How to choose the right e-mail security approach

A 10-point checklist for selecting a software, hardware, or hosted e-mail security service

E-mail is arguably the most sensitive information application in a company's software suite. With e-mail downtime, corporate data loss, and financial threats being major concerns for any business, strong e-mail security is a must. For companies where employees cannot send communications through e-mail, business relationships with partners, customers, and other constituents can grind to a halt, resulting in executive panic. However, with differences in culture, markets, operations, and business models, companies all have varying IT requirements that continue to fuel the need for choices in the e-mail security space.

[ See which e-mail security service wins in InfoWorld's comparisons: "Test Center: E-mail security services square off" and "Test Center guide: Mail security appliances." | Learn more about fighting spam with Exchange 2007. ]

To protect against e-mail-borne threats, IT professionals can approach security from three angles: 1) by deploying on-premise software, 2) by deploying an on-premise security appliance, or 3) by contracting with a hosted e-mail security provider. Each approach has pros and cons, and the decision as to which to use depends on your specific corporate requirements. But here are the top 10 areas* to consider when researching e-mail security for your organization:

  1. Lowest total cost of ownership, upfront capital investment, ongoing administration, and user training
  2. Access to experienced live customer support to quickly address issues
  3. Preservation of network and server bandwidth
  4. Processing of security threats inside or outside the corporate perimeter
  5. Fastest time to value delivery -- can it be deployed and working quickly?
  6. Reduced risk -- ensuring your choice does not introduce a single point of failure within the organization
  7. Interoperability with network systems and software
  8. Multiple layers of protection against spam, malware, phishing, viruses, vulnerabilities, and other attacks
  9. Simple operation and management to reduce IT burden and allow focus on more strategic IT initiatives
  10. Very little or no user training requirements

*List is restructured version from a Mailprotector security presentation.

Of the three approaches to address e-mail security, software is arguably the most popular.

E-mail security software is typically installed on a server inside the corporate network and processes e-mail threats within the network. This approach can effectively protect against spam, viruses, and other e-mail threats, but it requires daily IT administration. It does provide a perceived sense of control because e-mail data stays within the business's walls. But because software deployments allow e-mail-based threats to enter the walls of the business before being stopped, the business is at risk from attacks by malware and viruses. Also, there are bandwidth costs to hosting e-mail security software on premises, plus the upfront costs of the software licenses and dedicated spam-processing servers.

Note: Exchange Server 2007 has a new server role called an edge transport server; it sits in the perimeter (or DMZ) and is not a domain member. Its anti-spam, anti-virus, and a host of transport rule protections are designed to help lessen the incoming risks. So it may be what you are looking for to maintain security if you take the software approach.

Hardware-based e-mail security appliances also have many benefits, including effective defense against spam, viruses, and other threats such as phishing. They too provide a perceived sense of control because you manage these systems onsite. However, security appliances require significant upfront capital and ongoing maintenance fees. Their continued operation requires daily IT administration, and they allow threats to enter the corporate walls before being addressed. Furthermore, e-mail security appliances must be integrated into the overall network for interoperability and introduce a new single point of failure in the crucial e-mail infrastructure.

The third approach to e-mail security is hosted e-mail security services, also referred to as managed e-mail security or cloud-based e-mail security. The primary advantage of these services from a security point of view is that they process e-mail threats outside the corporate perimeter, so malware, botnets, and phishing threats can be sorted out before delivering e-mail to the internal Exchange or other e-mail server server. Hosted e-mail security services require no capital expense or ongoing maintenance costs of the hardware and software, though of course you pay for the service through an ongoing subscription charge. There is also less of a need for IT training because companies that offer hosted e-mail security are staffed by full-time security professionals, who do the work that internal IT normally would. But a con for some organizations is the perceived loss of control, because e-mail is processed externally by someone else.

In explaining the positive side to hosted email security, David Setzer, CEO of Mailprotector, an email and Web security company in Greer, S.C. said "Whatever you can do to move threats off the server and out of the network is a best practice that will protect your email availability.  Managed email security, like that offered by Mailprotector, keeps these threats offsite while reducing the overall cost - providing enterprise-class redundant infrastructure without financially impacting the customer."

What have you found to be the best approach to e-mai security for your company, and why? Enterprise Windows readers want to know.