Ideally, there would be no sensitive data in email, or it would be encrypted. Email is an unsafe and unreliable service, and it leaks like a sieve. It was never meant to be ‘secure’, and it is not. While careful administration and reliable technology can protect stored email from unauthorized access, hacking into PST files is not the major source of email leaks. Unanticipated use of the ‘forward’ button, followed by user addressing errors and lost laptops, are the biggest sources of email ‘breaches’. NOTHING sensitive should be in email without encryption.
Practically, this isn’t going to happen without widespread use of a more sophisticated form of DLP than we have now. A further reality of life is that a store of mildly sensitive messages amounts in aggregate to something of significantly higher sensitivity.
Many early email service providers fully recognized the sensitive nature of email. While it is difficult to prove whether or not they took adequate pains to secure it, many providers apparently put a lot of attention into it. Vendors that accommodated highly regulated customers put additional emphasis into archiving, and however clumsy the interface to the stored data, countless e-discovery processes have demonstrated a useful level of reliability in the archiving process and in the safe maintenance of that saved data.
Ultimately, asking how secure SaaS is becomes tantamount to asking how high is up. Until a set of standards is established and a reliable third-party testing system appears, customers looking to save a buck will just have to tough it out. SAS 70 is NOT the answer to this problem (see the RN that French and I released this week, SAS 70 is Not Proof of Security, Privacy, or Continuity Compliance). ISO 27001 is not bad, although it is weak in addressing the unique risks associated with the design and build of new computing models and proprietary technology. BS 25999 may prove adequate for continuity and recovery, but it has even less traction than the ISO security standard.
From the user point of view, the convenience of SaaS-based mail cannot be denied. While Gartner has concerns about enterprise administrative functionality, it is the case that the employer can have a useful level of control over a SaaS-based email system that it purchases and provides its employees. If IT won’t meet user demands, some users are just going to go get their own web-based mail account, and it will be invisible to the enterprise until the inevitable security, continuity, or legal failure.
The only simple answer is “if you need a lot of control, then don’t give up control to someone else.” If you only need some control, then some products are probably adequate, but given the sensitivity of email, this still raises a very difficult question: “if a failure occurs, can you adequately defend your decision to use this service?” Choose wisely.