Managing e-mail to prevent information leakage

Blogger Paul Mah explores how the rush to open up e-mails via the network can lead to potential leaks via mobile devices and other unsecured devices.

I wrote recently about how smartphone device loyalty will trump standardization in the enterprise. A number of TechRepublic members such as Palmetto wrote that users in their organizations are forbidden by company policy from bringing in privately owned laptops and smartphones. In fact, TechRepublic member travis.duffy declared, "No matter how loyal someone is to their iPhone" they are not going to be connecting them to his company network. On the flip side of the coin, we have TechRepublic member bharman, who pointed out that regardless of company restrictions, savvy users will find ways to circumvent the rules. The comment by bharman underscored the position I was trying to put across -- that the bottom-line reality in many organizations might not match up to company policies specifying the devices that employees can or cannot bring to the office.

The entire discussion thread did get me thinking a little further, specifically about the risks when one's e-mail account is inadvertently or maliciously exposed. While it is conceivable for IT departments to lock down access at every nook and cranny, the truth is that not every organization will have the resources or expertise to do so.

Today, I attempt to highlight some possible avenues that might result in the inadvertent leaking of sensitive e-mails.

Avenues for e-mail leakage

One common scenario would be IT-savvy employees linking up their personal laptops to their company's Exchange Server. Obviously, these additional workstations represent additional points of vulnerability, especially so if they are used outside the company premises. While it is possible to disable or block HTTP access so that e-mail can only be reached from the LAN, this is hardly a practical solution against the backdrop of an increasingly mobile workforce. In this context, the use of a VPN does not protect against the risk of e-mail leakage.

For organizations on Microsoft Exchange, it is trivial to enable Exchange ActiveSync to allow mobile devices such as Windows Mobile smartphones to access corporate mailboxes. However, this also opens the door to devices such as the Apple iPhone or iPod Touch, as well as other mobile phones that implement the Microsoft ActiveSync protocol. Organizations concerned about the security of such devices can, of course, disable such access from Exchange. However, Exchange push mail represents the most affordable option for many SMBs; they will be hard-pressed to pay the steep licensing fees needed to implement a secure RIM BlackBerry solution with BlackBerry Enterprise Server.

IMAP is a popular choice used by many organizations to access server-side e-mail without having to buy into Microsoft Exchange or other costly enterprise e-mail systems. Most smartphones and mobile devices now have built-in capability to access IMAP services natively, leading to additional points of vulnerability from lost or misplaced phones that might contain cached e-mails or even passwords.

Organizations that use Microsoft Outlook should also be aware that it is trivial to sync e-mails and contact lists directly from Outlook to a device using tools that are widely available on the market. While the information is static and limited to what was transferred in the last sync, that does not detract from the danger that the loss of the device represents.

E-mails might also leak through the use of POP access. It is not uncommon for some users to opt for "Save a Copy of E-mail on Server" on their e-mail client so that they can download the same e-mails onto a different machine or laptop. In addition, any forwarding rules will only create additional copies of corporate correspondence that can be lost or compromised.
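One way to see how far the IMAP and POP avenues described above already reach is to list the accounts whose mail has been pulled from outside the LAN. The following is an added example, not part of the original post. It assumes login lines in the style written by the Dovecot IMAP/POP3 server (the post names no particular server) and a corporate range of 10.0.0.0/8; the sample lines and the function name are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the corporate LAN ranges; replace with your own.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in the style of Dovecot login logging.
SAMPLE_LOG = """\
Jan 12 09:14:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.1.2.3, lip=10.0.0.5, mpid=2314, TLS, session=<a1>
Jan 12 09:20:41 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.24, lip=10.0.0.5, mpid=2330, TLS, session=<a2>
Jan 12 10:02:17 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, mpid=2391, session=<b1>
Jan 12 10:05:00 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, mpid=2399, session=<b2>
Jan 12 11:30:09 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=10.4.4.9, lip=10.0.0.5, mpid=2450, TLS, session=<c1>
Jan 12 11:31:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=192.0.2.50, lip=10.0.0.5
"""

LOGIN_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]+)>.*?"
    r"\brip=(?P<rip>[0-9a-fA-F.:]+),(?P<rest>.*)$"
)

def off_lan_logins(log_text, corporate_nets=CORPORATE_NETS):
    """Return {user: {"sources": set of (proto, ip), "plaintext": bool}}
    for successful IMAP/POP3 logins from outside the corporate ranges."""
    report = defaultdict(lambda: {"sources": set(), "plaintext": False})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and unrelated lines are skipped
        try:
            ip = ipaddress.ip_address(m["rip"])
        except ValueError:
            continue  # malformed address: ignore rather than crash
        if any(ip in net for net in corporate_nets):
            continue  # on-LAN access is not what we are looking for
        entry = report[m["user"]]
        entry["sources"].add((m["proto"], str(ip)))
        # Dovecot appends "TLS" to the line when the session was encrypted.
        if not re.search(r"\bTLS\b", m["rest"]):
            entry["plaintext"] = True
    return dict(report)

if __name__ == "__main__":
    for user, info in sorted(off_lan_logins(SAMPLE_LOG).items()):
        flag = " PLAINTEXT" if info["plaintext"] else ""
        print(user, sorted(info["sources"]), flag)
```

Each account in the result is one whose mail has been fetched to a machine off the LAN, and the plaintext flag marks sessions where the password and messages crossed the network unencrypted.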


There is no doubt that none of the points of vulnerability above represents an insurmountable obstacle to a diligent and skilled network administrator. I hope I am wrong, but it is a little hard for me to imagine many smaller organizations that would bother to address all the areas highlighted above.

How does your organization lock down e-mail? I would love to hear about it.