Magic Quadrant for Secure Gateways

Transcription

1 Research G August 2011 Magic Quadrant for Secure Gateways Peter Firstbrook, Eric Ouellet The secure gateway market is a mature market. Buyers must look at advanced functionality, service delivery, vertical integration of related products and strategic vendor relationships to differentiate solutions. What You Need to Know The security market is very mature, and there has been minimal vendor movement in the Magic Quadrant since our last analysis. Spam-filtering effectiveness is at an acceptable rate for most organizations. Inbound improvements are still needed to detect targeted phishing s, which are an increasing problem. Content-aware data loss prevention (DLP) that includes numerous prebuilt dictionaries and regulatory policies is a significant differentiator. However, buyers must understand how these capabilities will be used in context of the broader enterprise DLP strategy. Policy-based encryption is an increasingly important capability and a significant differentiator of leading products. security solutions are available in various delivery models. Appliances and security as a service (SaaS) are the most popular, but the availability of hybrid (combination of on-premises and SaaS) and virtual appliances is increasing. The breadth of the product portfolio is also an important consideration as organizations look to consolidate security buying around fewer, more strategic vendors, especially in mature product domains. 1-16XZCJ7

2 Magic Quadrant Figure 1. Magic Quadrant for Secure Gateways Source: Gartner (August 2011) Market Overview The secure gateway (SEG) market is a mature market. Spam and virus filtering is at an acceptable rate, and features are sufficient for most organizations. The penetration rate of commercial SEG solutions is close to 100% of enterprises. Buyers are becoming more price-sensitive; 60% of recently surveyed reference customers (see Note 1) said that "price" would induce them to change vendors. The overall market growth flattened out in 2010, and there were no significant mergers or acquisitions in the past 12 months. DLP and encryption remain the single biggest solution differentiators and are the primary reason we have not yet moved to a MarketScope format for this analysis. We continue to see form factors influence decisions, with interest and deployment of virtual solutions and SaaS solutions continuing to outpace traditional appliances and software. Leading vendors in this market are expanding their offerings vertically into adjacent markets, such as mailbox hosting, hosted archiving, e-discovery and continuity services, and horizontally into secure Web gateway (SWG; see "Magic Quadrant for Secure Web Gateway") solutions linked by common DLP and management. 2

3 Global spam volumes declined significantly in late 2010 and early 2011, primarily from the Rustock botnet takedown. Although this doesn't signal the end of botnets or high-volume spam, we expect to see a shift in more advanced spam campaigns to a more targeted approach. Reduction in bulk spam volumes has increased the necessary emphasis of solutions on more targeted spam and phishing attacks. We anticipate the decline in pure volume will be followed by increases in more limited-volume targeted attacks. The recent compromise of marketing firm Epsilon and others will likely seed the next generation of more targeted attacks that exploit the knowledge of customer relationships with brands and other information to create a more targeted spam or phishing campaign. We anticipate that older techniques, such as volume-based reputation filters and signaturebased content filters, will become less effective in blocking new threats. Anti-spam solutions must continue to invest in new techniques to catch these new threats and the last 0.5% of spam that continues to slip through. One new approach is cloud-based prefilters or cloud-based look-up mechanisms, which allow on-premises solutions to benefit from more rapid changes in cloud protection techniques and more up-to-date cloud intelligence. We also expect leading anti-spam research labs to continue to invest in improvements in data collection and analytics to detect new spam and malware trends early. The primary malicious technique will remain the redirection to a malicious website rather than actual executable binaries in . Successful SEG vendors will have significant research in Web malware and a presence in the SWG market. Integration between the SEG and SWG products for vendors that do both is a bonus, especially for organizations using complex DLP policies. Smaller organizations and leaner IT organizations should look for both solutions from a single vendor. However, we still see these as different buying centers in the large enterprise market. The primary malicious file attachments will be malformed documents (Office and PDF) that take advantage of vulnerabilities in the host program. These types of attachments cannot be easily filtered with static policy (that is, no executable attachments). Static code analysis that searches files for known attack techniques is the most productive detective technique for this type of threat, but we also see value in active code analysis (either in the cloud or on-premises) that actually executes code in a virtual environment looking for malicious output. One of the biggest frustrations of administrators is legitimate bulk marketing s that users think are spam. Solutions are finally starting to address this class of unwanted with specific quarantines for bulk that users can deploy in their efforts to clean up in-boxes while avoiding potentially dodgy "unsubscribe" processes. DLP remains a significant differentiator. Recently surveyed reference customers (see Note 1) reported that 30% were already using DLP, while 32% were planning on using it within the next 24 months. The breadth and depth of content detection techniques, the number of predefined dictionaries and lexicons that can be used in policy, the flexibility of policy development, and workflow and reporting specific to DLP tasks vary widely across solutions. DLP capabilities were weighted heavily in our analysis, given that over 60% of buyers will be exploiting this functionality within the life cycle of their next contract renewal. The adoption of DLP drives the adoption of encryption. Companies that search for sensitive or private information in often find it. However, exchanging this content with third parties is often a business imperative, and blocking it outright is rarely an option. Encryption becomes an enabling tool to send sensitive content safely and in compliance with regulations. The primary form of encryption that is the most common is pull-based that 3

