In SearchSecurity's 2014 Security Priorities survey, the topic of email security stands out by virtue of a few
interesting data points. First, the survey found it to be the most frequently occurring product category respondents planned on evaluating or purchasing within the next year. Secondly (and for our purposes perhaps more interestingly), it was also the first software as a service (SaaS) security offering respondents indicated their organizations are likely to adopt.
This data is a bit surprising when you stop and think about it. After all, it's not exactly like email is new technology; the original Request for Comments governing Simple Mail Transfer Protocol (RFC 821) was authored in 1982, meaning email has been a thing since well before many organizations had computers on every desktop.
Implementation of controls that don't require processing on the endpoint device itself can have advantages, and this opportunity presents itself perfectly in the cloud.
Another topic to add into the "not new" category is email-based attacks. Email-borne malware such as the recent CryptoLocker are certainly destructive, but so too were worms like Melissa, circa 1999, or ILOVEYOU from 2000.
All this begs the question: What's behind the increased interest in email security technologies? If email security technology isn't new, and email has always been a vector of attack, what has changed that is causing a sudden surge in interest in this product category?
One difference is what organizations are using email for -- specifically through the increased use of bring your own device (BYOD) and mobile technologies as a way to consume email. Employees today are using personal devices, including smartphones, PCs and other hybrid devices like tablets, to conduct legitimate business activities, namely email. A recent survey from PC Connection found that 91% of firms with a BYOD policy in place allow employees to access email from personal devices. This isn't particularly surprising until you consider that the second-most allowed activity (instant messaging) came in at 48%, meaning email is a full 43 percentage points more prevalent than the second-most allowed activity. The trend is parallel for mobile use; data from Sand Hill Group found that email/calendaring/contacts is available to 77% of organizations and the second-most frequent usage (support tools/content) comes in at 39%, 38 percentage points lower.
So, we have discerned that email is the "killer app" for both mobile and BYOD. However, organizations are now faced with protecting this type of usage, which can be difficult if using existing technologies in the space. In both mobile and BYOD scenarios, deployment of a control on the endpoint itself (be it a mobile device or an employee-provisioned device) can have challenges. For BYOD, intrusive mechanisms of control can be difficult to support given the diversity of devices in use and unpopular with employees who do not want to sacrifice control over their own devices. For mobile more generally, controls with heavy processing requirements (e.g., email malware scanning) can be limited by the processing capabilities of the device.
The combination of these challenges means that implementation of security controls that don't require processing on the endpoint device itself can have advantages. In turn, following the emergence of cloud computing for utility-centric demands like processing, data storage and increasingly application infrastructures, more organizations are considering the cloud for additional services, like security. Positioning email security in the cloud is a viable consideration for a couple of reasons. First, being able to pre-filter messages before they hit devices or networks organizations maintain directly can be advantageous (more on that below). Likewise, cloud email security services actually have a long history (recall that Postini, the cloud email security pioneer later acquired by Google, was founded way back in 1999). As such, there may be less reticence to consuming these services via the cloud as compared with other types of security services.
Navigating the market
Assuming an enterprise does intend to purchase an email security service via the cloud, what should it look for? The features of such a large product space would be impossible to describe here. There are, however, a few features and possible advantages a cloud-based architecture can bring to the table that should help organizations evaluate and choose the appropriate product(s) for their business needs.
First is spam filtering. This is the grand benefit of cloud email security services, and for good reason. Pre-filtering known spam emails before they traverse the organization's network not only saves network bandwidth but also reduces resource requirements for subsequent security activities. For example, malware filtering activities conducted on email are reduced in impact because they don't have to operate on incoming spam. Moreover, activities that require storage (e.g., email archival) can also operate without the burden of the incoming spam. Additionally, keeping problematic messages from reaching an organization's network in the first place can simplify administration, as signatures are kept current centrally rather than requiring separate updates at various disparate control points.
Other features to keep in mind when evaluating cloud-based email security services are those capabilities that would be process-intensive to complete in-house. These can be simplified when performed in the cloud. For example, organizations that have implemented it know that email encryption and data loss prevention features can be processing-intensive. Because of this, they typically either leverage the client for processing (i.e., operate at the endpoint) or introduce latency if performed on the server. This was always a catch-22 for these tools, and mobile devices only compound the challenge because client-based processing on these devices may not be practical. Implementing these features in the cloud instead can help mitigate the mobile issue (server-based processing can as well), but, unlike hosting an email processing gateway internally, economies of scale can make the resource constraints associated with this the cloud service provider's problem to solve.
Finally, many organizations look to the cloud as a key element of their storage strategy. For email archival, using a cloud service means you can start archiving quickly and only pay for storage as you use it, as opposed to needing to estimate and pre-buy storage. It also means that the mechanics of ensuring availability and rapid recovery are managed for you.
While these are not the only features available in this market space, they are three that any organization should consider when evaluating cloud-based email services. There are also without a doubt new features coming down the pike that could change the face of email as we know it. Even a list of what features and services there are now won't stay current for long.
Finally, understand that email is the life's blood of most enterprises, so understandably some organizations' stakeholders will be wary of trusting an external party with this sensitive and critical information. However, knowing what the drivers are -- and what possible advantages cloud might offer -- for implementing these services can give a leg up to organizations as they evaluate. As more and more enterprises evaluate cloud-based options for email security, they may become more comfortable with the concept and allow usage to expand. In fact, because email security is (as the SearchSecurity survey found) one of the predominant security services organizations are considering leveraging the cloud for, it could very well be a productive early step as part of an organization's broader cloud strategy and a test case for other cloud security services down the road.
About the author:
Ed Moyle is the director of emerging business and technology at ISACA. He previously worked as senior security strategist at Savvis Inc. and as senior manager at Computer Task Group. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.