Wrong, Wrong, Wrong
An article came out today that stated that email security does not work and cannot be easily fixed.
The problem with this article is that email should NEVER try to secure itself – SMTP was never meant for complete security. Applications trying to secure themselves will always fail, as will any other security trapped in the enterprise. Saying that email security does not work is akin to saying that beaches erode – it doesn’t make the beach bad, it is just a fact.
If you have been hacked, here is a great article on steps you can take to overcome the hack.
The Real Issue
When email security first arrived, it was GREAT. Nobody could beat it and everybody was “safe”. Unfortunately, as with every other enterprise-dependent piece of security software, email security is static. It does not change, has not changed, cannot change. It doesn’t matter how thick your walls are or how strong your shields; never changing something means that your defense will ALWAYS fail…eventually…
Successful apps slowly build on useful features and target dependability, minimize change and do everything possible to create a familiar environment for users. As much as possible, changes are embedded in a way that masks them, and being static is in many ways a good thing. Creating wild fluctuations, completely reworking core operations and overhauling functionality in real time (all things security requires) is antithetical to applications.
So why do people think “application security” is anything more than a nihilistic oxymoron?!?
Security cannot be an application, it has to be a service. Security cannot be static, reactive or ignored – it has to be proactively monitored, continuously adaptive and flexible to a myriad of situations. Cybersecurity is chaotic warfare and any viable security solution needs to change at a moment’s notice.
Of course, an enterprise requires stability, apps need to run in the same manner consistently and users absolutely need routine operations. The only way security can possibly succeed is to be completely separate from the enterprise, applications, and networks. Effective security services have to be able to churn without any unwanted disruptions and that capability is just not possible without separation.
Once you have an environment that is actually secured, email will work just fine. Emails will be protected and highly secure, and researchers will no longer lament how stable applications fail to provide effective, chaotic security online.