We thought this one would be easy. We’d just send out the call for email security products and exactly what we were looking for would start rolling over the transom. Well, some plans are better than others. What actually happened was that the phone started ringing off the hook.
When I think of email security I think first of encryption. That keeps email secure so it’s a nice, simple approach to the problem. Next, I’m concerned, as are many organizations, about the security of email which I wish to dispose. That means shredding as far as I can see. So, I add secure deletion to the mix. From this point on there are a nearly infinite number of possible optional features.
Most of these features fit into another genre though. For example, we were presented with products whose strength was not encryption but, rather, the ability to decide who gets the message and how long it lives. This, in my view, is closer to document rights management than it is to email security.
Another example is the management of what is allowed to go into the email in the first place. This is closer to content management (see our other Group Test, pg. 58) than it is to email security. It also nibbles around the edges of exfiltration control.
Finally, there is a broad range of anti-this and anti-that that we were told by several vendors was part of email security. At the end of the day, we ended up with eight products whose core competency, at least, is good ol’ email security. Some have a few additional capabilities, but the primary motivation behind these products is taking a piece of email, securing it and sending it off to the recipient. They try to do this as transparently to the user as possible.
What to look for
We found that email security products for the enterprise tend to be of three broad types: appliance, software or integrated tool kit. The key, and the first thing to look for, is enterprise management capabilities. First, there needs to be a way to transparently push out encryption to the user. This is done most easily by seamless integration with the user’s mail client. Often this is Microsoft Outlook or Lotus. What the user sees, if anything, is a button on the email desktop that they push to encrypt or sign the message. If this happens automatically and without user intervention so much the better.
The second issue that needs to be considered in an enterprise environment is key distribution. The average office worker has neither the time nor the interest in managing public and private keys. Thus, key distribution and management needs to be as transparent as possible. Additionally, the easiest way to defeat public key encryption (which is the basis of most secure email products) is through user spoofing. Also, keys sometimes need to be revoked, such as when a user leaves the organization. Thus, key management is important.
Finally, from the technical perspective, there is the issue of key recovery. When a user leaves or forgets their password, critical information in emails that are encrypted must be recovered. While no encryption provider likes the term “back door,” the notion of a corporate key recovery scheme represents exactly that, and it is necessary that such a provision be available.
The most important things to look for are ease of use, ease of management and data recovery
in an emergency.
How we tested
This was an easy test. We started with a simulated Exchange/ Outlook environment with two complete enterprises in our test bed. Each enterprise had its own server suite (MS Server 2003), exchange server and clients with users. We set up Active Directory and gave each enterprise its own domain. Once the enterprises were talking to each other and seamlessly exchanging email, we simply inserted the products under test into the mix and completed our series of tests covering ease of setup and use (both for the administrator and the user), robustness and performance, feature set, and other things that were specific to email security, such as strength of encryption, transparency to the user, etc.
We found, in general, that most products performed well, but some were shining stars. We had a hard time differentiating in some cases, and the scores were close. Because Group Tests are never shootouts, in these cases the final choice may well come down to your preference.
- Mike Stephenson contributed to this Group Test.