E-Mail Content Security: Filtering Out the Hype

E-mail is at risk – vulnerable to external attack from viruses, spam, spyware and phishing technologies. And vulnerable to abuse from within, which could result in: acceptable use policies being compromised; regulatory compliance violations; and/or confidential corporate data being leaked externally. The recent DVLA disciplinary action demonstrated all too clearly what can happen when acceptable use policies are flouted by a large number of employees.

A plethora of e-mail content security technologies have emerged in recent years to address such vulnerabilities. Companies currently have the choice of two major types of email content security solution: software or appliances. Software solutions have been available for about ten years, while appliances appeared on the market around five years ago. Appliances are purpose-specific e-mail content security servers, typically based on industry-standard server hardware and running a security-hardened Unix/Linux OS to provide the platform for the mail-screening software.

Since their inception, appliances have been touted by some as the holy grail of e-mail content security, winning over many customers in the process. Today, however, the tide is turning.

Plug and play?
The major selling point for appliances has always been based on the perception that they provided a “plug and play’, purpose built, e-mail security hardware solution. The idea was that a company could order a pre-configured email scanning system that would simply plug into its email environment and instantly start cleaning spam and viruses from e-mail. In practice, appliances can be difficult and time-consuming to install. The biggest selling appliance product on the market can take up to six hours to install, compared to between 1-2 hours for an equivalent software-only installation. In some cases, an appliance vendor-approved technician must perform the installation because it is so complex, with customers having to pay extra for this service. By contrast, most software solutions can be easily installed by any in-house IT person with a reasonable understanding of email configuration, MS Exchange and firewall administration.

Performance, scalability and high availability
Performance, scalability and high availability are clearly important factors to consider when choosing how to secure a business-critical tool such as email. E-mail scanning should be a transparent process, with no perceivable delay in email performance and should also be scalable – able to manage 10,000 users as easily as it can manage 100. Ideally, it should also be capable of clustering and load-balancing in an array environment, to ensure high performance throughput scanning, and also redundancy for high availability.

Performance is often claimed as a strength by many appliance vendors on the basis that the hardware is dedicated to a specific task. However, performance is really dependent on a range of factors such as processor speed, available memory, disc I/O, volumes of email and the type of email your business sends. Appliances are commonly marketed as suitable for “up to 1000 users,” based on a simple calculation of how much email the average person sends per hour and how much e-mail the server can process. Often this calculation assumes that the average email size is less than 10Kb. In our experience most typical businesses average around 40Kb per e-mail. As a result, a single appliance purchase really only supports 25% of that claim.

In order to actually process the true volume of e-mail the business requires, companies often need to upgrade to a higher specification appliance, or purchase a second appliance. Usually, customers have already made a significant investment in the appliance hardware and are compelled to upgrade, again at significant additional cost and installation disruption.

As a result, many appliance customers are becoming disillusioned with the weaknesses and disadvantages inherent in some of these appliances.

In contrast, the top performing software solutions provide multi-threading functionality, which removes potential bottleneck issues by scanning emails much faster than single-threaded solutions. These high-end software solutions are also able to increase performance throughput by managing multiple email processing node servers in an array. In this set-up, load balancing tools balance the e-mail processing load intelligently between different nodes, all at no additional cost to the customer. One appliance vendor does market a multi-server controller for linking two appliances together and load balancing them to share the task of processing large volumes of e-mail. However, this controller has to be bought separately – yet another additional cost that most customers are unaware of when they make the initial decision to purchase an appliance.

Flexibility and cost-effectiveness
As well as the normal risk assessment, companies reviewing their messaging security solution also need to consider flexibility and cost-effectiveness. By their very nature, even the best designed, feature-rich appliances are inflexible because they are locked into a hardware platform. Functionality is not transferable, and in any case, most do not have the same depth of functionality or power for policy enforcement as equivalent software options. Often, new technologies become available which require higher specification hardware, such as anti-spyware scanning, encryption, messaging scanning, image classification or new anti-spam technologies. In such a situation, the only option for appliance customers is to bite the bullet and upgrade to a new system.

Going down the appliance route also opens up the possibility of hardware failures, which can be very expensive and may leave a company exposed while a replacement appliance is shipped in. Conversely, if there is a hardware failure with the server hosting a software-based solution, there should be minimal downtime. Either the software can be running in a load-balanced, failover configuration on two (or more) servers which means no downtime at all, or it can be swapped onto another box and be up and running again in less than two hours.

Hardened O/S
Another perceived strength of appliances is that they generally have a hardened operating system which protects the appliance from common vulnerability exploits. This is certainly a valid security practice. Most viruses and spyware in the wild are designed to exploit vulnerabilities in desktop versions of popular Windows operating systems. So, using another operating system theoretically makes you less susceptible to infection. However, there are still viruses in the wild for other operating systems such as Linux, which is popular with some of the appliance vendors. But more importantly, the argument for hardened operating systems is somewhat overblown. Microsoft provides exhaustive information for free on how Windows operating systems on dedicated application servers can be locked down and hardened, and it is relatively easy to do.

Conclusion
The perception that appliances are the holy grail of e-mail content security solutions is changing rapidly. The risk of downtime and the potential lag between new vulnerabilities and the ability to install dedicated appliances to counter them is forcing many companies to re-evaluate their choices. Customers looking for easy-to-use, flexible, scalable and cost-effective e-mail content security products with a good ROI are realising that software solutions can often be a better bet for the long term.