Two months ago I wrote a post about why the United States needs Zero Trust Security for Email.
In that post, we noted that, upon closer inspection, the phishing attacks evading detection were being sent via legitimate American infrastructure companies like Amazon, Sendinblue, Twilio, Mailchimp, and Mailgun.
In addition, we saw headlines like this:
White House Weighs New Cybersecurity Approach After Failure to Detect Hacks (NY Times)
“Both hacks exploited the same gaping vulnerability in the existing system: They were launched from inside the United States — on servers run by Amazon, GoDaddy and smaller domestic providers — putting them out of reach of the early warning system run by the National Security Agency.
The agency, like the C.I.A. and other American intelligence agencies, is prohibited by law from conducting surveillance inside the United States, to protect the privacy of American citizens.”
It was clear to us that we could no longer trust email simply because it was sent from American hosting and infrastructure companies.
In short, a new system was needed. And quickly.
As such, this post is a summary of what we rolled out to our customer base this week: Zero Trust Email.
Zero Trust Security recap
As a recap, Zero Trust is an IT security framework that requires strict identity verification for every person and device trying to access resources on a private network.
The philosophy behind Zero Trust security assumes there are attackers both within and outside of the network, therefore no one and nothing should automatically be trusted.
It should be noted that no single technology is associated with Zero Trust architecture.
Zero Trust Email
We chose to focus on multi-factor authentication (MFA) for our implementation of Zero Trust Email.
MFA involves requiring more than one piece of evidence to authenticate a user. For the end user, this is often a piece of information on their phone, either a code sent via SMS or one generated by an authenticator app.
For our purposes, we chose to use MFA not to authenticate a user per se, but a machine.
Here’s an example. Let’s say a mail server is attempting to send an email to our customer. Since we serve as the MX record for our Paubox Email Suite Plus and Premium customers, the sender’s mail server sends it to Paubox first.
During the SMTP conversation between mail servers, let’s say the sender announces itself as being a part of Amazon’s SES platform. Using existing tools like RBL, SPF, DKIM, and DMARC, Paubox verifies that the sending mail server is indeed part of Amazon SES.
With our new Zero Trust Security for Email feature however, those checks aren’t good enough. We now require one more piece of evidence to authenticate the email is truly legitimate and not a phishing attack cloaked under the guise of Amazon’s email platform.
This new piece of evidence is unique to each customer and changes based on time and usage. In other words, it’s very difficult for bad actors to impersonate.
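To make the idea of a second factor for a machine concrete, here is an added example (not Paubox’s code, and not a description of its actual mechanism): a gateway policy that treats RBL/SPF/DKIM/DMARC as necessary but not sufficient, and additionally requires a per-customer HMAC token that changes with the time window and with each use. The header name, token format and 300-second window are assumptions made for the illustration.

```python
"""Constructed illustration of 'MFA for a machine' at an inbound mail gateway.

The conventional checks must pass, and the sender must also present a token
bound to the receiving customer, the current time window and a usage counter.
Header name and token scheme are hypothetical, not the product's real design.
"""
import hashlib
import hmac

WINDOW = 300  # seconds a token stays valid (assumption)
TOKEN_HEADER = "X-Customer-Auth-Token"  # hypothetical header name


def machine_token(secret: bytes, customer: str, counter: int, now: float) -> str:
    # Bound to customer + time window + usage counter, so a token captured from
    # one customer's traffic, or replayed later, does not verify.
    msg = f"{customer}|{int(now // WINDOW)}|{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def verify_token(secret: bytes, customer: str, counter: int, now: float, token: str) -> bool:
    # Accept the current or the immediately preceding window to tolerate clock skew.
    for back in (0, 1):
        expected = machine_token(secret, customer, counter, now - back * WINDOW)
        if hmac.compare_digest(expected, token):
            return True
    return False


def accept_message(auth: dict, headers: dict, customer: str, secret: bytes,
                   state: dict, now: float) -> str:
    """Return 'accept' or a 'reject: <reason>' string for one inbound message."""
    # Step 1: RBL, SPF, DKIM and DMARC results (as produced by the MTA) are
    # required, but on their own they only prove the sender is who it claims.
    if auth.get("rbl_listed"):
        return "reject: listed on RBL"
    if not all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        return "reject: authentication failed"
    # Step 2: the customer-specific second factor.
    token = headers.get(TOKEN_HEADER)
    if token is None:
        return "reject: missing second factor"
    if not verify_token(secret, customer, state["counter"], now, token):
        return "reject: invalid second factor"
    state["counter"] += 1  # usage advances, so the same token cannot be replayed
    return "accept"
```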
How much does Zero Trust Security for Email cost?
Zero Trust Security for Email is now part of Paubox Email Suite Plus and Premium. If you are an existing customer, we deployed this at no additional charge to you this week. If you’re a new customer, our prices have not increased.
In short, we added this new feature at no additional cost. It’s part of our commitment to market leadership in the HIPAA compliant email sector.