Skip links

Is your cloud email protection service legitimised ransomware?

Is your cloud email protection service legitimised ransomware?

Ideally before entering into a cloud contract, you should be considering your cloud exit strategy.

Specifically, you should be asking if you’ll be able to get your data out in a timely and affordable manner (and also in a format that’s readily usable) in the event of the SaaS provider closing down or a change in your cloud strategy.

After all, isn’t one of the appeals of the cloud the freedom to switch subscriptions?

Although a standard API called REST (REpresentational State Transfer) has been developed by the web community to enable cloud applications to communicate with each other, and vendors pay lip-service to the ability to export data when you need to, there’s evidence that some SaaS vendors are only offering limited API access and very poor data extraction tools that are not viable for mass data exports.

In short, they are effectively holding their customer’s data to ransom and stopping them from moving on with exorbitant end of contract extraction fees.

A good example that we have seen at close hand is with cloud-based email archive and journaling services. 

How easily can you get your data back?

Having been in the email archive migration business for over a decade, Cloud Essentials is well versed in handling the various technical challenges of moving data between platforms.

Usually a move boils down to achieving a fast, accurate extraction from the legacy archive, and similarly, getting the best ingestion performance into the target system.

For example, when migrating to Office 365, this involves the use of techniques to mitigate the slowing down effects of Microsoft’s throttling, which is understandably used to protect the performance of the service for other tenants.

Although some on-premises archives have a highly proprietary format, the fact that it’s possible to get direct physical access to the underlying data files means an extraction route can invariably be found.

When extracting data from cloud-based archives, the challenges are much bigger:  Lots of throttling and quota limits on API extracts, along with unhelpful data formats are commonplace.  They are also difficult to side-step – especially if you don’t have direct access to the underlying storage.

The only failsafe route to get your data out of some SaaS providers is to pay for a mass extraction.  This can be a costly service.

The various fees we’ve encountered for extraction from platforms such as Enterprise and Mimecast range from an average of 16$-20$ per GB, or in half your annual subscription cost if you want to export all of your data.

STOP PRESS: It looks like even the timelines for extraction are also unacceptable.

We recently we heard from a client who had to wait 8 months to get a paid-for extract of less than 40GB from their email protection vendor.

Don’t miss our webinar: Exit from Third-Party Security >

Can you dodge the exit fee?

Possibly – but only if you’re a relatively small enterprise.  The tools offered under the banner ‘data extraction tools driven by customer’ tend to be slow, limited and difficult to check and administrate.

For example, as a Mimecast administrator it’s possible to perform limited extractions (e.g. for the purpose of re-building a user’s mailbox).   However, given that the main repository you’ll want to extract is your entire journal, as yet, we don’t know of a failsafe route to get this back ‘through the back door’, so to speak.

We’ve known of attempts at manual extractions and some migration vendors have offered ‘automated solutions’ that perform eDiscovery searches and download the results, but we’ve yet to hear of a fully successful outcome (especially given unpredictable results of using text strings and wildcards, etc).

Add to this the fact that Mimecast currently limits search results to return fewer than 50,000 messages at a time (and if an export takes longer than 14 days to complete, it will fail and need to be restarted) it could take several years and lots of heartache to complete.  You’ll also have to keep paying your subscription for the duration of your extraction activity.

Effort and time aside, with this much scope for error and no real audit, it’s debatable whether you’ll get back exactly what’s in your compliance journal.  This will compromise any future case that relies on the integrity of your email journal.

The best route for larger enterprises to get their data back reliably is to pay the extraction fee.  However the fee may so large, it may prove a huge barrier.

There may be some justifiable reasons to push on through…

Reasons to bite the bullet….

  • You resent being held over a barrel… ‘nuff said.
  • You want to protect your company’s interests.  Back in 2013, an early cloud storage firm, Nirvanix, gave its clients two weeks to move their data out of its cloud.  Verizon did similar in 2016.  Even though in both cases data was freely available for download, the timeframes involved, and available bandwidth were a huge challenge.  It’s likely your third-party vendor is robust enough to survive the economic challenges of delivering a SaaS solution, but it’s worth consideration.
  • You feel you’re paying for the same functionality twice over.  You probably signed up with your third-party email protection service provider many years ago.  Office 365 has advanced significantly over the last few years – especially when it comes to email threat protection.  The justification for a separate service is now less compelling.  Check out our earlier article which compares Microsoft Advanced Threat Protection with third-party products such as Mimecast, Proofpoint and Forcepoint.
  • You want protection across your entire Office 365 ecosystem:   If your workforce is using Office 365 properly, conversations will now be taking place in Teams (instead of emails sent back and forth), and documents will be getting shared in SharePoint (and not sent as email attachments).  This means your SaaS protection vendor must also be tightly integrated with Teams and SharePoint, etc.  There’s also shadow IT to consider.  Needless to say, Office 365 offers integrated threat protection across email, SharePoint, OneDrive for Business, Office and Teams that’s hard to beat.  Office 365 also makes it easy to give management control and oversight to non-IT and Governance users.
  • You want to take advantage of ‘free’ storage in Office 365: If you’re using a third-party for email archiving, the virtually unlimited storage you get in Office 365, and the ability to retain leavers’ mailboxes indefinitely may be worth costing out as you reach your SaaS archive annual renewal date.
  • You’re feeling more confident of Office 365 service uptimes: Microsoft provides a comprehensive Service Level Agreement (SLA) which guarantees an uptime of 99.9 percent.  Many of the clients we speak to that use a separate email failover service can’t recall a time when they had to use it.
  • You want to rip off the plaster:  Ultimately, the longer you stay with your SaaS vendor, the higher your exit fee will be as your storage grows exponentially….

