Is e-mail SaaS right for your company? Learn more about what to take into consideration when choosing an e-mail SaaS provider, such as e-mail archiving for compliance and SLAs.
About the speaker:
Adrian Lane is an Analyst and CTO with Securosis, LLC.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
E-mail security and SaaS for midmarket companies
Adrian Lane: For a couple of reasons, right now, cost is always the
driving factor. With many of the smaller organizations needing to be
able to implement antimalware technologies and antispam technologies
over and above what e-mail security services they have had in the past,
the cost and the processing power is growing quite a bit. We have talked
to a number of smaller companies who were literally spending more, in
terms of hardware investment, to provide the antimalware and antispam
capabilities then they were on the rest of their infrastructure, so it was just
an incredible burden on them to be able to implement that type of
antispam/antimalware within their e-mail security. Then they are also
trying to add-on web security into the same, and many of the policies
are going to be the same for the web security as it is for the e-mail security
about content, what is appropriate content coming in and out of the organization.
For the larger organizations, we see a slightly different motivation. They
have already invested heavily in e-mail security, they already have a set
of programs and functions in place, but what they are doing is they are
taking the existing hardware and they are off-loading these tasks into
the cloud to be able to perform the other antispam and antimalware
capabilities that they want without having to re-buy or reinvest in all
of the hardware. It give them a longer lifespan for the existing
infrastructure and existing investment, and then having a Postini or
a Websense out there doing some of those other functions for them.
They appear to be merging, from the customers that we have
been talking about. As what I said, for one, the management tasks
are very similar and the policy sets are very similar. It makes sense,
because in many cases, the data is flowing over the same set of
servers and the same gateways, so we see them merging.
That is a great question. For the larger vendors, certainly, ease
of management is one of them, but most of the providers we are
running into, Propoint, Websense, and Postini is relatively easy to
manage and easy to set up. If we are talking about e-mail SaaS,
being able to provision a number of accounts very rapidly and
performance issues are some of the gotcha's that we are now
hearing about. Some of the larger organizations really have trouble
scaling or are having some outages with these various providers.
That is one of the things you want to look for. The other thing is
statistics. Being able to report on the statistics of what is being found,
how much data is moving through, and spam success rates, some
of the vendors do not provide good statistics. We are having our
own struggle with our own company and we are only a two-person
shop, as well, so I know the larger organizations are having some
trouble with this, getting the right reports. Those are the two big
ones that we are seeing right now.
It is a constant cat-and-mouse battle between the spam providers
and the spambots, and what the antispam providers are doing. Really,
a bad antispam product is going to get you 98%, a good one is going
to get you 99.6%, so it is a pretty small window. We are sensitive to
that problem, we do not like having to deal with this type of noisy
security threat of having our inbox flooded with spam, and a lot of
the stuff that gets through is the really obvious stuff, too, so we
tend to notice it. By and large, most of the providers out there
are doing a pretty good job; it really is commoditized, as you said.
One week, if you make the decision that this quarter we have only
seen a 98% success rate, and you go into the process of making a
decision to move to another provider, maybe that month and that
quarter, your provider gets better, as their own rules and their own
policies adjust to improve. As I said, you also have a choice, if you
are using a hybrid model, especially, that you have your own in-house
antispam products running in conjunction with what you want to
outsource in the Cloud, so this is one of the reasons going to a
cloud is such a good idea. You can off-load, as I said, a lot of the
processing costs and have maybe a MacAfee product outside,
and some other vendor product inside.
You are getting the various enhancement and enlargement advertisements,
or Viagra, and you just really notice it. It is not like the old days when
there would be 500 pieces in my inbox, it may be only 2 or 3 during
the day, but as I said, we are just so sensitive to it and it is such an
annoyance to us that I think we notice it more now, but it is less of
a problem than it has been in the past. Still, the amount of spam that
anybody's gateway is seeing is hundreds of thousands, if not millions,
of pieces of spam every day.
The first that comes to mind is the service level agreements; what
level of service are you going to be provided? That comes not only
with just uptime for e-mail and success rates of legitimate e-mail
getting through, but it also comes with data security. Most of us,
even in the analyst community, do not really know what is going
on behind the scenes. We have not been able to audit, and they
are not sharing information of what is going on behind the scenes.
Data segregation, separations of duties, and what actual security
within their own infrastructure is being provided, we just do not know.
You need to query your vendor, to make sure you understand what
security assurances and what compliance assurances, because
even though you have outsourced your e-mail and web security,
that does not mean you have gotten rid of the compliance requirement.
That means you have pushed it outside of your organization, but you
still have to be able to produce the reports and the assurances that
the auditors need.
I think that they are going to ask the same questions. It is, as you
pointed out, it is an issue of the amount of resources they have because
their budget could be 1/10th the size of a large enterprise, but they have
the same basic compliance requirements and security requirements that
a large enterprise is going to have. It is much more apparent, the ease
of management issues for their adoption, the ease of being able to push
in different technologies that need and requirements for those reports,
because they just do not have, they cannot dedicate a headcount to
be able to produce compliance reports or audit security.
I do not follow as closely as my partner does, Rich Mogul, but we do
see that the majority of spam is coming from spam bot networks. What
that is, for those who do not know, as machines get taken over, end
user machines, corporations, and networks get taken over, malware
gets installed, and those machines are programmed to send out spam.
They are given a template, and then they start sending out spam to
e-mail lists that they have, and they will generate hundreds of millions
of spam messages from machines that they do not own. It makes it
much harder to be able to filter and prevent that when it is coming from
companies that you do business with, it is coming from other companies
that are trusted by your own white list and blacklist filters. It is an
enormous problem, and that is one of the reasons why, to prevent
spam, we are going to have to get better at our own data security
and our own network topology and setup to be able to combat the
Certainly, it is one of the new aspects of the cloud e-mail security
providers are offing; it is the archival of e-mail that takes the burden
off your organization. It allows you to provide some compliance
reporting for legal, for a lot of the school systems we hear about
would like to be able to adopt this for various reports, FISMA,
and that sort of thing. We are getting a lot of inquiries from the
government as well, to be able to outsource, but so far, none of
the providers we are aware of, who are able to meet the security
assurances that the government requires in privacy. There are
some rumors that some of the providers are out there are building
a Government cloud, specific for government clients to be able to
some of that, but we have not seen it yet.
None immediately come to mind. It is the same set of challenges
that you are going to have with an e-mail service that is in-house.
The problem is that you lack visibility of what they are actually doing
and what they are actually providing, so it is much harder for you to
get those questions answered during the evaluation process. The
beauty of e-mail on the cloud is that since you are just literally
pointing your e-mail server to somebody else's IP address, if you
are dissatisfied with the one vendor, it is a very simple process to
just switch to another one. Even if your evaluation process is not
a happy one, you have recourse; you have the ability to go switch
to another vendor.