With many organizations moving toward hosted Exchange services, it's a feeding frenzy for vendors that host Exchange services. However, jumping right into a hosted environment without looking past the marketing or sales talk can be a recipe for trouble.
Features, uptime and manageability are often key selling points for cloud-based messaging services. If you're serious about hybrid Exchange, think things through and ask the tough questions about vendors' hosted Exchange security.
Vendors for hosted Exchange options are everywhere. But it's not quantity that matters; it's the overall quality of the option and how seriously vendors take information security and resiliency. These will no doubt vary. Here are six hosted Exchange security questions to ask vendors when planning your environment.
- What are your plans to keep data safe and available in case of an outage, environmental disaster or hardware failure?
As we often see in the headlines, many cloud vendors haven't thought these scenarios through enough to effectively respond to serious events, especially if they've never experienced such an outage. Make sure your vendor has a detailed cloud disaster recovery plan in place to protect your Exchange data.
- How will you respond to security-related incidents?
Simply having a disaster recovery or a higher-level business continuity plan is not enough. You need to know specifics on how these vendors will address areas such as intrusion monitoring and detecting anomalous network behavior as well as how they'll respond to denial of service attacks and known breaches.
- What additional security controls do you offer beyond the basics?
According to recent security surveys, a large number of companies have at least one employee with compromised credentials as well as a number of end users who reuse passwords across applications. In addition to this, the average company uses hundreds of cloud services. Will you be able to monitor Exchange account usage and how end users interact with other cloud services? Does your hosted Exchange vendor offer such services? Can you integrate your technologies within their platform?
- How do you address email archiving?
In particular, you'll want to find out how long vendors keep email, other collaboration data and any backups. How does this correspond with your organization's specific data retention policy or requirements? You may find there are conflicts in this area, perhaps even violating your own contracts with customers and business partners.
- What types of security testing do you perform, including external and internal network hosts and the Web front-end?
Expect to hear periodic vulnerability scanning and internal audits at a minimum. SOC 1 or SOC 2 audit reports will tell you very little in terms of technical security vulnerabilities such as SQL injection, missing patches, weak passwords and other security issues that get people into the most trouble.
- Do you have someone on staff responsible for security compliance of your cloud environment?
Someone needs to internally oversee information risks, at a minimum. An ideal scenario would be to have a specialist focusing on customer-facing security and compliance options for their service offering. Third-party oversight will work too -- just make sure someone is doing it.
Consider your own Exchange configuration, business needs and risk tolerance for all of these areas. Your situation will be different from others, and you shouldn't just fall into the mold of what the hosted Exchange vendor thinks is best.
"There is nothing quite so useless, as doing with great efficiency, something that should not be done at all," said management consultant Peter Drucker. You're outsourcing Exchange systems for a reason, but no one will care about the security of a messaging environment as much as you care. Service-level agreements are one thing, but reality is another.
Drucker also said what's measured improves and stays in check. Find out what you're getting into in terms of hosted Exchange security and, just as importantly, keep vendors honest by keeping tabs on how things are going. When choosing a vendor to outsource your Exchange setup, follow the age-old security principle: Trust, but verify.
About the author:
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio booksand blog providing security learning for IT professionals on the go. Kevin can be reached atwww.principlelogic.comand you can follow him on Twitter, watch him on YouTube and connect to him on LinkedIn.
Basic security questions for hosted Exchange providers
The pros and cons of Microsoft Exchange Online
Hosted Exchange: What are your options?