Web based email and a prediction for the future

I’ve been following an interesting Q&A thread on LinkedIn where the question is asked “Should business messages be allowed to flow through personal/webmail services?”

What’s interesting to note is the difference in opinion between the more technical network security analyst types and the more business-oriented individuals.

Security & Systems Engineer: This should not be allowed. Security is tough enough without introducing additional systems that are not under your control.

Sr Systems Architect: Business messages should not be allowed to flow through personal services, just as employees should not be doing work on their home computers.

Network and Data Security Architect: Absolutely not. It’s unprofessional.

Information Security Specialist: This is a business decision, not one for IS engineers.

Principal Consultant: While many security researchers and practitioners would be quick to shoot down the suggestion of personal webmail, that’s oversimplifying the situation.

Chief Information Security Officer: The business owns the data, so they measure the risk and define the acceptable use for that information.

This comes back to the point I made a few days ago about not allowing the IT department to set policies. Decisions such as this must come from the business, and I wholly agree with the response quoted above from the CISO. If the business decides that it needs to use webmail services for whatever reason, then it’s up to us to ensure that the risks in doing so are adequately mitigated, communicated and agreed. Of course, I might want to recommend a different service from the one being proposed, and I would hope that my views on risk would be taken into account (and don’t forget to review the terms and conditions too – you want to make sure that you still own your own documentation!).

In this particular question of webmail, there is a much bigger picture to take into account too. “In the cloud” services (PaaS, SaaS) such as Google Apps, web-based email, SFDC and so on will, in my opinion, one day very soon be just as normal in the workplace as Microsoft Word and Exchange-based email are today. We need to adjust our thinking accordingly.

1 comment

"Business messages" is such a vague and broad term, you can't do anything _but_ have the business define what they mean. Then it's up to the security architect/analyst to tell the business what the risks are (in terms the business can understand), before the business decides whether they want to accept the risk (and then deal with the consequences), or mitigate it. After all, a conversation between two office-mates as to what colour they want the walls of their office to be when it gets painted next week - that's a "business message", but nobody's going to care if the discussion is held over GMail. Of course, if you're shipping my credit card number to a bank for transaction processing, I'd want it to be encrypted, even if it's going over a leased line that's owned by you and the bank!