Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Secure email gateways and IAM: where the real control gap is


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Secure email gateways still matter because they stop phishing, malware, and spoofing before delivery, but identity-based attacks increasingly bypass mailbox perimeter controls once an account is compromised, according to SecurEnds. The real security problem is not email filtering alone, but whether IAM and lifecycle governance can prevent trusted identities from being abused inside cloud email platforms.

NHIMG editorial — based on content published by SecurEnds: secure email gateway guidance and the role of identity governance in email security

Questions worth separating out

Q: How should security teams use secure email gateways without overrelying on them?

A: Treat the gateway as a perimeter control, not a complete email security programme.

Q: Why do compromised email accounts still create business email compromise risk?

A: Because once an attacker controls a valid mailbox, the messages often look legitimate to users and to some security tools.

Q: What breaks when email access reviews are infrequent?

A: Stale accounts, excessive delegation, and orphaned mailboxes remain trusted long after business need changes.

Practitioner guidance

  • Tie mailbox access to lifecycle controls Make sure joiner-mover-leaver processing removes mailbox access when a role changes or employment ends.
  • Add identity monitoring to email defense Use mailbox anomaly signals, impossible travel, unusual forwarding rules, and suspicious sender behavior to detect compromise after delivery.
  • Verify mail routing end to end Confirm that all inbound and outbound mail actually traverses the secure gateway, including cloud-to-cloud connectors and legacy routes.

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • Configuration guidance for routing Microsoft 365 and Google Workspace mail through a secure gateway
  • Detection methods such as sandboxing, heuristic scanning, and URL analysis explained in implementation terms
  • Questions to ask vendors about zero-day handling, policy management, and compliance reporting
  • How identity governance complements gateway controls in real deployment environments

👉 Read SecurEnds' analysis of secure email gateways and identity risk →

Secure email gateways and IAM: where the real control gap is?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Email security is now an identity governance problem, not just a filtering problem. Secure email gateways reduce exposure at the perimeter, but they cannot solve trusted-account abuse after compromise. Once a mailbox is legitimate in the system, the attacker’s activity often blends into normal communication patterns. The implication is that email defense has to be measured by identity integrity as much as message interception.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how far identity governance still has to go before perimeter controls can be considered sufficient.

A question worth separating out:

Q: Who is accountable when a secure email gateway misses an identity-led attack?

A: Accountability sits across security operations, IAM, and the business owners who approve access. Gateway teams own message inspection, but identity teams own whether the mailbox should still exist, still have that privilege, or still be delegated. Mature programmes treat email compromise as a shared control failure, not a single-tool failure.

👉 Read our full editorial: Secure email gateways are not enough for identity-based attacks



   
ReplyQuote
Share: