Email security is a bit of an ambiguous term. It can refer to keeping outbound messages secure from unauthorized prying eyes. It can refer to ensuring that incoming email from trusted sources is secure. It can mean that incoming email does not pose a threat to the enterprise, and I'm sure that there are other things that might fit neatly into the category. Fortunately, we don't need to be quite that rigorous in defining the details of the problem.
As it happens, we can abstract away from the details so we're left with two broad issues: Is our outgoing email protected from compromise and is our enterprise protected from infected incoming email? Addressing those two challenges is what this month's product group is all about. Interestingly, we found that the products we looked at fell into two distinct subgroups: those with full features for inbound and outbound security and those that focused on inbound content management only.
In addition, a few of the products in this group are part of a product suite that sits on an overall platform, which often adds significant, but not directly related, functionality, such as IDS/IPS. Among the products that offered encryption, we found several ways of doing it, and we were interested in how email is encrypted for receipt by third parties who do not use the sender's encryption software. We have dealt with this issue in other group tests and it is, arguably, potentially the single most limiting factor in email encryption.
Inbound email, generally, is checked for phishing, spam and malware. We found that, usually, all of the products that purport to perform these functions do them well. This is an example of the convergence of content management gateways with email functionality. Where we began to see some weaknesses was in support, management interface and functionality. We found, in at least one instance, that the product simply did not live up to its billing.
Full-featured email security management tools are complicated beasts. They can be tricky to deploy, complicated to manage and may or may not interface easily with such enterprise functions as Active Directory. It's a good idea when selecting a system-based product to go through a pilot phase and take the extra time to see what it really means to deploy the product.
Some vendors - none in this group - admit that their systems are tough to deploy and recommend engaging one of their engineers to assist. In the case of the products we reviewed, while no vendor actively suggested that they send an engineer around to help us, most had help available if we needed to get someone on site. Since we insist that we be treated exactly as a potential buyer would be treated, we conclude that this is an available service for customers.
Another hint that can work for an implementation is what I refer to as a "dry deployment." In this case, one deploys the tool transparently and does not configure it to block anything. Instead, it should log everything. Analyzing the logs after an initial pilot will help admins decide how to configure the gateway for maximum benefit and minimum pain for users. Not all of these products are the same, even though they might, at the end of the day, achieve the same objectives. Our advice: Make sure that they meet your objectives, that you can deploy them, that they are as transparent as possible for your users and, most important, that you can administer them and provision users easily.
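As an added illustration of the "dry deployment" log review described above (not part of the original article and not any vendor's tooling), the following Python sketch summarises what a gateway would have blocked had enforcement been on, and which rules would have hit senders you trust. The key=value log layout, the field names, the rule names and the example domains are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the key=value layout is an assumption, not a vendor log format.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z verdict=clean rule=- from=bob@supplier.example to=alice@corp.example
2024-05-01T09:12:41Z verdict=spam rule=bulk-score from=news@partner.example to=alice@corp.example
2024-05-01T09:13:10Z verdict=phish rule=lookalike-domain from=it@c0rp.example to=carol@corp.example
2024-05-01T09:14:55Z verdict=spam rule=bulk-score from=billing@partner.example to=dave@corp.example
2024-05-01T09:15:02Z verdict=malware rule=macro-attachment from=x@unknown.example to=dave@corp.example
2024-05-01T09:16:30Z verdict=spam rule=url-reputation from=promo@ads.example to=alice@corp.example
malformed line that a real pilot log will also contain
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return the key=value fields of one log line, or None if it is unusable."""
    fields = dict(FIELD.findall(line))
    return fields if {"verdict", "rule", "from", "to"} <= fields.keys() else None

def review_pilot(log_text, trusted_domains):
    """Summarise what enforcement would have blocked during a log-only pilot."""
    by_verdict = Counter()
    trusted_hits = defaultdict(list)  # rule -> trusted senders it would have blocked
    skipped = 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        by_verdict[rec["verdict"]] += 1
        domain = rec["from"].rsplit("@", 1)[-1].lower()
        if rec["verdict"] != "clean" and domain in trusted_domains:
            trusted_hits[rec["rule"]].append(rec["from"])
    total = sum(by_verdict.values())
    would_block = total - by_verdict["clean"]
    return {
        "total": total,
        "would_block": would_block,
        "block_rate": round(would_block / total, 2) if total else 0.0,
        "by_verdict": dict(by_verdict),
        "rules_to_tune": dict(trusted_hits),
        "skipped": skipped,
    }

if __name__ == "__main__":
    for key, value in review_pilot(SAMPLE_LOG, {"partner.example", "supplier.example"}).items():
        print(f"{key}: {value}")
```

Rules listed under `rules_to_tune` are the ones to adjust or allow-list before switching from logging to blocking, since they would have stopped mail from senders the business relies on.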
Encryption can open a whole new can of worms. If the product you deploy within your enterprise includes encryption, make sure that the encryption meets your needs and does not overtax your users. Encryption needs to be as transparent as possible to users who are not power users, so make sure that it is pretty tough to foul up the works. Also, of course, the recipient needs to be able to decrypt emails whether or not they have the same tool. Finally, you need a way to recover encrypted emails and documents if the user forgets their password or leaves the organization.