Monday, May 1, 2017

Migrating email to the cloud as a security strategy

I feel like this article was actually written about 5 years ago, but there are still many organizations that aren’t leveraging a security rich cloud-based email system such as Office 365. Let’s face it, notwithstanding hard-dollar cost reduction, rarely is there a business need to switch email systems or email providers. Migrating email to the cloud is no different – unless the cloud has a compelling story.

In the recent past, I have found that it has been consistently difficult to find financial justification for moving email services to the cloud. Many times, it is hard to prove that the investment will pay off and quite often, it ends up simply being more expensive. While soft costs are something that should be considered, many small businesses don’t put as much weight in soft costs as they do hard dollar savings, so gaining any traction on these types of projects are tough.

Why then, should we be considering such a move? Risk Reduction!

I have seen many implementations of email systems - they typically consist of a cluster of servers with a disk array attached. Redundancy is accomplished with a combination of application features and tools based replication. … and, don’t forget about backup. Disk-to-disk and tape still exist to supplement grandfathering retention requirements. Add on the requirements the need for eDiscovery and true mailbox archiving, and you have yourself quite a robust system that likely grew incrementally over the years. Considering the already large footprint of your typical email system, we haven’t even started discussing email encryption, data loss protection, mobile access, storage sprawl, and the various spam and malware mitigation that is attached to most systems. When it comes right down to it, the on-premises email eco-system is huge, has a lot of moving parts and is difficult to manage, which makes it clear that it poses a major risk to the organization.

Many IT folks still running in-house email systems might call it heresy to suggest that we should entertain a cloud-based a strategy to enhance security and reduce risk, but when you take an objective look at the email mess that exists in many organizations, it only makes sense.

Cloud advocates like to tout the many benefits of the cloud, whether it be the elastic nature of cloud services or the availability of immense computing power at your fingertips, but lately its becoming a conversation of capability and simplicity – two very important components of a security strategy.

Some of my duties as a consultant have me tasked with running cost/benefit analyses, forecasting spend and justifying capital expenditures. As cloud technologies continued to mature, it became clear that there are many features offered in cloud-based email offerings that are either not available with in-house email or that those features will add cost and complexity to the already complex environment.

Here are some examples of what can be accomplished (or consolidated) with Office 365 and Microsoft’s offering in Azure:
• Self Service Password reset
• Data Loss Protection (DLP)
• Mobile Device Management (MDM)
• Email Encryption
• Multi-factor Authentication (MFA)
• Archiving, eDiscovery & Retention
• Rights Management (RMS)

How many of the technologies above do you have in your on-premises email deployment? How many vendors does this represent?

Don’t get me wrong, cloud-based offerings aren’t for everyone. Like any initiative, a healthy risk based review should be incorporated into any potential project, or corporate initiative. There are also challenges with the cloud and hybrid environments, but understanding these challenges and exploring opportunities (reducing risk by reducing complexity, taking advantage of advanced security solutions and consolidating vendors), will likely lead you toward identifying cloud based email, such as Office 365 as a great approach for your organization.

No comments: