Should our company allow employees to forward their Exchange email to GMail?


Solution 1

There is one really good reason to disallow this:

Even if you configure Gmail to use the company address as the FROM-header, Gmail will still add a

Sender: <[email protected]>

to every mail that is sent out.

Now, this might seem like a small issue, were it not for Outlook, which displays a mail with these headers:

From: <[email protected]>
Sender: <[email protected]>

as a mail from "[email protected] on behalf of [email protected]". Even worse: Replies will be sent to the Google alias now.

So this not only confuses potential recipients, it also means that company mail now ends up in private mailboxes where it's not subject to a company's possible audit or backup policy.
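The From/Sender pair described in this answer can be checked mechanically on the receiving or archiving side. The following is an added example, not part of the original answer; the domain `corp.example`, the sample messages and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "corp.example"  # assumption: the company's own mail domain

# Constructed sample messages (not real traffic).
SAMPLES = {
    "direct": "From: Alice <alice@corp.example>\nTo: bob@customer.example\n"
              "Subject: Quote\n\nSent from the corporate mailbox.\n",
    "delegate": "From: Alice <alice@corp.example>\nSender: pa@corp.example\n"
                "To: bob@customer.example\nSubject: Quote\n\nSent by a delegate.\n",
    "via_webmail": "From: Alice <alice@corp.example>\n"
                   "Sender: alice.private@webmail.example\n"
                   "To: bob@customer.example\nSubject: Quote\n\nSent from webmail.\n",
    "outsider": "From: carol@customer.example\nTo: alice@corp.example\n"
                "Subject: Re: Quote\n\nInbound customer mail.\n",
}

def header_domain(value):
    """Lower-cased domain of the address in a header value, or None."""
    _, addr = parseaddr(value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def classify(raw, corp_domain=CORP_DOMAIN):
    """Classify a raw RFC 5322 message by its From/Sender pair."""
    msg = message_from_string(raw)
    if header_domain(msg.get("From")) != corp_domain:
        return "not-corporate"          # From is not a company address
    sender = header_domain(msg.get("Sender"))
    if sender is None or sender == corp_domain:
        return "ok"                     # no Sender, or an internal delegate
    return "external-sender"            # the "on behalf of" case

def flagged(samples=SAMPLES):
    """Names of the samples that carry an outside Sender address."""
    return sorted(n for n, raw in samples.items()
                  if classify(raw) == "external-sender")

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {classify(raw)}")
```

A message flagged as `external-sender` is one whose replies may go to a mailbox outside the company's archiving and audit scope.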

Solution 2

I think from a security perspective, you should not allow this.

All the data in the company mail system belongs to the company. I think you'll be putting the company at risk this way by opening this up. As usual, security comes at the cost of convenience; there's no easy way around it. Of course you can't go too far with restricting people's freedom with an iron fist either, because if staff feel shafted, they'll go out of their way to circumvent the system, and that's much worse - you then have to start worrying about insiders (more so than usual, that is).

Secondly, if using Gmail, for example, becomes the norm, you're then also exposing the company (more so than already) to social-engineering attacks. People who've not looked into this (including me at first) laugh at this kind of caution, but social engineering attacks are in general much more difficult to protect from than you think - in most cases you wouldn't even know it when it occurs.

And as previously mentioned - I think Audit would vomit when they hear about this :)

Solution 3

By allowing them to forward their email to GMail, you are now dependent on the developers to implement the security for protecting sensitive company information, rather than being able to enforce strict password and security options centrally.

If a user replies to an email from their GMail account, this then completely bypasses any logging and tracking on the Exchange server; the company will never know an email was sent on their behalf.

Solution 4

The Security Side of Me:

One of the companies (MediaDefender, I think, anyone want to confirm?) that was helping the RIAA track down and prosecute BitTorrent sharers permitted one of their VPs to forward his company mail to his Gmail account.

Some people who did not appreciate this company's efforts guessed his password and pulled all his mail, and leaked all the company-related mail. You can probably still find torrents of it floating around. Included were salary documents, operating plans, etc.

So, you need to not only trust Google, but also trust the developers to pick reasonable passwords. You might think that, at least once it's explained, it would be a simple matter to get the developers, who should all be "computer people" (but sometimes aren't) to pick good passwords. Anecdotally, however, I've seen many developers with piss-poor security.

The User Side of Me:

On the other hand, I hate having multiple mailboxes, and I get much better productivity out of having all my mail flow into one. I check it all in one place (and all the bloody time); and I don't really have to care where people email me at, it all reaches me eventually.

As we speak, actually, I'm doing a mail migration of several Gmail accounts into one GAFYD account, and after that I'll be pulling in my old Outlook/Exchange archives.

If I couldn't forward my work mail into my GAFYD account, I'd be very peeved, and you (the person stopping me) would be rather screwed anyways, because I would be importing my archives instead. Which brings us to the bottom line: The primary reason not to let me forward my mail into Gmail is security. And if I want my mail in Gmail bad enough, I'll get it there one way or the other. Maybe it won't be in real-time, but I will eventually, and once it's there, it's the same as if you let me forward it in.

Solution 5

I'm not sure that "trusting Gmail" is the issue really. It's a governance matter - do you know where your corporate information is? Has your Intellectual Property remained at all times under your control? etc.

I work with Loa PowerTools, a company that provides a virtual local SMTP service. We have users whose employers cannot, for accountability, liability and regulatory reasons allow their corporate email to reside on Google servers that may be mined (by software, admittedly) for information of use to Google.


Author: Assaf Lavie

Updated on September 17, 2022


  • Assaf Lavie almost 2 years

    Many developers prefer the GMail interface and thus forward (actually pull) all their email to GMail.

    Assuming we trust Google, are there any reasons why this should be disallowed?

    Edit: Interesting article today from Bruce Schneier about Cloud Services and security.

  • pilif about 15 years
    Yes. This really sucks. There is a large thread in the Gmail user group, but Google just ignores the pleas of their users. Posting this as a comment as it's not relevant to the question.
  • Assaf Lavie about 15 years
    If a developer can access email at home from POP or a VPN, then he can also archive it for later use. So I don't get this argument. You either trust your employees or you don't.
  • Assaf Lavie about 15 years
    Email doesn't have to be broken. Gmail is simply better.
  • Assaf Lavie about 15 years
    I trust Google more than our own backup. And when a "formal" email has to be sent, people can still use Outlook (since they're well aware of the header confusion). I did not quite get the audit part (maybe our legal system is a bit different) - can you explain what you mean?
  • pilif about 15 years
    Depending on your country there are legal requirements for companies to retain every email ever sent or received. Or it might just be company policy that all communication needs to be archived. Because Outlook replies to the wrong address, these mails will be missed by the archiving process. This is especially bad if for example the legal department of your company needs a mail sent from a customer as proof of something.
  • Dan about 15 years
    I assumed developers don't have POP3 access either. Not sure if VPN access would give you access to download all your email. Webmail might enable a developer to download files, but that would be tedious grabbing lots of emails. I hadn't considered what if a user sets up a rule in their email client to just forward every email they receive.