Cloud Email Applications Could Put Your Corporate Data at Risk

Tuesday, April 12, 2016

Yotam Gutman


Do you know the risks associated with third party cloud apps?

We examined Boxer, Microsoft Outlook (previously Acompli), Spark, CloudMagic, MyMail, Zero, and InboxCube to understand their:

  • Terms and Conditions
  • Privacy Policy
  • Access rights
  • File sharing capabilities
  • Deletion process
  • Actual connections to the cloud email provider and their origins

What we found may surprise (or scare) you. In the following post you will find a summary of our research. Most of us don’t think twice before accepting the terms of use when connecting to 3rd party applications. But at least when it comes to cloud based Email services, we should all be more wary.

Our security researcher have examined the leading email Apps on the market and found evidence that they pose a serious security threat to enterprises. Research suggests that the number of Cloud based email users is on the rise—from 12% in 2013, to an anticipated 50% of enterprises by 2022. While this shift to the IT Cloud brings many benefits, it also leaves the organization with a new set of security challenges.

Many of these challenges relate to the lack of organizational understanding pertaining to the “Shared Responsibility” model prevalent in the IT Cloud. The model states that the vendor is responsible for creating a secured service, and the client is accountable for using the service in a secure manner. One specific case, where the responsibility to secure falls entirely on the organization’s shoulders is the use of third party applications connecting to IT Cloud email. This scenario did not exist with on premise systems and falls between the cracks with the shift to IT Cloud.

In this new era, employees have the ability to grant applications access to their corporate information. However, organizations do not have the capability to monitor, let alone prevent it. IT Cloud email platforms have created comprehensive sets of APIs to allow third party integrations, offering organizations almost limitless ways to interact with their data. However, these APIs conceal a substantial risk that most organizations do not take into account. Examining a few of the most common email Apps on the market today helps to paint a clearer picture of what it means to allow access to third party apps.

We examined Boxer, Microsoft Outlook (previously Acompli), Spark, CloudMagic, MyMail, Zero, and InboxCube. Our test consisted of reviewing the Terms and Conditions, Privacy Policy, access rights, file sharing capabilities, deletion process, and lastly the actual connections to the Cloud email provider and their origins. The result were not encouraging – after examining the leading email Apps on the market, it is evident they pose a serious security threat.

As long as Cloud email providers lack the needed control and governance functionality, organizations are left to independently implement CASB solutions (Cloud Access Security Brokers) to safeguard their information. CASB solutions supply a complex feature set designed to detect and block malicious apps. This detection is based on a proprietary app library maintained through continuous security research. While the security challenges addressed here pertain mostly to email Apps, many of these problems are true for all third party applications that can access the IT Cloud.


Although this trend is only in its infancy, the continual growth of the IT Cloud will only displace more on premise services. With that in mind, organizations must begin reassessing the way they think in terms of security risks and begin adapting to a new generation of solutions to mitigate these security challenges.

To receive your complimentary copy of this research please write to

Possibly Related Articles:
Cloud Security PCI DSS Enterprise Security Privacy
Email Security Risk IT Cloud CASB
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.