Audit and Assurance


Microsoft ActiveSync Risks, Controls and Mitigation options

  • 1.  Microsoft ActiveSync Risks, Controls and Mitigation options

    Posted 28 Jan, 2020 10:02
    We are investigating the risks and controls around Microsoft Exchange ActiveSync and how these relate to Mobile Device Management (MDM) versus Data Loss Prevention (DLP). The concern: if a remote user can access their Exchange email on a smartphone (iPhone) using ActiveSync, what prevents them from opening up email attachments on the mobile phone and detaching and forwarding them somewhere else? This looks like a DLP matter, not necessarily an MDM issue. Also, where is this activity even logged or tracked? Any thoughts or ideas on how to best control/audit this? Our IT Dept mentioned Microsoft Intune for MDM, but says it won't address data exfiltration, which is the audit concern. How are others controlling this?


    ------------------------------
    Joseph Campbell
    Information Technology Auditor
    ------------------------------


  • 2.  RE: Microsoft ActiveSync Risks, Controls and Mitigation options

    Posted 28 Jan, 2020 10:52
    Hi Joseph,

    My company too is evaluating the same, and long discussions are under way right now. My view is that Android and iOS/mobile devices don't have a DLP solution, hence Microsoft ActiveSync is playing well in this domain.

    Endpoints such as laptops/desktops can be managed with DLP. Most of the DLP vendors don't have DLP support for Linux and iOS, hence these can be managed through ActiveSync, as it is on top of your Exchange.

    This means the host may not be able to control the data leakage, but Exchange could, as email shall travel through Exchange only.

    This is my understanding for now; as I stated, we too are evaluating for now.

    ------------------------------
    D Anand
    ------------------------------