4 strips content at the gateway and holds that content for pickup by the recipient in a Secure Sockets Layer (SSL)- encrypted browser interaction similar to a Web mail interaction. Another popular option is to strip the content of the and put it in an encrypted PDF file, which is then attached to the original . The options for customizing the experience for recipients and senders, such as setting passwords and enabling encrypted reply, message hold limits, message recall, read monitoring, and message branding, are all differentiators of encryption solutions. The experience of sending or receiving an encrypted on mobile devices is also a significant differentiator. Encryption solutions can be hosted on-premises. However, SaaS-based solutions are increasingly popular as organizations seek to outsource the certificate management complexity of these solutions. Encryption capabilities are weighted heavily in this analysis, as we estimate that more than 65% of organizations will be exploiting this functionality within the life cycle of their next contract renewal. Other common feature improvements in this analysis included IPv6 support, Outlook plug-in support for spam reporting, large file offloading, global spam detection improvements, support for DomainKeys Identified Mail (DKIM), and Sender Policy Framework and administration interface improvements, such as improved role-based administration, log data segregation, dashboard customization, improved reporting and message trace functions, and security incident management (SIM) integration. The SaaS form factor continues to outpace the growth of on-premises deployments. We estimate that the revenue from SaaS-based deployments is now roughly 37% of the overall market. We see interest in SaaS across the board from all clients, but especially those that have fewer than 1,000 seats. Very large organizations (that is, more than 20,000 seats) are also very interested in SaaS as a means to rapidly standardize across a global set of loosely federated IT departments. We also see an increasing interest in organizations adopting additional SaaS services, such as archiving, continuity and mailbox hosting. We also see some interest in "hybrid" offerings that provide a combination of on-premises outbound features, such as DLP and encryption, with SaaS-based inbound spam and virus filtering managed from a common console. For on-premises solutions, we see a significant interest in virtualization form factors as more organizations become more proficient in this platform. Vendors that offer a full range of services are given extra credit in this analysis. Longer term, the gradual migration to cloud-based mailboxes which always includes virus and spam protection threatens the SEG ecosystem, since third-party filtering services become largely unnecessary when mailboxes reside in the cloud. Market Definition/Description The SEG market is defined by solutions that provide enterprise message transfer agent (MTA) capabilities, offer protection against inbound and outbound threats (such as spam, phishing attacks and malware), and satisfy outbound corporate and regulatory policy requirements. SEG solutions can be offered in the form of appliances or software that goes on customer premises, hosted solutions that reside in solution providers' data centers, or multitenancy SaaS that exists in multiple data centers around the globe. Unified threat management (UTM) devices that combine firewalls with some spam filtering are not included in this market. The total market size was roughly $1.6 billion in Last year, we predicted the growth rate in 2010 to decline to 8% due to market saturation, increased bundling/suite deals and intense competition among market leaders. However, these elements had a more significant effect than predicted, and the market grew only by approximately 1%. We anticipate a slight increase in 2011 due to a recovering economy. However, we see the 4

