Jan 21, 2013

Can cloud email be secure enough for enterprise?

Gmail has millions of users, and most of the people I work with have a personal gmail account, with few if any of them experiencing significant security issues. One thing that we have not explored as a company is using cloud based email, mainly out of security concerns. The CIO pointed out that LA had refused to allow the LAPD to use Google's email services in Apps for Government because they found it did not meet FBI CJIS requirements. Frankly, I assume that the main attack vector for email accounts is passwords, which is a problem that doesn't change significantly whether you are using your own server or a cloud based account. I guess it could be vulnerable during data transmission from the cloud server to the user too. Is there significantly more risk to cloud based email? Would you be comfortable with it for business use?

Here's an article that looks at the risks of cloud based email from the perspective of defense contractors, but I think some of this applies to businesses as well.

Dangers of Cloud Based Email

"Issues/Risks With “Cloud Email”

Email and attachments can be stored anywhere in the world
Cloud email providers typically claim a license on all content including emails
There are security reports and unclassified but restricted information that can not be sent to these email accounts
Information assurance regulations in the DoD will preclude using cloud email
FISMA applies to DoD contractors and requires protection of government information
Cloud software is acceptable if the provider provides a warranty and security controls which most cloud email providers do not"

Hello Friends,

A swath of the largest enterprises are steering clear of public cloud services because of security fears, says a survey by the Open Data Center Alliance (ODCA). The ODCA is an association of large enterprise IT executives that formed two years ago. It's chartered with formulating industry requirements for the migration to cloud computing. ODCA members shy away from the cloud due to the risk of a breach, or the risk of running into regulatory and compliance rules.
Stokes talked about an ODCA survey, where 40 percent of respondents cited security as the No. 1 inhibitor to using cloud services, followed by application migration regulatory issues and cloud on-boarding. Stokes said customers, vendors and cloud providers all must agree to deliver standardized security levels across products and providers.

Thanks and Regards,
Agili Ron



Colorado has started using a portal that adds additional levels of encryption to cloud based email to meet both HIPAA and CJIS standards. The state partnered with a company called Zix Corp (which I had never heard of before) to set it up. The contents of messages are encrypted and never readable when stored, and can only be read in the compose/read window of the logged-in user. In addition to encryption, the portal requires multi-stage authentication. I'm not sure what kind of cost we are talking about to do this, and it may not be particularly cost effective for private businesses.  On the other hand, a data breach is not particularly cost effective either!  



The risks of cloud-based email certainly seem to be a matter of some debate. But a recent survey by Osterman Research shows that 59% of enterprises with at least 5,000 employees plan to have cloud-based email within two years, while 93% of smaller enterprises plan to go to the cloud in that same time frame. So despite reservations about where their email data will be stored or who has control over it, enterprises are moving toward considering cloud-based mail an acceptable risk.


Even if you think your enterprise must go to the cloud, then there's the matter of picking a cloud vendor. This article has some advice on what to look for and what to ask. 



Answer this