THE SECURITY OF HOSTED EXCHANGE FOR SMBs In the interest of security and cost-efficiency, many businesses are turning to hosted Microsoft Exchange for the scalability, ease of use and accessibility available in the Cloud. Gold: C: 7, M:0, Y: 100, K: 28 Black: C: 23, M:2, Y: 0, K: 77 Grey: C: 3, M:0, Y: 0, K: 32 Hosted Exchange is the Secure Choice Regardless of your industry, email is the lifeblood of business in the 21st century. Smartphones and tablets have extended the access and value of email outside the corporate walls for a workforce that desires to operate worldwide 24 hours a day. This discussion will focus on the benefits of hosted Exchange 2010 email with regards to scalability, ease of use, security and accessibility, and why these are important factors to selecting an email service program that will maximize business efficiency. Unfortunately, if you are not an enterprise with a large, dedicated IT team, you are often forced to compromise on important email features such as availability, secure connectivity and personal archiving. Cloud based email makes it affordable to implement enterprise-grade capabilities at an inexpensive and consistent per user cost. There is no additional software or hardware to buy or consultants needed to implement hosted Exchange; and you can scale up or down your number of users easily as your business needs fluctuate. It is common for businesses, regardless of size, to have one or many resources on their IT staff dedicated to email. It is the first application that generates complaints to IT due to performance issues, outages, or lack of features such as self-service recovery of deleted email. Email is also the first point of entry by attackers using spam, malware, phishing and viruses. Even RSA, the company that provides security products to enterprises and government agencies, fell victim to an email attack that resulted in attackers gaining control of the company s file systems. A recent study has shown that 40 percent of all targeted attacks since 2010 were focused on small businesses with less than 500 employees, compared to 28 percent that were directed at large enterprises. The same study surveyed 1,900 organizations worldwide, and 46% indicated that a targeted attack would result in a revenue loss for the organization. While IT can implement training and education to users to minimize your risk of threats and attacks, security is improved by both meeting the demands of your always-on and mobile workforce, while having security mechanisms in place that are as transparent as possible to users. While most small and medium businesses are familiar with many types of security threats to their business, not many businesses take the precautions necessary. A recent poll by Symantec Corp. found that most SMBs do not see themselves as targets, and are therefore, not taking action against their susceptibility to an email attack. Luckily, the Cloud allows SMBs to take action, and be proactive with layers of built-in security precautions.
Integrity of Connections When users connect to a hosted Exchange provider, they are likely using an internet connection instead of a corporate network or VPN. This is a convenient way to allow users to access their email with Outlook whether they are in the office, at home or traveling. Although they can always connect securely to Outlook Web Access (OWA) in a web browser, Outlook provides the benefits of being integrated into the desktop and applications, along with plug-ins users might have for web conferencing and collaboration. Securing this connection for an enterprise can be achieved through a virtual private network (VPN), but it is easier to implement RPC over HTTPS, which is a very simple and effective way to provide email security in a protocol that computers, mobile devices, routers and firewalls can implement Cloud providers offering Microsoft Exchange 2010 have implemented RPC over HTTPS as a way to secure the connections of your workforce for their Outlook clients, smartphones or tablets. RPC over HTTPS provides three levels of security: 1. Security through the web proxy server 2. SSL encryption of your email and RPC proxy verification 3. Restriction on RPC proxy level as to what email servers can receive RPC over HTTPS With RPC over HTTPS, users no longer have the complex responsibility of establishing a VPN connection to the office with the time and overhead latency required each time they need to check email. Using cloud based email, your environment is more secure, since you no longer need to have an open firewall to manage and monitor constantly for threats. Hosted Exchange providers have deployed sophisticated environments with dedicated and trained security staff to ward off threats behind the scenes 24/7. Physical security is just as important as network security. Hosted Exchange providers have years of experience operating in data centers with multiple control levels of security. Access to the servers, both physical and logical, is controlled through operational policies and monitored for compliance. When your email is backed up, it is in a controlled facility, not in a box of tapes or disk drives in a closet, where they can easily be misplaced or not properly wiped when they are no longer needed. Email Confidentiality Hosted Exchange providers also offer the latest features for customers that are unlikely to be deployed at most onpremise environments. Even though your connection to the Exchange server can be secured, some customers require email to be encrypted so that only the intended recipients can read the message. This is an invaluable feature for companies that share sensitive information that they need to secure from unauthorized employees or outside attackers. Two ways that server side email encryption is deployed include policy based content management and self-encryption. Policy based content management creates rules that scan emails for compliance, such as HIPPA (The Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), or PCI (Payment Card Industry) and encrypt the email if it detects sensitive information such as social security and bank account numbers. This is the easiest type of encryption to implement for companies. User emails are automatically encrypted and administrators can control the settings that determine which emails are encrypted in order to ensure the company is compliant with their security, industry, or regulatory compliance rules. Self-encryption allows end users to force emails to encrypt ad-hoc. For law firms and professional service firms and organizations, self-encryption helps maintain trust with their clients in their communications.