5 market growth rate is now at an effective plateau that accompanies a saturated and mature market. Ancillary services, such as archiving, DLP and encryption, are the main drivers of growth, while traditional spam- and virus-filtering services and other license and subscription revenue will decline. The increase in suite bundling will blur the SEG market, making future growth and market size difficult to identify. The increase in acceptance of the SaaS delivery form factor continues. The five-year compound annual growth rate (CAGR) of SaaS revenue (between 2005 and 2010) was 31%, while the CAGR of the on-premises solutions was 15%. SaaS SEG revenue in 2011 will be roughly 37% of the total market. Inclusion and Exclusion Criteria The solution must have its own proprietary capabilities to block or filter unwanted traffic. Supplementing it with third-party technology is acceptable. The solution must provide virus scanning via its own or a third-party antivirus engine. The solution must provide basic intrusion prevention. The solution must offer encryption functionality beyond Transport Layer Security (TLS) on its own or via a third-party relationship. The solution must offer the ability to scan outbound according to a set of basic vendor-supplied dictionaries and common identifiers (for example, U.S. Social Security number [SSN], credit card, bank account and routing numbers). Vendors must have at least 2,000 direct (not via OEM) enterprise customers in production for their security boundary products. Multifunction firewalls (also known as UTM devices) are outside the scope of this analysis. These devices are traditional network firewalls that also combine numerous network security technologies such as antispam, antivirus, network intrusion prevention system and URL filtering into a single box. Multifunction firewalls are compelling for the small or midsize business (SMB) and branch office markets. However, in most circumstances, enterprise buyers do not consider multifunction firewalls as replacements for SEGs. Other Vendors This Magic Quadrant is not intended to be an exhaustive analysis of every vendor in this market, but rather a focused analysis of solutions that are most interesting to the majority of our clients. There are other vendors that were not included in this analysis because they do not fit the technical inclusion criteria. Sendmail is one that has a respectable large enterprise presence but takes a unique approach by offering a platform that allows enterprises to plug in various security applications from other vendors. This approach allows enterprises to build their own solutions from component vendors, while offering an overall management framework and underlying scalable messaging transfer agent. There are also vendors like Spamina, Axway and Mimecast, which focus on a particular geographic or vertical market niche. 5

6 Added Sophos reappears in this analysis. Dropped PineApp and Messaging Architects were dropped from this year's analysis. Evaluation Criteria Ability to Execute Vertical positioning on the Ability to Execute axis (see Table 1) was determined by evaluating the following factors: Overall viability was given a heavy weighting, because this is a mature and saturated market. Overall viability was considered, not only in terms of the overall company revenue, channel reach, management team and resources of the vendor, but also in terms of the importance of the security unit at each company. Sales execution/pricing scores reflected a comparison of pricing relative to the market. Market responsiveness and track record measured the speed in which the vendor has spotted a market shift and produced a product that potential customers are looking for, as well as the size of the vendor's installed base relative to the amount of time the product has been on the market. This weighting takes into account a vendor's performance over time, but performance during the past 18 months was evaluated most significantly. Customer experience measured the quality of the customer experience based on reference calls and Gartner client teleconferences. We incorporated research and reference call data on support responsiveness and timeliness, quality of releases and patches, and general experiences when installing and managing the product and service on a day-to-day basis. The operations score reflects the corporate resources (in other words, management, business facilities, threat research, and support and distribution infrastructure) that the SEG business unit can draw on to improve product functionality, marketing and sales. We also took into consideration the focus and transitions of the teams in charge of engineering, management, marketing and sales for the relevant product lines. 6

