Hosted Exchange Server providers seem to be multiplying by the day. I recently considered moving my own business...
to Exchange Online, but decided I was too much of a control freak to put my message stores and calendars in the cloud.
I've definitely seen benefits of moving Exchange Server to the cloud during security assessments, but one alarming aspect I've also noticed is that cloud security is frequently mismanaged and often ignored.
If you're shopping for a solid hosted Exchange provider, make sure to ask these six pertinent security questions:
1. Do you fully understand information security? Remember, security is a lot more than just passwords and SSL. It includes everything from the network hosts to Outlook Web App (OWA) to the actual physical security of the company's data centers.
2. What security frameworks do you follow? An SSAE 16 report is one thing, but what else is the hosted Exchange provider doing? The NIST Special Publication 800-144 Guidelines on Security and Privacy in Public Cloud Computing and the Cloud Security Alliance's Cloud Controls Matrix are a good start. Also, is the company listed on the cloud security alliance's Star Registry?
3. What do you offer for content filtering and data leakage prevention? Does the provider rely on tools built into Exchange Server, or does it allow you to add third-party security controls?
4. Do you offer additional managed security services? The provider should offer security services that track and record security anomalies in your Exchange messaging environment. Also, make sure to get its policy on patching and data backups.
5. Where are your data centers located? Cloud providers that cross state, provincial or international boundaries can create legal complexities you may not be willing or able to take on. This is especially important as it relates to information ownership, security incidents, forensics investigations and e-discovery requests.
6. How do you handle compliance? Run from any company that claims its managed service will magically make your messaging system "compliant" with state and federal privacy and security regulations. It's not that simple. Always remember that regulatory compliance does not come in a box or a cloud.
Your provider may or may not acquiesce when presented with these questions. It all depends on the size of your business, what industry you're in and the visibility the provider will receive.
More on hosted Exchange:
One of the biggest misconceptions surrounding the cloud is that you can just "set it and forget it." As we've all learned in IT, a big part of our job is making tradeoffs, and that is especially true in the cloud. You still have got your own compliance and client-side issues to worry about.
The best way to approach cloud services -- be it Exchange Online or something else -- is to ensure that you not only trust your hosted provider, but also that you verify everything it's doing. Each hosted Exchange vendor is going to handle things differently. Make sure to ask the tough questions, hold people accountable, and stay involved.
Cloud security is highly intangible, and there will always be a gaping hole when it comes to accountability. No matter what your contract or service-level agreement (SLA) says, and no matter what the marketing and sales folks promise, you are ultimately responsible for what happens to your hosted Exchange environment.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, and professional speaker at Atlanta-based Principle Logic LLC. With more than 23 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 10 books on information security including The Practical Guide to HIPAA Privacy and Security Compliance and the best-selling Hacking For Dummies. In addition, Beaver is the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.