How a Large Financial Services Company Protects Against Data Leaks with Lookout Secure Email Gateway
Regardless of industry or organization, corporate email is the leading cause of unauthorized and accidental data leaks. Employees constantly send emails to external parties that may contain sensitive company data, personally identifiable information, trade secrets and other intellectual property. Reducing the risk of exposing sensitive data through corporate email can be tricky, especially when a company moves from on-premises email to a cloud-hosted email service such as Gmail or Microsoft Exchange Online. Integrating on-premises devices with cloud-based email services creates complexity and inefficiency. A large financial services company became aware of this problem when it moved its email service to Microsoft Exchange Online and paired it with the Microsoft Outlook client. To complicate matters, its old email security solution from Symantec was running on-premises, which made its workflow much more complicated. To simplify its network design and ensure the efficiency of this new cloud model, the company turned to Lookout Secure Email Gateway (SEG).
Lookout SEG is cloud-hosted and deployed as an SMTP-based mail transfer agent (MTA) gateway inline with the customer's cloud-hosted outbound email from Exchange. Unlike the proxy-based approach employed by others, Lookout SEG does not require any additional software components. Because it is built on Lookout's integrated platform, it uses all the built-in data protection elements, including modern DLP and enterprise digital rights management (EDRM), to protect information inside and outside the organization's perimeter.
The challenge of data protection in e-mail
This high-profile client processes volumes of sensitive data every day for its financial markets clients. This data can be shared with up to 5,000 trusted web domains, often through an email exchange with multiple recipients at the same time. To operate effectively, the company needed to secure sensitive data without increasing complexity or limiting productivity. But the switch to Microsoft Exchange Online with the Microsoft Outlook client was not without problems.
Message traffic backhauling: clumsy and inefficient
While a cloud-hosted email solution offered many benefits, pairing it with Symantec’s on-premises email security solution was both clunky and ineffective. All incoming/outgoing email messages now had to pass from Microsoft Exchange Online in the cloud to a central on-premises data center where security policies were enforced. Only then could the message be sent back through the cloud and then onto the internet. You don’t have to be a network engineer to realize that this traffic backhauling approach puts a strain on expensive network elements.
Securing email traffic with Lookout Secure Email Gateway
Cloud-hosted Lookout SEG was deployed as an SMTP-based MTA gateway inline with the customer's cloud-hosted inbound/outbound email from Exchange. With the move to cloud-hosted messaging, one of the great appeals of Lookout SEG was that it eliminated backhauling and greatly simplified the customer's network design. As part of the Lookout Security Service Edge (SSE) platform, it also allows customers to apply unified DLP policies across every application or platform used.
Core features include:
· Advanced data recognition and classification
The first step in securing email is to identify and classify the sensitive data contained in the message. This is where Lookout really outshone its competitors. As one of the most advanced DLP solutions on the market, it supports nearly 300 file types, embedded content and multiple languages.
The platform deeply scans attached files to extract nested attachments and other embedded objects. Consider the case of an Excel spreadsheet embedded in a zipped Word file. In this example, the DLP software examines the zipped file, reads the Word document, analyzes it, finds and reads the Excel data, and analyzes that as well. It can also inspect various types of images such as JPEG, BMP, PNG, and SVG, as well as scanned documents such as PDFs, using Optical Character Recognition (OCR) to detect sensitive data. In short, the built-in DLP acts as a safeguard that identifies sensitive data before it is unintentionally exposed.
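The nested inspection described above (spreadsheet inside a Word file inside a ZIP) can be sketched as a recursive walk over ZIP-based containers. This is an added example, not Lookout's code; the card-number pattern, the depth and size limits, and the in-memory sample are constructed assumptions.

```python
import io
import re
import zipfile

# Constructed detector: 16-digit card-like numbers (illustrative pattern only).
CARD_RE = re.compile(rb"\b(?:\d{4}[- ]?){3}\d{4}\b")
MAX_DEPTH = 5                         # stop runaway nesting (archive-bomb guard)
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # skip members declaring more than 10 MiB


def scan(data: bytes, path: str = "attachment", depth: int = 0) -> list[tuple[str, str]]:
    """Return (container path, matched text) for every hit, descending into
    ZIP-based containers (.zip, .docx and .xlsx are all ZIP archives)."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            return [(path, "<nesting limit reached: quarantine for review>")]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                child = f"{path}!{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((child, "<member too large: not inspected>"))
                    continue
                findings += scan(zf.read(info), child, depth + 1)
        return findings
    for m in CARD_RE.finditer(data):  # leaf object: run the content detector
        findings.append((path, m.group().decode("ascii")))
    return findings


def _zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed sample: report.zip > memo.docx > embedded book.xlsx."""
    xlsx = _zip({"xl/sharedStrings.xml": b"<sst><si><t>4111 1111 1111 1111</t></si></sst>"})
    docx = _zip({"word/document.xml": b"<w:t>Quarterly figures attached</w:t>",
                 "word/embeddings/book.xlsx": xlsx})
    return _zip({"memo.docx": docx})


if __name__ == "__main__":
    for where, what in scan(build_sample(), "report.zip"):
        print(where, "->", what)
```

Hitting the nesting limit is reported as a finding rather than silently passed, so an over-nested attachment fails closed.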
· Automatically block unauthorized recipients
One of the main concerns for this client was the accidental transfer of sensitive data to unauthorized third parties. To solve this problem, the SEG allows IT security teams to define and apply policies based not only on content inspection, but also on contextual analysis. While content awareness involves opening the message to inspect the actual data being sent, context covers external factors such as sender and recipient, message header, and message size and format, which can be used to learn more about the content. The ability to combine message content and context was another value proposition over competing solutions. Now, when an employee mistakenly sends an email to an unauthorized party, SEG automatically removes that recipient before the message is sent, without affecting other authorized parties. Suspicious messages can be moved to a quarantine area for further analysis.
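A minimal sketch of combining content and context in one policy decision, as described above: strip only the unauthorized recipients, and quarantine when none remain. This is an added example, not Lookout's policy engine; the trusted-domain list, the `ACCT-` token pattern and the verdict names are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumptions for this sketch: a constructed allow-list and a constructed
# content detector (account-number-like token); real policies are richer.
TRUSTED_DOMAINS = {"partner-bank.example", "clearing.example"}
SENSITIVE_RE = re.compile(r"\bACCT-\d{8}\b")


@dataclass
class Verdict:
    action: str                      # "deliver", "deliver_filtered" or "quarantine"
    deliver_to: list = field(default_factory=list)
    removed: list = field(default_factory=list)


def domain_of(address: str) -> str:
    """Lower-cased domain of an address, or "" if it cannot be parsed."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def evaluate(envelope_rcpts: list, body: str) -> Verdict:
    """Combine content (sensitive match) with context (recipient domain)."""
    if not SENSITIVE_RE.search(body):
        return Verdict("deliver", deliver_to=list(envelope_rcpts))
    # Exact domain match only: a trusted name used as a prefix of another
    # domain (lookalike) must not pass.
    keep = [r for r in envelope_rcpts if domain_of(r) in TRUSTED_DOMAINS]
    drop = [r for r in envelope_rcpts if r not in keep]
    if not keep:                     # nobody left who may receive it
        return Verdict("quarantine", removed=drop)
    return Verdict("deliver_filtered" if drop else "deliver", keep, drop)


if __name__ == "__main__":
    rcpts = ["Ops <ops@Partner-Bank.example>",          # trusted, mixed case
             "bob@webmail.example",                     # not on the allow-list
             "x@partner-bank.example.lookalike.example"]  # lookalike domain
    print(evaluate(rcpts, "Wire reference ACCT-12345678"))
```

The decision is made on envelope recipients, since those are what an SMTP gateway actually delivers to, rather than on the `To:` header.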
· Support secure productivity with a wide range of remediation options
Accurately identifying the sensitive data the customer needed to secure was only half the problem. The ability to take corrective action was a key requirement for finding the right balance between productivity and safety. Lookout SEG offered a wide range of data remediation options, including:
Authorize and save
Apply data classification labels
Add a disclaimer
Integrate email security into every SSE solution
While the customer reviewed several vendors as part of their evaluation, the Lookout SSE solution was chosen because of its native data protection capabilities that extend to messaging through the use of SEG. By implementing Lookout SEG, the customer was able to remove their on-premises email gateway appliance with confidence. Now, its entire messaging workflow resides in the cloud. With business information flowing freely between employees and partners, the number of places where sensitive files can spread increases, making it increasingly difficult to ensure a secure information boundary. This client was able to reduce the likelihood of a data breach and therefore the business risk associated with it.