I've come across sizable businesses in recent years with network admins and security staff who believe they can just outsource their Exchange environment to the cloud and "be done with it." Hosted Exchange services are a great option for many organizations, but you have to be careful. Outsourcing doesn't absolve you of security and other IT responsibilities just because a trusted third party is managing your business's messaging system.
Even the most seasoned IT and security experts can get caught up in the cloud hype simply because they see hosted Exchange services as a way to take yet another system off their plate, and I don't blame them. Time is no doubt the scarcest resource in IT, but you still have to be smart about your approach to outsourcing what's arguably your most critical business system.
Outside of typical IT functions, areas affected when outsourcing Exchange also include legal, internal audit, compliance, security and general information risk management. You cannot just hand over the reins to a third-party hosted Exchange provider (even if it's a well-known name brand). There's just too much at stake.
Considerations for hosted Exchange services
There are some crucial things you need to consider beyond the sales pitches for hosted Exchange services and SSAE 16 audit reports that cloud vendors are often very proud of.
- Outlook Web Access and Exchange Servers are fair game for attacks. Be it password-cracking attempts against the Web front end or host-level attacks against the servers, they're just as susceptible to hacking and other abuse as they would be running on your own network if they're not properly tested on a consistent basis.
- Virus and spam protection, as well as ongoing security patches at the hosted environment, are great for locking down the servers, but the hosted environment is not where the real risk is. Even when you use cloud-based services, it's your own workstations -- especially the third-party software that's often all but ignored -- that create the most problems. The Verizon Data Breach Investigations Report and similar studies underscore the challenges with this.
- End users having "anywhere access" to resources such as their email, calendars and shared files via SharePoint means that your business information is accessible to anyone who comes into contact with a lost or stolen mobile device that's not properly protected.
- Realize that ActiveSync controls may not be enough. You may need a more scalable mobile device management system, such as AirWatch, or a more niche option, such as ZixCorp's ZixOne, to deal with your bring-your-own-device-borne Exchange challenges.
- Availability, resiliency and actual security are different things. Most cloud vendors are in the business of uptime. Data loss prevention is a whole different consideration, and some hosted Exchange vendors will offer this service. Email isn't the only escape route for your sensitive information. Furthermore, some vendors advertise that you can stay compliant by using hosted Exchange services, but it's not that simple. You've got to look at these issues and your environment holistically.
Six steps for securing hosted Exchange
After you've reviewed these considerations and decided to outsource your messaging environment to the cloud, take the following six steps to ensure your messaging environment stays safe.
- Determine specific business needs around security, not what the vendors want to sell you.
- Know where your information is. Here's a hint: Personally identifiable information and intellectual property are scattered throughout your Exchange environment.
- Understand your messaging risks. You have them and they're unique to your business.
- Understand how you need to manage email archiving and deletion for compliance, contractual obligations and other legal requirements.
- Ask your potential hosted Exchange provider cloud security-related questions and demand that any security deficiencies be resolved.
- Get others on board and keep them informed of what's going on. That way, you'll know what you're committing your business to in the form of policies, contracts and regulatory compliance.
If you look past the marketing fluff about hosted Exchange services, you might just find there's more to the messaging security equation than the "outsource it and forget it" mentality. Businesses that leverage the cloud with a hosted Exchange option are ahead of the curve. This simplification is one of the core positive elements of the cloud. Just know that talk is cheap -- get more information before you dive in.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.