In McAfee's report "Cloud Adoption and Risk," the company found some significant trends that apply to sensitive data in the cloud, and the risks of moving to cloud-based email in particular. Several items of note include the following:
- Of all files in the cloud, 21% include sensitive data, which has increased 17% in the last two years.
- Threat events in the cloud have increased 27.7% year over year, and 80% of all organizations experience compromised cloud accounts once per month at least.
- Threats in Office 365 have increased by 63% in the past two years.
None of these statistics should be surprising, given the explosive growth of cloud services, but they're alarming nonetheless.
Challenges with cloud-based email security
When moving email services to the cloud, there are some key differences most organizations experience with regard to security. First, depending on which provider the organization chooses and how it implements email service, there's a chance the organization will experience reduced visibility into activity. In most cases, real-time visibility is affected, sometimes severely. Enterprise security teams rely on logs and alerts from email platforms as a primary indicator of unusual behavior and threats that are occurring, and getting fewer logs, logs with less detail, or logs after the fact may significantly harm the overall security monitoring and response efforts of many security teams.
Additionally, the cloud-native options from some providers are not great. It's tempting to sign up for the all-in-one suite of security services, which likely includes antispam, antiphishing, some malware detection and prevention, data loss prevention (DLP), and perhaps more. However, cloud email services aren't necessarily known for being top-of-the-line security in any of these areas, and making tradeoffs for perceived simplicity and ease of operational management may negatively affect the real security controls.
Most cloud email providers leave a lot to be desired for advanced teams that truly need deep analytics about email behaviors, real indicators of malicious activity or compromise from email headers and traffic flows, or the actual attachments to malicious emails for malware reverse-engineering.
For SMBs, this may still be far better than what they've had in the past, so these unified offerings aren't all bad. However, comparatively many of them don't stack up to dedicated service providers with years of expertise and deep insight into email threats and controls to mitigate them. One exception might be easier encryption of content based on patterns or other policies, and this could help reduce the likelihood of exposure -- based on the McAfee report, large amounts of all kinds of sensitive data is being moved to the cloud and it's constantly under attack, so organizations better encrypt more of this data, and quickly.
Another major area that is called out in the McAfee report is user account compromise, which is particularly problematic for end users and their email. It's tempting to think that the thorny problems of multifactor authentication, device authorization and passwords being reused left and right have been conquered. However, email is likely the No. 1 end-user application service for business today, and users are terrible at managing credentials and devices. Universal support for all types of devices and multifactor authentication isn't offered by all cloud email services, either, so this could prove challenging for some organizations that may have to implement new or different technologies they're not comfortable with just to facilitate email access.
How to secure cloud-based email
Luckily, it's not all doom and gloom. Organizations can take steps to minimize potential risks of cloud-based email implementation right away:
- Ensure a strong email security policy that's updated for cloud services is in place.
- Look at device authentication options that may help restrict access to cloud email services, such as Microsoft's InTune or Mobile Device Management software that might integrate with cloud email services.
- Ensure multifactor authentication is a requirement, not a "nice to have," for all access to cloud-based email. Also look into new "password-less" options like Microsoft's Authenticator app.
- Employ a federated single sign-on service that can help implement central auditing and control of accounts and access. Organizations should also consider using a cloud access security broker that increases the efficacy of DLP, encryption and antimalware, along with user behavior monitoring.
- Weigh email security control options -- there are many and it's important that organizations do their homework on the right vendors and providers with cost in mind given their particular needs. Some cloud service providers offer controls that might be perfectly adequate for the risk tolerance level, but don't expect them to be the best out there.