SaaS Email Security for Complete PHI Protection

SaaS Email Security

Security and the Email Giants

Microsoft 365 and G Suite have quickly become the two primary email and productivity suites for most enterprises and smaller organizations. The ability to access corporate email from anywhere via cloud services gave us the flexibility, affordability, and agility that we needed. Organizations can now scale up or down as needs change, without depending on hardware or datacenters for service delivery. But as the old saying goes, for every pro there is a con. Traditionally, the email server sat on premises, behind firewalls, DLP solutions and web gateways that filtered traffic and applied policy to everything inside that controlled environment. Data that traverses the cloud never passes through those on-prem devices, so they provide no visibility or control over it. This is where a SaaS email security solution becomes necessary. Both Microsoft and Google encrypt email in transit and at rest, but that encryption protects the message from outsiders on the wire, not from a signed-in user or a compromised mailbox. Neither platform, on its own, stops a rogue forwarding rule or the other data exfiltration methods employed by threat actors. And just as importantly in the Bring Your Own Device (BYOD) age, neither solution fully protects data on an unmanaged device. But what is the difference between an unmanaged device and a managed device?

BYOD and the Managed Device Dilemma

The biggest difference between a managed device and an unmanaged device is that the managed device requires the installation of an agent (typically a mobile device management, or MDM, client) through which the device is controlled. This is acceptable when the company is willing to purchase every device that will be used for business, but it is still not the ideal solution. The costs of new laptops, phones, and tablets add up quickly, especially in companies with larger numbers of employees. And the agent, as lightweight as it may be, still affects battery life and system performance on the device it is installed on.

The BYOD strategy solved one issue by allowing employees to use their own devices to get the work done. The problem is that it created another. Organizations still needed some level of control over these devices and the data being pushed to them, and the only way to get it was to install an agent (a managed solution) on the employee's personal device. But employees were not comfortable with their employer having that much control and visibility into their devices, especially their phones. This is where a well-designed next-generation CASB solution sets itself apart from other SaaS email security solutions. An agentless (unmanaged) approach places a cloud access security broker between the email application and the device, providing a control point for complete visibility and data protection. Users sign into email as they normally would, and the email is transparently filtered through the broker, where security policies are enforced in the cloud before the message ever reaches the user's device or inbox. The policies apply only to corporate data, so no employee consent is needed, because nothing is applied to or installed on their devices. Nor does your staff have to worry about the company viewing or deleting personal data for any reason. And it does all this in real time. It really is the best of both worlds. But how?

Cloud Access Security Brokers (CASB)

Let's say you're on the go and you need to send information to a business associate or other entity using Gmail, M365 or your cloud-based EHR system from your mobile device or tablet. Or maybe one of your staff members needs access to part of a document to do their job but should not see the PHI or PII it contains. Or, in a more nefarious scenario, a staff member's phone is compromised and an attacker silently adds a forwarding rule to the mailbox, so that every message is copied to an address outside the organization. Policies applied in the cloud can be configured so that no one with an email address outside your domain can view parts of the document, or the document in its entirety, regardless of how the message left the mailbox. These same controls also protect the business from the careless or disgruntled employee. But let's see how it works.


Most CASB solutions rely on an Application Programming Interface (API) to scan data for sensitive information. The problem is that API-mode scanning runs out of band: the CASB is notified of, or polls for, a message after the platform has already delivered it, so it can take several minutes to alert administrators of a data breach. By that time it is already too late, because the data is already gone. In contrast, the best next-generation CASBs employ a multi-protocol proxy, which allows scanning and control of information in both directions and in real time, before it ever reaches the end user. The user logs into Gmail or M365 just as they normally would, but instead of interfacing directly with the application, all communication is silently redirected through a multi-protocol (forward and reverse) proxy engine, which "brokers" the exchange between application and device and applies controls based on policy. This happens in-line, in real time, so the configured data protection policy has already been enforced before the message ever touches the device. See the diagram below for a visual simplification of how this happens for user authentication and inbound email.

Diagram: User login and inbound email

Outbound email works in much the same way, just in the reverse direction. Instead of an outbound email going directly to the intended recipient, it is again silently redirected to the CASB engine, where policy is checked and applied to make sure that only recipients allowed by the policy can see sensitive information, if they are allowed to receive the document at all. See the diagram below for a visualization of how this works.

Diagram: Outbound email security
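The outbound decision described above, and the forwarding-rule and disgruntled-employee scenarios from the earlier section, come down to one policy check: who are the recipients, what regulated data is in the message, and what does policy say about that combination. The following is an added example of that check, written for this article and not code from the original post or from any CASB vendor. The domains, the PHI patterns, the per-pattern actions and the sample message are all constructed for illustration; a real broker would also scan attachments and other MIME parts and would apply the same logic to inbound mail.

```python
"""Model of the outbound policy check a CASB proxy applies before a message
leaves the tenant. Added example; tenant configuration, PHI detectors and the
sample message are constructed for illustration, not taken from any product."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumed tenant configuration (constructed).
INTERNAL_DOMAINS = {"clinic.example"}      # the organization's own mail domains
PARTNER_DOMAINS = {"lab.example"}          # business associates covered by a BAA

# Constructed PHI detectors and the action each one triggers when an
# untrusted recipient is present. "block" wins over "redact".
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:#]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}
PHI_ACTION = {"ssn": "block", "mrn": "redact", "dob": "redact"}
SEVERITY = {"allow": 0, "redact": 1, "block": 2}


@dataclass
class Verdict:
    action: str                                    # "allow", "redact" or "block"
    untrusted: list = field(default_factory=list)  # recipients outside internal and partner domains
    findings: dict = field(default_factory=dict)   # PHI type -> number of matches
    body: str = ""                                 # body as it would be delivered ("" when blocked)


def recipient_addresses(msg: Message) -> list:
    """All To/Cc/Bcc addresses, lower-cased. Bcc is included because an in-line
    proxy sees the message before the mail server strips that header."""
    raw = []
    for hdr in ("To", "Cc", "Bcc"):
        raw.extend(msg.get_all(hdr, []))
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def is_trusted(addr: str) -> bool:
    domain = addr.rsplit("@", 1)[-1]
    return domain in INTERNAL_DOMAINS or domain in PARTNER_DOMAINS


def message_text(msg: Message) -> str:
    """Concatenated text/plain content of a simple or multipart message."""
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts)


def scan_phi(text: str) -> dict:
    return {name: len(pat.findall(text))
            for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def redact(text: str, kinds) -> str:
    for name in kinds:
        text = PHI_PATTERNS[name].sub(f"[REDACTED-{name.upper()}]", text)
    return text


def evaluate_outbound(raw_message: str) -> Verdict:
    """Decide what the broker does with an outbound message.
    PHI going only to internal or partner domains is allowed; PHI going to any
    other domain is redacted, or the whole message is blocked if a pattern
    marked "block" is present."""
    msg = message_from_string(raw_message)
    body = message_text(msg)
    untrusted = [a for a in recipient_addresses(msg) if not is_trusted(a)]
    findings = scan_phi(body)
    if not findings or not untrusted:
        return Verdict("allow", untrusted, findings, body)
    action = max((PHI_ACTION[k] for k in findings), key=SEVERITY.__getitem__)
    if action == "block":
        return Verdict("block", untrusted, findings, "")
    return Verdict("redact", untrusted, findings, redact(body, findings))


# Constructed sample: a referral sent to a partner lab, a colleague, and one
# address outside both trusted sets (the rogue forwarder or a careless user).
SAMPLE_MESSAGE = """\
From: nurse@clinic.example
To: Billing Partner <claims@lab.example>, someone@gmail.example
Cc: doctor@clinic.example
Subject: Referral
Content-Type: text/plain; charset=utf-8

Patient Jane Doe, MRN: 00123456, DOB 04/02/1971.
Please process the attached claim.
"""

if __name__ == "__main__":
    v = evaluate_outbound(SAMPLE_MESSAGE)
    print(v.action, v.untrusted, v.findings)
    print(v.body)
```

Run as-is, the sample message is redacted because of the one untrusted recipient; change that address to a clinic.example user and the same message is allowed unchanged, or add a Social Security number and the message is blocked outright. The point the example makes is the one the article makes: the decision is taken on the data and the recipient, not on the device, so a forwarding rule planted on a compromised phone is caught by exactly the same policy as a deliberate leak.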

Control, Visibility, Management

Full control and visibility are now enforced on the data itself, where the true value lies. This provides an added layer of protection against device compromise, because the data is protected in real time as it traverses the cloud. It doesn't matter who has control of the device; you still have control of the data. This is critical when handling patient PHI or PII, and it is a pillar of HIPAA security and compliance from a data standpoint.

Email Secured

In addition, because there is no agent to install on endpoints, deployment to the entire organization can be completed in minutes. Role-based policy configuration lets you grant different levels of visibility to different staff or partners, and because everything is centrally managed, day-to-day administration is as easy on your administrative team as the deployment was.

After this Cliff-notes version of how the right next-generation CASB solution can provide complete SaaS email security (or security for any other cloud-based application), you may have more questions, or just want to see it in action. You can contact us for a free proof of concept and see everything it does to give you the control and visibility you need to manage a secure and productive remote workforce.

Mundell Phillips

Mundell Phillips is CEO of Nutech Solutions LLC. His prior work experiences include over 15 years technical and managerial roles in the private and public health information technology and cybersecurity sectors. Mundell has led the design and implementation of several disaster recovery, performance optimization, security and compliance remediation projects for the proverbial alphabet soup of Government agencies (DOD, VA, DOJ, DOT, etc.). He has now committed his specialized expertise and experience to tailoring those same solutions to healthcare providers and others under HIPAA compliance mandates, helping them to scale up and out through IT solutions and process development and refinement.
