By Joel Snyder
While spammers and scammers have severely degraded the utility of e-mail for inter-organizational communications, savvy security practitioners are fighting back with commercial and open source products. The goal is to reclaim e-mail as a serious business tool. Two major trends dominate the products used in this fight: the commoditization of e-mail security technologies and the centralization of e-mail security technologies in appliances.
E-mail security as a commodity
Commoditization of e-mail security means that the underlying technologies, particularly antivirus and antispam engines, are becoming undifferentiated and substitutable. The core virus detection technology became a commodity several years ago, and spam detection is barreling rapidly in the same direction. While there are significant differences in the underlying technology we see in the products available today, vendors are rushing to minimize the perceivable variations.
Antispam vendors bombard us with white papers explaining how much better their engine is than their competitors', but antispam users are more interested in real-world results. Different operating systems have different scheduling algorithms under the covers, yet few buyers get to that level of detail in selecting an operating system. So too with antispam and antivirus tools: although they vary widely inside, they are rapidly becoming commodity technologies that must be differentiated in other ways, such as through additional features and services like end-user quarantines, pricing and support services, management interface and configurability, or performance.
Curiously, the e-mail security market has re-emerged from the ashes of the late 1990s. During the 1980s and 1990s, a strong market existed for e-mail firewalls that served as central points for control and management of messages before they entered the corporate network. However, with the rise in adoption of Exchange and Notes as messaging servers, this market disappeared. Enterprises preferred to simplify their e-mail backbones and eliminate the e-mail firewall. The triple threats of viruses, spam and regulatory controls have caused e-mail managers to rethink their e-mail security strategy, thereby re-creating the opportunity for a new market. Now, more than 125 product vendors claim to be in the e-mail security business.
At this stage in the life cycle of e-mail security products, obvious features (such as denial-of-service protection and directory harvest attack protection) are being propagated across the major products, further reducing differentiation at the top tier and placing more distance between the eventual winners and losers in this market.
No one wants to sell a commodity product, and the e-mail security vendors are no different. The e-mail security market suffers from both intense competition and a bloated set of vendors. The antispam part of the e-mail security market is destined to undergo a particularly brutal contraction over the next year or two, with 60% to 80% of the current offerings either becoming targets of acquisition or exiting the market entirely. What will remain is a small number of underlying engines for antivirus and antispam incorporated into a larger number of products that add value to the underlying commodity technology. Buyers of e-mail security technology should plan their acquisitions with this certain knowledge: most antispam vendors will go out of business or be acquired.
E-mail security centralized
Enterprises on the cutting edge of e-mail security have been throwing solutions at the problems raised by spam, viruses, regulatory issues, Internet security and policy. The result is that many early adopters have a broad set of solutions located in many parts of their network. Thus, antivirus scanning might be on an Exchange server, while antispam might be on a dedicated system, with some denial-of-service security being provided by a traditional packet-filtering firewall and a second system running an encryption tool such as PGP.
While the clear advantage of being ahead of the market with these tools brings some value to the enterprise, e-mail security vendors are now stepping up to the plate with appliance-based solutions that incorporate antispam, antivirus, firewall features, regulatory compliance and encryption services. This combination of products in a single performance-optimized box is a potent force that will drive the trend of security centralization.
A second force pushing for centralized e-mail control is the onerous regulatory environment of most large enterprises. The regulatory burden is accompanied by a legal burden that now requires quick production of old e-mail when ordered by a court. As enterprises navigate uncertain waters, blown by the winds of regulation out of their control, the option to centralize many current and anticipated future regulatory requirements is very attractive.
For new implementations, selecting an all-in-one appliance-based solution is almost always the best answer. In the presence of the strong products available at all price points in the marketplace, building in-house expertise at the level required to match these products rarely offers a good return on investment.
At the same time, enterprises that have grow-your-own solutions will slowly migrate to centralized appliance-based (or service-based) solutions. This will occur for two reasons. First, enterprises will realize that the burden of building and managing their own mix exceeds the acquisition cost of a packaged solution. Second, and more importantly, the vendor-provided solutions will achieve a feature, performance and reliability level that makes it uneconomic for companies to continue down a build-your-own path.
Although there is no technical reason that e-mail security should be centralized, the packaging of cost-effective solutions shows us another trend: it's cheaper, both in acquisition and management costs, to install a centralized solution than a series of point solutions.
The twin trends of commoditization and centralization will dominate both products and implementations over the next two to four years. While there will always be holdouts, especially in smaller businesses and IT-centric organizations, most enterprises looking for reliable and secure e-mail will find themselves with an appliance-based e-mail firewall (or an Internet-based service) handling antivirus, antispam, denial of service, and some regulatory and policy controls. The greatest area of uncertainty is who will survive. The number of product vendors in this space -- more than 125 -- is unsustainable. Enterprise buyers who elect to follow these trends must be careful in their choice of suppliers, lest they be stuck with expensive doorstops.
About the author
Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Ariz., and a frequent contributor to SearchSecurity.com and Information Security magazine. He sent his first network e-mail in 1980, and has been designing and implementing enterprise e-mail systems ever since. He is partially to blame for the X.400 messaging standards and has been trying to atone for them ever since.
This was first published in September 2005