
Forwarding email from one account to another doesn't add major technical risk, but doing so can introduce other issues that cause IT admins concern.

I have several mail accounts. One is on an Exchange server and usually accessed with Outlook, which works poorly and is not accessible from outside a certain protected network. I therefore asked for my email to this Exchange account to be automatically forwarded to my mail account on Google. The Exchange server administrator agreed, but now he is whining that this is a security risk. How on Earth can simply forwarding mail messages be a security risk??

Ah, those whiny administrators. Why can't they just get out of the way and let us do our work, right?

Having worked in a corporate environment in the past, I do understand your frustration. Not all of the decisions or rules make sense.

The problem is I can also understand your administrator's position.

It all boils down to the definition of "security risk".

Normally, when we think of "security risk" we're thinking about things like viruses, spyware, malware, account hijacks and all sorts of other badness that we continually hear so much about.

And you're very correct - simply forwarding email doesn't add any additional technical risk. If the mail had a virus, then the forwarded one likely will too. If it was safe, forwarding the email through another service like Gmail certainly isn't going to add malware to it.

And I'm certain - or at least hopeful - that this isn't what your admin had in mind.

Instead, I'm going to guess he's concerned about something else. I'll use a very vague and general term, and call it a "risk of exposure".

You've indicated that your email's available on a "protected network". I'm guessing that could be as simple as a private LAN. That means that inter-office email never travels across the internet, and that email coming in from the internet never leaves the private LAN once it arrives.

In other words, your company, and your administrator, have total control over your internal communications. Access is restricted to those individuals who have been given access to that LAN. Even unauthorized access to your email, for example, would have to be an "inside job", since your email is never allowed to leave the LAN.

If you auto-forward to Gmail, or any other service out on the internet, that changes. In theory it should be just as secure, or at least as secure as you keep your Gmail account. However, it opens the door to a few other issues:

  • If your Gmail account is compromised, sensitive company information could be visible.

  • If your ISP or internet connection is compromised, sensitive company information could be visible.

  • If you happen to access your email in an insecure way at, say, an open WiFi hotspot, your company emails could be visible to an unauthorized third party.

  • Regardless of the problem or compromise, once the email has left your corporate LAN, your administrator has no control over what happens, and cannot rectify any problems that might result.

Most companies place these types of restrictions purely for that last reason: the risks of some kind of problem cropping up are simply perceived as too great, and the ability to "fix it" if something does happen is simply too small.

I'm not going to venture a guess as to whether or not your company is being overly cautious. Certainly the administrator could just be protecting himself, or retaining control, as opposed to truly thinking about what's best for the company. The company rules could be in place simply to cover their assets. But it's also quite possible that at the other end of the spectrum there are scenarios where what you're asking for could legitimately be considered too risky.
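A check an administrator could run to see which mailboxes forward mail outside the organisation, and whether a copy stays on the server they control. This is an added example, not part of the original article; the CSV layout, the `example.com` internal domain and every address in it are constructed assumptions.

```python
import csv
import io

# Constructed sample: one row per mailbox, as an admin might export from the
# mail server. Column names and all addresses are assumptions for this example.
SAMPLE_EXPORT = """\
Mailbox,ForwardingSmtpAddress,DeliverToMailboxAndForward
alice@example.com,smtp:alice.personal@gmail.com,True
bob@example.com,,False
carol@example.com,smtp:carol@mail.example.com,True
dave@example.com,SMTP:dave@notexample.com,False
erin@example.com,smtp:erin@EXAMPLE.COM,True
"""
INTERNAL_DOMAINS = {"example.com"}  # domains the organisation controls (assumed)


def forward_domain(address):
    """Return the lower-cased domain of a forwarding address, or None if unset."""
    address = address.strip()
    if address.lower().startswith("smtp:"):
        address = address[5:]
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def is_internal(domain, internal=INTERNAL_DOMAINS):
    """True for an internal domain or a subdomain of one."""
    # Match on the label boundary so 'notexample.com' fails a suffix test.
    return any(domain == d or domain.endswith("." + d) for d in internal)


def audit_forwarding(export_text):
    """Return one finding per mailbox that forwards outside the organisation.

    copy_kept False means no copy remains on the server the admin controls.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        domain = forward_domain(row["ForwardingSmtpAddress"])
        if domain is None or is_internal(domain):
            continue
        kept = row["DeliverToMailboxAndForward"].strip().lower() == "true"
        findings.append({"mailbox": row["Mailbox"], "external_domain": domain,
                         "copy_kept": kept})
    return findings


if __name__ == "__main__":
    print(*audit_forwarding(SAMPLE_EXPORT), sep="\n")
```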

Article C3924 - November 14, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

5 Comments
Pete B
November 17, 2009 8:20 AM

I understand that the mail may pass through several transit points (where it is stored unencrypted) when being transferred from one mail server to another, so it's not just your own ISP you need to worry about ...

Mike K
November 17, 2009 9:33 AM

I too understand your administrator's issues, being an administrator myself. There are a couple of ways that can be opened up for the mobile user of Outlook. One is to enable the Exchange server and Outlook for RPC over HTTP. Also, the mobile user could VPN into the network and then open Outlook. There could be other, legal or regulatory, reasons the admin needs to keep the email locked down.

Sunny
November 18, 2009 4:12 AM

One option is to implement a secure private network to make the mails available to users even from outside the corporate network; any sort of VPN or Citrix Secure Access are some options.

Another risk in forwarding corporate mails to private mail accounts like Gmail is that once the employee leaves the organisation, he carries a copy of the mails, which is generally not accepted.

Colin Strain
November 19, 2009 2:02 AM

I have dealt with similar issues at the council where I work.
If you look through Google's terms and conditions for Gmail, they use their search tools to index your email to gather a profile about you. If you have sensitive data in those emails, it is being stored by Google.
They claim that they won't do anything with it, but if you use the YouTube experience as a precedent, it is crazy for businesses to want their emails on the Gmail product.

anton
March 22, 2010 8:55 AM

What about creating loops resulting in server problems?