7 Table 1. Ability to Execute Evaluation Criteria Evaluation Criteria Product/Service Overall Viability (Business Unit, Financial, Strategy, Organization) Sales Execution/Pricing Market Responsiveness and Track Record Marketing Execution Customer Experience Operations Weighting Standard High Standard High Standard High Standard Source: Gartner (August 2011) Completeness of Vision The Completeness of Vision axis captures the technical quality and breadth of the product, and the vendor's organizational characteristics that will lead to higher product satisfaction among midsize to large enterprise customers, such as how well the vendor understands this market, its history of innovation and its geographic presence. In market understanding, we ranked vendors on the strength of their commitment to this market in the form of strong product management, their vision for this market and the degree to which their road maps reflect a solid commitment of resources to achieve that vision. We heavily weighted the product features of the vendors' flagship solutions in the Completeness of Vision criteria. Product features that Gartner deemed the most important were: Anti-spam/phishing effectiveness and investment in malware research Management and reporting functionality DLP capabilities Encryption capabilities Delivery form factor options Other functionality or solutions relevant to the buyer in the target market of the supplier, such as archiving, disaster recovery and file transfer, were also taken into account. 7

8 Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Market Understanding Marketing Strategy Sales Strategy Offering (Product) Strategy Business Model Vertical/Industry Strategy Innovation Geographic Strategy Weighting Standard No rating No rating High No rating No rating Standard Standard Source: Gartner (August 2011) Leaders Leaders are performing well, have a clear vision of market direction and are actively building competencies to sustain their leadership positions in the market. Companies in this quadrant offer a comprehensive and proficient range of security functionality, and show evidence of superior vision and execution for current and anticipated customer requirements. Leaders typically have a relatively high market share and/or strong revenue growth, own a good portion of their threat or content-filtering capabilities, and demonstrate positive customer feedback for anti-spam efficacy and related service and support. Challengers Challengers execute well, but they have a less-defined view of market direction. Therefore, they may not be aggressive in preparing for the future. Companies in this quadrant typically have strong execution capabilities, evidenced by financial resources, a significant sales and brand presence garnered from the company as a whole or other factors. However, Challengers have not demonstrated as rich a capability or track record for their security product portfolios as vendors in the Leaders quadrant. Visionaries Visionaries have a clear vision of market direction and are focused on preparing for that, but they may be challenged to execute against that vision because of undercapitalization, market presence, experience, size, scope and so forth. 8

9 Niche Players Niche Players focus on a particular segment of the client base, as defined by characteristics such as a specific geographic delivery capability or dedication to a more limited product set. Their ability to outperform or be innovative may be affected by this narrow focus. Vendors in this quadrant may have a small installed base or may be limited, according to Gartner's criteria, by a number of factors. These factors may include limited investment or capability to provide security threat detection organically, a geographically limited footprint or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on the vendors' value in the more narrowly focused market they service. Vendor Strengths and Cautions Barracuda Networks Barracuda Networks (Barracuda) is a private California-based company that focuses on producing a range of economical, easy-to-use appliances and a SaaS-based solution. Barracuda's solutions are aimed squarely at cost-conscious SMBs, as well as educational and government institutions, but Barracuda is starting to address larger enterprises and service provider markets. Barracuda Spam & Virus Firewall appliances are shortlist candidates for organizations seeking "set and forget" functionality at a reasonable price. The Barracuda Security Service (BESS) is appropriate for organizations in supported geographies. Strengths The Web-based management interface is designed to be easy to configure, even for nontechnical users, with numerous wizards, context-sensitive help, and clearly visible recommended settings and explanations. It has a very good message-tracking search capability, with granular filters and fast drill-down into message and header details and log content, as well as contextual right-mouse-click action options. We also like its ability to delegate quarantine management. Barracuda leverages the open-source and white-hat community with its anti-spam technology, along with its own growing security lab. It is one of the few vendors that have a false-positive/negative report to monitor spam detection quality. It also offers an Outlook plug-in to report spam and false positives. Barracuda now includes an optional cloud-based prefilter, which filters out obvious spam in a Barracuda data center before final filtering is done on-premises. Encryption was recently added to the solution and comes at no extra cost. It supports push- and pull-based encryption and is suitable for mobile devices. It also provides very basic DLP capability free of charge. Barracuda Control Center can manage multiple boxes and centralize configuration, logs and reporting. It comes as a free cloud-based offering or an on-premises appliance. Service prices are per box, rather than per user, making Barracuda a significant price leader. 9

