Ideally, there would be no sensitive data in email, or it would be encrypted. Email is an unsafe and unreliable service, and it leaks like a sieve. It was never meant to be ‘secure’, and it is not. While careful administration and reliable technology can protect stored email from unauthorized access, hacking into PST files is not the major source of email leaks. Unanticipated use of the ‘forward’ button, followed by user addressing errors and lost laptops, are the biggest sources of email ‘breaches’. NOTHING sensitive should be in email without encryption.
Practically, this isn’t going to happen without widespread use of a more sophisticated form of DLP than we have now. A further reality of life is that a store of mildly sensitive messages amounts in aggregate to something of significantly higher sensitivity.
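The leak paths named above (the ‘forward’ button, addressing errors, unencrypted sensitive content) and the aggregation point (a store of mildly sensitive messages adding up to something more sensitive) can be made concrete with a small outbound-mail gate of the kind a DLP control would apply. This is an added example, not code from the post or from any product or vendor it mentions; the internal domain, the detection patterns, the thresholds and the sample messages are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumed employer domain for this example (constructed, not from the post).
INTERNAL_DOMAIN = "example.com"

# Illustrative detectors only; a real DLP policy would carry many more.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "marker": re.compile(r"\b(?:confidential|internal only)\b", re.IGNORECASE),
}


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    encrypted: bool = False   # end-to-end encrypted (e.g. S/MIME) or not
    forwarded: bool = False   # True when the user pressed "forward"


def sensitive_findings(msg):
    """Names of the patterns matched in subject or body, sorted."""
    text = f"{msg.subject}\n{msg.body}"
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text))


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(msg):
    return [r for r in msg.recipients if domain_of(r) != INTERNAL_DOMAIN]


def lookalike_recipients(msg, threshold=0.85):
    """Recipients whose domain is nearly, but not exactly, the internal one:
    the usual shape of an addressing error (typo or look-alike domain)."""
    hits = []
    for r in external_recipients(msg):
        ratio = SequenceMatcher(None, domain_of(r), INTERNAL_DOMAIN).ratio()
        if ratio >= threshold:
            hits.append(r)
    return hits


def gate(msg):
    """Return (verdict, reasons). Verdicts: allow, warn, block."""
    findings = sensitive_findings(msg)
    if not findings:
        return "allow", []
    if msg.encrypted:
        return "allow", [f"sensitive ({', '.join(findings)}) but encrypted"]
    reasons = []
    ext = external_recipients(msg)
    if ext:
        reasons.append(f"unencrypted {', '.join(findings)} to external {', '.join(ext)}")
    look = lookalike_recipients(msg)
    if look:
        reasons.append(f"possible misaddressing: {', '.join(look)}")
    if reasons:
        return "block", reasons
    if msg.forwarded:
        return "warn", [f"forwarded message carries {', '.join(findings)}; sender should confirm"]
    return "allow", [f"internal-only {', '.join(findings)}"]


def mailbox_sensitivity(messages, aggregate_threshold=3):
    """Classify a whole store. Any one message rates at most 'low'; enough of
    them together are treated as 'high' (the aggregation risk)."""
    hits = sum(1 for m in messages if sensitive_findings(m))
    if hits == 0:
        return "none"
    return "high" if hits >= aggregate_threshold else "low"


# Constructed sample messages.
SAMPLE = [
    Message("alice@example.com", ["bob@example.com"], "Lunch", "Noon?"),
    Message("alice@example.com", ["bob@example.com"], "Q3 plan", "INTERNAL ONLY draft attached"),
    Message("alice@example.com", ["partner@vendor.example"], "Re: Fwd: onboarding",
            "Her SSN is 123-45-6789", forwarded=True),
    Message("alice@example.com", ["bob@exampel.com"], "Payroll",
            "Confidential: card 4111 1111 1111 1111"),
    Message("alice@example.com", ["bob@example.com"], "Contract", "CONFIDENTIAL terms",
            encrypted=True),
]

if __name__ == "__main__":
    for m in SAMPLE:
        verdict, reasons = gate(m)
        print(f"{m.subject!r}: {verdict} {reasons}")
    print("mailbox:", mailbox_sensitivity(SAMPLE))
```

The gate never inspects how the mail is stored; it acts at the point the post identifies as the real leak, the moment a person sends or forwards, and it treats a near-miss domain as a reason to stop rather than merely warn. The aggregate classifier is the other half of the argument: the threshold is arbitrary here, but it shows why a mailbox export or a lost laptop deserves a higher rating than any single message in it.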
Many early email service providers fully recognized the sensitive nature of email. While it is difficult to prove whether or not they took adequate pains to secure it, many providers apparently put a lot of attention into it. Vendors that accommodated highly regulated customers put additional emphasis into archiving, and however clumsy the interface to the stored data, countless e-discovery processes have demonstrated a useful level of reliability in the archiving process and in the safe maintenance of that saved data.
Ultimately, asking how secure SaaS is becomes tantamount to asking how high is up. Until a set of standards is established and a reliable third-party testing system appears, customers looking to save a buck will just have to tough it out. SAS 70 is NOT the answer to this problem (see the research note that French and I released this week, SAS 70 is Not Proof of Security, Privacy, or Continuity Compliance). ISO 27001 is not bad, although it is weak in addressing the unique risks associated with the design and build of new computing models and proprietary technology. BS 25999 may prove adequate for continuity and recovery, but it has even less traction than the ISO security standard.
From the user point of view, the convenience of SaaS-based mail cannot be denied. While Gartner has concerns about enterprise administrative functionality, it is the case that the employer can have a useful level of control over a SaaS-based email system that it purchases and provides its employees. If IT won’t meet user demands, some users are just going to go get their own web-based mail account, and it will be invisible to the enterprise until the inevitable security, continuity, or legal failure.
The only simple answer is “if you need a lot of control, then don’t give up control to someone else.” If you only need some control, then some products are probably adequate, but given the sensitivity of email, this still raises a very difficult question: “if a failure occurs, can you adequately defend your decision to use this service?” Choose wisely.
Category: Applications, Cloud, risk management, security, Vendor Contracts. Tags: 25999, 27001, certification, email, SaaS, SAS70, security

Jay Heiser
4 responses so far
1 John Kelly June 30, 2010 at 10:55 am
Hi Jay, We met briefly at the Summit last week. I attended the Research Factory session and voted for your SPA. Do you feel SaaS-based email does not put a company in danger of a major business impact by 2012? I would personally be devastated by a loss or corruption of email data.
Thanks,
John
2 Jay Heiser June 30, 2010 at 11:03 am
The SaaS-based email systems offering archiving are probably doing a good job of it. There have been many opportunities for their clients to encounter missing email when they do e-discovery, so the civil legal system effectively provides an ongoing testing of email.
There are a raft of small email service providers that don’t support archiving, and not all customers are taking advantage of archiving when it is offered, so there are still a lot of opportunities for an unrecoverable mail cloud meltdown.
3 Tweets that mention Why I’m ambiguous about SaaS email -- Topsy.com June 30, 2010 at 4:30 pm
[...] This post was mentioned on Twitter by Gary Meadows. Gary Meadows said: Why I’m ambiguous about SaaS email http://ping.fm/KcDJL [...]
4 James Blake July 16, 2010 at 6:48 am
You bring up some interesting points in your posting, especially with regard to the suitability of existing security standards and certifications to evaluate vendors utilising what is a fairly new and evolving delivery model.
The work by Cloud Security Alliance and Cloud Audit is making good progress in delivering a set of recommended controls specific to the cloud, along with a mechanism for third-party evaluation of conformance, but in the meantime customers just have to exercise caveat emptor on a case-by-case basis.
Customer due diligence is the key in choosing to outsource your email to a third-party, but this due diligence has to take into account what you actually do on-premise as a baseline and not have some utopian expectation.
I work as the CSO for a leading email management SaaS vendor and I can’t tell you the number of 300- to 400-question RFPs we receive from customers who’ve searched for them on the Internet. On closer inspection of the customer’s current solution you find PST files scattered across their network, unencrypted archive databases, countless email and archive administrators, single points of failure and fragmented, inconsistent administration across the multiple platforms that form their email infrastructure.
In these instances moving to the cloud is going to instantly deliver improvements over their existing security, but still these customers hold irrational fears because they are nervous about moving their data from a data centre where they can touch and feel the hardware to a service that abstracts it all away. They deliberately build a level of expectation that far exceeds their current level of security as a mechanism to justify not moving to the cloud.
Security breaches are bad for cloud service providers: they elongate the sales cycle, increasing the cost-to-sell; they impact renewal revenue, which is the means of survival for most cloud vendors; and breaches play into the hands of on-premise vendors using FUD to put customers off considering the cloud. Cloud vendors cannot get away with throwing a bunch of hardware and software into a customer data centre and disappearing for three years until the next upgrade is due.
Cloud vendors are judged day-in day-out by the performance, and the security, of their services. Due to this, most cloud providers take considerable effort to ensure their environments, platforms and services are secure.
Not all cloud vendors are created equal, however; many aren’t true cloud services. They are the latest incarnation of what were application service provider or management service provider platforms, re-purposing on-premise appliances or software by just creating a web front-end to products which are often ill-suited to run in multi-tenant environments. Customer due diligence must identify these kinds of ‘cloud’ offerings and the risks that are inherent to these environments (for instance client separation; end-to-end encryption; chains of custody for data that may need to be used as evidence at a later date).
Email is a critical business tool, but a commodity, which makes it a prime candidate for outsourcing to a cloud provider. Cloud providers will often deliver immediate benefits in security, but potential customers must exercise the appropriate due diligence and weigh the results against their current environments as a baseline. Many customers will find themselves pleasantly surprised by decreased cost, increased functionality and increased security.