Oh, and it’s not like we have people refusing to use VPN. It’s just that there is no explicit policy that forces VPN use. If there is a policy, we can enforce it. If there is no policy, we can write it up and suggest it and then the powers that be can either approve it or shelve it pending on how much is it going to cost in implementation, how much training will be required and etc..

More often than not security related stuff gets shelved “for later”. So in other words apathy towards security from up top results in a sense of apathy towards security reforms from IT and general state of complacence.

I’m not saying POP and SMTP will go away completely. I’m just saying that major ISP’s might phase them out completely and replace them with webmail, and most users won’t even notice. Small ISP’s are a different matter.

Unfortunately excel is not always the best solution. Let’s face it - POP+SMTP is essentially free + maintenance cost of the linux boxen that run these services.

Exchange is maintenance + licensing fees + the windows tax. No matter how you cut it, it is more expensive. And it is yet another chain Microsoft can yank whenever they want more money.

I’ve seen some people switch to Zimbra. In fact I know a guy who works at a company that used to offer cheap POP+SMTP and Exchange hosting to small business sector. They are discontinuing the plain POP+SMTP service and replacing it with Zimbra.

One of Loa’s customers put it to me this way recently (I’ve edited a bit to protect his identity)

I work virtually (I live in [one city] and my company is in [another]). … I do not like being logged into the vpn all day because it slows my computer down, and attachments are painfully slow. I would like to use Outlook, though, vs. web mail because of its extra features.

That’s just one example of what I mean by the rich and complex reality that people face in their working lives. It means that unless the IT policy is built on the right tools, important email that has to go to customers now when the sales person is in the airport lounge is sent via an airport WIFI connection in clear text and originates from bigdaddy69@hotmail.com, or stored on a Google server somewhere being mined by Google’s software, all because the VPN didn’t work from behind that particular firewall. When confronted with this breach of IT policy, the sales department’s (correct) response is “Did we want the order or not? And if the answer is that we didn’t want the order, are you going to pay my missed commission?”) Meanwwhile, the CIO and the CEO are signing off statements to regulators warranting that the company’s intellectual property was appropriately protected at all tiimes during the preceding quarter.

Although now that you say that, I guess we could probably just throw in a linux box into the mix to do VPN for mere mortals (and perhaps firewall it from the parts of the network I don’t want people poking into). That’s something to look into.

Security was never a big priority here until recently. Or rather it is not a big priority now, but at least it got added to the very bottom of our priority list so it’s an improvement. We do make people submit confidential files via SSL encrypted site, and they do use WinZip’s AES 128 bit encryption on email attachments. We also have plans to deploy PGP at some point but at $200 per user it is a hard pill to swallow for the mgmt and I’ve been toying with GPG+Outlook recently to see if I can make it not suck.