What, no journal?

If your business specifically needs to maintain an email journal, you may already know that Office 365 doesn’t provide a like-for-like replacement.  In fact, journaling is one of the main reasons why many organisations use a separate SaaS vendor in the first place.

So, what are the options if you need to journal in order to meet your business and regulatory requirements?

Option 1:  Use a separate, zero-lock-in Cloud Journal:

For a dedicated, low cost journaling service that can be hosted in your own Azure tenancy, you should check out HubStor.

HubStor offers a highly scalable email SMTP journaling service that can accept journal streams from multiple feeds, including your Office 365 tenant.   You can be selective in what traffic you choose to journal.   For example, you might only need to capture emails to and from certain departments or parts of your organisation.  This helps reduce your journal storage costs.  You can also apply policy-based retention to minimise your ongoing storage costs.

The process of getting an extracted journal from your SaaS vendor (and many other sources) into HubStor is easy and HubStor indexes all content to give you powerful eDiscovery across your legacy journal and your new journal content.

The other great thing about using HubStor is that there’s zero lock in.  There’s just the small egress charge that Microsoft levies when you take data out of Azure, which is around £0.06 per GB.

Option 2: Use Office 365 to ‘journal’:

As we said earlier, Office 365 doesn’t offer a centralised, single-instanced journal mailbox service.

It does, however, offer a service that effectively replaces the role of a journal mailbox.

This is achieved with the multi-instanced, mailbox-level storage approach that Office 365 uses, along with the following capabilities:

  • Use of litigation hold and retention policies to ensure content in all relevant mailboxes is available for eDiscovery (with any user-deleted emails retained in hidden folders).
  • Preservation of all critical envelope data including:
    • Retention of BCC’d recipients in the senders’ mailboxes and
    • Expansion of the members of any distribution lists (DLs) at the point of sending (and stored in hidden headers)

The overheads associated with retaining all of this data have also been assuaged by Microsoft, with:

  • Retention of all emails sent/received with
  • Indefinite retention of leavers mailboxes without a license penalty.

You can read more about the new compliance model introduced with Office 365 in our white paper “Making Office 365 a One-Stop-Shop for eDiscovery”.

Taking an existing journal from your third-party vendor (or even a standard Exchange journal mailbox) and transferring it into the ‘Office 356 journal alternative’, however, is not straightforward.

The right way: The optimal solution from an eDiscovery and data governance perspective is to switch your single-instanced journal into the ‘per-custodian’, mailbox-based retention model.

It’s possible to do this using tools like TransVault’s Compliance Time Machine, but (as you might imagine) the process of splitting out individual copies of emails and placing them into the relevant mailboxes can take a long time.

The ‘upside’ is that you’ll end up with data in all the right slots for eDiscovery and governance.

The realistic way:  Another, quicker route, is to ‘chop up’ your journal and write suitably sized chunks of it into multiple Office 365 shared mailboxes*.

You’ll still probably end up with many hundreds of shared mailboxes, especially if you’re migrating a 10-year old journal.

There are also ramifications on the eDiscovery process, in that you’ll need to include all these mailboxes in any eDiscovery exercise (as you have no indication of who the emails belong to – at best just a timeline).

*Be aware that to be able to put these mailboxes on litigation hold you must purchase an Exchange Online Plan 2 license, but this will also give you 100GB of storage.


It’s no surprise that a SaaS vendor wants to keep your business.

We’d like to think that delivering a great solution and service will keep you ‘sticky’. The great news is that more modern cloud service providers like Office 365 and HubStor, do not ‘vendor lock’ your data, and enable your data to be returned in its native format with no special interventions or costs other than minimal network egress costs.

This has been an important element of gaining the trust of customers who have been locked-in to traditional archive vendors and their platforms.

If you’re due to renew your email protection service subscription or would like to move on (and want to get a better idea of the options available to you) speak to us!

Join the Discussion