By Stephane Charbonneau | October 27, 2011 10:45 AM EDT
In recent years, enterprises and government organizations have started shifting their IT infrastructures to a cloud computing and software-as-a-service model in an effort to lower costs and drive operational efficiencies. With the shift toward less IT infrastructure management, cloud services offer organizations a powerful way to concentrate on core business practices rather than on managing IT. By conducting more and more business through the cloud, however, organizations are also introducing a new set of concerns about the security and privacy of data.
Leading analyst firms such as Forrester and Gartner have identified cloud security as a major area of concern as organizations move toward increasing the amount of data in the cloud. Primary concerns include the viability of cloud vendors, user access, data privacy, regulatory compliance and data location.

Enterprises and government organizations are becoming steadily more conscious of data security and are making significant investments to ensure that data is secure and that they are compliant. Meanwhile, they are moving data into the cloud in an effort to create efficiency. The end result is situations in which organizations may no longer be in control of their data and are putting it at risk of accidental leakage, which could have severe consequences.
Email Security Concerns: The True Cost of Data Leaks
An estimated 2.8 billion emails are sent every minute around the world. The amount of data shared in this manner is truly mind-boggling, and it quickly explains why email is the greatest area of security vulnerability in most organizations. While it is hard to fully measure the impact of email data breaches - accidental or deliberate - as most go unreported, it is safe to say that, based on the examples that are available, the legal, financial and other implications are great.
In 2010, a senior high-yield analyst at UBS sent an email containing valuation information regarding the $13 billion General Motors initial public offering. The email was sent the night before GM filed its terms for the IPO, breaking SEC fair disclosure rules. SEC regulations forced GM to report the incident and drop UBS as an underwriter for the IPO. Just a couple of months later, an employee at Royal Bank of Scotland (RBS) sent an unauthorized email to institutional investors about an impending $1.6 billion initial public offering by Nielsen Holdings. RBS had been a proposed underwriter for the IPO, but subsequent to the email, which again broke SEC fair disclosure rules, Nielsen filed an amended registration statement with the U.S. SEC that omitted RBS as an underwriter.
These incidents occurred within the confines of the corporate firewall. When email data is moved from highly secure corporate servers to the cloud, organizations open themselves to the potential for data to be exposed, or to being unable to clearly demonstrate that they are meeting compliance requirements.
Does Email Security Exist in the Cloud?
Email in the cloud offers a multitude of benefits, yet security considerations have made many organizations reluctant to leverage its potential. Organizations should carefully consider the impact of email in the cloud and map out a strategy that enables them to both maximize the security of corporate systems and efficiencies of cloud services. This is where a hybrid email strategy emerges - where email can be handled both in and out of the cloud to make the most of both worlds.
This strategy enables organizations to control what data can move between the enterprise and the cloud, and it relies on content analysis and classification of email. Ideally, a user-driven approach to email classification would be at the core of this strategy. Users, as content authors, are most knowledgeable about the data and are best qualified to make decisions about how it should be handled. This also helps to eliminate delays and false positives that can occur when decisions are made by a server, and ensures that data is not accidentally sent to the cloud when it should remain in the corporate domain.
With users classifying every email before it leaves their desktop and moves to the cloud, critical data can be prevented from being read by unauthorized users, or in some circumstances even blocked from crossing to the cloud at all. This also helps to ensure that the handling of data is in line with compliance requirements, and a well-documented audit trail is created.
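The boundary check described above, sketched as an added example that is not code from the article or from any product: a gateway reads the label the user applied, decides whether the message may cross to the cloud, and emits an audit record. The header name `X-Classification`, the four labels, the policy table and the choice to hold unlabelled mail on premises are all assumptions made for illustration.

```python
import hashlib
import json
from email import message_from_string

# Hypothetical policy: user-applied label -> action at the enterprise/cloud boundary.
POLICY = {
    "PUBLIC": "deliver_cloud",
    "INTERNAL": "deliver_cloud",
    "CONFIDENTIAL": "keep_on_premises",
    "RESTRICTED": "block",
}
# Most restrictive first; used when a message carries conflicting labels.
SEVERITY = ["block", "keep_on_premises", "deliver_cloud"]
LABEL_HEADER = "X-Classification"  # assumed header name written by the mail client


def route_message(raw):
    """Return an audit record with the routing decision for one RFC 5322 message."""
    msg = message_from_string(raw)
    labels = [v.strip().upper() for v in msg.get_all(LABEL_HEADER, [])]
    if not labels:
        # Fail closed: mail the user never classified does not leave the enterprise.
        action, reason = "keep_on_premises", "unlabelled"
    elif any(lab not in POLICY for lab in labels):
        action, reason = "keep_on_premises", "unknown_label"
    else:
        # With several labels present, the most restrictive action wins.
        action = min((POLICY[lab] for lab in labels), key=SEVERITY.index)
        reason = "policy" if len(set(labels)) == 1 else "conflicting_labels"
    return {
        "message_id": msg.get("Message-ID", ""),
        "labels": labels,
        "action": action,
        "reason": reason,
        "sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
    }


# Constructed sample messages (not real traffic).
SAMPLES = [
    "Message-ID: <1@example.com>\nX-Classification: Internal\nSubject: Lunch\n\nNoon?",
    "Message-ID: <2@example.com>\nX-Classification: Restricted\nSubject: IPO terms\n\nDraft.",
    "Message-ID: <3@example.com>\nSubject: No label\n\nHello.",
    "Message-ID: <4@example.com>\nX-Classification: Public\nX-Classification: Confidential\n\nFwd.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(json.dumps(route_message(sample)))  # one audit-trail line per message
```

The record stores a SHA-256 of the message rather than its content, so the audit trail does not itself become a copy of the sensitive data.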
By creating an email security strategy that works in a hybrid environment, organizations have peace of mind that they are able to enforce security while extending their corporate security and corporate policies into the cloud. By implementing a strategy with user-driven classification at the core, organizations help to raise end-user awareness about how data should be handled both in and out of the cloud, and reinforce overall security policies.
Copyright © 2011 Ulitzer, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Stephane Charbonneau
Stephane Charbonneau is Chief Technology Officer at TITUS (www.titus.com). He has 15 years of experience working with international organizations in the public and private sectors. He worked as senior security architect at a major US financial institution and in several Canadian federal government departments. He graduated from Canada’s University of Waterloo with an Honors Degree in Computer Science.

Ulitzer content is offered under Creative Commons "Attribution Non-Commercial No Derivatives" License.
For any reuse or distribution, you must make clear to others the license terms of this work.
The best way to do this is with a link to this web page.
Any of the above conditions can be waived if you get written permission from Ulitzer, Inc., the copyright holder.
Nothing in this license impairs or restricts the author's moral rights.