Security Best Practice

Document created Sep 23, 2015. Last modified Nov 5, 2018. Version 11.

At Mimecast, we treat security with the utmost importance. This guide provides recommendations to enhance your account's security, including:

  • Managing user access and permissions.
  • Securing communication in and out of your environment.

Ensure that your firewall allows connections on the appropriate ports from all Mimecast data center IP ranges and URLs, and that these are mapped through to the correct destination on your network. Scope those rules to the published Mimecast ranges rather than opening the ports to the whole Internet.

Account Settings

Your Mimecast Account Settings include information about your account. The security-relevant settings are:

  • Designated Account Contact (Account Contact section): Specify the representative we contact in the event of an emergency. This must be kept up to date at all times. Details of all other technical contacts must be emailed to Mimecast Support. See the "Managing Super Administrators" section of the Understanding Administrator Roles page for full details.
  • Cloud Password Rules (Password Complexity and Expiration section): Options that enhance cloud account security by reducing the risk of a breach through a brute force attack, or of end users setting weak passwords. These settings define the minimum password length and complexity (i.e. requiring numeric, non-alphanumeric, and uppercase characters), the password expiration period, and the number of failed logon attempts before the account is locked out.
  • Restricted Administration Console Access (User Access and Permissions section, "Admin IP Ranges (CIDR n.n.n.n/x)" option): Restrict access to the Administration Console to specific IP addresses and/or ranges. Keep this list as narrow as possible (e.g. your office egress addresses or VPN range), since any host inside an allowed range can attempt an administrator logon.
  • User Permissions (User Access and Permissions section): These settings define the default permissions for all users on your account. See the "User Access and Permissions" section below for details on how to further control user access.

 

User Access and Permissions

 

  • User Groups: Users with the same access requirements can be added to a group. The group uses an Application Setting to control access to end user applications and services (e.g. Secure Messaging). Each Application Setting uses an Authentication Profile to control the method users must use to authenticate with our applications. See the following pages for full information:
  • Individual Users: At least one internal domain owned by your organization was added when your Mimecast account was set up. You can add other internal domains or subdomains (e.g. for journaling). See the Configuring Internal Domain / Subdomains page for full details.
  • Import Users: You can import multiple users, complete with their permissions. See the Importing Users via a Spreadsheet page for full details.
You can delegate mailbox access to other users. See the End User Applications: Configuring Delegate Mailbox Access page for further details.

Roles

 

Roles are a set of permissions assigned to administrators that control the depth of access they have, and the tasks they can perform. We provide a set of default roles with your account, but you can create your own custom roles. We recommend administrators are assigned a role with the lowest level of permissions required to perform their administrative tasks.

 

See the Understanding Administrator Roles and Managing Administrator Roles pages for full information.

 

Content View Access

 

Content view functionality allows you to control who can view the content of messages. Each time a message is viewed, this access is logged in the Message View Logs. We recommend that you don't share generic accounts, but use the provided Super Administrator account to create personal accounts with the required access. If an administrator requires basic and privileged access, you can have two accounts; one with basic access (username@domain.com) and one with the privileged access (username-content@domain.com). The task performed determines which account is used.

 

See the Understanding Administrator Roles and Managing Administrator Roles pages for full information.

 

Staff Leaving Your Organization

 

When someone leaves your company, it's important they no longer have access to your Mimecast account. You should disable or remove their Active Directory account. When the account is deleted, the status of the email address in Mimecast changes from "Directory Generated" to "Message Generated". This ensures that, if LDAP recipient validation is used, inbound messages to this address are rejected. For enhanced security, if we detect that an Active Directory account has been deleted or disabled, that account's ability to log on with a cloud password is also disabled.

 

We can also automatically restrict access when both of the following are true:

  • The "UserAccountControl" attribute is exposed via the Active Directory synchronization.
  • The Active Directory connector has the "Acknowledge Disabled Accounts in Active Directory" option enabled. This is the default setting.
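The following is an added example, not Mimecast's own code, showing how a directory synchronization consumer can derive the two states described above from Active Directory data: a disabled account is recognised from the ACCOUNTDISABLE bit (0x0002) of the userAccountControl attribute, and a deleted account is recognised because its address disappears from the synchronized directory. The record layout, the sample addresses, and the acknowledge_disabled switch are assumptions for this example; the attribute names and the flag value are Active Directory's.

```python
# ACCOUNTDISABLE bit of Active Directory's userAccountControl attribute (0x0002).
ACCOUNTDISABLE = 0x0002

# Constructed sample: the address set from the previous synchronization run ...
PREVIOUS_SYNC = {
    "alice@company.com", "bob@company.com", "carol@company.com",
    "dave@company.com", "frank@company.com",
}

# ... and the records returned by the current run. The list-of-dicts shape is a
# simplification assumed for this example; attribute names are AD's.
CURRENT_SYNC = [
    {"mail": "alice@company.com", "userAccountControl": 512},    # NORMAL_ACCOUNT
    {"mail": "bob@company.com",   "userAccountControl": 514},    # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"mail": "carol@company.com", "userAccountControl": 66048},  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    {"mail": "dave@company.com",  "userAccountControl": 66050},  # ... | ACCOUNTDISABLE
    {"mail": "erin@company.com"},                                # attribute not exposed by the sync
]
# frank@company.com is absent from CURRENT_SYNC: the AD account was deleted.


def is_disabled(record):
    """True/False from the ACCOUNTDISABLE bit; None if the attribute was not synchronized."""
    uac = record.get("userAccountControl")
    if uac is None:
        return None
    return bool(int(uac) & ACCOUNTDISABLE)


def evaluate_sync(previous, current, acknowledge_disabled=True):
    """Decide, per address, what should happen to cloud-password logon.

    Returns a dict of address -> one of:
      'allow'     account present and not disabled
      'disabled'  ACCOUNTDISABLE is set and the connector acknowledges disabled accounts
      'deleted'   address vanished from the directory ("Directory Generated" -> "Message Generated")
      'unknown'   userAccountControl not exposed, so the disabled state cannot be determined
    """
    decisions = {}
    seen = set()
    for rec in current:
        addr = rec["mail"].lower()
        seen.add(addr)
        state = is_disabled(rec)
        if state is None:
            decisions[addr] = "unknown"
        elif state and acknowledge_disabled:
            decisions[addr] = "disabled"
        else:
            # With acknowledge_disabled=False a disabled AD account keeps its cloud logon:
            # this is the weaker configuration the page warns against.
            decisions[addr] = "allow"
    for addr in previous - seen:
        decisions[addr] = "deleted"
    return decisions


if __name__ == "__main__":
    for addr, decision in sorted(evaluate_sync(PREVIOUS_SYNC, CURRENT_SYNC).items()):
        print(f"{addr:22} {decision}")
```

Note that erin's record comes back as "unknown": if the synchronization does not expose userAccountControl, nothing downstream can tell a disabled account from an active one, which is why the page lists exposing that attribute as a precondition.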

 

2-Step Authentication

 

Passwords only offer a single layer of protection to a user's identity and are easily compromised. Our native 2-Step Authentication adds a second layer by denying access to anyone who presents only a password. With it enabled, your administrators and users need both a password and a one-time verification code to access our applications. You can choose how 2-Step verification codes are received or generated. The following options are available:

  • Via email
  • Via SMS
  • Via a 3rd party code generator (e.g. Google Authenticator or FortiToken).

Of these, a code generator app is the strongest choice: SMS codes can be intercepted through SIM-swap or telephony network attacks, and an emailed code is only as secure as the mailbox that receives it.

 

See the 2-Step Authentication Overview and Configuring a 2-Step Authentication Profile pages for full details.

 

Targeted Threat Protection

We employ a multi-layered approach to phishing detection and prevention, with numerous technologies and techniques being used by Targeted Threat Protection. We work to provide the most accurate and up-to-date protection for customers, boosted by our global security teams who monitor and fine tune the service. However, due to the highly dynamic nature of these types of attacks, we cannot guarantee that all information relied upon is comprehensive and error-free. Some risky phishing emails, sites, or attachments may not be identified, and some safe emails, sites or attachments may be identified in error.

Targeted Threat Protection extends traditional gateway security to defend against malicious links in email and weaponized attachments (i.e. attachments that are not themselves a known malicious payload, and so are not caught by signature-based scanning). These are the two most common attack methods. Real-time scanning and blocking of suspect websites, together with attachment sandboxing, prevent employees from inadvertently downloading malware or revealing credentials.

 

See the following pages for best practice settings:

 

Device Enrollment

 

Device enrollment enhances security when users access attachments and links in messages, by tying that access to an authentication service. When the authentication service is enabled, a cookie is stored on the user's device. When the user accesses a Targeted Threat Protection service (e.g. a rewritten link or an attachment release link), a check is made for the cookie on their device:

  • If it is present, the user is allowed to access the service.
  • If it isn't, the user must complete a two-step authentication process to enroll their device. Once the device is enrolled, a cookie is added to their browser and used for future interactions with our Targeted Threat Protection service.

Because enrollment is bound to the browser's cookie, users must enroll each browser and device they use, and clearing cookies triggers re-enrollment.

 

See the following pages for full details:

 

Non-Targeted Threat Protection Customers

 

Customers without Targeted Threat Protection who want to block all Microsoft Office attachments containing macros at the Gateway, without any security analysis, can enable the policy options listed below. Be aware that doing so can result in a high number of false positives, because legitimate documents that contain macros are blocked as well.

 

Traffic Security

 

Traffic security certificates are used to encrypt traffic such as SMTP, POP3, and LDAP. Although we accept both CA-signed and self-signed certificates, we recommend publicly trusted certificates: a self-signed certificate cannot be validated against a trusted root, so a connection that accepts one cannot distinguish your server from an impersonator presenting its own self-signed certificate.

 

TLS

 

Emails can be transmitted securely using TLS. We use Opportunistic TLS by default: if the other mail server does not offer STARTTLS, the message is delivered over an unencrypted connection. For senders and recipients where that fallback is unacceptable (e.g. partners you exchange sensitive data with), Enforce TLS so that delivery fails, and the message is queued, rather than falling back to plaintext. To make use of TLS you must have:

  • A certificate installed and configured on your mail server.
  • At least one Secure Receipt and Secure Delivery policy.
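To make the opportunistic-versus-enforced distinction concrete, here is an added example (not Mimecast's code) of the decision a sending mail gateway makes after reading the receiving server's EHLO reply. The EHLO replies, host names and the policy table mapping recipient domains to a TLS mode are constructed for this example; it models the Secure Delivery (outbound) side only, and a production gateway would additionally validate the certificate presented during the STARTTLS handshake.

```python
# Constructed EHLO replies, as read by the client after it sends EHLO. Host names
# are placeholders for this example.
EHLO_WITH_STARTTLS = [
    "250-mx.partner.example",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 8BITMIME",
]
EHLO_WITHOUT_STARTTLS = [
    "250-mx.legacy.example",
    "250-SIZE 10485760",
    "250 8BITMIME",
]

# Hypothetical policy table: recipient domain -> TLS mode. Domains not listed get
# the opportunistic default, mirroring the behaviour described on the page.
TLS_POLICY = {
    "partner.example": "enforced",
    "legacy.example": "enforced",
}
DEFAULT_MODE = "opportunistic"


def parse_ehlo(lines):
    """Return the set of extension keywords (upper-cased) advertised in an EHLO reply."""
    caps = set()
    for line in lines[1:]:              # the first line carries the server's host name
        if not line.startswith("250"):  # ignore anything that is not a 250 continuation
            continue
        keyword = line[4:].split(" ", 1)[0].upper()  # strip '250-' / '250 ' and parameters
        if keyword:
            caps.add(keyword)
    return caps


def delivery_decision(recipient_domain, ehlo_lines, policy=TLS_POLICY):
    """Decide how, or whether, to deliver to a recipient's MX given its EHLO reply.

    Returns 'tls' (negotiate STARTTLS), 'plaintext' (opportunistic fallback) or
    'defer' (enforced policy, no TLS offered: queue and retry, never send in clear).
    """
    mode = policy.get(recipient_domain.lower(), DEFAULT_MODE)
    offers_tls = "STARTTLS" in parse_ehlo(ehlo_lines)
    if offers_tls:
        return "tls"
    if mode == "enforced":
        return "defer"
    return "plaintext"


if __name__ == "__main__":
    print(delivery_decision("partner.example", EHLO_WITH_STARTTLS))   # tls
    print(delivery_decision("legacy.example", EHLO_WITHOUT_STARTTLS)) # defer
    print(delivery_decision("other.example", EHLO_WITHOUT_STARTTLS))  # plaintext
```

The third call is the case to watch: with the default opportunistic mode, a recipient whose mail server does not advertise STARTTLS (or a network attacker who strips it from the reply) silently receives the message in the clear, which is why the page recommends enforcing TLS for specific senders and recipients.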

 

See the Configuring Secure Receipt policies and Configuring Secure Delivery definitions and policies pages for full information.

 

LDAPS

 

Directory synchronization can be used to synchronize all email addresses, groups, and attributes. It can also allow end users to log on to user services using their network credentials. Directory synchronization can be configured to use LDAP or LDAPS. LDAPS ensures that the traffic between us and your environment is encrypted; with plain LDAP the bind credentials and directory data cross the network in the clear. The certificate presented by your directory server must contain the server's FQDN (the host name configured in the connector) as its Subject Common Name or, preferably, as a Subject Alternative Name; otherwise the host name check fails and the connection is rejected.
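The host name requirement above is the part that most often goes wrong with self-signed or auto-generated directory server certificates, which typically carry the short machine name rather than the FQDN. The following added example (not Mimecast's code) implements the check a TLS client performs, in the RFC 6125 form: DNS Subject Alternative Names are authoritative when present, the Common Name is only consulted when the certificate has no DNS SANs, and a wildcard matches exactly one leftmost label. The certificate dictionaries are constructed samples shaped like what Python's ssl module returns from getpeercert(); the host names are placeholders.

```python
# Constructed certificates in the shape returned by ssl.SSLSocket.getpeercert().
CERT_SAN_OK = {
    "subject": ((("commonName", "dc1.corp.example"),),),
    "subjectAltName": (("DNS", "dc1.corp.example"), ("DNS", "ldap.corp.example")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.corp.example"),),),
    "subjectAltName": (("DNS", "*.corp.example"),),
}
CERT_CN_ONLY = {  # legacy certificate: no SAN extension, CN carries the host name
    "subject": ((("commonName", "dc1.corp.example"),),),
}
CERT_SAN_MISMATCH = {  # CN matches but the SAN list does not: SANs win, so this fails
    "subject": ((("commonName", "dc1.corp.example"),),),
    "subjectAltName": (("DNS", "other.corp.example"),),
}
CERT_SHORT_NAME = {  # typical auto-generated cert: short machine name, not the FQDN
    "subject": ((("commonName", "DC1"),),),
    "subjectAltName": (("DNS", "DC1"),),
}


def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name (possibly '*.example') against a host name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # A wildcard covers exactly one leftmost label: '*.corp.example' matches
    # 'dc1.corp.example' but neither 'corp.example' nor 'a.dc1.corp.example'.
    suffix = pattern[1:]                      # '.corp.example'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_matches_fqdn(cert, fqdn):
    """True if the certificate is valid for fqdn under RFC 6125 name-matching rules."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # CN is a fallback only when no DNS SANs are present.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_dns_name_matches(name, fqdn) for name in names)


if __name__ == "__main__":
    for label, cert in [("SAN ok", CERT_SAN_OK), ("wildcard", CERT_WILDCARD),
                        ("CN only", CERT_CN_ONLY), ("SAN mismatch", CERT_SAN_MISMATCH),
                        ("short name", CERT_SHORT_NAME)]:
        print(f"{label:13} dc1.corp.example -> {cert_matches_fqdn(cert, 'dc1.corp.example')}")
```

CERT_SHORT_NAME is the case to check for on your own domain controllers before enabling LDAPS: the connector is configured with the FQDN, so a certificate issued only to the NetBIOS name fails the check even though it is otherwise valid.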

 

See the Enabling LDAP Directory Synchronization for Active Directory page for full details.

 

POP3 Journaling

 

If journaling is configured, we regularly log in to your organization's internal journal mailbox and extract emails to be archived. This process can be configured to use either POP3 or POP3S. POP3S ensures that the communication is encrypted; with plain POP3 the journal mailbox password and the extracted messages cross the network in the clear.

 

See the Journaling section for full details.

 

SMTP Journaling

 

By default, an SMTP journal connector only accepts connections from your authorized IP addresses. To further secure this communication, you can require SMTP authentication and:

  • Require a password.
  • Use the journal email address as the SMTP-AUTH username.

 

SMTP journal traffic can also be encrypted using TLS. This requires a certificate to be installed and configured. Use TLS whenever authentication is enabled: the common SMTP-AUTH mechanisms (PLAIN and LOGIN) transmit the password with only base64 encoding, which gives no protection on an unencrypted connection.

 

See the Journaling section for full details.

 

Secure Messages

 

Secure Messaging provides a user-friendly, secure channel for sending and receiving sensitive information via email. Messages are sent via the Mimecast Gateway and accessed by the recipient through the Mimecast Secure Messaging Portal. This means the message content is never relayed through, or stored on, the recipient's email server, and so can only be seen by the recipient.

 

You can set the lifespan for which your users can view and respond to secure messages. This ensures that sensitive emails are only available for a limited period, which limits exposure if, for example, the intended recipient leaves their organization. This requires a Secure Messaging policy, in which you can specify a duration of up to 365 days.

 

See the Configuring Secure Messaging Definitions and Policies page for full details.

Secure Messaging Lite users cannot create or maintain Secure Messaging policies.

Stationery

 

A phishing attack commonly comes from an external email address that has been crafted to look like an internal one. This can be done by subtly changing the email domain to resemble the company domain. For example, the domain "company.com" could be spoofed as "cornpany.com" (notice the "r" and "n" instead of an "m").

 

With our Stationery add-on, you can add a header to all messages from external senders, alerting recipients that the message originated outside the organization and could be a phishing or spoofing attempt. See the Using Stationery to mitigate phishing attacks page for full details.
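As an added example (not Mimecast's code, and not how the Stationery feature is implemented), the following shows the kind of sender-domain check that complements an external-sender header: it normalises the look-alike substitutions attackers rely on (such as "rn" for "m" and "0" for "o") and also flags domains within one edit of one of your own. The internal domain list, the substitution table and the sample addresses are constructed for this example; the table is illustrative rather than exhaustive.

```python
# Look-alike substitutions attackers use because the glyphs render similarly in
# common fonts. Keys are replaced by values before comparison. Illustrative only.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
}

# Constructed list of your own domains (assumption for this example).
INTERNAL_DOMAINS = {"company.com", "company.co.uk"}


def normalize(domain):
    """Lower-case a domain and collapse confusable sequences to their look-alike."""
    domain = domain.lower()
    for seq, rep in CONFUSABLES.items():
        domain = domain.replace(seq, rep)
    return domain


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, internal=INTERNAL_DOMAINS, max_distance=1):
    """Return 'internal', 'lookalike' or 'external' for a sender's domain."""
    d = domain.lower().rstrip(".")
    if d in internal:
        return "internal"
    for own in internal:
        if normalize(d) == normalize(own):   # cornpany.com, c0mpany.com
            return "lookalike"
        if levenshtein(d, own) <= max_distance:  # companny.com, company.con
            return "lookalike"
    return "external"


def sender_domain(address):
    """Domain part of an email address."""
    return address.rsplit("@", 1)[-1]


def header_for(address):
    """Decide which warning header a message from this sender should carry, if any."""
    kind = classify_sender_domain(sender_domain(address))
    if kind == "internal":
        return None
    if kind == "lookalike":
        return "WARNING: this message is from a domain that imitates your organization's"
    return "CAUTION: this message is from an external sender"


if __name__ == "__main__":
    # Constructed sample sender addresses.
    for addr in ["ceo@company.com", "ceo@cornpany.com", "ceo@c0mpany.com",
                 "ceo@companny.com", "vendor@example.org"]:
        print(f"{addr:22} {classify_sender_domain(sender_domain(addr))}")
```

The edit-distance rule is deliberately loose (distance 1 against a short domain will flag some legitimate neighbours), which is why it feeds a warning header rather than a block: the header lets the recipient make the call, as the Stationery approach above intends.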

 

Data Leak Prevention (DLP)

 

Your organization’s value and competitive advantage are inextricably linked to the knowledge you hold. Information such as new product ideas, future business plans, and customer data, represents an invaluable business asset. When stored digitally, it can be shared easily with colleagues and third parties via email. While this flexibility brings great benefit, it also increases the risk of data leakage. Our cloud service protects your organization against data leak, through seamless integration with Microsoft Exchange.

 

See the following pages for further details:

 

Log Review

 

Account Logs

 

We capture and log numerous actions taken on your Mimecast account. This acts as an audit trail of all administrator, user, and automatic activities, providing monitoring and accountability. It includes account logons and configuration changes (e.g. policy creation, group configuration). Logs are also created when an archive search is performed or a message is viewed. Review these logs regularly, or feed them into your SIEM, and look in particular for administrator logons from unexpected addresses or times, changes to roles or permissions, and unusual volumes of archive searches or message views.

 

See the Archive View Logs page for full details.

 
