As many enterprises and government organizations have begun to shift their IT infrastructures to cloud computing, and various SaaS (software-as-a-service) options have appeared to be the solution to cutting costs and improving operational efficiency, it’s time we took a look at the security and privacy of data in the cloud, in particular, data that is transmitted through emails.
Before we delve into the troubling news, it’s important to note that cloud security is a significant area of concern for many organizations in the process of increasing the amount of data they are putting in the cloud. According to leading technical research firms, such as Forrester and Gartner, major enterprise concerns include the viability of cloud vendors, user access, data privacy, regulatory compliance and data location.
Email Data Leaks
Each minute, around 2.8 billion emails are sent worldwide. This is an immense amount of data being shared and transmitted, which means that it is essential that this area can pose huge security vulnerabilities in many organizations. Unfortunately, the majority of email data breaches (both accidental and deliberate) go unreported. However, it’s clear that legal, financial and other implications of such breaches are significant.
Email Security Concerns
In the past, organizations have said that email posed too high a risk to trust to third-party service providers. However, with the recent rise in the adoption of cloud computing, particularly SaaS, more and more organizations are entrusting their email services to the cloud. The two most pressing security concerns are data segregation and user access rights.
The basic concept in cloud computing is the sharing of infrastructure between different businesses, which enables cost reduction and improved resource utilization. One organization’s data may end up on the same hard drive as other organizations’ information, which forces security experts to take a look at the physical and logical separation of information on these shared infrastructures. Other areas of concern include backups and lost or stolen hard drives.
User access rights consist of “who?” and “how?” Essentially, users are permitted access to information by their cloud service provider. Although cloud providers’ access control systems may meet or even exceed security standards, the risk of malicious or accidental user breaches are always present.
Certain organizations may be strongly committed to security, performing background checks on their employees, or other extensive screening processes to ensure that data is handled by the right people. By contrast, other organizations may neglect such practices all together. As the saying goes, security is only as good as the weakest link.
Hybrid Security Strategies
After considering the potential security risks and vulnerabilities of email in the cloud, it’s important that organizations consider a strategy that will enable them to leverage the security of corporate systems as well as the efficiencies and other advantages of cloud services. Security experts suggest a hybrid email strategy in which email can be handled both in and out of the cloud.
Hybrid strategies allow organizations to control the data that moves between the enterprise and the cloud infrastructures. Basically, such strategies rely on content analysis, classification of email and user-driven approaches. As content authors, users would be most capable to make essential data-handling decisions. Ideally, this approach would eliminate any delays and/or false positives that might occur with a server-based approach.
Such a strategy means that users are responsible for preventing emails from being read by unauthorized parties, or even from leaving the enterprise infrastructure at all. Ultimately, this can help to raise end-user awareness regarding data handling, thus reinforcing the enterprise’s security policies and fostering best practices.
This article takes a look at the security of email in the cloud. While the majority of email data breaches go unreported, the reality remains that the legal and financial implications of such breaches are significant. There are two main security concerns around email security: data segregation and user access rights. Finally, the article explores hybrid security strategies, in which email is safely handled both in and out of the cloud.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Multi-Tenancy (Domain 1)
- Enterprise and Information Risk Management (Domain 2)
- Third Party Management Recommendations (Domain 2)
- Provider Selection (Domain 8)
- Recommended Provider Tools and Capabilities (Domain 9)