Mike

Allow me to give you a cold dose of reality.

A. Internal email is never 'confidential'.
1. As long as you have Web access, mobile devices and USB sticks - you may assume that everything an employee has access to in the company can and will be sent to people outside the company. This is not a fantasy - this is what happens at every account we work with.
2. People with VPN access to mail inside your company can and will take mail and other data into their own domain (home, business partner office, outsourcing partner, contractor). You have no control over the data flow just because you have a VPN - as a matter of fact - because you have a VPN - you are lulled into a false sense of security.
3. You can try DRM / IRM and / or shut down attachments in your enterprise email. Your employees will take the data home on a USB stick and email it from home or ftp it or IM it or tunnel it or proxy it. We had a case where data was leaked by users with IM tunneled over telnet tunneled over HTTP.
4. Internal mail systems have a back door from home/business partners/contractors into the office on OWA/Squirrelmail/POP/IMAP over VPN - it's a common way to inject malicious content into the network, usually unwittingly.

B. There are no free lunches
1. It is discouraging to consider the number of companies that are doing a poor job managing their messaging infrastructure - i.e. frequent downtime, capacity issues, inbound/outbound content abuse and data theft.
2. The cost of ownership for internal mail is high. The companies that manage their own mail infrastructure invest a lot of money and head count to get it right. The alternative most companies take is to outsource - and expose their data to a person who works at your company in the morning and at a competitor in the afternoon.
3. Inbound content security takes a fair chunk of IT/IT security management attention and change. More than is reasonable in a company with over 1000 employees.

To set the record straight - my comment about preferring Google Apps mail/calendar related to a fairly innocent question by Yonatan regarding the alternatives to Squirrel Mail etc for Hebrew support.

From a usability perspective - OWA and Gmail have it way over the OSS products.
From a TCO perspective - for an SME - Google Apps Mail/Calendar is probably a better fit for a business than outsourcing to Matrix or doing it yourself.
From a security perspective - there is no single silver bullet, but I'd like you to consider the following security countermeasures for protecting information:
1. Implement a chokepoint and control inbound/outbound data flow at the chokepoint
2. Have a professionally managed service from a trusted vendor (if you trust dreamhost more than Google - go for it)
3. Have a single 24x7 point of service contact

I don't sell Google Apps but I suggest reading their story at http://www.google.com/apps/intl/en/business/details.html

I am glad there has been such a lively discussion.

Danny
http://www.dannylieberman.info

On Tue, Aug 18, 2009 at 10:39 PM, Michael Tewner <tew...@gmail.com> wrote:
>
> 2009/8/18 Danny Lieberman <dan...@software.co.il>
>
>> Shachar
>>
>> On the Internet - size is not an indication of threat surface. Ability to provision and maintain is more important.
>>
>> You have to engineer your solution to your needs.
>>
>> For us - the combination of Google Apps, slicehost (for smaller projects) / rackspace (for big projects) rocks.
>>
>> Google Apps Mail and Calendar are amazing applications especially if you have colleagues in 5 or 6 time zones and people with iphones and blackberries like we do
>>
>> I can't believe that there are people on Linux-IL who seriously consider Squirrel Mail a competitor.
>>
>
> There you go again with the "Don't even think about hosting your own Webmail"
>
> Danny - There are companies out there which consider internal mail as "classified" - Hosting the emails on third-party servers, even encrypted versions of the emails, is simply a security threat. It's called keeping your data "close to home", and it's quite important, especially when your content might be problematic in other jurisdictions.
>
> And anyway - no one outside of my company network/VPN should have IMAP/POP3 access to the mail server. With Google Apps you carefully craft your office firewall rules, then move mailbox access to *outside* of the network??!!
>
> -mike
>
>> d
>>
>> On Tue, Aug 18, 2009 at 5:44 PM, Shachar Shemesh <shac...@shemesh.biz> wrote:
>>
>>> Amos Shapira wrote:
>>>
>>> 2009/8/18 Danny Lieberman <dan...@software.co.il>:
>>>
>>> d) We deploy security countermeasures to protect assets:
>>> 0) We don't use Google docs, Never.
>>> 1) None of our really sensitive assets are on Google Apps and that includes Calendar and Mail
>>>
>>> So what's left from your use of Google?
>>>
>>> BTW - do you (the plural "you" to the entire list) consider mail hosting by other companies besides Google as more secure?
>>>
>>> In most aspects, yes.
>>>
>>> First, another provider will likely be a smaller target (security by anonymity).
>>> Second, another provider is not cross-linking your emails with other things they know about you. Granted, that's mostly because they don't have that other info, but whatever the reason - it works.
>>>
>>> As for traditional security - Google's extra size is a mixed blessing. I wouldn't work with someone small using a tailor-made solution, but someone using a standard solution is likely, in the long run, to provide a comparable security level to those Google provide (theoretically more chance of being vulnerable is offset by less chance of being exploited).
>>>
>>> Shachar
>>>
>>> --
>>> Shachar Shemesh
>>> Lingnu Open Source Consulting Ltd. http://www.lingnu.com
>>>
>>
>> --
>> Danny Lieberman
>>
>> -------------------------------------------------------------------------------------------------
>> Protect your data: http://www.software.co.il
>> Twitter: http://twitter.com/onlyjazz
>> Skype: dannyl50
>> Warsaw: +48-79-609-5964
>> Israel: +972 8 9701485
>> Mobile: +972 - 54 447 1114
>>
>

--
Danny Lieberman
-------------------------------------------------------------------------------------------------
Protect your data: http://www.software.co.il
Twitter: http://twitter.com/onlyjazz
Skype: dannyl50
Warsaw: +48-79-609-5964
Israel: +972 8 9701485
Mobile: +972 - 54 447 1114
_______________________________________________ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
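Added example, not part of any message in the thread above: the "mailbox access only from the company network/VPN" policy Mike describes, and the OWA/Squirrelmail/POP/IMAP-over-VPN path Danny's point A.4 refers to, expressed as an nftables ruleset on a self-hosted mail server. Port 25 stays open to the Internet because other MTAs must be able to deliver; IMAP, POP3, authenticated submission and the webmail port are accepted only from the office LAN and the VPN address pool, and attempts from anywhere else are logged and dropped. The subnets, the interface name and the set of ports are assumptions for illustration, not values from the thread.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): input policy for a self-hosted mail
# server that keeps mailbox access inside the company network/VPN.
# All addresses below are assumed documentation ranges, not real networks.

flush ruleset

define OFFICE_LAN    = 192.0.2.0/24        # assumed office network
define VPN_POOL      = 198.51.100.0/24     # assumed address pool of the VPN concentrator
define MAILBOX_PORTS = { 110, 143, 993, 995, 587 }  # POP3, IMAP, IMAPS, POP3S, submission
define WEBMAIL_PORTS = { 443 }             # OWA / Squirrelmail behind TLS

table inet mailfilter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep established flows and loopback working; discard junk early
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # Inbound mail from the Internet: MTA-to-MTA port only
        tcp dport 25 accept

        # Mailbox and webmail access: LAN and VPN clients only
        ip saddr { $OFFICE_LAN, $VPN_POOL } tcp dport $MAILBOX_PORTS accept
        ip saddr { $OFFICE_LAN, $VPN_POOL } tcp dport $WEBMAIL_PORTS accept

        # Anyone else asking for a mailbox port is logged, then dropped.
        # Reviewing this log is the cheap way to spot the "back door from
        # home/business partners/contractors" that point A.4 describes.
        tcp dport $MAILBOX_PORTS log prefix "mailbox-from-outside: " drop
        tcp dport $WEBMAIL_PORTS log prefix "webmail-from-outside: " drop

        # Administration from the office only
        ip saddr $OFFICE_LAN tcp dport 22 accept
    }
}
```

Check the file with `nft -c -f mailfilter.nft` before loading it with `nft -f mailfilter.nft`. The `ip saddr` matches cover IPv4 only; if the server also has an IPv6 address, the same rules need `ip6 saddr` counterparts, otherwise the `policy drop` silently blocks IPv6 clients on the VPN. Note that this only controls who can reach the mailbox; it does nothing about Danny's point A.2, a VPN user copying mail to their own domain once connected.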