Security and the cloud
Written by Dan Blacharski on January 4, 2010
The increasing popularity of in-the-cloud email delivery and email security solutions, and the wealth of innovations available, raises the question of whether email administrators should consider cloud-based solutions. While free, Web-based email remains out of the question for corporate use, some other cloud solutions that offer more robustness and security may be appropriate for some users.
Security is always imposed in cloud-based systems to one degree or another, but a major limitation is that many cloud providers still implement their own proprietary security approaches. While such an approach may well impose good security, this has still limited the uptake of cloud-based models. A more appropriate approach to cloud-based security would be the adoption of a common security model, made available through the cloud platform-as-a-service.
As outlined in “Cloud computing made easy,” co-authored by yours truly, a cloud platform (as opposed to cloud “software as a service” applications) imposes common software elements, which are used by developers to write cloud applications without having to re-invent the wheel for every aspect of each application. The use of a cloud platform is particularly useful for imposing rigorous security, in that it presents a standard security model for managing things like authentication and authorization, role-based access, secure storage, multi-tenancy, and privacy policies. Developers of common SaaS applications may not always be experts in security, but by using the common security model of a cloud platform, the developer is able to draw against the expertise of other developers who are.
The advantage is especially evident for smaller businesses, which often lack full-time, specialized IT security personnel. It is much more likely that a cloud provider will have devoted time, money and resources to security than would a small company with four or five employees, and in such a case, the small business is more secure by leveraging the services of a reputable cloud provider as opposed to running insecure or marginally secure applications in-house. This, of course, assumes that the small business takes the time to conduct due diligence on the cloud provider, examine the service level agreement in detail, and confirm that the provider has taken steps to ensure the security of the applications being accessed.
It is certainly possible for a company to impose tight, near-bulletproof security in-house, and this possibility keeps many from moving to the cloud. But the question should not be “is it possible,” but rather, “is it likely.” A realistic examination of a company’s resources, in-house talent, and ability to adhere to sometimes draconian security policies is the first step in the decision. Do you have the money and somebody on hand to implement the technology? And then, once implemented, do you have the management will to impose necessary but potentially unpopular security policies? Besides technical security such as authentication and authorization, and policies such as frequent password changes, physical security must also be imposed, including locked server rooms, personally escorting laid-off employees off the premises, and regulated access to the physical equipment. Cloud providers are more likely to impose these measures as a general rule, which may lead to better security.