10 Barracuda also offers an archiving solution that has an interface with a consistent look and feel that can also be managed from the same Barracuda Control Center. Cautions Barracuda uses open-source databases for spam and antivirus filtering, supplemented with Barracuda's own research labs. However, Barracuda Labs is still relatively small. It does not offer any other third-party antimalware engines. The management platform is designed for Barracuda's core SMB market. Advanced features for enterprise users are missing, such as dashboard customization capacity, a hyperlinked drill-down, a reusable objectoriented policy, granular role-based administration, group-level-only data access, directory synchronization and a group-level policy. Reporting is still quite basic and lacks ad hoc capability to create completely new reports. Logs from the cloud-based prefilter service are not combined with appliance logs. DLP is limited to keyword and regular expression (RegEx) filtering. It is not very flexible. Although it includes four predefined dictionaries, each policy requires its own dictionary. Workflow for compliance officers is missing. Cisco Cisco continues to dominate the market for dedicated on-premises solutions for midsize to large organizations. The company's consolidation of malware research groups into a more cohesive unit analyzing the vast amount of data from its global footprint of products is providing improved native malware and spam intelligence. Cisco also enjoys strategic vendor status with many of its customers and is well-respected in the core network buying centers. Cisco is a very good candidate for midsize to large enterprise customers looking for appliance form factors. Strengths Cisco's IronPort appliances offer excellent scalability/reliability and very granular MTA control capabilities. The management interface is easy to use and provides deep policy control. Improvements since our last analysis focused on enhancing protection and the identification of targeted lowvolume attacks. Cisco's outbreak prevention option uniquely rewires suspicious URLs, such that Web content linked from is scanned for malware in real time by Cisco's ScanSafe SWG Service. Other recent improvements include flexible role definition, stronger password controls, mass marketing or bulkmail protection, and SMTP Call Ahead, which ensures a message is deliverable. Cisco is also increasing its Federal Information Processing Standards (FIPS) and Common Criteria compliance. IronPort offers integrated content-aware DLP capabilities with numerous predefined policies, dictionaries and identifiers. The policy and compliance officer interface is complete and easy to use. Policy violations are scored on a severity scale and can have different disposition actions based on severity. The DLP quarantine can be encrypted for extra data protection. 10

11 Cisco offers very flexible, fully integrated native policy-based encryption delivered on-box, off-box or as a service with support for secure delivery via Transport Layer Security (TLS), Secure Multipurpose Internet Messaging Extensions (S/MIME) and Pretty Good Privacy (PGP), along with hosted pull and envelope push encryption capabilities. IronPort's support for secure bulk mailings and e-statement delivery will appeal to organizations with a need for frequent secure B2C communications. IronPort supports the secure transfer of arbitrarily large file attachments via its encrypted pull capability (hosted encryption). IronPort benefits from Cisco's installed base of network security appliances and the ScanSafe SaaS SWG to collect a massive amount of Internet traffic information to spot new trends. Moreover, Cisco's broad array of network security components (firewalls, intrusion prevention systems [IPSs], SWGs and routers) makes it a strategic vendor for organizations looking to consolidate buying around fewer security vendors. Cisco offers a limited North America-based hosted security service that provides dedicated instances of its security appliances managed by Cisco. Cautions IronPort's focus on the needs of large enterprises doesn't always scale down well for the midsize organization. A virtualized appliance is not yet available (due in 4Q11). Cisco's hosted offering is very new and only has data centers in the U.S. so far. These offerings would enable Cisco to more effectively reach the midmarket. Cisco solutions carry a very high list price relative to the market. Buyers must negotiate effectively to gain competitive pricing. Cisco's rapid exit from the cloud-based market (see "The Perils of Cloud Cisco Exits the Market") illuminates its primary focus on the security and hygiene part of the market. Cisco is not likely to offer a vertically integrated stack (for example, security, archive, disaster recovery and hosted exchange). Despite Cisco's deep product and technology offerings, it still has significant work to do to integrate the various components in a comprehensive integrated suite. Today, there is no management integration between IronPort appliances and the other Cisco network security products. Even integration between the two IronPort appliances is weak. Although the M-Series appliance provides common management for IronPort appliances, the DLP policy is not synchronized between these two products, and there is no central quarantine. Cisco does not own an enterprise DLP solution offering of its own. However, it does integrate with EMC/ RSA. Organizations that have an enterprise EMC/RSA DLP deployment can manage DLP features incorporated in the IronPort offering, such as content/policy definition and event management via the enterprise console. The native IronPort DLP quarantine would benefit from a more-advanced capability, such as data redaction and more options for building cases. The IronPort management interface would benefit from a more flexible custom dashboard (although the reporting interface has dashboardlike functionality). 11

