Product Group Tests
Email security (2008)
PGP Universal Gateway Email 2.8 is this month's Best Buy. It is a true enterprise-class product that is transparent to end users, uses several open standards and integrates well with other products.
Our Recommended choice is the Entrust Entelligence Messaging Server v9.1 for its great set of email security features and support for DKIM.
Full Group Summary
Removing user interaction in favour of centrally managed gateway solutions is a positive development, even if there are still issues around standards to be resolved.
By Nathan Ouellette
Securing enterprise email has been a growing concern for many organisations. There are several important reasons to investigate technologies that help an organisation control the use of email within its environment. Confidentiality is one of the most important issues facing enterprises that deal with personally identifiable information. Ensuring that sensitive information is properly protected and preventing data leakage is not only a best-practice concern, but also a compliance issue.
Another growing concern is message integrity. Sophisticated methods for infiltrating organisations have steadily turned to email-based attacks, using a combination of techniques, mostly social engineering, to trick users into opening backdoor channels. Lastly, the need to protect all of this information by using standards-based security has presented challenges, given the number of sender authentication standards that organisations can choose from and the lack of one agreed-upon method for all.
Some leading security professionals have called for security to be integrated into the infrastructure and not be seen as an 'add-on' to the enterprise. Email security vendors seem to be lining up with this opinion, as features converge and are bundled more towards the edge as gateway products, with less focus on the individual desktop client. We applaud this approach, as removing control from the users helps to ensure policy is enforced, and seamless integration into the enterprise eases the burden for administrators and users alike. We use the term "transparent" in this group review to indicate whether a product has this capability.
We noted that many vendors are combining encryption, digital signatures and other features into a centrally managed gateway solution. While this isn't news in itself, integration into other suites of encryption products really helps to bolster the email security investment. But that's not to say gateway solutions are the right product for everyone. Desktop client encryption also has its place in the enterprise, as some vendors still base their products on this mantra and even the gateway solutions offer client components for additional user empowerment.
We also took note of the sender authentication debate. Sender authentication is a way to ensure message integrity that is being adopted by large ISPs, webmail vendors and other organisations. Benefits include a way to combat phishing, spam and email spoofing, as messages from mutually authenticated sources can be trusted. Standards are evolving and the major players in the email security space have banded together in an attempt at standardisation. We noted that some products are moving to support specific sender authentication standards, while others rely on different ones. This is an issue that most organisations will want to keep an eye on as message integrity and compliance with ISP standards move to the forefront in the next year or two.
All of the products in our group review tested very similarly and choosing our Best Buy or Recommended products was a tough call. The decisions on which product to buy can sometimes be boiled down to preference, price or even the standards they support.
How we tested
All products were installed on either Windows XP Professional SP2 host machines or Windows 2003 SP2 servers. Email servers included several versions of Microsoft Exchange and the clients tested were Microsoft Outlook and Lotus Notes. We were impressed with the range of appliance-based offerings that plugged into our environment, as well as increased support for virtualisation using VMware.
All of the products were scored on our typical criteria of support, documentation and price. But we also considered ease of administration and configuration, how well the application performed when encrypting, decrypting and signing messages, and any other features that were included. We also looked for centrally administered products that represented a true enterprise-class look with powerful policy-based security decisions.
The majority of our products tested very well. Reduced end-user control, a simpler email client experience or complete transparency is available in some form with all the products we tested. We were impressed with the features of most tools and are glad to see a move towards integrating with other technologies.
Pricing is interesting, as some vendors offer a subscription-based or perpetual licence. Customers should do the math and ask questions with regard to the perceived value of each approach.
- For details on how we test and score products, visit http://www.scmagazineus.com/How-We-Test/section/114/