How to maintain email security when switching cloud providers

Danny Bradbury

Switching between cloud-based email archiving and security service providers isn’t easy. Aside from having to export large volumes of data and transfer it from one place to another, you have to ensure that your new supplier meets all of your security needs.

You may be moving for different reasons, ranging from quality or reliability issues through to differences in cost – but no matter what you’re negotiating, security should take a sacred spot on your list of criteria. Here are some security issues to consider when moving from one provider to another.

What are my email security priorities?

It may be a while since you’ve reviewed your security criteria. The last time you did it, your business may have looked very different. Take this opportunity to revisit those criteria and see if any of them need changing. Perhaps you’ve taken on new employees and are finding it more difficult to train all of them in email security awareness. Maybe you’ve seen a rise in mobile employees, meaning that emails are being accessed increasingly from outside work. Produce a risk matrix that will set out the various threats facing your organization along with their potential impact, then see how your shortlist of suppliers may help you cope with them.

Will I know where my employee and customer data is stored?

In security, a common term is the CIA triangle. It stands for Confidentiality, Integrity, and Availability. When it comes to confidentiality, how and where your emails are stored is an important factor. They are packed with sensitive information, ranging from confidential discussions between employees to intellectual property documents, and perhaps even employee or customer data. Where you store this data can have a profound impact on your security and compliance status.

Last year, the EU struck down Safe Harbour, a complicated voluntary initiative that allowed US companies to store EU citizens’ information overseas. With that legislation now in tatters, companies are unclear about email privacy laws and are questioning cloud service providers about how and where they are storing their data.

One of the first things you should ask your provider is whether they are able to store your emails in your own jurisdiction and guarantee that they won’t cross those geographical boundaries. If the provider can’t make those guarantees, then it’s time for a long conversation about how they’re justifying that – and how they’re keeping your data safe in the process.

Will it maintain email availability and continuity?

Availability is an important part of the CIA triangle. Email is a primary form of communication for many companies and, without it, they can quickly fall into disarray. One way to guarantee availability is to include offline access as part of your email protection and archiving solution. Look for a service that offers true ‘always on’ email continuity, where you can send and receive emails even during an outage. This means that even if mail is down, your employees will still be able to read mails that arrived before the outage, and queue messages for sending when it is back online.

Does it offer defense in depth?

Guaranteeing the integrity of your systems involves minimising the risk of a compromise. Email is still a popular attack vector for those wanting to trick your employees into clicking on links or attachments. When switching providers, be sure that your new provider has at least as much protection as the old one.

This is where defense in depth comes in. The more layers of protection you have, the less likely a rogue email is to slip through. In addition to real-time analysis of message sources, look for multiple spam protection technologies, using varied techniques such as signature matching and pattern recognition. Talk to your provider to see how many measures they use to spot and neutralize emails before they can do damage.

How much visibility does it give you?

Ideally, configuring an email protection and archiving system would be a set-and-forget procedure. In practice, administrators want to understand what’s happening. A comprehensive reporting system helps them to spot trends emerging across their inventory of email accounts, perhaps spotting attacks on their organization as they develop. But how much visibility does it give you of your users? Your email security provider should be able to give you high-level visibility across all of your users, foregrounding key statistics while also allowing you to drill down into specific areas.

Due diligence is key when considering a new cloud-based email security provider. Nothing will give you more peace of mind than knowing that your cloud provider is secure from the inside out, but it takes a little extra groundwork up front.