12 Clearswift Clearswift has an established presence in the protection market with small to midsize organizations primarily in the U.K., but with an expanding Asia/Pacific presence. It has also branched out to the SWG market. Clearswift offers a bare metal or VMware solution. The combination of these two products and the provision of good DLP capabilities across both channels make it a reasonable shortlist candidate for buyers in Europe, the Middle East and Africa (EMEA) looking for both solutions from the same vendor. Strengths Clearswift's Secure Gateway offers a clean and logical Web-based management interface and dashboard that manages Web and products. It is easy to use for nontechnical users, and it has a lot of context-sensitive recommendations and help functions. Clearswift exploits Commtouch for a portion of its anti-spam capability and recently upgraded to the most recent engine. The solution includes a "bulk " category, which is useful for reducing nuisance . The ImageLogic pornographic and registered image detection engine is a bonus, and bounce address tag validation (BATV) is supported. Policy development for content inspection/dlp is very good. Clearswift supports numerous policy constructs and lexicons (for example, the U.S. Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Payment Card Industry [PCI] standard, and the U.S. Securities and Exchange Commission, as well as accounting terms and stock market terms). Clearswift now offers on-box encryption with support for S/MIME, PGP and password-protected encryption with a built-in certificate store. Clearswift recently added end-user whitelists, policy audit logs, anti-spoofing for internal addresses, faster updates and on-box encryption (TLS, S/MIME, PGP and ad hoc encryption), as well as partnerships with Echoworx for enhanced encryption capabilities. Cautions New management at Clearswift is moving the company in the right direction, with a focus on the core and Web gateway business and improving customer support. However, it has yet to deliver industry-leading features and functionality that would enable it to break out of the EMEA small to midsize market. It does not offer a SaaS-based delivery model or vertical products such as archiving. As buyers increasingly look for more strategic integrated vendors, Clearswift will have a difficult time standing out in a crowded market. Although the interface is easy to use for nontechnical users, it is limited in detail for more-technical enterprise users. Ad hoc reporting is limited; it cannot limit administrator access to specific groups; it does not have a predeveloped ability to report on spam accuracy; and role-based administrator configuration is not reusable. DLP capability is improved with better workflow this year. However, it is still not delivering best-in-class capability. Enhancements are needed in the ability to describe sensitive content beyond regular expressions along with support for more advanced detection techniques, such as proximity rules and partial document matching. Policy management, workflow reporting and event management are rudimentary. 12

