The hub of modern businesses
1. Executive Summary:
Email is the hub of modern businesses. It has revolutionised the way modern society communicates. Having access to email from anywhere, anytime and being able to respond quickly to your customer demands means the difference between success and failure in the modern age. Email is now business critical to organisations. Availability is paramount. However, this ubiquitous tool - and many businesses' dependence on it - has become both a blessing and a curse. The exploding volume of unwanted messages known as spam often overwhelms organizations and has reached epidemic proportions. The problem of spam was also highlighted in Cisco's recent annual security report, which said that spam accounts for nearly 200 billion messages every day, approximately 90 per cent of worldwide email, the lower end of Barracuda's estimates.
Spam is not only a time-consuming annoyance; serious damage often results from viruses and other malicious code that finds its way into the enterprise infrastructure via spam. Compounding the problem are infected messages that can multiply and widely propagate when an unsuspecting user opens an infected message posing as legitimate email from a known sender. This makes malicious code harder to detect and spreads viruses faster. Moreover, corporations also face issues regarding messaging downtime from virus attacks, natural disasters, or other catastrophes. While a variety of methods are available to assist an enterprise in recovering from a disaster that impacts their messaging infrastructure, most organizations do not have a solid disaster-recovery plan. Losing email for these organizations often translates into lost revenue from missed sales and other important data. Enterprises need a reliable, efficient way to secure their messaging infrastructure from the negative financial and productivity effects of spam, viruses, and natural disasters such as blackouts and hurricanes. While there are myriad solutions on the market today, businesses are faced with two primary options: installing, maintaining, and managing an internal solution or outsourcing the management of their email infrastructure to a managed service provider (MSP). Both solutions have advantages, but given the complex, time-consuming problem of spam and its impact on business continuity, this is clearly one issue that should be given considerable thought.
This white paper examines the building blocks required for building an effective enterprise message security solution and focuses on evaluating strengths and weaknesses associated with the two approaches companies can use to reach that goal:
- Building and managing the process using in-house resources
- Outsourcing the function to a managed service provider
- Comparison of In-House and Fully Managed Solutions:
Hosted solutions are not appropriate for all environments and solution options
vary by vendor. However, once decision makers know the questions to ask, they can weigh the true benefits and deployment options of a hosted email security solution. For starters, many decision makers question whether hosted services can offer as much control and privacy. The fact is, hosted email security can often meet or exceed the benefits or protections required by organizations in these areas. For IT departments, the decision to outsource any function is based on the interplay of three primary criteria: control, performance, and savings in terms of dollars and resources. Traditionally, both performance and control have been associated with in-house solutions - and for good reason! Many managed services, including connectivity (VPNs, etc.), include a significant trade-off in the amount of control IT has over the service, as well as the performance of specific cloud-based security solutions. This has led many to perceive all managed services as suffering from these twin maladies. Likewise, managed solutions are associated with cost savings, since IT departments are intimately acquainted with the costs of deploying and maintaining new, complex technologies. IT managers ultimately seek to achieve the optimum balance of control, cost containment, and performance. Outsourced message management is a new animal - a managed service that has better performance (including reliability) than an in-house solution, as well as a substantive level of control. Moreover, it retains the significant cost savings and ease of implementation associated with managed services.
By way of comparison, outsourced or perimeter-based message management services are designed to ensure the integrity and security of email before it enters the corporate network infrastructure, thus keeping all threats outside the network for evaluating and significantly reducing risk. The service delivery model requires no capital outlays for software and hardware and covers all maintenance and upgrade responsibilities and costs. Of course, a company must have absolute confidence in the managed service provider (MSP) to entrust its business-critical email messaging to a third party. This is a serious point of evaluation when considering an outsourced solution, since some MSPs lack financial stability and a reliable infrastructure. Likewise, services vary among MSPs, though some provide a complete range of messaging services, including spam and virus filtering and content and policy filtering, along with disaster recovery for both inbound and outbound email. While there are many points of comparison between in-house- and fully managed solutions(see Figure 1). Strengths and weaknesses of each approach follow.
Security, Privacy & Filtering Effectiveness
Hosted email security uses automated processes to scan email, including no before they enter the enterprise network. Hosted services provide filtering on multiple levels for both spam and viruses while analyzing millions of messages daily. Using the information gathered from incoming messages, MSPs can identify current and new spam characteristics, enabling the MSP to build filters that are both more comprehensive and faster than premises-based alternatives. Unlike in-house servers or appliances, managing quarantined mailboxes at the MSP level does not require additional hardware, create additional network congestion, or require IT administration. In addition, when spam is kept on the corporate network, it takes up valuable storage and bandwidth space, which translates into human intervention in the process. In addition, some vendors have a Service Level Agreement in place that assures privacy. This may help with privacy regulations that require the business to demonstrate that they are making reasonable efforts to secure email content. Further, leading hosted providers typically provide a very high level of physical security for their data centers, including multiple access points using two-factor authentication, video surveillance, 24-hour staffing, and more. Also, many data centers have third party certifications that validate these security measures. Many internally managed systems do not offer this level of security. Perimeter-based solutions block spam and virus threats hard dollars. One small law firm using a perimeter based solution found that it was able to reduce its annual connectivity costs from $17,000 to $1,600 simply by implementing the service. Since all spam was kept outside the network, these messages never took up that valuable bandwidth. In-house solutions provide no such savings.
