As many others here have pointed out, you can definitely work with your provider to provide the endpoint tunneling to increase the security of the connection. In addition to which, the method by which the endpoint client (Outlook) is configured can itself provide SSL-based encryption to the traffic.

If someone has the ability to put up a proxy with SSL bridging, that would be a concern for a MITM, but frankly if they have the ability to spoof a trusted version of your access point SSL certificate, you are probably in trouble anyway as a practical matter because either the SSL provider issued in error, your PKI is compromised, or your trust lists are awful.

If you are concerned about third parties hosting your data, perhaps another middle ground to consider is hosted gateways to your mail install. Microsoft purchased FrontBridge a while back and offers these services to various companies. You may find this an adequate solution as your mailbox servers (in Exchange 2007) would then be locally hosted and the third party is simply providing an offloaded bulk spam and anti-malware capability that would then pass on the email to your external access point across encrypted channels. From that point, the transit and storage should all be local infrastructure, and thus secured by your company and infrastructure policies.

One last thing to consider here: are you subject to regulation? SOx? HIPAA? Anything DoD related? In those scenarios, you may need to consider the implications of third party hosting on auditing and your compliance requirements.

-W

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Denton
Sent: Friday, November 16, 2007 10:36 AM
To: 'Shayne Sales'; [email protected]
Subject: RE: Security and Implications of Hosted Exchange

Thanks all for the many replies, they have all been helpful. The opinions I've received are similar to what my presumptions were. Thanks again!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shayne Sales
Sent: Friday, November 16, 2007 11:24 AM
To: [email protected]
Subject: Re: Security and Implications of Hosted Exchange

Past companies I have worked with, who have used Hosted Exchange services, the provider used SSL to secure the access. OWA over SSL and also RPC over HTTPS (SSL) for direct Outlook client Access. (2003 and Newer Outlook Clients I believe)

As for the user info, the providers I saw in use, did not need nor require any user info. The providers had Web Based administration to add/remove/edit user accounts, and the person doing this filled in as much or little personal info as they want.

I also assume that being it is a hosted solution, they farm out the exchange server to numerous other companies, but if done right, you never noticed, you don't see the other clients in the GAL nor the Public Folders.

The biggest concern I had with this method was Data Recovery... If the provider should go under, what means and legalities are needed to obtain your data back from them?

Hope that helps somewhat.

On 16-Nov-07, at 9:34 AM, Roland Dobbins wrote:

>
> On Nov 15, 2007, at 11:11 AM, Dan Denton wrote:
>
>> But, having the features of
>> Exchange without having to backup/restore the system or worry about
>> patches
>> and fixes is pretty attractive.
>
> I'm sure at least some of the folks who offer hosted Exchange would
> also offer a VPN service whereby the Exchange server wouldn't be
> exposed to the general Internet (or to other servers for other
> customers), but would be isolated with all appropriate network, host
> OS, and application BCPs, and accessible only via a VPN of some sort.
>
> -----------------------------------------------------------------------
> Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice
>
> Culture eats strategy for breakfast.
>
> -- Ford Motor Company
