GovDefenders Wednesdays: Email Migration to the Cloud - Planning & Security

GovDefenders Wednesdays is written by Van Ristau, DLT Solutions’ Chief Technology Officer. Throughout the month, he’ll explore the world of public sector cybersecurity, introducing concepts, offering opinions, providing resources, and identifying ways to protect your agency. You may also follow Van on Twitter at @VanRistau.

When mandated to consider cloud computing and the commitment of migrating a minimum number of applications to the cloud, many Federal agencies selected email as their first choice.

The rationale included the considerable cost savings to be realized in both license fees and O&M costs, the recognition that the diverse email applications that had grown up over the years needed to be consolidated to improve efficiency, and the belief that employees’ adoption of cloud email for their personal business would ease the inevitable organizational resistance to a new email model.

While Federal agencies have valid reasons for lagging behind commercial businesses in speed of adoption, there is now sufficient experience in agency cloud email migration that two general observations may be helpful to those agencies that have yet to move down this path:

Planning is the Key to a Successful Migration

While the GSA has rigorously vetted cloud email offerings and established a blanket purchase agreement for Email-as-a-Service (for which DLT Solutions is a prime contractor), clear dialog between agencies and potential cloud migration contractors is essential.

Agencies need to fully disclose their current environment. If that environment is not well understood, an assessment should be undertaken to identify all email applications, their geographic locations, the current archiving policies and how they differ among agency bureaus, and the various security policies and compliance tools in place (which in many cases vary among email management teams).

Consideration should also be given to the available bandwidth for the migration activity to ensure that it can be accomplished within the desired time frame.

Do you have automated applications such as SIEM or CRM that generate their own emails? These need to be inventoried and provisioned during the migration process.

The “to-be” architecture should then be modeled to ensure that the functionality, governance and compliance, and security controls will meet your agency’s requirements.

As a test of the planning, give serious consideration to a pilot implementation that is representative of all issues that will be encountered during the actual enterprise migration.

Email Security Needs Special Attention

A recent MeriTalk survey of Federal email and information security professionals found that work email is the number one source of government data leaks. Agencies tend to have a mix of email security solutions in place, depending on the needs of the end users for each implementation. In some cases this will be a local appliance, while in other situations the email manager may have decided to use a cloud-based, managed security service for this function.

When migrating to a cloud email model, agencies should decide what the security model will be for the consolidated solution and plan accordingly. Tradeoffs are inevitable. For example, encryption may be desirable but may also hide the content, reducing the effectiveness of some data loss prevention tools that need to see into each packet to do their job.

Will your current single sign-on solution support your cloud email? This is a critical issue that should be evaluated and tested in a pilot well before the enterprise migration is undertaken.

There is no single perfect email security answer that will satisfy all situations, but the experience of your vendor will enable you to evaluate options and benefit from the lessons learned from those who have gone before.


Picture courtesy of Marketware.com