GroupTest: Email security

As with other information security threats, securing enterprise email has been a growing concern for many organizations. There are several important reasons to investigate technologies that help an organization control the use of email within the corporate environment. Confidentiality of email messages is one of the most important issues facing enterprises that deal with personally identifiable information. Ensuring that sensitive information is properly protected and preventing data leakage are not only best-practice concerns, but also compliance issues across many regulations.

A second growing concern is message integrity. Client-side email attacks, phishing, spam and other integrity issues have information security managers taking notice in record numbers. Sophisticated methods for infiltrating organizations have steadily turned to email-based attacks using a combination of techniques, mostly social engineering, to trick users into opening back door channels.

Lastly, the need to protect all of this information by using standards-based security has presented challenges, particularly given the number of sender authentication standards that organizations can choose from, and the lack of a single, agreed-upon method for all.

There have been several interesting opinions lately from many different leading security professionals. One noteworthy stance has been that security must be integrated into the infrastructure and considered less as an ‘add-on’ to the enterprise. Email security vendors seem to be lining up with this opinion: features are converging toward the edge, bundled into gateway products, and less focus is being given to the individual desktop client. We applaud this approach. Removing control from the users helps to ensure that policy is truly enforced, and seamless integration into the enterprise eases the burden for administrators and users alike. We use the term “transparent” in this Group Test to indicate whether a product has this capability.

We also noted that many vendors are combining encryption, digital signatures and other features into a centrally managed gateway solution. While this isn’t news in itself, integration into other suites of encryption products really helps to bolster the email security investment for many decision-makers and buyers. But that’s not to say that gateway solutions are the right product for everyone. Desktop client encryption also has its place in the enterprise, and some vendors still base their products on this approach.

All of the products in our review tested similarly. Recognizing a product as this month’s Best Buy or Recommended product was a tough call. The decisions on which product to buy can sometimes be boiled down to preference, price or even the standards they support. Each vendor’s offering helps to protect at least one important piece of the email security posture, with some vendors converging features into a centrally managed device and basing security decisions on policy. Each product stands as a solid offering, based on the needs of an organization and the maturity of the infrastructure. Some customers will find benefits in products that offer several features out of the box, while others will be looking for a specific niche to fill as they adopt different standards. 

All of the products in our Group Test were installed on either Windows XP Professional SP2 host machines or Windows 2003 SP2 servers. Email servers included several versions of Microsoft Exchange, and the clients tested were Microsoft Outlook and Lotus Notes. We were impressed with the range of appliance-based offerings that plugged into our environment, as well as the increased support for virtualization using VMware.

Most client-based email components tested well in our environment and integrated directly into Microsoft Outlook. All appliances integrated well with Microsoft Exchange, and all of them support almost any server that complies with SMTP or ESMTP.

Pricing considerations are interesting. Some vendors offer a subscription-based or perpetual license. Customers should do the math and ask questions with regard to perceived value for each approach. Also, most vendors offer discounted volume licensing, as ‘per seat’ email security costs can add up in larger enterprise environments.

Nathan Ouellette is consulting director of Viopoint.
