Re: Use of Acompli to accelerate email to IOS and Android

[Mike Osterman <ostermmg () WHITMAN EDU>]

As are we, David. Students and some faculty on Google Apps, but staff and many faculty on-premise. We're looking to 
move away from on-premise completely, so these questions of user satisfaction/choice and custody/control of data are on 
the forefront of our minds.

Regarding Microsoft's reaction, the article that Douglass linked sums it up nicely:
"There is some truth in the assertions being made, but like everything else in life you have to put the issues into 
context. And in terms of IT security, that means understanding where risk exists and how to control that risk." 

I suspect if there's enough non-adoption that they feel they can attribute to these concerns, they'll address it, 
otherwise, adoption is tacit acceptance.

-Mike

> On Jan 30, 2015, at 11:08 AM, David Treble <David.Treble () UMANITOBA CA> wrote:
>
> We may be an exception Mike.  Our students are on Office365, but faculty and staff are on-premise based on the 
> decision from our Legal and Privacy offices.  So obviously, apps such as this challenge our ability to enforce that 
> decision.  On the other hand, we did not go so far as to block mail forwarding; and it is known that some staff 
> forward mail to Gmail to avoid the activesync policies - or they just prefer that client.  So it is the age old 
> problem of user satisfaction and choice; and custody and control of data.
>
> It will be interesting to see how MS reacts to the criticisms and if they feel this is a problem they need to resolve.
>
> David Treble
> IT Security Coordinator
> University of Manitoba
> From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Steve Terry 
> [terrys () DENISON EDU]
> Sent: January 30, 2015 12:48 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Use of Acompli to accelerate email to IOS and Android
>
> Mike:
>
> How many schools are not already in the cloud with email?  Exchange, on-prim may be the exception, rather than the 
> norm?  So if schools are already using cloud-based solutions (Gmail, Office365, etc.)  is the OAuth scenario still 
> applicable?
>
> Steve 
>
> Steve Terry
> Director of Enterprise Applications
> ITS
> Denison University
> Fellows Hall - 102B
> Granville, OH 43023 
> 740-587-8685 <> | www.denison.edu <http://www.denison.edu/>
> On Fri, Jan 30, 2015 at 12:24 PM, Mike Osterman <ostermmg () whitman edu <mailto:ostermmg () whitman edu>> wrote:
> I think the issue with Acompli (or CloudMagic, Inky and the others that support non-OAuth mail) password storage is 
> that it's storing the password on a remote server rather than on the person's device. There's always the risk that 
> the app itself could turn evil and leak your credentials, but in the remote server scenario, you're providing a 
> credential to a third party that could prove very dangerous in SSO-enabled environments like the EDU space. Sure, 
> it's encrypted, but if they lost their encryption keys and the database, that's a pretty substantial loss.
>
> Worse still, I don't think anyone but IT folks really understand the distinction of the location of the password 
> storage or cares to do the research to make an informed decision.
>
> Even in the OAuth scenario, you're avoiding the credential issue, but do still have highly-sensitive mail data 
> (except in the case of Inky - http://inky.com/faq/ <http://inky.com/faq/>) passing through 3rd party servers in most 
> implementations. If an organization is using Exchange on-premise, then you'll lose the inherent data privacy benefit 
> by having institutional mail data--"metadata" at a minimum--traveling outside the organization.
>
> It's tough, because this new breed of mail clients offer some fantastic functionality (I personally love the Snooze 
> feature in Mailbox.app and use it with my personal email), but there are privacy tradeoffs, and many of our 
> institutions don't have the policies and/or technical controls in place to be able to address these risks.
>
> Mike Osterman
> Director, Enterprise Technology
> Whitman College
> (509) 527-5419 <tel:%28509%29%20527-5419>
>
> > On Jan 30, 2015, at 9:00 AM, Steve Terry <terrys () DENISON EDU <mailto:terrys () DENISON EDU>> wrote:
> >
> > Dennis:
> >
> > Microsoft purchased Acompli a short time ago and turned it into a new version of Outlook for iOS and Android devices:
> > http://www.theverge.com/2015/1/29/7936081/microsoft-outlook-app-ios-android-features 
> > <http://www.theverge.com/2015/1/29/7936081/microsoft-outlook-app-ios-android-features>
> >
> > I have used Acompli for about a year and have found it to be a fantastic piece of software.  I have also downloaded 
> > and run the new version of Outlook to compare it to my previous version of Acompli - it is same, but better!  (Add 
> > file access to Dropbox and other services.)
> >
> > As for authentication, (Denision is a Google Education shop) - it prompts and uses our SSO authentication services 
> > to establish the initial connection to (Gmail) for us.  I see no differences, in this new version of Outlook, in 
> > terms of "storing" account information over any other previous iOS email clients?  
> >
> > Steve
> >
> > Steve Terry
> > Director of Enterprise Applications
> > ITS
> > Denison University
> > Fellows Hall - 102B
> > Granville, OH 43023 
> > 740-587-8685 <> | www.denison.edu <http://www.denison.edu/>
> > On Fri, Jan 30, 2015 at 10:11 AM, Dennis Levine <dennis_levine () emerson edu <mailto:dennis_levine () emerson edu>> 
> > wrote:
> > Hi All.
> >
> >   Just wondering if anyone is using or is considering the use of Acompli (https://www.acompli.com 
> > <https://www.acompli.com/>) to accelerate email distribution to IOS and Android mobile devices.
> >
> > I’m a bit hesitant because they require a login to the exchange server and then store the email and account 
> > information on their servers, though they say it’s encrypted.
> >
> > Any thoughts,
> >
> > Dennis
> >
> >  
> >
> > Dennis Levine | Network and Security Administrator | 120 Boylston Street  Boston, MA  02116-4624 | (617) 824-8972 
> > <tel:%28617%29%20824-8972> | Dennis_Levine () emerson edu <mailto:Dennis_Levine () emerson edu> | www.emerson.edu 
> > <http://www.emerson.edu/>
> > <image001.jpg>