Don’t Play Dice with Your Email

by Orlando Scott-Cowley - Cybersecurity Strategist

Mimecast and Gartner have teamed up to talk about moving your email to the cloud. We spent time talking to Gartner’s VP and lead email analyst, Matt Cain about the options available to CIOs for the future of their email; including running hybrid email environments with tried and tested services delivered from the cloud but the Exchange server remaining onsite.

The full video of our time with Matt Cain can be found on our website here.

Some interesting data emerged from the conversation, all of which points towards thinking about your email environment in a Hybrid IT model today, and Hybrid Cloud model tomorrow. Deploying in these Hybrid modes is a drive to mitigate risk and complexity, because email is a vital tool in your business information systems. In Cain’s words “organizations are treating email as a very strategic asset, a mission-critical asset, they're saying, the first rule of thumb with email is; don't play dice with your email system.”

So what causes this hesitancy to move your email infrastructure, wholesale, to the cloud? According to Cain, sometimes there is complexity in the existing environment of an enterprise that limits the flexibility they have for making a move to the cloud. Many enterprise organizations have spent years and millions of dollars building up a complex set of third party applications, routing policies, ethical walls and deeply integrated customizations. Simply switching this complexity off is not possible for large organizations. Conversely though, small businesses have the opposite setup, and can benefit from the cloud today given their more flexible infrastructure.

Cain also mentions problems with Cloud topology and security functionality as factors holding back investment. Topology problems arise when data is stored in one central DC – for international organizations, accessing inboxes on the other side of the globe might be a latency disaster waiting to happen. Security functionality, or lack thereof, in the cloud is important too; Cain mentions many cloud email hosting services are immature in their offerings, vital features like data encryption at rest and TLS may not exist.

There is tremendous pressure from the market to move to the cloud, and when combined with the questions being asked by the C-Suite – such as “why aren’t we in the cloud?” – there’s tremendous interest in working out how to migrate these essential services, like email, to the cloud. Cain predicts that the uptake may be more conservative though, with around 10% of enterprise email seats moving to solutions like Office 365 by the end of 2013.

In the face of these hand-brake issues for cloud adoption, what does Cain suggest we do? Firstly, it’s sensible to conduct a cloud readiness assessment. Ask your business how their email infrastructure is impacted by factors such as third party integrations, legal compliance and jurisdictional issues, where this move would sit in your current email investment cycle and how well does a core service like email integrate with other tools such as IM and collaboration.

Secondly, Cain’s advice is to consider a hybrid approach. Hybrid IT is the adoption of cloud services that augment your core on-premise platforms. In this instance, Cain advises moving some email services to the cloud – services such as email security, email archiving, DR and continuity, while keeping core email inboxes on-premise. This approach acts as a stepping stone to full cloud adoption allowing your enterprise to be satisfied the cloud email service you choose is fully mature.

Hybrid IT, plugging the cloud into your on-premise Exchange server, gives you the flexibility of moving your email environment wholesale to the cloud in the future. Importantly choosing mature cloud email management vendor like Mimecast to augment your on-premise infrastructure also gives your business support for a Hybrid Cloud model too, as Mimecast’s UEM platform augments Cloud solutions like Office 365 too.

Moving from Hybrid IT to Hybrid Cloud with Mimecast and Office 365 would also deliver functionality Cain suggests many organizations are looking for in their cloud providers too. For example; archive services independent of core cloud mailbox hosting, 3rd party compliance tools for security and DLP and 3rd party tools to ease migrations and large scale mailbox moves to the cloud.

So, thinking about these essential services in a more Hybrid model, with on-premise and cloud today, but cloud and cloud tomorrow means your infrastructure will never miss a beat, and helpfully stay ahead of the technology your users are demanding while delivering first class email service into the future.

To see Matt Cain talk about Hybrid IT and your Cloud email management goals, watch our video here.


This is the second post in the mini-series that I'm planning, to coincide with the Games taking place in London this summer. In my previous post I suggested the arrival of the Olympic Games on London will probably cause businesses to rethink about how best to service their users, especially if a greater number of users than usual are working remotely.

This summer London's businesses will have to face a set of untested scenarios as more of the workforce are driven to work outside of their normal patterns. Remote working in particular will be high on everyone's agenda as the advice from Boris to Londoners is to get ahead of the games. Previously I suggested the Cloud as a solution to support you and your remote users, especially for highly demanded services like email; so here are ten ways the Cloud can help take the weight during the Games.