The effectiveness of blocking spam and viruses using in-house IT resources is a function of staff expertise and the quality of the filtering mechanisms. Most companies implement both antivirus and antispam products in that order, and often from different vendors. Integrating the two product sets can sometimes prove challenging. The products are both subscription based or installed locally, and IT staff is responsible for the customization needed to provide more than off-the-shelf granularity. Moreover, unless IT staff is highly trained to understand the nature of email-borne attacks, monitoring the enterprise infrastructure for these threats can often be a reactive process, rather than preventative. In this case, IT managers will find themselves fighting fires rather than actually having the protection they thought they had.
Leading hosted providers almost always offer a high level of control over security, generally through the use of web-based management and provisioning capabilities. This allows IT staff to add new users, provision new services for specific users, and provide generally the same level of service they might get with an on premise system. Some hosted email security also provides mail tracking, access to logs, and reports, providing insight into the system and control over specific emails. This allows administrators to troubleshoot email issues even though the solution is hosted. Although functionality varies by vendor, some vendors also provide content control, such as flexible policy creation and content filtering, providing support for compliance and data leak prevention in addition to filtering emails for threats such as spam and malware. Decision makers may wish to look at vendors that offer both on-premise and hosted solutions. These vendors may offer the same granular capabilities in their hosted solution as in their on-premise products, and they may also offer combinations of hosted and on-premise solutions to create hybrid solutions that can put some of these capabilities in the cloud and some on-premise. This provides additional flexibility if organizations wish to maintain content control capabilities on their network while using a hosted service to keep threats off the network.
Companies that deploy messaging protection internally can face business continuity threats since they often rely on a single point of defense rather than a globally distributed messaging security solution. However, the alternative of investing in management expertise and expanded network resources to maintain protection in all areas can be prohibitively expensive for organizations. By comparison, some - though not all - MSPs provide maximum messaging reliability and offer built-in disaster recovery features. IT managers evaluating managed services should carefully evaluate the service level agreements (SLAs) each MSP offers. They should also evaluate the MSP's network architecture. IT managers should look for MSPs that operate multiple load-balanced data centers and use multiple Tier-1 backbones, both of which provide the vital backup capability that premises-based solutions generally lack. Rather than relying on their own limited infrastructure, MSP customers leverage the entire capacity of the MSP's expansive network. When the MSP has a distributed network, email is processed through the closest and most available data center, ensuring high availability and extremely low latency. Routing is transparent to clients, and a typical email is received, filtered, processed, and delivered in approximately two-tenths of a second. While premises-based message management invites risks and consumes IT resources, some fully managed providers have exceptional reliability: guaranteed 99.999 percent availability.
Capacity Planning and Scalability
For IT personnel managing an in-house message security solution, capacity planning can be very challenging. Deciding how many computing resources an organization needs to maintain a certain service level, when those resources are needed, and how much it costs to obtain and maintain those resources is notoriously hard to predict. Managers must ensure that sufficient capacity is available to handle the increasing rise in email and spam message volume along with the resources (hardware, software, personnel) needed to scale the system. MSPs provide an enterprise with the ability to scale in line with 'its needs without any additional hardware or software investment. For companies that don't have the personnel or expertise to keep current with the most recent virus and spam filters, outsourcing provides them with protection that is up to date and available 24 hours a day, seven days a week, even as new spam techniques are introduced. Most IT managers agree that off-loading these tasks will save a lot of headaches and will free up their in-house staff to focus on the organization's core mission.
Hosted messaging security offers a number of advantages over on-premise systems and can serve as either a replacement for or a supplement to, an on-premise security infrastructure. Hosted offerings can be significantly less expensive than on-premise infrastructure, while offering better protection and the same level of flexibility and control. Decision makers in organizations that want to save money and optimize security should consider the use of hosted messaging security to satisfy some or all of their security requirements and should evaluate all of the issues involved in managing both an on premise and hosted system when making a purchasing decision. Some companies feel they are more secure and can control costs better by handling all aspects of message management internally, with no third-party involvement. But as this paper demonstrates, this position is open to debate and is only justified on the basis of soft benefits. The evidence presented in this white paper clearly suggests that relying on a managed service provider to operate a perimeter-based message management environment is the superior approach for the following reasons:
Frees up enterprise IT to focus on more pressing business-specific applications
Spam and viruses intercepted outside the corporate IT infrastructure.
Rapid updates of antispam and antivirus definitions
Lowest total cost of ownership (TCO)
Ease of planning and cost predictability
Accountability (service level agreements)
In conclusion, the benefits of perimeter-based enterprise message management are compelling and self-evident. The expertise of specialists cannot be matched by an enterprise's IT staff. Further, the distributed networks of service providers are more reliable than their enterprise equivalents.