Minerva Studio - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

Personal email servers: What are the security risks?

Hillary Clinton has taken much criticism over the use of a personal email server. Expert Michael Cobb explains the risks of shadow IT email and what enterprises can do about them.

Former Secretary of State Hillary Clinton has come under fire for her use of a personal email server rather than solely relying on a government-issued email account. While I understand there are implications for national security because of this, are there any lessons enterprises can learn? Are there security controls that can be put in place if employees or executives use personal email servers?

Most organizations suffer from shadow IT, where individuals and even whole teams circumvent IT policies and set up unauthorized cloud services or install their own software. The Cloud Security Alliance's Cloud Adoption Practices & Priorities Survey Report 2014 found that nearly 72% of IT managers didn't know how many shadow IT apps existed within their organization. Hillary Clinton's use of a private email server and address for government business is a good example of the problems shadow IT can cause. Top secret information was transmitted over a network that probably didn't meet the requirements for processing such highly classified information. It also creates problems with archiving and E-discovery as well. The Federal Records Act requires government officials to preserve emails on department servers, and most organizations need to archive emails for various periods of time depending on the regulatory framework within which they operate. E-discovery becomes almost impossible if emails and documents are spread across employees' own personal email servers and accounts.

Enterprises have to know where their data is in order to build an appropriate data security strategy to protect it. Cloud computing is making the task a lot harder, and shadow IT makes it impossible. Finding which cloud applications are being used by employees is a job for an automated tool. For example, CipherCloud offers Cloud Discovery, which searches for and risk assesses all the cloud applications being accessed by an organization. Netskope's Advanced Discovery and Skyfence's Cloud App Discovery are other tools that enable administrators to assess authorized and unauthorized cloud application usage.

But tracking down private email servers is not easy, so the problem needs to be tackled from a different angle. The main reason people use shadow IT is convenience, so enterprises should create a procedure that makes it easy for departments, teams and individuals to request to use alternative services or systems. Build consensus when developing the policy so it won't be seen as an arbitrary set of rules handed down from up high. When people understand why they need to do something, they are far more likely to do it, so highlight the risks shadow IT introduces to the organization and for the employee. Overly strict security policies can backfire, as employees will try to circumvent them, so make an effort to approve a request or offer a compromise when an employee makes a valid request.

In addition, enterprises should ensure employees are aware of the disciplinary consequences of noncompliance, while security training should highlight the risks of shadow IT; a personal email server will lack all the safeguards and physical protection of on-premises corporate servers, and may well be in breach of various legal and compliance requirements. If you feel your enterprise is at risk from shadow IT, try declaring an amnesty so employees can own up without fear of dismissal. This at least gives you the opportunity to get shadow IT under control before bringing in new measures to stop it spreading again.

Next Steps

Read about tools and tips to improve enterprise email security

Find out how Pandora addresses shadow IT and cloud app security

Compare the best email security gateway products in the industry

This was last published in April 2016

Dig Deeper on Email and Messaging Threats-Information Security Threats