  1. Ubiquity of access: The Cloud, by definition, is available from pretty much anywhere you can get an Internet connection, but unlike your own remote access platforms it is built for access, and lots of it. Your users can access Cloud-enabled services from any device and any Internet connection, they're not limited to a single VPN service or gateway.
  2. Scalability of access: Your own remote access service was something I covered in the last blog post, in that the in-house systems you've got were probably only designed for a small percentage of your users. The Cloud services' your business can use are completely different - those services were built with the ubiquity of access (above) in mind so won't act as the remote access bottle-neck like your on-premise solution.
  3. Make remote working easy: I often watch remote workers on trains and in cafés trying to access their corporate systems. Usually there is a VPN client required, a token of some sort, multiple interfaces and portals to negotiate, some even send a text or make a phone call. Most of the time all of these people want to do is simply hit send/receive in Outlook. I'm not being disparaging about access control or security policies, but very often the security applied is far too restrictive and as a result leads to point four below.
  4. Keep users in house: We already know from research that if you demand that your users jump through too many hoops to access your on-premise resources remotely, they will default to their own web-based platforms simply because they are easier to use. Using a cloud platform for business that offers the required level of security and accessibility means you can keep your users on the reservation, which is vital for corporate governance.
  5. Support mobile platforms & BYOD: There are limited ways your on-premise infrastructure can support users on the hoof i.e. those who have a few minutes to kill and might have a smartphone or tablet to hand. Of course email is accessibly on most devices, but normally a maximum of 30 days - not hugely useful if your users want to refer back to older messages. Deploying a Cloud platform that also supports users mobile platforms will give them the ability to be more productive for longer. If you don't issue those devices but support a BYOD policy, then you really do need a platform that supports ubiquity of access like the Cloud.
  6. Keep corporate governance going: As I mentioned in point four, your users may be jumping out to other webmail services just to get their job done. For any IT Managers this will mean a governance nightmare, as the corporate perimeter no longer applies. Email in particular is susceptible to this problem, but using a cloud-based email management solution that is easy to access from anywhere, on any platform will mean your users are still under your control and your policies and governance will still be applied. Centrally.
  7. Deliver reliable and available services to users: As I mentioned in my last post, the Games are going to test your infrastructure to its limits. Most IT admins I know aren't looking forward to finding out where that limit is, and wished they had thought about this sooner. Most reputable Cloud vendors will give you 100% availability, wouldn't it be more comforting if that were an SLA you could pass onto your own business?
  8. Re-deploy your IT team more meaningfully: I doubt your highly trained IT team want to be waiting by the phone this summer. Some companies I know are letting all their staff work from home except their IT team in case something does go wrong; but wouldn't it be more productive to let them work on those projects they've been putting off for years because of the constant firefighting. All of the points above indicate how your IT team are working to keep systems up and running, but also how the Cloud can take the weight of on-premise applications and augment them, freeing up the time of your IT team.
  9. Future-proof your environment: This will be the core topic of an upcoming blog post, but in short I'd suggest that changes you make to your environment now in preparation for the Games (if you're not too late) will be like your own Olympic Stadium; you'll enjoy the immediate benefit of the Cloud now, as well as finding a way of on-ramping the Cloud into your network for the future.
  10. Be prepared!: Need I say more? We used to talk about the cloud as an SME tool, but today enterprise class businesses are using the cloud to augment their creaky on-premise services, the writing is on the wall I think.


An Olympic Endeavour?

by Orlando Scott-Cowley - Cybersecurity Strategist

During "the Games" more and more of us will be working outside of the office, and for those of us that are used to this mode of operation it won't be a problem, either as end-users or as IT departments. For some though this will likely be the first time their infrastructure has been utilized by a larger than normal number of users; and I don't just mean our transport networks.

We are a few weeks away from the London 2012 Olympics and the advice for everyday Londoners is starting to build up. Transport for London have coyly told me to expect a "Major Impact to Travel" in an email earlier this week, reminding me in a fantastically understated way about "...the sporting events which will be held across London..." and how I should consider staying at home, or more precisely; working from home.

The Olympic Stadium

Working remotely is an increasingly common part of our jobs these days; the normal office hours have been eroded by our always-on connectivity (unless you're an O2 customer) and the rise of smartphones and mobile devices has given us more ways to work than just sat at our desks. Bring your own device (BYOD) is firmly taking root in all but the most resistant organizations and it's been posing new challenges for the IT department, who want to enable the technologies rather than revert to a culture of no.

