I have several mail accounts. One is on an Exchange server and usually
accessed with Outlook, which works poorly and is not accessible from outside a
certain protected network. I therefore asked for my email to this Exchange
account to be automatically forwarded to my mail account on Google. The
Exchange server administrator agreed, but now he is whining that this is a
security risk. How on Earth can simply forwarding mail messages be a security
Ah, those whiny administrators. Why can’t they just get out of the way and
let us do our work, right?
Having worked in a corporate environment in the past, I do understand your
frustration. Not all of the decisions or rules make sense.
The problem is I can also understand your administrator’s position.
It all boils down to the definition of “security risk”.
Normally, when we think of “security risk” we’re thinking about things like viruses, spyware, malware, account hijacks and all sorts of other badness that we continually hear so much about.
And you’re very correct – simply forwarding email doesn’t add any additional technical risk. If the mail had a virus, then the forwarded one likely will too. If it was safe, forwarding the email through another service like Gmail certainly isn’t going to add malware to it.
And I’m certain – or at least hopeful – that this isn’t what your admin had in mind.
Instead, I’m going to guess he’s concerned about something else. I’ll use a very vague and general term, and call it a “risk of exposure”.
You’ve indicated that your email’s available on a “protected network”. I’m guessing that could be as simple as a private LAN. That means that inter-office email never travels across the internet, and that email coming in from the internet never leaves the private LAN once it arrives.
In other words, your company, and your administrator, have total control over your internal communications. Access is restricted to those individuals who have been given access to that LAN. Even unauthorized access to your email, for example, would have to be an “inside job”, since your email is never allowed to leave the LAN.
If you auto-forward to Gmail, or any other service out on the internet, that changes. In theory it should be just as secure, or at least as secure as you keep your Gmail account. However, it opens the door to a few other issues:
If your Gmail account is compromised, sensitive company information could be visible.
If your ISP or internet connection is compromised, sensitive company information could be visible.
If you happen to access your email in an insecure way at, say, an open Wi-Fi hotspot, your company emails could be visible to an unauthorized third party.
Regardless of the problem or compromise, once the email has left your corporate LAN, your administrator has no control over what happens, and cannot rectify any problems that might result.
Most companies put these types of restrictions in place purely for that last reason: the risk of some kind of problem cropping up is simply perceived as too great, and the ability to “fix it” if something does happen is simply too small.
I’m not going to venture a guess as to whether or not your company is being overly cautious. Certainly the administrator could just be protecting himself, or retaining control, as opposed to truly thinking about what’s best for the company. The company rules could be in place simply to cover their assets. But it’s also quite possible that at the other end of the spectrum there are scenarios where what you’re asking for could legitimately be considered too risky.