Product Group Tests
Email security (2007)
We award our Best Buy award to PGP Desktop Enterprise Email v9.6. This is a first rate product that fits into most environments cleanly. PGP continues to set the standard for pure email security in an enterprise environment.
We rate Tumbleweed Secure Messenger v6.3 SC Recommended for its strong capabilities. This device not only secures email, it is also a way of monitoring, securing, and filtering all in one.
Full Group Summary
Encryption and disposal are key to keeping your messages safe, even if some vendors have other ideas. Peter Stephenson rounds up the enterprise solutions that met his criteria.
We thought this one would be easy. We'd just send out the call for email security products and exactly what we were looking for would start rolling over the transom. What actually happened was that the phone started ringing off the hook. It seems that the notion of "email security" is not as clear as I had assumed.
When I think of email security I think first of encryption. That keeps email secure so it's a nice, simple approach to the problem. Next, I'm concerned, as are many organisations, about the security of email I wish to dispose of. That means shredding as far as I can see. So, I add secure deletion to the mix. From this point on there are, I guess, a nearly infinite number of possible optional features.
Most of these features fit into another genre, however. For example, we were presented with products whose strength was not encryption but the ability to decide who gets the message and how long it lives. This, in my view, is closer to document rights management than to email security. There is an entire group of email digital rights management products that makes up its own class.
Another example is the management of what is allowed to go into the email in the first place. This is closer to content management (see our other group review). It also nibbles around the edges of exfiltration control. We have a group review coming up on that one, but it's not email security.
Finally, there is a broad range of anti-this and anti-that we were told by several vendors was part of email security. At the end of the day, we ended up with eight products whose core competency, at least, is good old email security, pure and simple. Some have a few additional capabilities, but the primary motivation behind these products is taking a piece of email, securing it and sending it off to the recipient. They try to do this as transparently to the user as possible.
What to look for
Now that we have defined some minimum requirements, here are some things to look for. We found that email security products for the enterprise tend to be of three broad types: appliance, software or integrated toolkit. The key to look for is enterprise management capabilities.
First, there needs to be a way to push out encryption to the user transparently. This is done most easily by seamless integration with the user's mail client. Often this is Microsoft Outlook or Lotus mail. What the user sees, if anything, is a button on the email desktop that he or she pushes to encrypt or sign the message. If this happens automatically and without user intervention, so much the better.
The second issue to consider in an enterprise environment is key distribution. The average office worker has neither the time nor the inclination to manage public and private keys. Thus, key distribution and management need to be as transparent as possible. This is important as the easiest way to defeat public key encryption (which is the basis of most secure email products) is through user spoofing. Also keys sometimes need to be revoked, for example when a user leaves the organisation. Thus, key management is important.
Finally, from the technical perspective, there is the issue of key recovery. When a user leaves or forgets their password, critical information in emails that are encrypted must be recovered. While no encryption provider likes the term "back door", the notion of a corporate key recovery scheme represents exactly that and needs to be available.
The most important things to look for, after the technical features, are ease of use, ease of management and data recovery in an emergency.
How we tested
This was an easy test. We started with a simulated Exchange/Outlook environment with two complete enterprises in our test bed. Each enterprise had its own server suite (MS Server 2003), exchange server and clients with users. We set up Active Directory and gave each enterprise its own domain.
Once the enterprises were talking to each other and exchanging email seamlessly, we inserted the products under test into the mix and completed our series of tests covering ease of setup and use, both for the administrator and the user, robustness and performance, feature set and other things specific to email security such as strength of encryption, transparency to the user, etc.
We found, in general, that most products performed well, but there were some shining stars.
- For details on how we test and score products, visit http://www.scmagazineus.com/How-We-Test/section/114/