Research
Publication Date: 26 February 2008
ID Number: G00154838

Tactical Guideline: Minimizing Risk in E-Mail Hosting Relationships

Matthew W. Cain

This report discusses the often hidden risks in moving to a hosted e-mail delivery model and suggests ways to mitigate those risks. It is relevant to core e-mail and security operational staff, as well as to compliance and procurement staff.

Key Findings

- The market for e-mail hosting services is poised for explosive growth in the next few years.
- There are four areas of common misunderstanding in hosted e-mail relationships: legal; security and integration; contract startup and cessation; and operations.

Recommendations

- Clarify legal aspects before signing the contract, including how discovery and preservation requests will be processed.
- Discuss security and integration before contract, including risks associated with a multitenant server model, as well as directory, application and communication service integration.
- Go through contract startup and cessation issues before contract, including onboarding and data migration costs, version support and upgrade schedule, and cessation costs and procedures.
- Clarify operational matters before contract, including archiving and purge services, as well as level-one help desk duties.

WHAT YOU NEED TO KNOW

Companies need to address numerous areas of risk in a hosted e-mail relationship before engagement.

STRATEGIC PLANNING ASSUMPTION

By 2012, 20% of enterprise market e-mail seats will be delivered via software as a service (SaaS) and similar models.

ANALYSIS

This document is an updated version of the document published on 26 February 2008.

This report uses the term "hosting" to refer to externally provisioned e-mail services. SaaS is one form of hosting, typically one that emphasizes a standard feature set that is easily provisioned, and often sold in large volumes. An example of e-mail SaaS is Google's Gmail service. Vendors that sell Exchange-based multitenant and dedicated server model mailboxes are not necessarily SaaS providers, but they are e-mail hosters. Hosting, however, does not cover outsourcers, which typically supply e-mail and other desktop services together, with both on-premises and off-premises server models. Therefore, the term "e-mail hosting" refers to a range of external provisioning models, excluding traditional outsourcing.

While the uptake by companies of hosted e-mail services has been limited (about 1% of the overall market and largely restricted to smaller companies for which the economics are more attractive), Gartner forecasts rapid growth of the market to 20% in 2012 (for more information, see "E-Mail Hosting: Poised for Explosive Growth"). Given the anticipated shift in delivery models, it is prudent to mine for best practices from the experience of companies that have already gone through the hosting process. For a broader view of e-mail hosting concerns, see "Toolkit: E-Mail Hosting Request for Proposal," and, for a more detailed look at service-level agreements, see "Establishing E-Mail Service-Level Agreements."

One area that stands out is the need to minimize risk in an e-mail hosting relationship. The best way to do this is to clarify the respective roles, responsibilities and costs of the more esoteric points.
These concerns fall into four categories: legal; security and integration; contract startup and cessation; and operations. There are, of course, many other factors to consider in an e-mail hosting relationship (see "Toolkit: E-Mail Hosting Request for Proposal"), but the items listed here are the ones that most often lead to contention later in the relationship. We believe clarifying these issues before entering the contract will prevent strife and help foster a harmonious relationship with the hosting partner. In some cases, investigation of certain issues, such as legal ones, may lead organizations to conclude that a hosting relationship is not appropriate, given the lack of clarity or experience on the part of the vendor.

Legal

Given the increasing involvement of e-mail in litigation, companies should anticipate that they will be required to meet court-ordered discovery requests, as well as preservation orders. Complying with such requests can be onerous and expensive, and when responsibilities for compliance are not addressed in a hosted relationship, contentious relations are often the result. Generally, local archives (personal folders, or PSTs, in Microsoft Exchange parlance) are the responsibility of the service consumer, but there is no clear responsibility for e-mail stored on the server or
resident on hoster backup tapes. The process, cost, and duties for discovery and preservation requirements need to be negotiated upfront, and the appropriate protocols for maintaining attorney-client privilege should also be established at the outset.

Similarly, companies should know upfront how the hoster will handle requests for access to corporate messages from governmental agencies, such as the Federal Bureau of Investigation or the National Security Agency in the U.S. Finally, there is an increasing number of country-specific regulations relating to e-mail (for example, privacy laws in Germany and e-mail append disclosure requirements in the U.K.). Companies should ascertain if hosting companies can meet these requirements and, if so, what costs (if any) would result. The agreement should clearly state what jurisdiction applies to the contract and how a conflict of laws issue would be mitigated.

Security and Integration

While there are numerous security and integration issues to be addressed in any hosting relationship, there are several that can often lead to disputes. Directory integration, for example, can be done in several different ways: hosters can join the corporate Active Directory forest (in the case of Exchange); they can create an external resource forest; or they can host the entire directory. Each approach creates roles and responsibilities for the hoster and customer that need to be clarified before contract.

