The last effort of the NIST Agency in the development of email security guidelines is dated 2007 when it published the NIST SP 800-45, Version 2 – Guidelines on Electronic Mail Security.
The new NIST guide is a document composed of 81 pages that aim to give recommendations and guidelines for enhancing trust in email.
This guideline applies to Government IT environment, but it is also useful for private organizations of any size.
The recommendations in NIST guide for secure email include suggestions on the practices to adopt for securing the environments around enterprise mail servers and mail clients. This guide also provides recommendations and guidance for email digital signatures and encryption (via S/MIME), recommendations for protecting against spam messages.
Security email needs a multidisciplinary approach that involves secure solutions, effective configurations and trained personnel.
“Email communications cannot be made trustworthy with a single package or application. It involves incremental additions to basic subsystems, with each technology adapted to a particular task.” states the NIST guide on secure email.
Encryption is essential to secure email systems, the guide urge administrators to build out a cryptographic key management system (CKMS) and use keys to protect email sessions.
“As with any cryptographic keying material, enterprises should use a Cryptographic Key Management System (CKMS) to manage the generation, distribution, and lifecycle of DKIM keys. Federal agencies are encouraged to consult NIST SP 800-130 [SP800-130] and NIST SP 800-152 [SP800-152] for guidance on how to design and implement a CKMS within an agency.”
Despite the numerous incidents occurred in the last years, the NIST still considers trustable the DNS due to the numerous security enhancements, including the DNS Security Extensions (DNSSEC), which is a set of extensions to DNS that provide to DNS clients origin authentication of DNS data, authenticated denial of existence, and data integrity.
The NIST guide highlights the importance of the S/MIME (Secure Multipurpose Internet Mail Extensions) for secure email messages.
“Secure Multipurpose Internet Mail Extensions (S/MIME) is the recommended protocol for email end-to-end authentication and confidentiality. S/MIME is particularly useful for authenticating mass email mailings originating from mailboxes that are not monitored, since the protocol uses PKI to authenticate digitally signed messages, avoiding the necessity of distributing the sender’s public key certificate in advance. This usage of S/MIME is not common at the present time, but is recommended.” states the guide.
The guide included a warning to the organizations that rely on cloud services for their email, in particular on services offered by a third party.
Organizations need to make sure any email sent by third parties will pass SPF checks, the verification is simple because the enterprise administrator should include the IP addresses of third-party senders in the enterprise SPF policy statement RR.
The NIST guide is out for public comment until May 1st, I suggest you to read it.
(Security Affairs – NIST, secure email)