From the first time we start using email we're told that sending an email is like sending a postcard. Anyone who wants can read it and do what they will with the contents. We tend – if we're over the age of around 20-something – to take that admonition seriously. Of course there are stories all over the internet about people who inadvertently pressed “reply all” to their eventual sorrow, but, in general, we pretty much accept that the internet, especially where email is concerned, is an open book.
I am amused by the emails I receive with the disclaimers at the bottom that say something to the effect: This a private communication – don't read it, destroy it and notify the sender. If you get to the bottom of the email, you've already read it and, if it has something juicy in it, I doubt that anyone will forget it. You can't un-ring the bell. So, it would be good if there were a way to rid ourselves of useless disclaimers and, at the same time, protect our emails as we send them thither and yon. That's what this month's products are all about: email security and management.
Email security is not just encryption, though. In fact, it is not always necessary to encrypt. The invitation to the company Christmas party probably is not confidential enough to warrant encryption, but a message that contains HIPAA information certainly is. Many of the products we looked at have the ability to apply a rule set and, if the rule that says “confidential” fires, the message is encrypted.
These products contain, then, a form of data leakage prevention (DLP) that applies to emails and their attachments. The tools look at the message and attachment in clear text and decides what to do with it. It may prevent the message from going entirely (it contains proprietary information that should not be exfiltrated from the organization), it may force encryption (the content is sensitive, but it can leave the organization), or it may do nothing and simply send the message (this is not sensitive at all, according to the rule set).
This was an interesting year for these products. So far this year most of our product groups have been pretty fat. We've had lots of products to look at and most were pretty hot. This month we had fewer products than we expected, but those we did have were good. Not all of these tools do the same thing, of course. Email security and management is a rather fuzzy description and the functionality offered can be equally fuzzy.
For example, some of our products touting encryption provided on-board encryption, while some forwarded the email on to a third-party encryption gateway. Some provided secure mailboxes in the cloud which recipients could use to extract their encrypted messages, while some offered decrypting readers. Even with such a small collection of products, it seemed as if there was pretty much something for everyone.
Most of the products were policy-driven as one would expect. Policy-based control is the current state of the practice for most information security tools and these are no exception. The policy engines tended to be robust and fairly easy to use, and system configuration generally was straightforward. We like that in a product group where application in a large enterprise can be challenging.
Overall, it was an interesting month with SC Lab Manager Mike Stephenson putting these products through their paces. The test bed was our usual for email-based products and we were pleased with the ease with which they set up and ran.