Customers also need to know what steps the hoster has taken to remediate a known security exposure when Outlook 2003 is run against a multitenant server hosted model. Similarly, customers should ask vendors to demonstrate how a breach in one customer's environment does not pose a risk to other customers hosted in the data center. Customers should request that the Simple Mail Transfer Protocol (SMTP) e-mail relays use Transport Layer Security (TLS) when possible to ensure additional over-the-wire security.

On the integration front, organizations need to understand the steps required and/or costs involved in allowing an application to use hosted e-mail services (often SMTP services) for existing and new applications. Finally, as the industry moves toward a converged communication paradigm (for example, integrating presence into e-mail or routing voice mail to e-mail), procedures and costs for such integration need to be spelled out, particularly in the case of an on-premises/hosted hybrid model.

Contract Startup and Cessation

Client performance, of course, is paramount in any hosted relationship. In the hosted model, adequate bandwidth (and, in some cases, latency reduction) is imperative. Companies need to establish the amount of bandwidth required for fast client access, the cost of and responsibility for the payment of the bandwidth (including redundant links) and the responsibility for managing the network connectivity. Similarly, any startup costs, typically for onboarding and/or data migration, must be made clear.

Because version upgrades lead to feature expansion, it is important to know what version will be used at the back end, and it should be clarified when the next migration is scheduled (for example, the hoster will move to the next version or service pack within six months of commercial availability) and what the costs, if any, will be for the version upgrade.

Customers should insist that vendors provide pricing tiers in the contract for additional mailboxes. For example, if a contract calls for 5,000 users, they should ask the vendor to have a price ceiling in the contract for additional blocks of 500 users. Finally, the steps and costs for the cessation of the contract, including any costs, duties and procedures for data migration, need to be detailed.

Operations

Responsibility for providing level-one help desk support is sometimes overlooked in hosted deals. Most hosters will not provide the service, so alternative provision needs to be made.
Similarly, the escalation procedure, authorized callers, and time to respond to level-two help desk calls need to
be established.

Many companies also have strict policies on e-mail retention: some purge certain folders after a set time, and/or preserve some message types or entire folders. Companies need to ensure that the hoster has the capability to meet these requirements, that it can demonstrate compliance, that it explains the rights and procedures for accessing archived messages, and that it stipulates any costs for these services.

Many organizations focus on uptime service-level agreements to ensure continuous operations. But these do not address true disaster recovery (DR), which ensures continuous operations in the event of a catastrophic failure at the data center by replicating data to another site. If true DR is required, then site-to-site failover services and specific recovery point and recovery time objectives, and the cost of these services, need to be contractually agreed.

Monitoring and reporting can also contribute to risk mitigation. Customers can contractually obligate hosting vendors to provide specific reports on a regular basis, as well as real-time monitoring, to ensure the customer has maximum control over the environment. In addition to clarifying version upgrade schedules, we recommend adding a patch management clause to the contract; timely application of the Exchange daylight saving time patch last year, for example, was crucial for continuous stable operations.

Tactical Guidelines

Legal

- Clarify the cost and responsibilities (in-house staff versus hoster staff) for complying with discovery mandates.
- Establish the cost and responsibilities (in-house staff versus hoster staff) for complying with preservation requirements.
- Determine the actions the hoster will take if a government agency requests access to corporate e-mail.
- Ascertain the hoster's ability to maintain attorney-client privilege.
- Clarify the hoster's ability to meet any geographic legal requirements for user privacy, disclosure or preservation.
- Establish what jurisdiction applies to the contract and how a conflict of laws issue will be mitigated.

Security and Integration

- Find out the process by which in-house directories will be linked with, and managed by, the hosting partner.
- Discover any security risks associated with a multitenant server model (for example, Outlook 2003 access enabling third-party address book viewing).
- Ensure that TLS is used at the SMTP e-mail relay to encrypt data over the wire when possible.
- Determine the steps necessary to allow applications to use e-mail services and what this will cost.
- Ascertain the steps needed and what it will cost to enable converged communication capabilities (for example, integrating presence into e-mail or routing voice mail to e-mail).

Contract Startup and Cessation

- Establish the amount of bandwidth required for fast client access, the cost of the bandwidth and responsibility for its payment (including backup pipes) and the responsibility for managing network connectivity.
- Determine any startup, onboarding and data migration costs.
- Clarify the version of the back-end server to be used and the schedule (and costs, if any) for migration to new versions of the server software.
- Find out the processes and costs for terminating the contract, including any costs and procedures for data migration.

Operations

- Clarify the responsibility for providing level-one end-user help desk services.
- Establish the ability of the hosting provider to meet corporate e-mail purge requirements.
- Ascertain the ability to supply e-mail archive services and their costs.
- Determine the ability to offer true DR.