Admin - Privacy of email details
Idea shared by Merle Wait - 5/16/2018 at 4:30 PM
Long story very short:
An auditor of a gov't agency suggested to one of our clients that "we" (the email provider) may be in violation by being able, as ADMINs, to read/see our client's email while logged in as SM Admin.
So to be clear, the gov't agency suggested that when we are in ADMIN status, we shouldn't be able to read our client's email, either without approval or some sort of other control. Never mind that we obviously don't "read" our client's email; we just have access to their inbox/account to troubleshoot whatever problems exist.
Has anyone else had this issue raised? I am a little perplexed on how to respond to this auditor.

3 Replies

Respond to them that you are not just able to read every word, but run AI algorithms and train your machine learning systems on the contents of your customers' messages, and sell this material to Cambridge Analytica and similar companies.
You should not just get away with it but become an admired celebrity, as Zuckerberg or Google and all the others do. :-) Just kidding.
Security principles are built around Confidentiality, Integrity, and Availability. Europe's GDPR has raised a ruckus over the confidentiality piece. But the email infrastructure is dominated by unsolicited content sent from malicious servers and from non-malicious servers with user accounts that were compromised by password-guessing techniques or other methods. Quite simply, the Integrity requirements of the email infrastructure require some loss of confidentiality.
System administrators have a responsibility and an expectation to act on behalf of the user to protect them from hostile and unwanted mail, and this cannot be done successfully without occasional access to the message body. If the user wants full privacy, he can use OpenPGP, S/MIME, or PKI certificates to ensure end-to-end encryption. All of this can be documented with a statement of privacy practices.
Hospital patients have privacy rights, but hospitals also have security cameras. This means that a security guard may see Miss Celebrity in her bathrobe without makeup, and that picture may be recorded. The existence of the picture does not constitute a privacy violation when it is part of a system for patient safety. All of this applies as long as the photo is not leaked for unauthorized purposes.
You may want to ask him what mail system has met his expectations. I've worked with 3 different mail systems in my career. I can think of ways to get access to user mailbox data on all of them without even logging in to the mail software.
1. A high level of separation in duties would be required to meet his expectation no matter the system. In other words, you would need multiple administrators where each one keeps an eye on the others.
Take Exchange, for instance: it runs on a Windows server and requires an administrator to administer it. There are mail components, database components, and permission-based security. As an administrator on the server you can remove the permissions that permit administrators to access mailboxes. You can therefore restore the permissions when convenient. The database can be offloaded, where you can run Exchange recovery software on it or perhaps set it up on your own Exchange server. Between the mail admin, database admin, and backup admin there will be at least one person who can access the data at will unless the contents are encrypted. In SmarterMail the email data is stored in .grp files that can be parsed with any text editor. Having access to the storage location of user mailboxes is also access to their emails.
2. Permission-based security must be coupled with good logging and routine auditing.
It's not enough to secure access to resources. Access to those resources must be audited to ensure you don't have bad actors rummaging through your system. If you see an administrator logging in to accounts for no apparent reason then you might have a problem.
3. If you have access to the server containing the private SSL key then you can capture SSL/TLS packets and decrypt them. With a little programming those packets can be parsed to extract all email data.
In the end, having proper security permissions is important, but there will always be someone with access to mail data unless the mailbox users have implemented their own form of encryption. Monitoring and auditing the system is just as important to ensure your permissions are effective and users with elevated permissions aren't abusing them. You can implement restrictions to limit use of external storage devices, set up detailed logging when folders are accessed, send an alarm if x amount of data is moved, or parse log files for specific events that trigger an alarm. But if you are the one and only administrator, there are ways around nearly everything.
We recently had an issue with Office 365 where a user requested support for a OneDrive issue. The user keeps unencrypted data on their OneDrive because someone told her it was secure. Sure, Microsoft implements storage-level encryption, but that doesn't prevent support from seeing your files. The user received the support they requested and everything was fine until the next morning when she couldn't locate a particular folder. I was able to look through the Office 365 logs and saw that she had mistakenly copied the folder into another folder. But I also found that several hours after her support session ended the support rep accessed her files twice. This was under the pretense of "following up" on the support ticket but most certainly could have been any reason they wanted. If you're not encrypting on a per-file or per-email basis then someone has access to that data, period.
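The auditing point above (log admin access to mailboxes, alarm on unexplained access and on bulk data moves, and the support rep who came back hours after the ticket closed), as an added example that is not part of the thread: it correlates constructed admin mailbox-access log lines with a constructed support-ticket register and flags accesses with no open ticket or with an oversized export. The log format, ticket register, grace window and bulk threshold are all assumptions, not SmarterMail's or Office 365's own formats.

```python
from datetime import datetime, timedelta

# Constructed sample admin-access log lines (assumed format): time, admin, mailbox, action
LOG_LINES = """\
2018-05-16T09:02:11 admin=alice mailbox=bob@example.com action=impersonate ticket=T-101
2018-05-16T09:10:45 admin=alice mailbox=bob@example.com action=read_message
2018-05-16T15:40:02 admin=alice mailbox=bob@example.com action=read_message
2018-05-16T15:41:10 admin=alice mailbox=bob@example.com action=export_folder bytes=52000000
2018-05-16T16:00:00 admin=carol mailbox=dan@example.com action=read_message
"""

# Constructed ticket register: ticket id -> (mailbox, opened, closed)
TICKETS = {
    "T-101": ("bob@example.com",
              datetime(2018, 5, 16, 8, 55), datetime(2018, 5, 16, 9, 30)),
}

GRACE = timedelta(minutes=15)   # assumed: access is still justified shortly after ticket close
BULK_BYTES = 10_000_000         # assumed: an export larger than this is always reviewed


def parse(line):
    """Turn one 'time key=value ...' log line into a dict with a datetime 'time'."""
    ts, *pairs = line.split()
    rec = {"time": datetime.fromisoformat(ts)}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def audit(lines, tickets):
    """Return (admin, mailbox, time, reason) tuples for accesses that need review."""
    findings = []
    for line in lines.strip().splitlines():
        rec = parse(line)
        # An access is justified only while a ticket for that mailbox is open (plus grace).
        covered = any(mbox == rec["mailbox"] and opened <= rec["time"] <= closed + GRACE
                      for mbox, opened, closed in tickets.values())
        if not covered:
            findings.append((rec["admin"], rec["mailbox"], rec["time"], "no open ticket"))
        # Bulk exports are flagged regardless of ticket state.
        if int(rec.get("bytes", 0)) > BULK_BYTES:
            findings.append((rec["admin"], rec["mailbox"], rec["time"], "bulk export"))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG_LINES, TICKETS):
        print(*finding)
```

The two morning entries fall inside the ticket window and pass; the two afternoon entries by the same admin and the access by an admin with no ticket at all are reported, the export twice.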
