Imagine you’re the security manager at a company where a new executive just got hired. This executive will be regularly handling the most sensitive information flowing through your company.
Unfortunately, she thinks the rules don’t apply to her and she immediately states that she won’t use the company email account you created for her, she’ll use her own. It’s not AOL, Gmail, Yahoo! mail or any other common third party email system—it’s a mail server in her house, managed by someone she insists is very security conscious.
You point out that your company’s Acceptable Use Policy says:
Users may establish and use personal accounts (such as personal email) only for personal purposes. Personal accounts must not appear to be, or represent, company opinion or content. They cannot be used to conduct company business or to store company information.
That may apply to other users, the executive replies, but not to her. She then proceeds to start using her own email server exclusively for all business correspondence.
If you were a security manager in this situation, what would you do?
I was inspired to imagine this hypothetical scenario by recent revelations that Hillary Clinton did more or less the same thing when she was U.S. Secretary of State.
While we could debate her motivation to take these “unusual” actions (although it’s easy for me to guess why someone would do this) and whether or not it was against the law or just broke the rules, that’s not the purpose of this article.
What I’d like to explore is the security implications if a user in your organization decided to follow Clinton’s example and use their own email server exclusively. The way I see it, there are three main security problems in this scenario:
- The security of the email server is unknown and unmanageable. This is probably the most obvious concern for security professionals. University of Michigan cybersecurity expert J. Alex Halderman said:
“The question is [whether] whatever provider she’s using gives her anywhere near the same level of protection for the confidentiality and the authenticity of the communications as she would be getting from her State Department email.”
Security managers can only assure the security of systems within their control. There is no way you as a security manager can protect the information stored in a server you can’t access. You’ll also never know if that information has been breached unless that breach is made public.
- You can’t retrieve emails without user cooperation. When your organization manages the email server, you have the absolute ability to view any email sent to or from the system. This is important for the government to comply with laws such as the Freedom of Information Act. For businesses and other organizations, this control of email is important for business continuity, security investigations, and e-discovery.
If you have a user who has full control of their email, you’re at their mercy if you ever need any of their emails. Even if they provide copies of all their emails at your request, you’ll never know whether you really have all of them or not.
- Sets a precedent. When an organization creates security policies and rules, the expectation is that everyone will follow them. True, there are occasional exceptions, but in each of those cases there must be a compelling business reason, strong mitigating controls must be in place, and the exception must be tracked with the goal of ultimately bringing it into compliance.
In the case of the Clinton email server, though, none of these requirements existed: she did it because she wanted to and nobody stopped her.
The problem with allowing that to happen is what’s to stop someone else from deciding to do the same thing? You would have a hard time telling someone that the rules apply to some people and not others. You’d either need to enforce the rule with the person who broke it in the first place, be inconsistent with enforcing the rule, or just stop enforcing the rule at all. Which is the most secure approach?
Conclusion
While the political drama around the Clinton email server plays out, we can at least learn a lesson about good business security: only let users use business accounts for business purposes and personal accounts for personal purposes.
What do you think? Please leave your comments below!
Photo credit: Jatkins
My question is… is there a violation of 18 U.S.C. 1030 under the availability clause, and a violation of FISMA and FIPS 199? The media has not touched on these yet, but after carefully reading and rereading the language of the law, I think so!