What are the pros and cons of outsourcing email security services?

In this SearchSecurity.com Q&A, application security expert Michael Cobb explains whether it's right for your organization to hand off email security services to another provider.

Would you recommend outsourcing enterprise email security? What are the pros and cons when hundreds or thousands of users are involved?
For the vast majority of enterprises, there is a strong business case for outsourcing email services. Enterprise-scale email infrastructures use uptime and resources, and email security has become an ever-increasing challenge. Many enterprises have already outsourced email to reduce their overall messaging costs. Leaving their IT departments to focus on core competencies, these companies have also improved reliability.

A well-planned move to outsourced email security service should allow most organizations to reduce capital costs,...

achieve predictable costs, as well as improve performance, reliability and security. An obvious advantage of using such a service is the convenience of having someone else manage messaging processes and infrastructure associated with message filtering, delivery and the elimination of spam-related network traffic.

Another advantage of email security outsourcing is its relatively easy implementation. Outsourcing doesn't require on-site equipment or third-party access to private servers and networks. Setup usually just involves changing a domain name system's MX (mail exchange) record to point to the service provider's mail gateway.

Such an arrangement also provides a side benefit: your email servers will be protected from denial-of-service attacks. If your mail server only picks up mail from the service provider, all DoD mail attacks will have been filtered and handled by the service provider's defense infrastructure. Also, because filtering is performed outside of your own network, it won't interfere with your perimeter defense devices. With outsourcing, it's often easy to avoid over-engineered systems. In many cases, the services can be scaled to current usage requirements.

When reviewing possible service providers, you must verify that the service level agreement (SLA) is going to deliver the security, reliability and costs that you require. A good email service provider should offer the following:

  • Anytime, anywhere, reliable access to email
  • Load balancing and a fully redundant infrastructure
  • A wide range of messaging features such as webmail
  • Filtering of incoming mail for viruses, spam and inappropriate content

    I would also look for a provider who offers outbound message cleansing and policy enforcement. Secure connections are also important so that encrypted email pathways can be set up between offices and business partners.

    So, are there any downsides to outsourcing? Some organizations may feel uncomfortable losing control over some of their infrastructure. A service provider does add another hop to the email chain, and that may cause concern for some, since email is inherently insecure. My opinion is that outsourcing email is no more or less risky than using an ISP or using mail delivery services such as FedEx or UPS.

    However, there are the risks that exist in any commercial relationship. How financially stable is the provider? How easy would it be to move to another provider or bring email back in-house if you weren't happy with the outsourced service? As with any outsourcing decision, you must do proper due diligence when choosing from one of the many outsourcing services. You should try to find a provider that will protect against such issues.

    More information:

  • Learn how to maintain compliance when outsourcing enterprise services.
  • Visit Messaging Security School and review email security basics.

This was last published in July 2007

Dig Deeper on Email and Messaging Threats-Information Security Threats