet, so this excludes addresses such as:

  • send-only addresses e.g. used only for automated mailing
  • local internal-only addresses e.g. for users of local domains or sub-domains
  • unpublished system addresses e.g. server administration addresses

It is therefore important to export the right information to ensure the cloud provider can deliver the necessary protection without opening up new vulnerabilities.

Is the data clean?

Even having located all the relevant email addresses within the organisation that you want to externalise, some of the final challenges will involve transforming the data in order to:

  • remove duplications (e.g. remove or modify those with deprecated domains)
  • correct the formatting

How frequently does the data change?

One of the most important aspects in providing the email address information to a cloud provider is the issue of "timeliness". When a new user joins the organisation, their new email address needs to be made known to the cloud provider in a timely manner which fits with the service update cycle. An automated synchronisation can take care of the routine additions and deletions taking place on the email address set. The frequency of this synchronisation depends both on the rate at which the source data changes and on the service update cycle of the cloud provider: there is little point in running an hourly synchronisation when the cloud provider only updates their systems once a day.

In order to minimise the scale of the synchronisation operation, a complete export of the email address set should only be necessary on day one and the routine task kept focussed on add/delete/modify operations.
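The cleaning steps and the add/delete calculation described above, as an added sketch (not Schemus code and not part of the original page). The domains, addresses and exclusion lists are constructed, and the limit on deletions per run is an added assumption that stops an unreadable source from emptying the provider's list.

```python
# Added example (not Schemus code). Domains and addresses are constructed.
DEPRECATED_DOMAINS = {"oldco.example": "corp.example"}  # assumed: acquired domain
INTERNAL_ONLY_DOMAINS = {"lan.corp.example"}            # assumed: local sub-domain
EXCLUDED = {"noreply@corp.example", "srvadmin@corp.example"}  # send-only, unpublished

def normalise(raw):
    """Correct formatting; return None when the entry is not an address."""
    addr = raw.strip().strip("<>").lower()  # assumes case-insensitive local parts
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or "." not in domain or " " in addr:
        return None
    return f"{local}@{DEPRECATED_DOMAINS.get(domain, domain)}"

def build_export(*sources):
    """Merge all sources, clean, drop addresses that must not be exported."""
    export, rejected = set(), []
    for source in sources:
        for raw in source:
            addr = normalise(raw)
            if addr is None:
                rejected.append(raw)          # report it, never guess a fix
            elif (addr not in EXCLUDED
                  and addr.rpartition("@")[2] not in INTERNAL_ONLY_DOMAINS):
                export.add(addr)              # the set removes duplicates
    return export, rejected

def delta(previous, current, max_removed_fraction=0.5):
    """Additions and deletions since the last run, refusing a suspicious purge."""
    added, removed = sorted(current - previous), sorted(previous - current)
    if previous and len(removed) / len(previous) > max_removed_fraction:
        raise ValueError("too many deletions; check that every source was read")
    return added, removed

# Constructed sample input: one directory export, one flat file, last run's set.
DIRECTORY = ["Joe.Bloggs@corp.example", " jane.doe@CORP.example ",
             "noreply@corp.example"]
UNIX_FILE = ["joe.bloggs@oldco.example", "root@lan.corp.example",
             "<ann.lee@corp.example>", "broken-entry"]
PREVIOUS = {"joe.bloggs@corp.example", "left.user@corp.example"}

if __name__ == "__main__":
    export, rejected = build_export(DIRECTORY, UNIX_FILE)
    print("export:", sorted(export), "rejected:", rejected)
    print("delta :", delta(PREVIOUS, export))
```

Only the two lists returned by `delta` need to leave the organisation on a routine run; the full export set is sent on day one.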

The Schemus CloudBase solution

The leading provider of email cloud security has supplied Schemus CloudBase to its customers since 2006, primarily to enable each customer to synchronise their email address set with the cloud service.

Each customer deploys Schemus CloudBase in their local environment so that email address data can be easily extracted from various sources including directories and files. A simple wizard interface enables rapid configuration.

During each synchronisation task any required transformations are performed on the data before it is deduplicated and the updates calculated. Customers can choose the frequency with which to synchronise their data with the cloud and the calculation of updates keeps the data exchanged to a minimum. A specialised CloudBase "connector", unique to the cloud provider, is used to provide secure transmission of the data to the cloud.

As well as providing scheduled synchronisation, Schemus CloudBase provides an interactive means to reset the cloud data set and to reset the update calculation based upon the cloud data set.

Schemus CloudBase is relied upon by the customers of one of the pioneers of cloud security and has been deployed to thousands of customers since 2006. It is in constant use by a wide range of organisations, including enterprises with over 500K users.
