PONT Data&Privacy

Positive outlook for government email confidentiality

All government organizations should have implemented STARTTLS and DANE by the end of 2019 to prevent "eavesdropping" on email. Only 50% of government organizations implemented DANE by this deadline. The lack of support for DANE in the cloud product Office 365 proved to be a sticking point. Microsoft announced on April 6 that it will fully support DANE in Office 365 Exchange Online by the end of 2021.

Forum Standaardisatie, April 14, 2020

Full support for DANE in Exchange Online by the end of 2021

In the announcement, Microsoft indicates that implementation will take place in phases. The first phase includes support for e-mail sent from Exchange Online. This will be completed by the end of 2020. The second phase includes support for receiving e-mail in Exchange Online. That will be completed by the end of 2021.

Although the announced support is still some time away, it offers more than 100 government organizations already using Exchange Online a positive outlook for meeting security requirements.

Microsoft reminds customers that, in the meantime, they have the option of using proprietary SMTP gateways that do support DNSSEC and DANE. E-mail messages could possibly be exchanged between the gateways and Exchange Online via connectors. Such a relay gateway involves complexity and cost. For these reasons, built-in support for the standards in Exchange Online, and likewise in products from other vendors, is crucial. Forum Standaardisatie advises government organizations that want to switch to Exchange Online to wait until Microsoft has actually implemented the standards.

Several vendors already offer support for DANE. More than half of government organizations have enabled DANE for secure e-mail traffic. For example, the municipality of Den Bosch, government service provider SSC-ICT, the House of Representatives and the police apply it.

DANE and the Government Information Security Baseline

DANE prevents attackers from "eavesdropping" on or modifying mail traffic. It stands for DNS-Based Authentication of Named Entities and is a mandatory government standard. The technique builds on DNSSEC (the standard for domain name security) and provides assurance of the identity of the receiving mail server. This prevents an attacker from impersonating a receiving mail server in order to intercept mail traffic. In addition, DANE enforces the use of an encrypted connection. This prevents an attacker from blocking the setup of a STARTTLS-protected connection in order to gain access to unencrypted messages.
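The sending server's decision described above, as an added example that is not code from Forum Standaardisatie, Microsoft or any mail product. All names are hypothetical, the sample values are constructed, and the sketch assumes the certificate and its public key (SPKI) are already available as DER bytes and handles only DANE-EE (usage 3) TLSA records.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE: pins the server's own certificate or key
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_matches(rec, cert_der, spki_der):
    """True if the presented certificate satisfies one DANE-EE TLSA record."""
    if rec.usage != 3 or rec.selector not in (0, 1):
        return False  # other usages are out of scope for this sketch
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        candidate = selected
    elif rec.mtype == 1:
        candidate = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        candidate = hashlib.sha512(selected).digest()
    else:
        return False
    return candidate == rec.data

def delivery_decision(dns_status, tlsa_records, starttls_offered,
                      cert_der=b"", spki_der=b""):
    """dns_status is 'secure', 'insecure' or 'bogus' (DNSSEC validation result)."""
    if dns_status == "bogus":
        return "defer"                  # validation failure: do not trust the answer
    if dns_status != "secure" or not tlsa_records:
        return "deliver-opportunistic"  # no signed TLSA policy published
    if not starttls_offered:
        return "defer"                  # STARTTLS stripped: never fall back to cleartext
    if any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_records):
        return "deliver-dane"           # encrypted and server identity verified
    return "defer"                      # certificate mismatch: possible impersonation

# Constructed sample data (stand-ins for real DER bytes).
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-public-key-der"
SAMPLE_RECORD = TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())

if __name__ == "__main__":
    for offered, spki in [(True, SAMPLE_SPKI), (False, b""), (True, b"other-key")]:
        print(delivery_decision("secure", [SAMPLE_RECORD], offered, SAMPLE_CERT, spki))
```

The two `defer` outcomes for a signed TLSA policy are the cases the paragraph describes: a missing STARTTLS offer and a certificate that does not match the published record both stop delivery instead of falling back to an unprotected connection.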

The correct application of the DNSSEC, DANE and STARTTLS standards is the minimum that can be expected of government e-mail. These standards are therefore also part of the Government Information Security Baseline (BIO) via measure 13.2.3.1 (BBN1). BBN1 is the security level that all government systems must meet as a minimum.

Ensuring secure e-mail traffic between government organizations and citizens, businesses and co-governments is important for the reliability of the (digital) government. Because of the bilateral nature of this information exchange, the risks of vulnerabilities lie not only with the government organizations concerned, but also with the parties with whom they communicate digitally. Government organizations have a duty of care to citizens, businesses and co-governments to put digital security in order.

How do I know if my e-mail traffic can be read?

Via Internet.nl you can test whether your organization's e-mail traffic is protected against eavesdropping and spying. This tool tests the application of encryption standards STARTTLS and DANE. Correct application of these standards on a mail server helps prevent eavesdropping and espionage.

This news item can also be found in the Information Security file


Knowledge partner

Robert van Vianen