Most companies have systems for remote-access for a small subset of their users. Some may provide lightweight services like Outlook Web App access so users can remotely access their email if not already using a smartphone. Others will provide a full range of network based services, usually accessible on the end of a token based two-factor authenticated VPN service. For all, there is normally a large requirement for on-premise infrastructure of some sort, and that's where the strain is likely to be felt most.

I'd lay down a small bet here; 10% of your workforce using your remote-access services on-premise is likely to be do-able, and probably close to what you designed the system to handle. 50% of your workforce all sharing the same infrastructure remotely is probably going to be a little hairy. 100% is where I would bet that most IT departments will start to wonder how well long their infrastructure will last. I bet there's only a small number of remote access infrastructures that were designed for 100% usage - is yours one?

This is the first of a series of blog posts I'll be writing during the Games, of course I can write them remotely so normal service is unlikely to be affected for me. But for you, who may be at the end of your tether holding it together for your users, I'll be suggesting a few sensible considerations and solutions. Including:

  • The Cloud as a solution to support your remote users, especially highly demanded services like email.
  • Your Olympic Stadium: Future-proofing your infrastructure now to solve this problem, but enjoying the benefits for years to come.
  • What if the balloon does go up? How are you going to cope if your data centre is on the othervside of the ORN.
  • BYOD: Be your own IT Superstar by enabling this now to let mobile platforms take the strain.

I'm keen to highlight our customers and anyone else who has taken special preventative measures for the Games too. Please get in touch or leave a comment if you have already made special arrangements for your infrastructure and workforce. Happy London 2012!


Email archiving, in particular, used to be expensive and hard to do well - specially for organisations the size of News Corp. Customers had to buy horrendously expensive systems and pay exorbitant maintenance to keep them going. So it's not surprising that companies opted for the safest, cheapest and easiest way to manage this problem: deletion. However, this problematic solution is no longer necessary now there are low-cost, seamless archiving solutions for business email.

Following TechCrunch’s recent post ‘The Only Reason Companies Delete Emails Is To Destroy Evidence’, I joined many commentators discussing the various reasons why businesses might (or should) delete or archive their email in light of the News Corp revelations. Whereas it used to be time consuming and costly to retain emails, primarily due to the cost of storage, today no such constraints exist.  In fact, there is no longer any technical reason whatsoever to delete email. Interestingly, corporate tendencies seem to differ across the pond: I have found that Americans delete, whereas Europeans hoard.

TechCrunch’s post does, however, point out how useful it can be to have certain communications saved, particularly when retrieval of a conversation is required in the pursuit of justice:

“The News Corp. phone-hacking scandal continues to spiral out of control […] A paper copy of a deleted email found in a crate ties deputy COO James Murdoch directly to the events under investigation.”

Clearly, archiving is crucial in order to maintain transparency within a business. So it’s really more a question of "Should emails be deleted at all?"

With an email archive where you are storing the only copy of the email, you can ensure an email is permanently deleted instead of residing in hundreds of places on the LAN. But how do you decide what to delete and when? On the one hand, companies are often fearful of compliance (like HIPAA, SOX or FSA) or they can be afraid of litigation.

Key to TechCrunch’s post, which commentators seem to forget, is the rules around retention. In the US, for example:

"[if] you can reasonably anticipate legal action on these emails then you are bound by FRCP to hold those documents in anticipation of a possible discovery. Destruction of emails once you know a legal hold is necessary could expose an organization (public or private) to court sanctions for spoliation."

It's a fine line to tread, but there is a way forward with well-designed retention policies.

In addition, we see completely different attitudes on the two sides of the Atlantic: in the US, there is a desire to delete everything as quickly as possible to reduce discovery costs and potential litigation. Whereas, in Europe we are much more likely to see a "keep everything" attitude.

As archiving improves, surely there is a legitimate reason to keep everything if you can reduce the discovery costs and avoid these issues, because -- certainly, in News Corp.’s case -- the deletion seems over-zealous.

Customers of Mimecast don't have to pay exorbitant fees or suffer bad infrastructure to retain everything they want to, because they outsource it to the Cloud. Those  who want to implement deletion policies can do the same; ensuring the right information is deleted at the right time and removing human error from the process.

 Photo CC via Mrs TeePot and Dolescum on Flickr