As the market for content security products and services continues to grow, it is interesting to compare and contrast the delivery of content security via ‘insourcing’ and outsourcing.

Companies deploying and managing software themselves to provide content security software are insourcing. Companies who sign up a third-party service supplier - typically an internet service provider (ISP) - to deliver a content security service are taking the outsourcing approach.

Those organizations that choose the outsourced approach are not all in the commercial sector. There is clearly a need to provide content security in educational establishments. However it would be impractical and uneconomic for each school to provide its own content security. The recent deployment of Clearswift's e-Sweeper content security software by the U.K. ISP Equinox Converged Solutions provides protection to over 1 million pupils at 2,700 London schools and colleges. This deployment, part of the capital's London Grid for Learning project, is an excellent example of an effective ISP content security solution.

Defining the ISP market

Defining the nature of ISPs is not an easy task - partly because ISPs have traditionally tried to do something of everything. At the top end of the scale are the large ISPs who have tried to create the application service provider (ASP) market. Categorizing ISPs using a standard metric is not simple; some people use number of subscribers as a measure, while others assess the value added the ISP delivers to its end users. Clearswift differentiates ISPs at the highest level between business and home/personal providers on the basis of the number of leased lines the ISP services. A further categorization criterion is the number of companies the ISP services (as opposed to the number of end users). We completely exclude the dial-up market, as this is almost exclusively anti-virus with negligible value added services being provided by the ISP.

The profile of those companies that choose to use ISPs for content security is an interesting one. Although they vary from the very small to the very (unusually) large they typically don't have dedicated IT support. They are also likely to be users of an email service provided by an ISP who then sells them a content security service. And, with some notable exceptions, they tend to be small to medium-sized enterprises (SMEs). The ISPs tend to be local or regional companies who sell a range of service to their customers. Typically, these services include systems integration and outsourced IT infrastructure services or facilities management.

ISPs often need to work closely with the vendors supplying the managed content security software, in order to deliver the service offerings successfully and it is at this point many potential offerings fail due to lack of understanding vendors have of ISP operational requirements.

Issues that need to be resolved before the ISP launches a service include:

  • pricing
  • invoicing
  • allowing end users to opt in and opt out
  • integration with existing IP services provisioning systems
  • policy and message area management
  • structuring the value-added element for the end user - this shouldn't be just an anti-virus service, as this provides a very limited revenue stream
  • service management and administration

Providing an anti-spam service

The provision of an anti-spam service is a popular value-added service provided by an ISP as part of a content security service. However, the solution provided must be completely transparent. In particular the ISP should not take it upon themselves to discriminate what is legitimate mail and what is spam on behalf of their users in case they inadvertently become (in legal terms) an 'editor.' Any ISP assuming the role of content editor can potentially be held responsible for the content, and may consequently lay themselves open to claims of libel.

However the programmatic filtering of email for a variety of threats (spam included) is usually deemed in law as taking due care towards their users. The key to not falling foul of the law is that the ISP must be seen to have obtained the end user's consent for any checking/filtering that they may offer. The other factor is that, for many ISPs, the sheer volume of traffic and spam is such that it would not be possible to provide timely quarantine investigation services for their users. Given the size of the ISP market, the reality of ISP anti-spam services is that 0 percent false positives is an ideal.

The way in which ISP anti-spam services will develop is that there will be programmatic segmentation of spam messages with final arbitration and management delegated back down to users. As the anti-spam software becomes more powerful, it will detect emails that it is 100 percent sure are spam and will delete them immediately. Where there is a level of doubt, the software will automatically place these messages into a 'possible spam' folder, which the end user can review offline at some convenient time; or even tag and deliver them for the user to handle in their inbox.

Service levels

The idealized service level of 24x7 is one for which many companies express a need - but are often unwilling to pay for. More realistically, business hours support is the service level most often in evidence. ISPs are, in effect, large corporate entities, whose email system/service is mission critical. For ISPs however, a critical failure in service delivery could cause severe harm to many companies.

The vendors' content security software used by ISPs has to have intelligent real time diagnostics, so as to alert the ISP when the system performs in an inappropriate fashion. The type of service required by each ISP customer will often be unique. In order to achieve this, the vendor's content security software has to be extremely flexible to allow the ISP to tailor the service to fit each company's individual needs.

Future trends

The growth in the ISP market for content security is hard to predict. On the one hand, there is still a very healthy growth in the number of new, small businesses being created. However, technology for small business is becoming easier to use and deploy. The latest Microsoft Exchange Server, for example, is easy to deploy and use and it is not particularly technically challenging for end users to set up email and email content security for both internal and boundary email. Another factor, as the realization that email and email management is mission critical becomes more widespread, is that many more SMEs will be nervous about relying on a third party for their content security.

On the other hand, as even small businesses become more reliant on their messaging systems to deliver real value to their bottom line it is essential that their security and defenses are up to date and rigorously monitored and managed. It is in these aspects that a hosted service for aspects of this security blanket makes most sense.

Paul Rutherford is chief marketing officer for Clearswift (