One advantage of an on-site active directory server is central policy definition for passwords. A hosted Exchange email service can provide integration into your domain controllers that extends passwords and policies to your external email service. By enforcing strong passwords that need to be changed on a periodic basis, businesses can improve the security for their users and the overall environment because email servers are under attack constantly. It is not the servers that are vulnerable to brute force attacks, but dictionary attacks on user s login credentials as well. Dictionary attacks use common words and phrases in an attempt to hijack a user s login and gain access to their email. A dedicated on-premise authentication store and hosted email provider should support both integration and flexible configuration of password policy rules that can prevent successful dictionary attacks. Email has transformed from a simple notification and messaging tool into a sophisticated collaboration and management platform. Attachment of documents, presentations and spreadsheets are standard ways of collaborating, but this behavior creates security and management problems for IT. As mentioned earlier, nefarious email attachments is one of the most successful ways that attackers gain control of computers in your environment to steal data, spread malware or instigate attacks on other computers. Businesses can reduce this threat by instituting collaboration tools outside of email, such as SharePoint, which does a much better job of version control and data management. By managing your files in another collaboration tool, it forces users to authenticate (log in) to another service in order to upload, share, or download documents. It is much more difficult for an attacker to break into SharePoint, compromise files, and then distribute the corrupted file to users. Attacks like this are more easily detected versus emails with attachments sent by outside companies. Tools like Harmon.ie offer an easy integration of SharePoint and Outlook, automatically taking attached files and publishing them to your SharePoint service, then sending a link in the email instead of the attachment. Another advantage of using integrated collaboration tools instead of email for your files is that it simplifies archiving. The growth of available storage for end users has matured tremendously and unfortunately to the point where users do not consider the ramifications of having local archive stores that are several gigabits in size. IT is still responsible for storing these archived PST files in servers, scanning them for viruses and including them as part of their backup processes. This wastes time and money and creates inefficiencies when users must retrieve archived email. A better option is to run an archiving service on a central server, not on individual computers. With a centralized archiving service, IT can monitor and manage the security and storage of email more efficiently. However, this again requires sophisticated IT staff, hardware and software to implement properly. Many hosted Exchange providers today offer affordable archiving services for the entire corporation. The job of the IT admin is improved with portals that offer policy control and global searching of archived emails, without having to manage servers, disk arrays and tapes. The security of archived emails is also improved because the data resides only in a centralized server that IT has control over not on end user computers that are susceptible to loss, theft or attack. Maximize IT Staff s Flexibility & Availability IT departments are always challenged to stay one step ahead of users that are constantly circumventing IT policies and systems. When a company s email service is down, employees will likely revert to using their personal email in order to continue to conduct business. This is a massive security risk to your company s files and information. Having a highly available and scalable Exchange service for your users can help assure the IT department that their security policies regarding email are always followed. Hosted Exchange providers can offer up to 99.999% uptime reliability, which translates to about 5.25 minutes of downtime per year, or 6 seconds per week. It is common that your IT department spends a majority of its time on break-fix, that is to say, repairing issues that always seem to arise with your network, servers and workstations. One way that IT attempts to stay ahead of repairing issues is to patch servers and workstations with the latest updates. However, this process is time consuming and must
be done off-hours to avoid disruptions. It is also frequent with Microsoft issuing about 15 patches and updates each month for your operating system and Exchange server. With a hosted Exchange provider, they take care of all the updates and patches, while keeping your email running on redundant servers so there is no disruption to your business. Since they maintain hundreds of servers and tens of thousands of email accounts, they are experts at maintaining the security of the email systems. Unless you wish to have a full-time, dedicated email server expert, the power of a hosted Exchange provider allows your IT staff to focus on improving your business and creating new opportunities. Summary The cost of server hardware for businesses has dropped significantly in recent years, creating an interesting opportunity for businesses to run their Exchange email on-site. Furthermore, virtualization, management tools and low-cost backup options make it easier for your IT staff to manage your Exchange service in house. However, the cost of running hosted Exchange is still much higher when factors such as staffing, outages to business, maintenance and power and cooling are factored in. Even with the entire infrastructure in place, security is sometimes the last issue that is addressed, and at that point, the budgets have been spent. Hosted Exchange providers simply have more experience, operational efficiencies and access to better software, hardware and security solutions than most companies outside the Fortune 100. Unless you believe that your IT staff has the budget to implement better security, and that your email strategy is a differentiator to your business, it is worthwhile to consider the performance, cost savings and security benefits of hosted Exchange.
Works Cited 1. About RPC over HTTP Security ; Windows Dev Center Desktop, [ ], 7 Sept. 2011 <http://msdn.microsoft.com/en-us/library/windows/desktop/aa378642%28v=vs.85%29.aspx>. 2. Half of SMBs Believe they are Immune to Targeted Cyberattacks and Failing to Implement Basic Internet Safeguards ; Symantec Corp., [ ], 16 Nov. 2011 <http://www.symantec.com/about/news/release/article.jsp?prid=20111116_01>. address web email phone 6560 S. Greenwood Plaza Blvd. #400 www.verecloud.com info@verecloud.com 877.711.6492 Englewood, CO 80111