13 Image filtering is inherently prone to false positives. Clearswift prices are high relative to close competitors and SaaS services. The dashboard is limited to what is provided by the vendor and only includes four data graphs (CPU and Disk Usage, Message Queue Size, SMTP Connections and Connection Management). It does not provide an Outlook plug-in "is spam" button to simplify the reporting of false negatives. Fortinet Fortinet is a public company with a broad geographical market presence that offers a broad array of UTM and dedicated appliances for all organization sizes from SMBs to telecommunication carriers. It offers an array of anti-spam technology in various forms from client to unified threat management (UTM). This analysis, however, focuses on the dedicated SEG FortiMail appliances. FortiMail is a shortlist candidate for existing Fortinet customers or those looking for a firewall and SEG solution from the same vendor. Strengths FortiMail offers a very complete management interface that is similar to other Fortinet products. FortiMail provides strong high-availability and scalability features, such as native clustering, load balancing and high-throughput appliances, as well as UTM and client-based solutions. Any FortiMail can be a master and distribute configurations to peers/slaves. FortiManager can manage up to 40 Fortinet devices, and FortiAnalyzer provides centralized log storage dashboards and reporting. FortiMail offers an attractive price-to-performance value, with appliance-based, rather than user-based, service pricing. FortiMail provides on-box or off-box policy-based message archiving that is fully indexed and available from the FortiMail management interface. The product includes some basic DLP capability with RegEx matching via preconfigured and user-definable dictionary profiles. Identity-based encryption, which is now a part of the standard feature set, includes both pull and push modes. FortiMail also supports encryption using TLS and S/MIME. Cautions It is difficult for any company to compete in many markets and across many company segments, ranging from carriers to the small office/home office market, and to provide market-leading features in each market segment. Fortinet is no exception. The company is much better known for its firewall/utm market presence, and only a small percentage of its revenue is related to security. Fortinet's very rapid growth has resulted in inconsistent support and training experiences for customers and channel partners. The administration interface is not really user friendly and would benefit from enhanced search capability. The FortiAnalyzer component is required for in-depth, per-domain report and log access across multiple logs in a single interface. However, this component costs extra. 13

14 Fortinet uses its own antivirus technology, which is not tested in the numerous antivirus bake-offs, and it does not have a big research organization, especially when compared with the Leaders in this analysis or their partners. The addition of an optional third-party antivirus engine would be an improvement. Fortinet does not offer a hosted or managed service for security or encryption. DLP functionality is relatively basic and lacks good compliance workflow, notifications, partial document matching, delegated administration and hierarchical policies. DLP notifications employ static messages with currently no ability to dynamically modify the content. Google Google remains one of the market share leaders in the SaaS SEG market. It has a broad array of customers and a global presence. Innovation and feature development of in-the- SEG solutions have slowed since the company acquired Postini, and Google is struggling to find a successful support model, lowering its execution score this year. Google is a shortlist candidate for any size enterprise looking for a service delivery model, and it is a particularly good choice for organizations considering enterprise Gmail and other Google SaaS offerings. Strengths Google's core strength is in its easy-to-use but functional/rudimentary management interface. Features such as hierarchical policy administration, spam thresholds for different types of spam (sexual content, financial gain, special offers and racially insensitive content), a complete policy summary page with shortcuts to policy edits, granular user and company allow and block listing capability, and role-based administration are major benefits. Policy changes are automatically propagated and not subject to delays. Google also offers extensive routing options for a SaaS solution. Google has recently released a disaster recovery service that allows for a Web mail interface into a 25GB mail queue that allows to be read and sent in the event of a corporate mail server failure. Google released "Health Check," which shows best practices and recommended settings for Postini services to ease optimization and improved log search features since our last analysis. Directory synchronization is eased with on-premises software that integrates with local directories and cache change. Delta updates are provided via standard ports (XML over SSL). Google licenses some aspects of ZixCorp's service for encryption and provides rudimentary DLP capability with the ability to scan attachments for SSN and credit card numbers only. Google is one of the few providers in this analysis that also offers hosted mailbox services (enterprise Gmail). It also offers SaaS "office" suites (word processing, spreadsheet, calendar and collaboration), as well as Cisco's ScanSafe SaaS SWG solution. Google's price is typically very good compared with comparable services, especially for broad bundles of related services. 14

