"The online business magazine at the heart of international business management news..."
You’ve got mail (problems)

Yankee Group | www.yankeegroup.com


Spam has become so prevalent that not even the most die-hard fan of Monty Python – whose famous sketch was the source of the name – finds it funny any more. Indeed, Jaquith, Yankee Group’s Senior Analyst for the Security Solutions and Services Decision Service, suggests that spam makes up no less than 50 percent of total inbound e-mail. “We’ve seen estimates suggesting that in some industries it is as high as 80-90 percent; in the banking world, for instance, it is quite common for it to be 95 percent on weekends and 80 percent during the week,” he says. Even so, spam is “pretty straightforward” to manage compared to the current industry bête noire: malware.

The challenge with malware is making sure malevolent software such as viruses and Trojan horses is kept out of the e-mail system. “I think the figures that we’ve seen suggest that of the inbound unsolicited e-mails, something like 20 percent is malicious,” continues Jaquith. “It can obviously vary from individual to individual, but the point is that most people know the threat landscape has changed dramatically; you’re not just seeing a little harmless worm that e-mails itself to everyone in your address book – you’re seeing stuff that is really designed to compromise data integrity, to capture keystrokes, to look for bank account information, all kinds of things that are genuinely damaging to individuals and businesses. Getting that under control is a priority.”

In both these cases, the solutions for keeping good e-mail hygiene come down to three options. “You can either buy standalone software like Symantec’s Brightmail; you can buy an appliance that essentially has something like Brightmail in it (or some other software) and typically runs with antivirus as well; or you can outsource e-mail to a managed service, the idea being you ship your e-mail traffic to a company before it even enters the perimeter of your firm. When it comes back to you, it is hopefully relatively clean.”

At Yankee Group, it is the managed services option that is most favored. “We think that this option represents the right use of organizations’ money. It’s getting very hard to keep up with the changes and the threat environment, and the techniques the spammers are using to evade spam rules are simply getting more and more sophisticated,” Jaquith asserts. “If you look at a managed service, they have a wide view over all e-mail traffic across multiple customers that most companies could never achieve, so they have economies of scale that you’re not going to get with an appliance approach. It also means if you outsource and get this element taken out of your e-mail, you don’t have to archive it for regulatory or other reasons.”

Jaquith also notes that companies need to get a handle on their e-mail system from what he refers to as a ‘policy standpoint’. “What this boils down to, particularly on the outbound side, is that companies sometimes make inadvertent mistakes sending sensitive information out of the enterprise. A classic case would be social security numbers or credit card numbers. People just send spreadsheets out all the time with this type of information on it.

“You may or may not want to send this information out in the first place, but if you do, you may want to encrypt it. As such, one of the things we’re seeing increasingly offered by appliance vendors or managed services is software that helps you control the outbound flow of your mail.”
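The outbound control Jaquith describes can be sketched as a content scan that flags card and social security numbers before a message leaves. This is an added example, not code from the article or from any vendor it names; the function names, the `require-encryption` verdict and the sample message are constructed for illustration, and only text parts (body and CSV-style attachments) are inspected.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN layout, skipping area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out order refs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Return (kind, masked value) pairs; never echo the full number into logs."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        found.append(("ssn", "***-**-" + m.group()[-4:]))
    return found

def scan_message(raw):
    """Scan every text part (body and text attachments) of an outbound message."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found += scan_text(part.get_content())
    return ("require-encryption" if found else "allow"), found

def build_sample():
    """Constructed outbound message with a CSV 'spreadsheet' attached."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "alice@example.com", "partner@example.net"
    msg["Subject"] = "Q2 customer list"
    msg.set_content("Spreadsheet attached. Order ref 1234567890123456.")
    rows = "name,ssn,card\nJ. Doe,123-45-6789,4111 1111 1111 1111\n"
    msg.add_attachment(rows, subtype="csv", filename="customers.csv")
    return msg.as_bytes()
```

The 16-digit order reference in the body fails the Luhn check and is ignored, while the test card number and SSN in the attachment trigger the encryption verdict.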

Keeping compliant

So what of storing and retrieving e-mails? Research has shown that only 37 percent of companies could find an e-mail more than a month old, which obviously has implications for companies’ ability to meet the various compliance standards that are now required.

When this is put to Jaquith, he suggests it depends on whether the figure refers to end-users searching their inboxes, or to legal asking for e-mails to be checked for certain information. If so, “then you might well only get 37 percent of people who can find something.”

However: “Some industries are heavily regulated; if you look at investment banking, for instance, they are required to keep everything for seven years – meaning they are required to recreate an entire trading day – so e-mail is clearly part of that, as is instant messaging.

“You’re therefore seeing quite a few solutions that are specifically designed to look after e-mail archiving. What these tend to do is sit on your e-mail server and then divert a copy of every e-mail to a message store where it can be stored and managed, etc. Symantec has a product in this arena by virtue of the Veritas acquisition, and there are certainly a lot of other little start-ups moving into this area. They all do more or less the same thing: they’re essentially trying to sweep the e-mail off into an archive and then back it up to tape, which enables you to serve whichever compliance regime you need to serve.

“I’d say if you’re a big company and you’re regulated in any way, you really need an e-mail archiving solution. Simply running around rooting for tapes, hoping you have them all, is really not a good strategy.”

Ease of use

The challenge here, of course, lies in how best to capture the data in a usable fashion – what do companies need to think about when considering searching, indexing and archiving? “What is interesting is that today, e-mail is everybody’s knowledge management system,” points out Jaquith. “You probably retain a lot of e-mail – I know I do – and today it’s very easy to search for and find a particular e-mail. But whilst we’re seeing an increased need to be able to easily go and look through your past e-mails, the requirements for searching and indexing are slightly different than for archiving. With archiving, what you really care about is essentially the chain of custody – you can show legally you have captured the e-mail in a consistent fashion, that you’re not missing anything and that it’s not mishandled during the process of capturing and storing it – that it hasn’t been subject to modification by a third party.”

So is it possible to both store and search reliably? “The only guidance I would give for buyers is that if you want to be able to do both – to store it forensically for compliance, and be able to search it easily – then you’re probably going to need to expand your selection requirements a little bit and be a little more careful in the evaluation of possible solutions because some products are good at one but not the other.”
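The chain-of-custody requirement described above (nothing missing, nothing modified after capture) is commonly met with a tamper-evident journal. The following is an added sketch, not taken from the article or from any product it mentions; the names `journal`, `verify` and `sample_archive` are hypothetical, the messages are constructed, and it assumes the latest head hash is recorded somewhere the archive operator cannot rewrite.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'previous hash' for the first entry

def _entry_hash(seq, prev, msg_sha256):
    record = json.dumps([seq, prev, msg_sha256]).encode()
    return hashlib.sha256(record).hexdigest()

def journal(archive, raw_message):
    """Append a copy of raw_message; each entry commits to the one before it."""
    prev = archive[-1]["entry_hash"] if archive else GENESIS
    seq = len(archive)
    digest = hashlib.sha256(raw_message).hexdigest()
    archive.append({"seq": seq, "prev": prev, "msg_sha256": digest,
                    "raw": raw_message,
                    "entry_hash": _entry_hash(seq, prev, digest)})
    return archive[-1]["entry_hash"]  # head value to record out of band

def verify(archive, trusted_head):
    """Return a list of problems; an empty list means the chain is intact."""
    problems, prev = [], GENESIS
    for pos, e in enumerate(archive):
        if e["seq"] != pos:
            problems.append(f"position {pos}: sequence gap (found seq {e['seq']})")
        if hashlib.sha256(e["raw"]).hexdigest() != e["msg_sha256"]:
            problems.append(f"seq {e['seq']}: message body modified")
        expected = _entry_hash(e["seq"], e["prev"], e["msg_sha256"])
        if e["prev"] != prev or expected != e["entry_hash"]:
            problems.append(f"seq {e['seq']}: chain link broken")
        prev = e["entry_hash"]
    if prev != trusted_head:
        problems.append("head mismatch: entries missing or appended")
    return problems

def sample_archive():
    """Constructed three-message archive plus the head hash to keep off-box."""
    archive, head = [], GENESIS
    for body in (b"Subject: trade 1\r\n\r\nbuy 100",
                 b"Subject: trade 2\r\n\r\nsell 40",
                 b"Subject: trade 3\r\n\r\nhold"):
        head = journal(archive, body)
    return archive, head
```

A search index can be built alongside such a journal, but only the journal and its recorded head hash provide the custody evidence.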

Other sources

With this in mind – and with the proliferation of IM, for example – it is also important to make sure that any system used is flexible enough to draw in data from other sources as necessary. So what additional points need to be considered to make sure companies don’t fall foul of compliance issues?

“I think there are essentially two key points here,” Jaquith stresses. “First, you need to make sure the IM system you are using can capture information not only from the company-approved IM system that you’re using, but also public networks as well. There’s a reason people use AOL, Yahoo, MSN, etc. – they’re easy to use, they’re free and a lot of friends use it. It’s probably difficult to assume that everyone’s going to use just one system. You therefore need to have something that can interoperate with all the public IM systems.

“The second thing is that, if you are in an industry that’s regulated, you want to log your stuff and capture it and make it clear to your users (if you haven’t already) that this kind of stuff is going to get logged.”

In the latter case, companies that are required to implement e-mail archiving are discovering it poses its own cost and security issues. Jaquith highlights two factors that need to be borne in mind: “First, like I mentioned before, you need to think carefully about your selection because archiving and searching for the purposes of knowledge management aren’t the same thing. I think that a lot of people assume that when they get one they get the other. That’s not necessarily the case.

“The thing is that you want an archiving system to ‘play nicely’ with your backup software. You want these systems to (hopefully) use a tape backup system you’re familiar with, use a rotation scheme that you understand and that essentially is going to be operational – you need to make it as operational as you can with your existing operations staff.”

For these reasons, e-mail outsourcing is becoming increasingly popular, certainly with regard to message hygiene and outbound filtering – essentially the two problems Jaquith feels need addressing as a matter of priority. “We found that something like a quarter of corporations are using outsourcing services. What’s interesting is, of the biggest companies and the ones that spend the most money, 40 percent are outsourcing. It’s a significant percentage and I think it bodes well for the future.”

As for outsourcing archiving, this isn’t quite as common. Jaquith believes it’s generally viewed as an internal operation that you need to become good at. “It’s essentially about operational mastery, but I do think it’s going to become more popular. If you look at a company like MessageLabs, for instance, they will sell you an appliance that will essentially sit on your network and ‘vacuum up’ messages from your corporate e-mail system, but will store it as a managed service. There are some interesting hybrids emerging between the managed service approach and onsite archiving, and I think that’s an area that is certainly going to be worth watching.”

Inevitably, the decision as to which model to go for comes down to the age-old issue of value. “The question companies need to ask themselves – whether we’re talking about archiving or inbound and outbound filtering – is whether being good at it is something that really adds any value to your corporation, or if it’s sufficiently mechanical and CAPEX-intensive that you might simply be better off having someone else manage it?”

