As many others here have pointed out, you can definitely work with your
provider to provide the endpoint tunneling to increase the security of the
connection. In addition to which, the method by which the endpoint client
(Outlook) is configured can itself provide SSL-based encryption to the
traffic.

If someone has the ability to put up a proxy with SSL bridging, that would
be a concern for a MITM, but frankly, if they have the ability to spoof a
trusted version of your access point SSL certificate, you are probably in
trouble anyway as a practical matter, because either the SSL provider issued
in error, your PKI is compromised, or your trust lists are awful.

If you are concerned about third parties hosting your data, perhaps another
middle ground to consider is hosted gateways to your mail install.
Microsoft purchased FrontBridge a while back and offers these services to
various companies. You may find this an adequate solution, as your mailbox
servers (in Exchange 2007) would then be locally hosted and the third party
is simply providing an offloaded bulk spam and anti-malware capability that
would then pass on the email to your external access point across encrypted
channels. From that point, the transit and storage should all be local
infrastructure, and thus secured by your company and infrastructure
policies.

One last thing to consider here: are you subject to regulation? SOx?
HIPAA? Anything DoD related? In those scenarios, you may need to consider
the implications of third-party hosting on auditing and your compliance
requirements.
-W
Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson
-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com] On
Behalf Of Dan Denton
Sent: Friday, November 16, 2007 10:36 AM
To: 'Shayne Sales'; focus-***@securityfocus.com
Subject: RE: Security and Implications of Hosted Exchange
Thanks all for the many replies, they have all been helpful. The opinions
I've received are similar to what my presumptions were. Thanks again!
-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com] On
Behalf Of Shayne Sales
Sent: Friday, November 16, 2007 11:24 AM
To: focus-***@securityfocus.com
Subject: Re: Security and Implications of Hosted Exchange
At past companies I have worked with that used Hosted Exchange
services, the provider used SSL to secure the access:
OWA over SSL,
and also RPC over HTTPS (SSL) for direct Outlook client access (2003
and newer Outlook clients, I believe).

As for the user info, the providers I saw in use did not need nor
require any user info. The providers had web-based administration to
add/remove/edit user accounts, and the person doing this filled in as
much or as little personal info as they wanted.

I also assume that, it being a hosted solution, they farm out the
Exchange server to numerous other companies, but if done right, you
never notice; you don't see the other clients in the GAL nor the
Public Folders.

The biggest concern I had with this method was data recovery... If the
provider should go under, what means and legalities are needed to
obtain your data back from them?

Hope that helps somewhat.

Post by Roland Dobbins
Post by Dan Denton
But, having the features of
Exchange without having to backup/restore the system or worry about patches
and fixes is pretty attractive.
I'm sure at least some of the folks who offer hosted Exchange would
also offer a VPN service whereby the Exchange server wouldn't be
exposed to the general Internet (or to other servers for other
customers), but would be isolated with all appropriate network, host
OS, and application BCPs, and accessible only via a VPN of some sort.
-----------------------------------------------------------------------
Culture eats strategy for breakfast.
-- Ford Motor Company