Email communications are essential to getting the job done in today's business world, but many companies are overwhelmed by spam, the security risks of e-mail borne viruses and worms and liability implications of e-mail containing pornography or other undesirable content. It's getting harder and harder for network administrators to keep it all under control.
And if you're in a regulated industry, you may have no choice: communications containing clients' personal information, medical records, financial data and so forth must, by law, be secured.
One solution is to work harder, invest more money in anti-spam software, anti-virus software and more sophisticated firewalls. Another solution - one increasingly being chosen by small and medium sized companies that don't have the personnel to deal with e-mail security onsite - is to "outsource" it to a managed e-mail security service. In this article, we'll look at the pros and cons and some of the options that are available.
How does a managed e-mail security service work?
These services intercept the e-mail addressed to your domain and filter it before it ever reaches your e-mail servers. That keeps malicious attachments, spam and other unwanted mail off your network and thus unable to do harm. Images can even be analyzed by software that can detect inappropriate content, based on a sensitivity level that you set.
Most services allow you to configure the filtering options to prevent false positives. Just as with onsite filtering software, you can construct blacklists and/or whitelists to ensure that undesired mail never gets into your system, and to ensure that the mail you do want doesn't get caught by the filters.
Advantages of using a managed e-mail security service
Using a service to do the filtering for you frees up your IT resources for the use of your business. Administrators don't spend all their time on e-mail security issues. Network bandwidth isn't taken up by unwanted messages. Mail server storage space isn't diminished because of unwanted messages. Users don't waste time deleting unwanted messages. And the downtime that can be caused by a virus that gets into the network via e-mail is eliminated.
Other advantages include:
- Your company doesn't have to purchase any additional hardware or software to implement the security solution.
- Services can use the most sophisticated and advanced filtering technologies that are beyond the budget of small and medium sized businesses.
- If there is a problem with the filtering software or hardware, it's taken care of by the service, and a good service will have redundant hardware and software with failover to reduce the impact on your incoming and outgoing mail.
- The service can be the first line of defense in a multi-layered e-mail security plan; you can still implement internal security controls to work in conjunction with it.
- Because services handle a large amount of e-mail traffic from different clients, they can analyze and identify new security threats before they are published and before your internal security mechanisms would be able to protect against them.
Drawbacks of using a managed e-mail security service
Perhaps the biggest concern that IT professionals and company managers have with using a managed e-mail security service is, well, security. Your company's e-mail must pass through someone else's hands before it gets to you, and the potential exists for it to be read by unauthorized persons or even diverted, deleted, changed or disclosed to others.
It's important to realize that sending e-mail across the Internet is always like sending a postcard through the postal system. It's open to anyone along the way who wants to read it. Unless you encrypt your e-mail, it's not secure just because you run your own mail servers. How do services address the security concerns? Content is filtered by software according to various algorithms so it is being "read" by a computer, not by human beings.
Other concerns with using a managed e-mail security service include:
- Will there be a delay in getting and sending mail due to its having to pass through the service?
- Is there a mechanism for reviewing mail tagged as unwanted to allow users to catch and retrieve wanted messages that have been misidentified?
- In case of problems, does the service provide 24/7 support?
Choosing a managed e-mail security service
There are a number of companies offering managed e-mail security services. Examples include:
- IBM E-mail Security Management (IBM Global Services)
- Postini integrated message management
- MessageLabs SMB and Enterprise managed email solutions
In selecting a service, be sure you know exactly what you're getting for your money. Read the contract and don't be shy about asking questions. Here are some things you'll want to know:
- Does the service provide virus filtering as well as spam filtering?
- Do you get a service level agreement that guarantees no malicious software will reach your network?
- What is the spam capture rate claimed by the service?
- What is the false positive rate?
- Does the service enforce your email policies by controlling content of email sent out of, as well as into, your network?
- Are the rules configurable to meet your specific needs?
Another big concern is scalability. Can the service handle the volume of email your organization generates as it grows? Can you transition smoothly and seamlessly from an SMB solution to an enterprise level solution?
Some email management services provide solutions that are specifically tailored to individual industries, such as financial services, government/public sector, healthcare, or professional services. This can be especially useful in terms of spam filtering accuracy.
Much of IT is moving from a product-based to a service-based model, and management of email is no exception. There are many advantages, especially for a small to medium business that doesn't have a large IT staff, to outsourcing your email security management - if you take the time to do your homework and select the service that's right for your organization.