
The organization at which I work wants us to download our e-mails rather than use a remote/online service like gmail. I have argued that this is less secure because downloading the e-mails brings the text and any attachments behind our firewall. I am fairly certain they are requiring this not for IT security reasons, but to try and save money (i.e., our current online e-mail allocation is only 1 GB, which is rather small when you routinely send 10+ MB papers to/from colleagues).

So is it more or less dangerous to use an e-mail client where one downloads the e-mails to their personal computer than an online e-mail client (e.g., gmail)?

2 Answers


Both approaches have their own risks: if you have your mail remote, then you fully depend on the security provided by the external provider. If you host it locally, it is more under your control. Which is better depends on what you and the provider are able and willing to do regarding security, but the provider is definitely the more lucrative target for an attacker and thus needs to have better protection.

Apart from this general statement I could think of several particular problems:

  • With web mail, apart from the usual risks the provider has to deal with, you are open to all the web-based risks, like CSRF, XSS, session hijacking etc. That risk does not exist when stand-alone mail clients are used.
  • If the mail is stored permanently at an external provider you risk that this provider gets hacked and all mails (with confidential company data) get exposed.
  • If your company has full control of incoming (IMAP, POP) and outgoing (SMTP) mail, it makes filtering much easier. This includes filtering for malware, phishing and spam, restricting who can send, detection of data leakage etc. On the other hand, a good external provider might offer better protection than a cheap in-house solution.
Steffen Ullrich

Frankly speaking, the best is to use a combination of both, which is IMAPS. With IMAPS the connection is secure (IMAP over SSL, or rather, TLS), and the client retrieves the list of emails; when you click on an email, it is downloaded. The Exchange protocol works similarly. So it keeps email on the server so you can browse it online and downloads the ones you need (or you can make some clients download them anyway). Searches are also performed on the server (in Outlook this happens if you choose not to store email locally at all).

To fully download emails, you'd use POP3S (POP3 over TLS).

However, in today's world it's the cloud holding our data and not devices.

A 10 MB limit on email is small; modern email systems can handle big mailboxes without issues. They are sometimes compressed and indexed, so holding a 100 GB mailbox is not an issue.

When you download emails, you need to back up your whole system or Outlook PST file. This adds additional hassle, plus you need to make sure your PST file is backed up securely.

Downloading emails is very risky; today you should use a web interface with 2FA (Two-Factor Authentication). This way Evil Sysadmins or Cleaners won't download all your emails by either reading your hard drive or getting your Gmail web account password from the browser's saved passwords.

Since stealing emails is such a big risk and issue today, you'd be good with encrypting the hard drive. It's in macOS, Windows (BitLocker) and Linux (LUKS) if you really want to download them.

Some hard drives also support encryption, so you can use that as well (in the BIOS), and back up the PST file to an encrypted USB stick. To encrypt a USB stick you can use BitLocker.

Aria
  • Thanks for the response. Just to clarify, the storage limit of our e-mail client is only 1 GB. The 10 MB reference was to individual e-mails. Given that I often send/receive 10s to 100s per day, it doesn't take long to fill up the 1 GB allocation. I think they are just trying to avoid paying for more storage so they require us to download our e-mails for archiving/record keeping. – honeste_vivere Sep 08 '16 at 14:00