Email security is no longer simply about installing and running an appliance or software to block spam and nasty...
virus attachments -- it hasn't been that way for a long time.
Broadly speaking, the email security market has changed dramatically because of regulatory compliance, the emergence of the Web as the primary threat vector, and a marked trend to hosted services. These developments present opportunities for channel partners who are in a position to take advantage of them.
Outbound email and compliance
Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes Oxley (SOX), Gramm-Leach-Bliley Act (GLBA) and other regulatory mandates put a lot of pressure on companies to pay serious attention to what kind of email is going out, as well as what is being received.
"Businesses that are impacted by regulations are more concerned with what is leaving the organization than threats coming in, though that is important as well," said Robert Duchouquette, director at Dallas-based SBS Security, a Proofpoint Inc. partner that specializes in messaging security and compliance. "They want to buy something that is capable on both sides," he said.
Inbound filtering is all about reducing spam to manageable levels and stopping viruses, as well as phishing and other ploys to lure users to malicious or compromised websites.
Outbound filtering is mostly about compliance. It's vital to stop sensitive information from leaving the company and to educate users when they knowingly or inadvertently violate policy by emailing proscribed information to someone who shouldn't be getting it. Increasingly, organizations want to implement policy-based email encryption, so email can flow more freely and still be protected if it gets into the wrong hands.
Practically speaking, outbound filtering requires some form of data leak prevention (DLP) technology that can search email headers and content for common red flags such as credit card and Social Security numbers and personally identifiable customer information, as well as business specific data. While DLP frightens off many businesses because of high cost and complex implementation, many email security vendors embed a kind of "DLP light" -- what Duchouquette calls "pragmatic DLP" as an option. DLP light entails simply checking email for private information, rather than implementing a full-fledged deployment, which includes things like desktop controls and data tagging/classification, as well as monitoring all outgoing content such as IM, FTP etc.
The rationale is that most companies can do without industrial-strength DLP and still address most, if not all of their needs. And email is overwhelmingly the most critical DLP vector.
"Email is the biggest thing," said Forrester analyst Chenxi Wang. "Companies that typically have PCI or HIPAA data are now looking at DLP that can scan the body and subject and heading of email and trigger DLP control functions, such as logging, alert encryption."
Regulations have also forced companies to take a hard look at email archiving and e-discovery. Stiff archiving requirements present issues such as storage capacity and cost, and back-end encryption. E-discovery is made more urgent by current Federal Rules of Civil Procedure (FRCP) requirements, which force parties in litigation to respond quickly -- and it's expensive without some sort of automated tool.
All this translates into products and services in the email security market that are far more complex than their predecessors. It also changes the sales approach. Instead of talking to the "IT guy" or the email admin, a reseller will need multiple contacts, folks like the CISO and legal counsel.
"Once you are looking at outbound security, e-discovery and archiving, things become more complex and usually require buy-ins from numerous different people across the organization," said Andres Kohn, vice president of technology product management at Proofpoint. "There's a role for the reseller with proper training and skills to facilitate those discussions and charge for that."
Web and email gateways
Antispam and antivirus are not sufficient to control Web-borne malware. Antispam can certainly reduce the number of phishing and social engineering attacks that ride in with the usual flood of sexual enhancement and credit card relief offers. But email gateway antivirus is pretty restricted against websites that drop Trojans and keyloggers onto PCs or trick users into giving up passwords and credit card numbers.
Most vendors in the email security market now offer Web security gateways, an outgrowth of URL filtering products, which inspect Web traffic and sites for malicious content. It's a natural complement to offer comprehensive content filtering and security as a product or hosted service. Forrester, among others, believes that we will see a trend towards consolidated content filtering suites, covering both email and Web.
"One of the drivers to consolidation is moving to the cloud," said Wang. "If you do have email filtered by one vendor and Web filtering hosted by a different vendor, having different portals to download reports is not as convenient as going to one place."
Email security in the cloud
Email is a hot topic for Software as a Service (SaaS) security. Last fall, Gartner predicted SaaS would account for 30% of the email security market by the end of 2008.
Most of the major hosted email security providers have been gobbled up by larger companies: Frontbridge Technologies Inc. by Microsoft, Postini Inc. by Google and, most recently, MessageLabs Inc. by Symantec Corp. Most of the major email product vendors offer options of hosted services, products or a hybrid approach.
The hybrid is something these vendors are pushing hard. Hosted services tend to play well in the SMB space, where companies have neither the budget nor the manpower to devote to deploying and maintaining on-premises appliances. But large organizations are also sensitive to limited resources and capital expenses.
"We encourage small- to mid-sized businesses towards a hosted solution," said Jim Steinlage, president of Overland Park, Kan.-based Choice Solutions LLC, a reseller for hosted email security service provider MxLogic Inc. "But, we're seeing more in larger organizations: More people are now budget constrained. They're cutting resources; they're attracted to operational cost versus capital expense."
With the hybrid approach, companies use a host service -- perhaps as an added layer of defense -- for inbound filtering, while relying on appliances to control outbound email, so they can maintain maximum control over sensitive content, encryption and archiving. This gives product-centric companies that have recently added host-based services a more diverse portfolio to sell, and service providers like MxLogic a foot in the door with large companies that may be reticent about using SaaS for email security.
Companies may also be just a little tired of the refresh cycle for email security appliances. The rapid increase in email volume is forcing companies to upgrade every 18 months, according to Forrester's Wang.
"I get a lot of calls from organizations who bought appliances thinking they have maybe three-to-five years' use," she said. They're very surprised when they have to buy a new server or appliance. That's definitely a driver for organizations to look at hosted services."