Email security gateways monitor an organization's inbound and outbound email traffic for unwanted or malicious emails. These products block or quarantine malware, phishing attacks, and spam as their core functionality, but many also offer data loss prevention (DLP) and/or email encryption capabilities for outbound emails.
Many email security gateway products and services are available, and collectively they meet the needs of virtually every organization. Trying to select one product or service from the many available options can be a daunting task. As part of an email security gateway evaluation, an organization should develop a set of criteria, such as a list of questions, to answer for each evaluated product through research, vendor discussions, product testing and/or other means.
This article provides several potential criteria that should be included in an email security gateway evaluation.
How advanced are basic security functions?
Every email security gateway should protect the organization from "bad" emails: those that contain malware, phishing attempts and spam. However, this isn't meant to imply that an email security gateway product should just offer basic antivirus, antispam and antiphishing capabilities. Technologies based on this old generation of antimalware controls are not very effective against current threats.
Instead, an organization should look for more advanced antivirus, antispam and antiphishing technologies. For example, malware detection should use sandboxing and other advanced techniques to evaluate files for possible malicious behavior. Simply using signature-based techniques for malware detection, such as antivirus signatures, is not sufficient any more.
Ideally, the basic security functions should also leverage up-to-date threat intelligence. Threat intelligence is information collected by a security vendor about current and recent threats, such as the IP addresses of hosts performing attacks, or the URLs of malicious domains. By incorporating threat intelligence services and advanced detection techniques, an email security gateway can be much more effective at detecting malicious emails, assuming that the threat intelligence is kept current at all times (e.g., updated every few minutes).
What other security features do email security gateways offer?
Some gateways only offer the basic security functions discussed above. However, increasingly gateways are offering additional email-related security functions, particularly DLP and email encryption capabilities for outbound emails.
For many organizations, especially larger enterprises, these additional functions are irrelevant because the organization already has enterprise DLP and email encryption capabilities. But for organizations without these capabilities, adding DLP and email encryption options to an email security gateway (often for an additional fee) can be a cost-effective and streamlined way to add these capabilities to the enterprise.
How usable and customizable are the management features?
Usability is an obvious plus for email security gateway management; the easier a gateway is to manage on a daily basis, the more likely it will be managed properly and -- therefore -- the more effective it will be. However, the importance of customizability shouldn't be overlooked. Although organizations may not want to spend significant time customizing their email security gateways, doing so can improve detection capabilities, as well as enhance the management process itself by customizing administrator dashboards, gateway reports and other aspects of the gateway.
The needs for usability and customizability of gateway management vary widely among organizations. Some, especially small and medium-sized businesses, are often looking for solutions that require little or no management, and these organizations typically aren't concerned about customizability. Other high-risk organizations require a high degree of customizability in order to make detection as advanced as possible -- even if it negatively affects usability.
What are the typical false positive and negative rates?
A false positive rate is the percentage of benign emails that are incorrectly classified as malicious. Similarly, a false negative rate is the percentage of malicious emails that are incorrectly classified as benign. Ideally, false positive and negative rates should be as low as possible, but it is impossible to get these rates all the way down to zero -- no detection technology is perfect -- and something that lowers one rate often causes the other rate to increase.
Because each email security gateway uses several detection techniques in parallel with each other, it's not generally helpful to report overall false positive and negative rates for the entire gateway. Instead, typical rates are provided for each threat type (spam detection, malware detection, phishing detection, among others). An organization should be able to "tune" the gateway's detection methodologies to raise or lower the rates so the gateway has the desired balance of rates; one business might be able to tolerate a relatively high false negative rate in order to achieve a very low false positive rate, for example.
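As an added illustration of the per-threat-type rates and the tuning trade-off described above (example code, not from the original article): the corpus below is constructed, and the 0-100 "score" and the threshold-based tuning knob are assumptions standing in for whatever a real gateway exposes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Verdict:
    threat_type: str   # detection engine this email was judged by
    is_bad: bool       # ground truth from the evaluation corpus
    score: int         # engine's 0-100 confidence that the email is malicious (assumed)

# Constructed evaluation corpus: labelled emails with the score each engine assigned.
SAMPLE = [
    Verdict("spam", True, 92), Verdict("spam", True, 71), Verdict("spam", True, 55),
    Verdict("spam", False, 12), Verdict("spam", False, 48), Verdict("spam", False, 63),
    Verdict("malware", True, 97), Verdict("malware", True, 80),
    Verdict("malware", False, 5), Verdict("malware", False, 30),
    Verdict("phishing", True, 88), Verdict("phishing", True, 66),
    Verdict("phishing", True, 52), Verdict("phishing", True, 40),
    Verdict("phishing", False, 10), Verdict("phishing", False, 25),
    Verdict("phishing", False, 45), Verdict("phishing", False, 58),
]

def rates(verdicts, threat_type, threshold):
    """Return (false_positive_rate, false_negative_rate) for one threat type.

    An email is classified malicious when score >= threshold. FP rate is the
    share of benign emails so classified; FN rate is the share of malicious
    emails that fall below the threshold. Rates are per engine, not gateway-wide.
    """
    subset = [v for v in verdicts if v.threat_type == threat_type]
    benign = [v for v in subset if not v.is_bad]
    malicious = [v for v in subset if v.is_bad]
    fp = sum(1 for v in benign if v.score >= threshold)
    fn = sum(1 for v in malicious if v.score < threshold)
    fpr = fp / len(benign) if benign else 0.0
    fnr = fn / len(malicious) if malicious else 0.0
    return fpr, fnr

def pick_threshold(verdicts, threat_type, max_fpr):
    """Lowest threshold whose FP rate stays within budget.

    Scanning thresholds upward and stopping at the first that meets max_fpr
    gives the smallest FN rate achievable under that FP budget: raising the
    threshold only ever trades fewer false positives for more false negatives.
    """
    for threshold in range(0, 101):
        if rates(verdicts, threat_type, threshold)[0] <= max_fpr:
            return threshold
    return 101  # nothing is ever flagged; FP rate is zero by construction

if __name__ == "__main__":
    for t in (50, 60, 70):
        print("spam @", t, "-> FP/FN", rates(SAMPLE, "spam", t))
    print("spam threshold for zero false positives:", pick_threshold(SAMPLE, "spam", 0.0))
```

Running it shows the opposite movement of the two rates: raising the spam threshold from 50 to 70 drives the false positive rate from 1/3 to 0 while the false negative rate rises from 0 to 1/3.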
Are email messages or attachments processed or stored in an external system?
Some email security gateways are cloud-based services, so with these products the organization's emails will obviously pass through an external system. What is not so obvious is that some on-site email security gateways (hardware and virtual appliances) may route suspicious emails to a server controlled by the gateway vendor for additional analysis.
Transferring emails to an external server for processing or storage may be an unacceptable risk for some organizations, particularly if internal emails are being analyzed. Sensitive data could be accessed by the email security gateway vendor and inadvertently or intentionally exposed. Similarly, if the vendor's server is compromised, the sensitive data could be compromised as well. Organizations that place a particularly high priority on the confidentiality of their unencrypted emails may want to consider acquiring on-site email security gateways instead of cloud-based services.
Another consideration for the use of external systems is that security and privacy laws and other requirements may differ among jurisdictions. Suppose an organization purchases services from a cloud-based email security gateway provider. If this provider has cloud facilities set up in multiple legal jurisdictions, particularly different countries, the email messages may be subject to different laws, which may necessitate the use of additional or different security and privacy controls. It may also pose different risks -- for example, a foreign government might have the authority to access the organization's emails on the vendor's servers within that country.
Do your homework and evaluate
It can be overwhelming to try to evaluate email security gateway products and services when so many options are available. Defining basic criteria for evaluation is a helpful step in analyzing the possibilities. There is no "right" solution for all organizations; each has its own security requirements, email infrastructure and IT environment, as well as a different combination of threats against it.
This underscores why it is so important for each organization to do its own email security gateway evaluation. Simply relying on third-party evaluations is not sufficient to make the best selection, although such evaluations can provide valuable input into an organization's own evaluation processes.
This article presents several criteria, which are meant as a starting point for an organization to develop its own more comprehensive list of criteria. By no means are the criteria listed in this article meant to be complete. Each organization should consider all of its unique requirements, including applicable laws, regulations and other compliance needs.