The idea behind a comprehensive email security tool is that it must do whatever one needs it to do, and admins need to be able to implement and oversee it fairly easily. Users should not be troubled by it either, so ease of use and seamless deployment and administration all are important.
So, what do these tools actually do? One big thing that we saw was the increase in appliances that sit as front-end gateways and enforce email policies. That is a big plus for this year's group. Almost all are policy-driven - and the big moving force behind that functionality is compliance. Just as with many other product categories, compliance is driving email security and with compliance comes policy. The ability to turn regulatory requirements into executable, manageable, reportable policies is the cornerstone of much of today's security.
We still see organizations that conduct compliance audits for the sake of checking off the boxes on the audit form, but more and more organizations are biting the bullet when it comes to cost and acquiring tools that do what needs to be done: achieve compliance while actually keeping the enterprise more secure. These tools help speed us toward the day when "compliance does not equal security" may be a thing of the past. The products that we looked at this month certainly are headed in that direction.
Once one has determined what is needed in the environment, the path is clear to start looking at products. Let's begin by examining how to make that determination. First and foremost, potential buyers need to look at the third-party products and services with which the mail security tool will interface. The obvious one is Microsoft's Active Directory, but there are others. For example, will the user be encrypting email? Then, a tool that talks to the in-house encryption device/software and tells it when to encrypt might be called for. Not all emails need to be encrypted, and if admins can take the decision out of the user's hands so much the better.
Interestingly, right behind regulatory requirements - and probably ahead of them from the end-user's perspective - is spam control. If the organization doesn't already have a tool to control spam, look for a product that includes that functionality. Another important capability is anti-phishing. From a pure security - not just compliance - perspective, this is a big deal, given that a huge percentage of breaches begin with phishing.
Anti-malware has been with us a long time - as has encryption. However, the integrated nature of some of these products pulls us deeper into a secure environment by deeper analysis of both incoming and outgoing emails. As far as incoming, we care about spam, phishing and malware. For outgoing, we're concerned about data leakage prevention (DLP). This is another big deal, and this crop of products takes DLP very seriously.
That's primarily because there are myriad ways data can exfiltrate an enterprise. Not all of them are email, to be sure, but email is a big contributor to the problem. I faced a case a few years back where a well-meaning employee was sending Social Security numbers (SSN) to his public email so that they would not get lost as he changed jobs. He did not realize that the cut-over between email accounts took care of that. Had we not had DLP working at that moment, we never would have known. Tying DLP to an email gateway is an efficient way to stop that exfiltration.
In addition to multiple exfiltration channels, there are various types of data that can escape, and some need to be handled in unique ways. For example, there are regulatory requirements that drive DLP in the realm of personally identifiable information. There are none that govern how one manages exfiltration of trade secrets, but both are equally important. The problem is that it's relatively easy to spot an SSN on its way out onto the internet; it's not so easy to spot trade secrets. If one needs to make this distinction, make sure that the product selected has a lot of granularity and flexibility in its policy engine.
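To make that distinction concrete, here is an added Python sketch of an outbound-gateway DLP check (illustrative code, not taken from any product in this review). It pairs a pattern rule for SSNs, tightened with the structural rules the SSA applies to issued numbers, with a shingle-fingerprint rule for a protected document; the messages and the "trade secret" text are constructed samples.

```python
import re
import hashlib

# Constructed outbound messages (sender, body) for the demonstration.
OUTBOUND = [
    ("alice@corp.example", "Here is my SSN 123-45-6789 for the HR form."),
    ("bob@corp.example", "Invoice ref 000-12-3456, not an SSN."),
    ("carol@corp.example", "Our alloy uses 3.2% vanadium with a 640C quench, proprietary process."),
    ("dave@corp.example", "Lunch at noon?"),
]

# Constructed document the gateway has been told to protect.
SECRET_DOC = "The alloy uses 3.2% vanadium with a 640C quench followed by a 12 hour anneal."

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def looks_like_ssn(area, group, serial):
    """Drop values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text):
    """PII rule: a regex is enough, plus validity checks to cut false positives."""
    return [m.group(0) for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups())]

def shingles(text, n=5):
    """Hash every run of n normalized tokens; partial copies still share shingles."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
            for i in range(len(words) - n + 1)}

SECRET_FP = shingles(SECRET_DOC)

def secret_overlap(text):
    """Fraction of the protected document's shingles present in the message."""
    return len(shingles(text) & SECRET_FP) / len(SECRET_FP) if SECRET_FP else 0.0

def classify(body, threshold=0.2):
    """Return the policy labels an outbound message trips (empty list if clean)."""
    hits = []
    if find_ssns(body):
        hits.append("PII:SSN")
    if secret_overlap(body) >= threshold:
        hits.append("TRADE_SECRET")
    return hits

def scan_outbound(messages=OUTBOUND):
    """Gateway pass: only flagged messages are reported for policy action."""
    return [(sender, classify(body)) for sender, body in messages if classify(body)]
```

The trade-secret rule only works because the gateway was given the document to fingerprint up front, which is exactly the policy-engine flexibility the paragraph above asks for.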