Why We Can't Secure Our Data with Business as Usual

Continuing to send email attachments is costly, dangerous, and unnecessary, given the readily available alternatives. It is time to tackle the root causes of our cybersecurity challenges rather than the symptoms.


Email attachments seem innocuous, but they are not. A design that dates back 50 years, inefficient from its inception, has become a destructive force that diverts our precious resources as we continually tackle its collateral effects, collectively resigned to a status quo that need not be.


Around 306 billion emails are sent and received every day. In the corporate environment, about 25% of messages carry file attachments, or 76 billion messages [1]. These are big numbers, among the biggest for any form of communication today. It is past time to question this most common file-sharing method, especially considering the billions of dollars spent trying to mitigate problems rooted in this outdated technology. An astounding amount of resources (time, money, effort, and lost opportunity) is directed at securing, governing, and managing the detritus of this archaic model of file exchange [2]. It is time to question it, in particular, because for years secure file links have stood as a readily available alternative.


The problems with email attachments stem largely from two aspects of email's architecture: duplication of content (data sprawl) and a lack of security.


Email is data sprawl on an epic scale


Data Sprawl

The email attachment model of embedding a copy of a file into the message guarantees that data will be duplicated. This duplication grows exponentially when coupled with the common end-user behavior of copying (Cc, Bcc) and forwarding messages to others, even to those who will never open the embedded file. Taking available data, we can estimate the number of files each business worker sends and receives per year at 17,125 [7]. For lack of data, this calculation assumes that an email with an attachment carries only one file, which clearly underestimates the total number of files duplicated in email. In a previous article, we calculated that around 6,000 of these attachments are completely ignored. These numbers represent only the files in the user's inbox, not the copies in redundant servers and archival systems, which further multiply the quantity. Furthermore, those attachments that do get read are often saved locally, thereby creating yet another copy on the recipient's device. Finally, and also not accounted for in these statistics, is the additional duplication resulting from the recipient's possession of multiple devices (e.g., laptop, mobile, etc.), each of which receives its own copies. In an enterprise with one redundant email server and one email archive, we can comfortably assume that, at a minimum, each user represents more than 50,000 files per year.


File distribution by email attachments vs. share links. Attachments are copied every time an email is stored and every time an attachment is accessed; file links only create a copy when the file is accessed. The scenario does not account for copies in external systems (e.g., CRM) or copies created by forwarding within the recipient's email system.

With email attachments representing, very conservatively, around 17,000 files per worker per year, we conclude that in a 1,000 person company a staggering 17 million file copies are created every year as a result of email’s file-sharing methodology — or about 50 million file copies given email redundancy and archives, but not accounting for the copies used by recipients outside of the email message. Email is data sprawl on an epic scale.


Available statistics estimate, on average, around 55,000 file duplicates created per business user per year as a result of email attachments, in a scenario of one redundant email server and one archive. The file copies attributed to file links refer only to downloads; when a file link is sent, the email itself contains no file.

As a result of this explosive generation of duplicated content, most of it useless and all inefficient [3], our businesses, governments, schools and every organization that relies on email as their primary communication platform have to deal with an insurmountable challenge for information security, governance, and infrastructure cost.


Security, Governance?

The data sprawl problem wouldn't be as bad if the files sent through email were encrypted or tracked. Unless the user takes extra encryption steps, email attachments are completely insecure and provide no tracking of their whereabouts or of who is looking at them. Each of those 17,000 files per user per year is readily accessible to whoever has a copy of the email, and that includes the attackers who breach the email system, the backup servers, a misplaced device, a PST file, etc., whether in your organization or in any organization you communicate with. Furthermore, because an attachment cannot be revoked once it has been sent, when systems are breached, valuable corporate content sent years earlier is still there.


Like smoke from a diesel truck, information leakage, and its resulting liability, is the natural byproduct of our emails


The anonymity of attachments also facilitates their usage as a means of cyber-attack by bad actors. Commonly classified as the primary vector of attack, email and its attachments provide an ideal delivery mechanism by which to bypass company defenses and get malicious code executed on the user’s device, well behind the company’s firewalls [4].


The sheer volume, distribution, and lack of inherent security of email make controlling our data an impossible task.

Companies spend millions of dollars on data loss prevention and data security solutions, from requiring multi-factor authentication and installing network border systems to providing regular employee information security training [5]. In addition, regulations require responsible custodianship of data and penalize infractions heavily [6]. But how can the CIO, even the savviest armed with the biggest budget, contain a fundamental architectural flaw inherent in the Internet's oldest and most widespread technology, an architecture that replicates, with viral efficiency, unprotected, untraceable copies of corporate content inside and outside of the organization, across multiple devices and systems!?


Solution

Actually, there is a solution, and there is a good chance you've used it. Partly in response to email's limitations, the rapid growth of cloud content storage platforms (e.g., Box, Microsoft OneDrive, Google Drive, Egnyte) provides a new model of file exchange. The cloud storage model does not send a copy of the file; it sends a link to the file stored by the sender. This model is the direct opposite of the email attachment model, and its benefits are multiple. The epic data sprawl caused by email attachments is reduced by more than 75%, because files are now only distributed to those who are interested, eliminating the aforementioned 6,000 files per user per year that go unread. If we include the elimination of copies sent, but never read, on different devices, backups and redundant email systems within and outside of the organization, we can estimate a reduction of greater than 90% in file sprawl. With the drastic reduction in distributed files comes a concomitant reduction in the network bandwidth and storage required to transmit and save unused files, plus an additional bonus reduction of 37% in file sizes from avoiding email's archaic file encoding mechanism [3]. Just accounting for attachments in users' mailboxes, available statistics attribute around 8 GB of files per business user per year, or around 7.8 TB per year for a 1,000 person company on the email server, another 7.8 TB for any redundant servers, more for archival systems, and more for attachments saved to local devices [1]. The use of cloud storage share links eliminates all the storage of attachments not viewed by recipients or copied to auxiliary email infrastructure.


The cost of rampant email data sprawl is reflected not only in the number of files copied but also in the bandwidth and storage required to transmit and store them all. Conservative estimates put a year's worth of email attachments for a 1,000 person company at 7.8 TB, or 20 TB when including email redundancy and archives.

With regard to security, cloud storage links offer significant benefits for the sender and the recipient. For the sender, access to files can be controlled: it can require authentication, allow only viewing (no download), and expire even after delivery of the message. For the recipient, cloud links provide a safe preview of file content away from the local device, eliminating the danger of malicious code execution. They also establish origin, because the secure URL points back to an authenticated cloud storage account that has an owner, a detailed audit trail, and security controls over how the file got there. In the event of a malicious file served from a cloud storage account, internal IT can more easily contend with a single URL than with a massively distributed email message. Finally, file delivery is encrypted end to end, which is of interest to both parties.
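As an added illustration of the controls this paragraph lists (authentication-bound access, view-only permission, expiry after delivery, revocation, and an audit trail), the following Python sketch models a signed share-link service. It is example code written for this page, not the API of Box, OneDrive, Google Drive, Egnyte or MXHero; the `ShareService` class, the `files.example.invalid` host, the signing key, and the file and user identifiers are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed server-side signing key; a real service would keep it in a KMS or HSM.
SECRET = b"constructed-demo-key-not-for-production"
BASE_URL = "https://files.example.invalid/s/"  # hypothetical link host


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class ShareService:
    """Issues, verifies, revokes and audits signed share links (illustrative only)."""
    revoked: set = field(default_factory=set)        # token ids withdrawn by the owner
    audit: List[Dict] = field(default_factory=list)  # one record per access attempt

    def issue(self, file_id: str, owner: str, permission: str, ttl: int, now: float) -> str:
        # The payload states exactly what the link grants; the MAC binds it to this server.
        payload = {
            "jti": hashlib.sha256(f"{file_id}|{owner}|{now}".encode()).hexdigest()[:16],
            "file": file_id,
            "owner": owner,
            "perm": permission,        # "view" (preview only) or "download"
            "exp": int(now) + ttl,     # absolute expiry, enforced on every access
        }
        body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
        sig = _b64url(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
        return f"{BASE_URL}{body}.{sig}"

    def revoke(self, link: str) -> None:
        """Owner withdraws a link after delivery; an emailed attachment has no equivalent."""
        self.revoked.add(self._parse(link)[0]["jti"])

    def access(self, link: str, requester: str, action: str, now: float) -> Tuple[bool, str]:
        """Check a link for `action` ("view" or "download"); returns (allowed, reason)."""
        try:
            payload, valid_sig = self._parse(link)
        except (ValueError, KeyError):
            return self._log(None, requester, action, now, False, "malformed")
        if not valid_sig:
            return self._log(payload, requester, action, now, False, "bad-signature")
        if now >= payload["exp"]:
            return self._log(payload, requester, action, now, False, "expired")
        if payload["jti"] in self.revoked:
            return self._log(payload, requester, action, now, False, "revoked")
        if action == "download" and payload["perm"] != "download":
            # A view-only link cannot be upgraded to a download by the client.
            return self._log(payload, requester, action, now, False, "permission")
        return self._log(payload, requester, action, now, True, "ok")

    def _parse(self, link: str) -> Tuple[Dict, bool]:
        body, sig = link[len(BASE_URL):].split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        valid = hmac.compare_digest(expected, _unb64url(sig))
        return json.loads(_unb64url(body)), valid

    def _log(self, payload: Optional[Dict], requester: str, action: str,
             now: float, allowed: bool, reason: str) -> Tuple[bool, str]:
        self.audit.append({
            "ts": int(now), "requester": requester, "action": action,
            "file": payload["file"] if payload else None,
            "owner": payload["owner"] if payload else None,
            "allowed": allowed, "reason": reason,
        })
        return allowed, reason


def demo() -> Dict[str, str]:
    """Walk one link through its lifecycle; returns the decision reason at each step."""
    svc = ShareService()
    t0 = 1_700_000_000.0  # constructed clock value (seconds)
    link = svc.issue("doc-q3-forecast", "alice@example.invalid", "view", ttl=3600, now=t0)
    out: Dict[str, str] = {}
    out["view_ok"] = svc.access(link, "bob@example.invalid", "view", t0 + 60)[1]
    out["download_denied"] = svc.access(link, "bob@example.invalid", "download", t0 + 61)[1]
    # A payload edited after signing ("view" -> "download") no longer matches the MAC.
    body, sig = link[len(BASE_URL):].split(".", 1)
    edited = _b64url(_unb64url(body).replace(b'"view"', b'"download"'))
    out["tampered"] = svc.access(f"{BASE_URL}{edited}.{sig}", "bob@example.invalid", "download", t0 + 62)[1]
    svc.revoke(link)
    out["after_revoke"] = svc.access(link, "bob@example.invalid", "view", t0 + 63)[1]
    out["after_expiry"] = svc.access(link, "bob@example.invalid", "view", t0 + 7200)[1]
    out["audit_entries"] = str(len(svc.audit))
    return out


if __name__ == "__main__":
    for step, reason in demo().items():
        print(f"{step:16} {reason}")
```

The design point is that the link carries no authority of its own: the HMAC only proves the server issued that exact payload, while expiry, revocation and the view/download permission are checked on the server at every access and every attempt is logged. That is precisely what an emailed attachment cannot offer once the message has left the sender's system.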


Impact of email attachments: there is little to celebrate in email's attachment file-sharing model.

Call to Action

Like the oft-cited definition of insanity, businesses continue to dedicate significant time, money, and energy to problems originating from insurmountable challenges either directly caused or exacerbated by email. As the daily news cycle of email-caused breaches proves to us, these efforts are of little avail. Until organizations recognize and resolve the root cause, they will continue their Sisyphean task, forever looking for and spending on the next technological miracle band-aid, be it Artificial Intelligence, Machine Learning, Social Graph, or another buzzword.


The reality is that we are up against the fundamental architectural flaws of technology created decades ago and still in ubiquitous use today. These fundamental flaws have long been recognized. The seminal Internet Mail 2000 proposal posted by the cryptologist and email technologist Daniel J. Bernstein outlined a new architecture in which email would no longer be an analog of the postal service, where content is sent to the recipients; rather, the recipients retrieve the content stored by the sender. This is a far more efficient design, simultaneously resolving email's problems of spam, bounces, content proliferation, and false origination. However, redesigning the Internet's most widespread communication infrastructure is a challenge. But we have entered a new moment, one where cloud content storage has become commonplace in the business world. With secure storage links, we correct the aforementioned flaws and bring the known solution to fruition. Investments in user adoption training, in email client features for generating file links, and in services like MXHero that automate the creation of file links are far less costly than the perpetual, ineffective, and expensive game of whack-a-mole that organizations globally play today.


The reality is we are up against the fundamental architectural flaws of a technology created decades ago and still in ubiquitous use today.


Collectively we have a problem that is costing ourselves, businesses, and society billions and billions of dollars. We know the solution. For most organizations, cloud storage is readily accessible. It is time to prioritize and make it happen, namely, to replace email attachments with shared links. We have so many more important things to do with our resources than patching the collateral effects of a long-obsolete technology. Let's develop vaccines, solve global warming, educate our young. So please, for you, for me, for our world, no more email attachments.


When duplication is a good thing ;)

Sources

  1. Radicati
  2. CyberCrime Magazine
  3. Cisco
  4. Wikipedia
  5. Gartner
  6. SecurityToday
  7. Methodology & Calculations (spreadsheet download)

Translated from: https://medium.com/datadriveninvestor/why-we-cant-secure-our-data-with-business-as-usual-b4d13bfcf7d3
