This week, I had the opportunity to record an interview with Tom Shinder and Yuri Diogenes of Microsoft; the topic was security in cloud-based email systems, including Microsoft Office 365. It was an interesting interview; it hasn't been posted yet, but you should eventually be able to see it on From End to Edge and Beyond. There was one aspect of this topic that I wanted to go into in more detail.
Oftentimes, customers who are considering hosted services, or considering outsourcing their current services to on-site staff from another company, express concern that the hosting providers or outsourced employees will do something malicious. "How can I protect my business and data?" they ask.
The only answer to that question used to be the phrase made famous by long-time Exchange MVP Ed Crowley: "There are seldom technological solutions to behavioral problems." Given the new technical controls that Microsoft Exchange Server 2010 gives us, is that still true?
The answer is simple: It's more true than ever.
The advent of hosted email solutions means that the number of people who could potentially read or tamper with your mail is probably greater than it would be if you maintained an on-premises system. The good news is that Microsoft has taken a number of visible steps to reduce the security risks associated with hybrid or pure-hosted Exchange deployments:
- Microsoft's cloud operations are certified to meet the SAS 70 and ISO/IEC 27001:2005 standards for security. These standards set out a long list of physical, electronic, and policy security controls that must be consistently applied to win certification. Although it might be tempting to dismiss the value of certification, Microsoft clearly recognizes the marketing value in maintaining these certifications when so many of its cloud competitors do not.
- Exchange 2010 Role Based Access Control (RBAC) gives you and Microsoft an effective means of separating access to objects. You can manage things that belong to you, such as users, contacts, and some access settings, and Microsoft gets exclusive access to manage things such as servers, mailbox databases, and Client Access server URLs. Neither side can touch objects they shouldn't.
- Exchange 2010 also includes a robust set of tools for auditing changes made to the environment by administrators. This is distinct from user-level audit logging, which is still weak, unfortunately. However, the admin audit logs give you a good way to keep track of what changes were made, when they were made, and who made them.
- The links between you and the Office 365 installation are encrypted. This goes for mail transport, directory sync, and client access. Compare that to typical environments where SMTP traffic flows freely without any sort of encryption in place.
In the end, though, the same two factors that protect your on-premises environment still reign supreme in the cloud world. The first factor is financial: Most rational people won't do anything that they know will cost them large sums of money. This rule is generally true of companies as well as individuals; Microsoft has a strong vested interest in maintaining the security of its customers' data because a serious breach would drive customers away en masse.
The second reason, of course, has to do with the sheriff, or whoever provides your local law enforcement. There's a small minority of administrators who might be tempted to misuse their access, but within that minority, the vast majority of would-be miscreants are well aware of the legal risks they'd face from stealing data, so they don't do it. For the rest, well, that's why you need good audit logs and forensic skills, so you can prove your case against them.
Privacy and cloud-based email, however, is a very different matter. I'll have more to say about that issue in a future UPDATE.