The Cybersecurity Risks of PST Files

Office 365 migrations can open the door to unforeseen cybersecurity risks. One aspect that is often overlooked is the security risks when PST files are left behind in a migration project. In this article, we’ll dive into what the risks are and the importance of migrating and properly managing your existing data.

What is a PST file?

Also known as Outlook personal folder files (.pst), PSTs date back to the mid-1990s. First shipped with Outlook 1996, PSTs allowed users to offload their email data from Exchange Server storage to cheaper local storage options. This practice has continued for decades, even as mailbox space has become inexpensive and abundant. This practice results in email data being uncontrolled, and potentially exposed when it could be more secure in a user’s mailbox.

PSTs store local copies of email messages, contacts, and calendar events. In essence, each file is a container made up of a folder structure. PST files can become large and unwieldy, which not only is a data risk, but the actual file can become unstable and corrupt as well. Corruption risks have increased for remote network-stored PSTs, a common practice that is not truly supported.

From administrative boon to security boondoggle

PST files were a great boon to email administrators at the outset, where the demand for email was outrunning their storage budgets for email servers. This was quite the problem at the time where Microsoft Exchange required expensive fast disks. PSTs enabled administrators to reduce data on email servers without dealing with end-users who had reached their mailbox quotas but still wanted additional storage for their emails and other Outlook data.

Fast forward a couple of decades or so, however, and you’ll find that PSTs have long outlived their usefulness. Worse, they now pose a severe threat from a data loss, compliance and productivity standpoint. To make matters even worse, with the enhancements of data protection laws around the world, these files make compliance extremely difficult. Violations of these laws in some cases do not have a limit, creating significant risks for organizations.

The risks of PSTs

Although PST files can be password protected, this is just a password displayed to the user when the file is opened. The files themselves are not encrypted and can be easily cracked or removed. With the portability of these types of files, if a file does go missing, you must assume the data is exposed and begin your organization’s data breach procedures.

Because the PST itself is simply a database or a container for email data, it is very difficult to analyze. e-Discovery and compliance solutions typically have to import the file to run its analysis. In essence, this means that the files need to be migrated regularly to be analyzed if still in use.

When an organization wants to migrate PSTs, they also have to account for “orphan” files. Orphan files are files without an owner. This can be a disconnected file on a network share or files from terminated users.  Orphaned files are a very large effort to address. Many of these files can be duplicates and backup copies. This can be very time-consuming and difficult to manage without additional migration tools.

PSTs allow users to avoid email retention and compliance policies, for these policies can only control what resides in actual mailboxes. Users keen to retain their data are savvy to note this and move their data into PST files. Many organizations with document retention policies that did not disable PSTs can find themselves in a situation where business is being performed with this out-of-scope data. Most have to make a policy to exclude data from PSTs, at least at first, from retention policies on import. This will allow the data to be retained for a longer period of time, while the organization adjusts to complying with the retention policy in place.

With the lack of control over PST Files, there are additional risks. These files are often stored on local workstations. Workstations are rarely backed up so controlling these files can be quite difficult. As a result, many organizations find that their PST files are very vulnerable. There are scores of examples where these files have been compromised and the email inside the files exposed, and even more examples of data loss when hardware simply fails without a backup.

To move PSTs to online archive or not during a migration?

Of course, if you’re embarking on an Office 365 migration, this doesn’t necessarily mean that you need to move all your data right away. However, many organizations will want to address this sooner than later. The optimal Office 365 user experience is obtained when all of the user’s data is inside the platform. For users to truly take advantage of the full feature set of Office 365, all user data, including PST files, should be migrated. Migrating all data allows organizations to leverage the full power of the e-Discovery and compliance features in Office 365. It’s important to note, wherever possible, older data that is no longer needed should be deleted and filtered in order to maintain a clean environment.

Security features in Office 365

We mentioned above that centralizing your user’s data, including migrating PST files, makes it easier for the user to communicate and work. This also allows organizations to bring this data into Office 365 and enjoy several security features. These features include:

  • Audit and logging features ranging from basic audit log searches about who changed/deleted/shared which content to advanced alerts. For example, you can receive alerts on suspicious deletions and other activities. You can set alert policies that trigger specific actions if a certain activity occurs. You can also monitor user and admin activity in Azure Active Directory, OneDrive for Business, and SharePoint Online.
  • Office 365 retention policies allow either administrators or end-users to classify data in categories such as sensitive information, HIPAA or GDPR materials. Content can also be classified as Transitory (typically deleted after one year), Work in Progress (typically deleted after three years), and Business Records (typically deleted after five years.)
  • Other features that can be particularly useful for regulatory compliance include eDiscovery cases for managing your organization’s legal investigations, Litigation Hold for retaining specified content, and communications compliance for ensuring that messages comply with communications standards.

Moving PSTs to Office 365 online archive

Microsoft also offers a tool called the Office 365 Import Service, which takes care of the basics of importing PST data into Office 365 mailboxes. However, this tool is lacking in several areas.

The Import Service provides no assistance with identifying the owners of PSTs, meaning that this task needs to be done manually. Other manual tasks include deduplication of content, removing passwords from PST files, corruption fixing, network disconnects, and, perhaps the highest impact, cleaning up the Outlook profile. There are more automated solutions available like PST Flight Deck which can help identify, migrate and eliminate PSTs for you.

Reducing your risk

All in all, the importance of migrating and properly managing your organization’s data, PST files included, cannot be understated. The built-in security benefits that Office 365 boasts provide organizations with the ability to remove significant data security risks when executed properly.

You can learn much more about how to approach migrations in these articles: How to migrate PST files to Office 365 and Planning tips to ensure a smooth Office 365 migration.

About the Author

Mike Weaver

Mike Weaver is Microsoft MVP and Technical Product Manager at Quest where he specializes in Office 365 tenant-to-tenant migrations and PST migration projects. With a wealth of experience in Mergers, Acquisitions and Divestitures (MAD), Mike often writes about technology solutions and personal considerations to ensure both successful integration and adoption.

Related Articles