The best email security gateways: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
Email security gateways prevent emails with malicious intent and messages that violate an organization's security and use policies from reaching their destinations. These emails may contain malware, phishing attacks, spam and other malicious content. By blocking or quarantining these emails, whether inbound or outbound, an email security gateway can prevent a wide variety of attacks from ever reaching their targets.
It's hard to imagine an organization that doesn't use email and equally hard to think of an organization that wouldn't benefit from an email security gateway. Although email security gateway appliances are traditionally thought of as being used by larger organizations because of their cost, there are now public cloud-based email security gateway products that offer cost-effective solutions for smaller organizations. Other architectures are also available, such as having email security gateway software installed onto an organization's mail server, or using an onsite virtual appliance that can be part of a private cloud or a local non-cloud server that supports virtualization. All of these architectures provide the same functionality when it comes to email filtering.
It can be hard to differentiate email security gateway products from each other because -- on the surface -- they all seem to provide a single security benefit: they block "bad" emails, thus preventing attacks. As if that wasn't enough of a reason to acquire email security gateways, a closer look reveals that there are other benefits provided by these gateways. These are described below.
Compensate for weak or missing client security controls
As the name implies, an email security gateway is deployed as a network-based security control; there is no such thing as a client component for an email security gateway. However, because all inbound and outbound email is funneled through an organization's email servers anyway, this is not a weakness or drawback. On the contrary, this can be highly beneficial because detecting the latest threats means updating threat intelligence, malware signatures and other threat detection methods as often as possible -- such as every five minutes. Pushing out updates to all client devices every five minutes is not feasible for most environments, but it's easy and efficient to update one centralized device that often instead.
What's more, client devices may lack fundamental client security controls such as antivirus software and antispam software, antiphishing features in their Web browsers, email clients and so on. This is more likely to be true for an organization that has mobile devices (smartphones and/or tablets) deployed, because these devices often don't have robust security controls available. It is particularly important for any organization that permits bring your own device (BYOD) usage, as the organization generally has no control over the security configuration of these devices, so they may have outdated security controls (e.g., antivirus, antispam, antiphishing) or no security controls at all. In these cases, the network security controls are the only ones that an organization can rely on, which makes the email security gateway a critical part of an organization's security architecture.
Provide data loss prevention functionality for email
Some email security gateways offer optional data loss prevention (DLP) functionality for email messages. Primarily intended to be used to inspect outbound email messages, DLP technologies are designed to detect sensitive information being improperly exfiltrated from an organization. Examples of such sensitive data are Social Security numbers, credit card numbers and medical records.
Users may accidentally or intentionally attempt to email sensitive information outside an organization, potentially causing a serious data breach. A breach could damage an organization's reputation, violate laws or regulations, and cost an organization significantly in terms of fines, lawsuits, vulnerability remediation, credit monitoring services and other expenses.
If an organization already has an enterprise DLP capability deployed and managed, then email is probably already being analyzed for sensitive information, so having this capability as part of the email security gateway is probably not beneficial. On the other hand, an organization without enterprise DLP could significantly benefit from using DLP capabilities in the email security gateway to prevent some data breaches.
Note that DLP requires monitoring and tuning, so organizations need to dedicate resources to DLP in order for it to be effective.
Support basic email encryption services
A capability offered by some email security gateways is email encryption. These email encryption services protect the confidentiality and integrity of emails in transit. This is helpful in preventing eavesdropping by attackers who can monitor a segment of a network along the route that an email message traverses and view the contents of email messages, copy their attachments and so on.
Unfortunately, there are limits to what these email encryption services can do. Because these services are gateway-based, they don't provide any protection for emails along the path from the sender's client device to the email security gateway. They also can't provide protection for email messages and attachments at rest, such as those stored on the sender or recipient's client devices. This means a compromise of a client device, such as a malware infection, could expose the sensitive contents of email messages and attachments to attackers.
Organizations may need a more robust email encryption product, such as one that provides true end-to-end encryption along the entire path from sender to recipient, and one that encrypts email bodies and messages in transit and at rest, including when they are stored on client devices and intermediate hosts (e.g., email servers).
In such cases, organizations should evaluate and acquire a more robust, dedicated email encryption product or service. But in cases where the possible threats are mitigated through other security controls -- such as using Transport Layer Security to encrypt email communications between a sender and an email server or email security gateway -- it may make more sense to rely on the email encryption capabilities provided by an email security gateway.
At their core, email security gateways are all about filtering emails to prevent malicious messages and attachments from reaching their intended recipients. By detecting and blocking malware, spam, phishing attempts and other malicious content, email security gateways can significantly reduce the number of attempted and successful attacks against an organization.
Email security gateways are particularly beneficial in environments where client-based email security controls are weak or missing, such as BYOD.
Some email security gateways offer additional security functionality. DLP is a common feature integrated into these gateways to prevent outbound emails from inadvertently or intentionally transferring sensitive data outside an organization's systems. DLP looks for patterns of Social Security numbers, credit card numbers, medical records and other such data in email message bodies and attachments, and can prevent emails that contain such data from reaching their recipients. Some gateways also offer limited email encryption capabilities, which protect the confidentiality and integrity of email message bodies and attachments as they transit unsecured networks between the gateway and the recipient's client device.
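The DLP pattern matching described above, as an added example (not from the original article or any gateway product): a minimal outbound check that scans a message body and its text attachments for Social Security and credit card number patterns, using a Luhn checksum to discard card-like digit runs that are not card numbers, the kind of false positive that makes DLP tuning necessary. The sample message, regular expressions and function names are constructed for illustration.

```python
import re
from email import message_from_string
# Constructed sample: outbound message with a text attachment (no real data).
SAMPLE = """\
From: alice@example.com
To: partner@example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Customer SSN is 123-45-6789. Order ref 1234 5678 9012 3456.
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="cards.txt"

Card on file: 4111 1111 1111 1111
--b1--
"""
# Illustrative patterns (assumptions, not a vendor rule set).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_outbound(raw: str) -> list:
    """Return (location, kind) findings for the body and each text attachment."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and non-text parts
        where = part.get_filename() or "body"
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        findings += [(where, "ssn") for _ in SSN_RE.finditer(text)]
        for m in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((where, "card"))
    return findings

def verdict(raw: str) -> str:
    return "quarantine" if scan_outbound(raw) else "deliver"
```

The 16-digit order reference in the body fails the Luhn check and is not reported, while the SSN in the body and the card number in the attachment are.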
Regardless of their support for these additional capabilities, email security gateways are invaluable for detecting and stopping email-based threats before they reach their targets. Because so many of today's threats come via email, email security gateway software, appliances and/or cloud-based services have become indispensable for most organizations.