Internet security standards: targets aren't being met
Forum for Standardisation puts pressure on government organisations and vendors
Vendors need to provide better support for modern internet standards, and implementation should be made easier. So says Bart Knubben of the Forum for Standardisation following publication of the Information Security Standards Survey. "The growth has continued, but the agreed targets aren't yet being met. In fact, the use of DNSSEC security for mail delivery by municipal and provincial authorities has declined. That's due to several authorities switching to Office 365 Exchange online, a service that doesn't support DNSSEC or DANE. We're talking to Microsoft to get that changed."
Forum Standaardisatie adviseert de publieke sector over het gebruik van open standaarden. Ze zijn ook de beheerder van de pas-toe-of-leg-uit (ptolu)-lijst, een opsomming van open standaarden die Nederlandse overheidsorganisaties moeten toepassen bij de aanschaf van ICT-producten en -diensten. Op die lijst vinden we standaarden als DNSSEC, DKIM/SPF/DMARC, HTTPS, HSTS, STARTTLS/DANE en IPv6. In aanvulling op deze verplichting zijn samen met het Overheidsbrede Beleidsoverleg Digitale Overheid (OBDO) specifiek voor deze moderne (beveiligings-)standaarden zogenaamde streefbeeldafspraken gemaakt waarin deadlines zijn vastgesteld voor de invoering ervan.
The Forum for Standardisation advises the public sector on the use of open standards. It also maintains the 'use-or-explain' list, which details the open standards that Dutch government bodies are expected to include in their procurement specifications for ICT products and services. On the list are standards such as DNSSEC, DKIM/SPF/DMARC, HTTPS, HSTS, STARTTLS/DANE and IPv6. A Joint Ambition Statement that includes implementation deadlines for those modern (security) standards has additionally been agreed with the Pan-governmental Digital Government Policy Forum (OBDO).
The current adoption picture is illustrated by the following diagrams. As you can see, support for web standards is gradually creeping up towards 100 per cent. The Forum for Standardisation believes that further progress will depend on approaching non-compliant organisations individually.
Where mail standards are concerned, a similar slowdown in growth is apparent, but at a significantly lower adoption level. The figures for DANE and DMARC (with the 'reject' policy configuration) are particularly disappointing, at 45 and 49 per cent respectively. As the Forum for Standardisation observes, half of Dutch government mail domains are not adequately protected against spoofing. Although in principle the Joint Ambition Statement allows organisations until the end of the year to implement the standards, it looks fairly certain that many will miss the deadline.
According to Knubben, implementing DMARC with the 'reject' policy configuration is difficult for many organisations. "Larger organisations that use numerous external mail distributors find it particularly hard to specify all legitimate mail flows. That may say something about how much control government organisations have over their IT infrastructures. It's important that such organisations bring in third-party expertise or ensure that their own staff are properly trained. Plenty of governmental bodies have now shown that the challenges can be overcome." "DKIM, SPF and DMARC are complex standards. Authorising additional mail server addresses to send mail for a domain isn't straightforward. Mail service providers and software vendors therefore need to make it easier to adopt the standards."
Letter to Microsoft
Knubben says that the fall in the percentage of MX portals (mail delivery portals) that are DNSSEC-enabled is mainly due to several municipalities and provinces switching to Microsoft's Office 365 Exchange online, which doesn't support DNSSEC (or therefore DANE). It is not yet clear how the authorities in question reconcile the switch with their obligation to make DNSSEC support a requirement when sourcing new infrastructure and services. "It's certainly disappointing. Any organisation that's using Office 365 Exchange online isn't adhering to the mandatory standards." In the summer, the government's dedicated Strategic Vendor Management team (SLM) wrote to Microsoft Nederland formally requesting the urgent implementation of DNSSEC and DANE on their Office 365 mail servers. The accompanying memorandum setting out the Dutch government's position on DNSSEC and DANE for mail says that Office 365 users are currently unable to comply with applicable regulations and standards. From the memorandum, it's also apparent that Office 365's negative impact on DANE support is roughly ten percentage points.
As well as being required to follow the 'use-or-explain' list and the Joint Ambition Statement, government bodies need to secure their mail traffic in order to comply with local laws implementing the EU's General Data Protection Regulation (GDPR), since some mail will inevitably include sensitive information. Directions on compliance are given in the National Cyber Security Centre's (NCSC's) factsheet Secure the connections of mail servers, which advises the use of STARTTLS/DANE. The National Information Security Baseline (BIO) also makes it clear that DANE for mail must be enabled. "It isn't easy to get major vendors such as Microsoft to act," says Knubben. "The only way is to bring user organisations together to exert concerted pressure." Significantly, the memorandum referred to above points users to the Azure Feedback Forums and the Office 365 UserVoice Forums, where DNSSEC is one of the most frequently requested features. The Forum for Standardisation's biannual surveys also help to put non-compliant government organisations and vendors in the spotlight. "Early next year, our findings will be reported to the OBDO and to the Dutch parliament. So official pressure can be ramped up by naming, faming and shaming." Nevertheless, Knubben isn't sure how Microsoft will respond. "The talks are still ongoing and they've been constructive. We don't believe that Microsoft will be able to ignore the fact that so many users are demanding support for modern e-mail security standards."
Meanwhile the Forum for Standardisation is additionally negotiating with other vendors about better support for security standards. "We've already managed to persuade Cisco," says Knubben. "Their mail appliances now carry out DANE validation before delivering mail. We're currently talking to Proofpoint, Fortinet and others about enabling DANE validation. The talks are going well: both have said that they'll implement DANE. However, it's still important that individual government bodies and other organisations keep telling their vendors that they want these security standards enabled."