Postini End of Life: Can You Rely on a Cloud Application Provider for Security?

Let’s assume you’re an IT professional. A major part of your job is to make sure the technology you adopt and deploy to your workforce enables productivity and helps the business run efficiently. You also need to make sure you evaluate any risk introduced to the security posture of your company by new technology. Experience tells you to trust a security vendor to help set this posture, but what if your security vendor is no longer a security vendor?

IT is undoubtedly experiencing a transformation in which all roads seem to point to the cloud. Players such as Microsoft and Google have developed business productivity suites – Office 365 and Google Apps, respectively – that live in the cloud and give access to email, documents, and calendars from anywhere with internet access. While the productivity gains from these suites may be endearing, the decision to move security customers to one of these suites, as in the case of Google’s end-of-life plan for Postini, leaves a questionable security posture for those making the transition.

Take a case where you decide to make the move to one of these cloud productivity suites. All of your employees are now working online, and are likely more productive than ever. Your costs are down. Your helpdesk inquiries, however, are a bit troublesome. Week after week, you receive emails from the Sales Director expressing frustration. Internal documents are leaking outside of the organization. Reps are demanding the ability to encrypt email so they can conduct business in highly regulated verticals. Looking to your app provider to address these issues, you come up short of a complete solution. Sure, they filter spam and viruses from your email, but there is no option to encrypt, or to identify and stop data from accidentally leaving the organization via DLP. Should you be surprised? Honestly, no.

Cloud-based Productivity Suite providers typically have the goal of making your business more productive, not more secure. Security simply isn’t their core competency. Security takes relentless dedication, one that is out of scope for Google and many others. Microsoft’s decision to discontinue several Forefront products shows just how difficult it is to balance security with the priority of other product lines. This challenge is further validated by the ever-changing list below of vendors with the mostsecurity vulnerabilities in their products:

Top 20 Technology Vendors by Number of Distinct Vulnerabilities

CVE Details: The ultimate security vulnerability datasource; ‘Top 50 Vendors by Number of “Distinct” Vulnerabilities’. 2012.

While the major app providers above clearly have some issues keeping their products secure, this does not mean their services will not help boost employee productivity—perhaps even save you money.

From the perspective of a security professional, however, this lack of focus could leave your sensitive data too vulnerable to tolerate, and is not a viable alternative in the long run. Try taking a step back to look at where your cloud vendor falls short, and learn how you can upgrade your security posture to truly meet business needs with layered security from a dedicated vendor.

For regular updates on this topic, follow us on Twitter @IntelSec_Biz.

Leave a Comment

twenty − seven =