I’ve been following an interesting Q&A thread on LinkedIn where the question is asked: “Should business messages be allowed to flow through personal/webmail services?”
What’s interesting to note is the difference in opinion between the more technical network security analyst types and the more business-orientated individuals.
Security & Systems Engineer: This should not be allowed. Security is tough enough without introducing additional systems that are not under your control.
Sr Systems Architect: Business messages should not be allowed to flow through personal services, just as employees should not be doing work on the home computers.
Network and Data Security Architect: Absolutely not. It’s unprofessional.
Information Security Specialist: This is a business decision, not one for IS engineers.
Principal Consultant: While many security researchers and practitioners would be quick to shoot down the suggestion of personal webmail, that’s oversimplifying the situation.
Chief Information Security Officer: The business owns the data, so they measure the risk and define the acceptable use for that information.
This comes back to the point I made a few days ago about not allowing the IT department to set policies. Decisions such as this must come from the business and I wholly agree with the response quoted above from the CISO. If the business decides that it needs to use webmail services for whatever reason, then it’s up to us to ensure that the risks in doing so are adequately mitigated, communicated, agreed, etc. Of course, I might want to recommend a different service from the one being proposed and I would hope that my views on risk would be taken into account (and don’t forget to review the terms and conditions too – you want to make sure that you still own your own documentation!).
In this particular question of webmail, there is a much bigger picture to take into account too. “In the cloud” services (PaaS, SaaS) such as Google Apps, web-based email, SFDC and so on will, in my opinion, one day very soon be just as normal in the workplace as Microsoft Word and Exchange-based email are today. We need to adjust our thinking accordingly.