Blogger: Eric Maiwald
Email is information on the move! It is different from information at rest.
In talking to analysts in Burton Group's Collaboration Strategies Service about one of their talks at Catalyst, I heard a very disturbing idea. We were discussing hosted email, and one of the analysts, Bill Pray, mentioned that enterprises moving toward hosted email (email in the cloud) were keeping "sensitive" departments (HR, Finance, etc.) on internal email systems. The reasoning was that these departments deal with sensitive information and therefore should not be on a hosted system.
But wait! This assumption may sound right on its face, but it does not hold up under further analysis. Back in (ancient) history, information was stored in filing cabinets. The cabinets in HR and Finance were locked to keep unauthorized people from seeing what was inside. As we moved to a more computerized environment, sensitive departments were given their own file servers, so all of the sensitive information was stored together and the number of people authorized to access it was limited. This worked because the information was at rest: it stayed where it was put, and the control was attached to that location.
Email is information on the move, and it violates that base assumption. You can segregate the email systems of HR, Legal, Finance, and other sensitive departments to protect them, but as soon as someone sends a message out of the protected environment, all bets are off! Most email is likely to be between team members, but not all of it. Just think about HR. Employees send sensitive messages to HR, and HR sends sensitive messages back to employees, so the sensitive information now exists in the mailbox of every employee involved, and in whatever system holds that mailbox, not just within the HR email system. The same is true for every other "sensitive" department.
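To make the point above concrete, here is an added example (not code from the original post) that models where copies of a message end up once it is sent. The departments, mailboxes, placement table and log lines are all constructed for the illustration; the log format is a made-up "msg= from= to= subject=" line, not any real mail server's format. Given a department that has been kept on the segregated internal system, it counts how many of that department's messages actually stay confined there and how many land on the hosted system or outside the organization.

```python
"""
Where does a message end up once it is sent?

Constructed sample data: the mailboxes, departments, placement table and
log lines below are made up for this illustration.
"""
from collections import Counter
from dataclasses import dataclass
import re

# Which mail system each department's mailboxes live on. "internal" is the
# segregated on-premises system for the sensitive departments; everyone
# else is on the hosted service. (Hypothetical placement for the example.)
PLACEMENT = {
    "HR": "internal",
    "Finance": "internal",
    "Legal": "internal",
    "Engineering": "hosted",
    "Sales": "hosted",
}

# Mailbox -> department. Addresses are constructed.
DIRECTORY = {
    "alice@example.com": "HR",
    "bob@example.com": "HR",
    "carol@example.com": "Finance",
    "dave@example.com": "Engineering",
    "erin@example.com": "Sales",
}

# Constructed log lines in a simple made-up "from=... to=... subject=..." format.
SAMPLE_LOG = """\
msg=1 from=alice@example.com to=bob@example.com subject="Q3 headcount plan"
msg=2 from=alice@example.com to=dave@example.com subject="Your salary adjustment"
msg=3 from=erin@example.com to=alice@example.com,bob@example.com subject="Medical leave request"
msg=4 from=carol@example.com to=dave@example.com,erin@example.com subject="Expense policy update"
msg=5 from=dave@example.com to=erin@example.com subject="Sprint planning"
msg=6 from=bob@example.com to=recruiter@partner.example subject="Candidate background check"
"""

LINE_RE = re.compile(r'msg=(\d+) from=(\S+) to=(\S+) subject="([^"]*)"')


@dataclass
class Message:
    msg_id: int
    sender: str
    recipients: tuple
    subject: str


def parse_log(text):
    """Parse the constructed log format into Message records."""
    messages = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        messages.append(Message(int(m.group(1)), m.group(2),
                                tuple(m.group(3).split(",")), m.group(4)))
    return messages


def system_for(mailbox):
    """Which mail system stores a copy of mail for this mailbox."""
    dept = DIRECTORY.get(mailbox)
    if dept is None:
        return "external"  # not one of ours: outside any system we control
    return PLACEMENT[dept]


def touches_department(msg, dept):
    """True if the sender or any recipient belongs to the department."""
    parties = (msg.sender,) + msg.recipients
    return any(DIRECTORY.get(p) == dept for p in parties)


def systems_holding(msg):
    """Every system that ends up holding a copy of the message."""
    return {system_for(p) for p in (msg.sender,) + msg.recipients}


def containment_report(messages, dept):
    """
    For every message involving `dept`, count where copies end up.
    Returns (messages involving dept, messages confined to the internal
    system, Counter of messages per system they escaped to).
    """
    involved = [m for m in messages if touches_department(m, dept)]
    confined = 0
    escaped_to = Counter()
    for m in involved:
        systems = systems_holding(m)
        if systems == {"internal"}:
            confined += 1
        else:
            for s in systems - {"internal"}:
                escaped_to[s] += 1
    return len(involved), confined, escaped_to


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    total, confined, escaped = containment_report(msgs, "HR")
    print(f"HR messages: {total}, confined to internal system: {confined}")
    for system, n in escaped.items():
        print(f"  copies also held on {system}: {n}")
```

Run against real mail logs, the same kind of count is the check to do before deciding that a department "stays internal": if any meaningful fraction of its traffic lands on the hosted system anyway, the segregation is not protecting what it was meant to protect.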
Don't just assume that the paradigm used for information at rest works for information in motion. The two have to be treated differently!
Of course, the bottom line for very sensitive information is: do not send it over email in the first place. If you absolutely, positively have to send very sensitive information over email, use an encryption mechanism together with a strong authentication mechanism to protect it, so that the protection travels with the message instead of depending on which mail server happens to hold it.

Eric,
I agree. Segregating HR, Legal, and Finance's email is a bad idea and bound for failure.
Most cloud-based email platforms provide encryption capabilities, e.g. Google Message Encryption[1] in Google Apps. Enterprises should use that instead.
1. http://www.google.com/a/help/intl/en/security/pdf/message_encryption.pdf
Posted by: Saqib Ali | June 26, 2009 at 02:42 PM
You know, I use hosted email all the time, and I never envision myself being taken advantage of, or my email being detected by a hacker, but this blog is making me rethink the whole thing.
Posted by: Electric bicycles | July 16, 2009 at 05:10 PM
Nice. This website has given the details of the risks with hosted email. We came to know a lot of things about how hosted email is creating problems or risks.
www.ermsummit.com
www.gsmiweb.com
Posted by: PSI | August 24, 2009 at 07:53 AM