Email security
This scenario is for ISVs that provide email security by redirecting email traffic to the ISV's cloud. The purpose of such an integration is to give MSPs the ability to protect their customers' mailboxes and scan emails for malware, phishing and spam.
Recommended Extension points
To extend Acronis Cyber Platform with Email Security capabilities, the following Extension Points should be used:
Integration settings - to enable the integration, provide credentials for accessing the ISV cloud and map ISV customers to Acronis customers.
Roles - to define which Platform roles will have access to Email Security functionality.
Alerts - to display alerts and events generated by the Email Security service.
Main menu - to configure tenant-level settings for customers.
Widgets - to display Email Security status.
Integration settings
Email Security is a customer-level application. This means that the Partner needs to enable the integration for each End Customer individually. Typically, Email Security integration contains the following settings:
Client ID and client secret - required to authenticate to the ISV cloud and fetch the list of End Customers. These settings enable the integration for the Partner.
Customers mapping - a list of customers fetched from the ISV cloud, in which each ISV customer can be mapped to an existing customer in Acronis Cyber Platform or to a newly created corresponding customer. Mapping an ISV customer to an Acronis customer enables the application for that specific customer.
Application configuration and mapping can be done only by the Partner and cannot be done by End Customers.
Roles
For the Email Security application, it is recommended to use the following Acronis roles:
Company Admin or Management Portal Administrator - required to enable the integration and perform customer mapping.
Company Admin, Protection Cyber Administrator or Protection Administrator - grants full access to the application functionality. Allows users to check and modify the configuration, work with alerts, change reports, etc.
Protection Read-only Administrator - grants read-only access to the application. Users with this role can see the alerts raised by the integration and the customer settings.
Users who don’t have any of the roles above should not have access to Email Security functionality.
Alerts
It is recommended to report malware detections in emails in the form of alerts. Alerts must be submitted as a new alert type and contain the following parameters:
Threat name.
Action executed upon the threat detection.
MD5, SHA1, SHA256 checksums of the detected object.
General email information (sender, subject, received date, etc.).
Email account.
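The following added example (not code from the platform or its SDK) builds one alert record carrying the parameters listed above from a raw message, hashing the decoded attachment and rejecting a record with any parameter missing. The key names, the `build_alert` and `clean` helpers and the sample message are assumptions made for illustration.

```python
import hashlib
from email import message_from_bytes, policy

# Parameters the page lists; key names are assumptions, not a platform schema.
REQUIRED = ("threat_name", "action", "md5", "sha1", "sha256",
            "sender", "subject", "received", "email_account")

# Constructed sample message with one base64 attachment (not real traffic).
SAMPLE_EML = (
    b"From: billing@sender.example\r\n"
    b"To: alice@customer.example\r\n"
    b"Subject: Invoice 1042\r\n"
    b"Date: Tue, 05 Mar 2024 09:15:00 +0000\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attachment.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\naGVsbG8=\r\n"
    b"--b1--\r\n"
)

def clean(value, limit=256):
    """Header values are sender-controlled: collapse whitespace, cap length."""
    return " ".join(str(value or "").split())[:limit]

def build_alert(raw_eml, mailbox, threat_name, action):
    """Return an alert dict for the first attachment found in raw_eml."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    part = next(msg.iter_attachments(), None)
    if part is None:
        raise ValueError("message has no attachment to report")
    blob = part.get_payload(decode=True)  # bytes after transfer decoding
    # The Date header stands in for the receipt time a scanner would record.
    alert = {
        "threat_name": clean(threat_name),
        "action": clean(action),
        "md5": hashlib.md5(blob).hexdigest(),
        "sha1": hashlib.sha1(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "sender": clean(msg["From"]),
        "subject": clean(msg["Subject"]),
        "received": msg["Date"].datetime.isoformat() if msg["Date"] else "",
        "email_account": clean(mailbox),
    }
    missing = [key for key in REQUIRED if not alert[key]]
    if missing:
        raise ValueError("alert is missing: " + ", ".join(missing))
    return alert
```

The protected mailbox is passed in explicitly rather than read from the `To` header, because aliases and blind copies mean the header does not always name the account that received the message.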
Widgets and Reports
The Email Security application should create several widgets to report the protection state. For example:
A historical diagram of email scanning alerts.
List of the top 5 mailboxes with the highest number of alerts.
List of the 5 latest alerts generated by the Email Security application.
These widgets should be declared by the application. The widget data must be based only on alerts or workload attributes submitted by the application.
It is recommended to add application-specific widgets to the Overview dashboard in Acronis Cyber Protection Console and in the Detected Threats report. Additionally, the application may register a new custom report on email security with all the widgets created by the application.