15 Cautions Numerous Gartner customers have complained about Google's support, and it scored poorly in support in an online survey of Google's reference customers. Users and partners advise that it is difficult to get Google support on the phone, and communications and problem resolutions are inconsistent in quality and speed. Google needs to invest in more direct technical support and rely less on online self-service resources and channel partners. Google has not significantly improved its management interface since it acquired Postini in 2007, and it is now overdue for a refresh. In particular, we would like to see better reporting (ad hoc reporting and scheduled distribution of saved reports) that is hyperlinked to the dashboard. Some customization of the dashboard, including shortcuts to specific functions, would be welcome. Reusable administrator profiles, centralized quarantine management, better search functionality, an Outlook plug-in to report spam and more object-oriented policies would be helpful as well. DLP functionality is very rudimentary and disappointing considering Google's experience in content analysis in its search capabilities. It lacks a preconfigured policy for common regulations, extensive dictionaries and number format lexicons for detecting Health Insurance Portability and Accountability Act (HIPAA)-protected health information. Google's policy is not object-oriented. The quarantine is not specific to the task and offers few features to ease compliance management. Not all ZixCorp encryption functionality is instrumented in the management interface. Some elements need to be set up via Google support. Google only discloses U.S. and EU data centers. Google does not offer many security assurances that are commonly offered by other providers, and it does not allow for site visits. As with other major service providers, it is likely that Google will continue to be a target of malicious attackers as it amasses more potentially lucrative information. M86 Security While there is still work to do, in 2010, M86 Security made very good progress converging its various acquisitions into a cohesive company, while retaining much of the acquired talent and bringing aboard new management to move the company to the next level. The M86 Security flagship offering, M86 MailMarshal Secure Gateway, which is a Windows-based SEG solution, is a good candidate for most organizations. Strengths The Windows-based management interface is capable and offers some advanced features, such as task shortcuts and support for batch file workflow commands (which is useful for automating order entry, or triggering actions based on content). Administrators can be restricted to view only managed group data. Reporting is done in a Web-based interface. Recent improvements include more options for end-user spam management and an update to the management console to show historical trends. The company provides its own anti-spam research and filtering engine and is increasing its investment in blended threat detection capabilities. By default, it uses an automatically updated whitelist of 15

16 communications recipients and connecting IP addresses to reduce false positives. Antivirus is provided by an option of Kaspersky, Sophos, McAfee or Norman. The M86 MailMarshal Content Manager, which is a Microsoft Exchange Hub Transport agent that allows the scanning of internal for compliance and policy purposes, was overhauled and relaunched in March Notable improvements include support for Microsoft Exchange 2010, enhanced reporting via Marshal Reporting Console (MRC), updated management tools and an improved content inspection engine. Encryption support includes native TLS and S/MIME. It partners with ZixCorp for pull (hosted) and push encryption. DLP capabilities include basic RegEx matching and identifying system-registered watermarks. They also include some predeveloped policies, dictionaries and number formats. Cautions M86 Security is not a well-known brand in this market, and the growth rate of the SEG part of its business has been very flat since our last analysis. M86 Security still has a lot of work to do to improve the management interface to match the Leaders, and integrate and rationalize its various corporate acquisitions into a cohesive company and easy-to-use product line. Currently, the solutions have three management interfaces: one for policy setting, one for help desk and one for reporting. Policy is a Windows application with lots of pop-up windows, while others have a more modern look and feel that is browser-based. Reporting is a Web-based solution, with yet another different look and feel, and there is very little linkage between products. The solution would benefit from an history summary for the help desk, rather than simply a window into the logs, which can be overly technical. There are limited dashboard elements and no hyperlinked drill-down into reports. Policy development requires multiple windows to complete or to audit. DLP capabilities are limited to a keyword analysis and do not include very many predefined policies, dictionaries or lexicons, nor do they offer much workflow support for compliance officers. caught by DLP policy is stored in standard spam-type quarantines with very limited specific actions for DLP. DLP capabilities are not consistent between the SEG and SWG solutions, and policy and dictionaries must be exported/imported between products to synchronize. M86 Security offers a SaaS service that is limited to New Zealand and the Australian markets. On-box encryption is limited to TLS. M86 Security also offers a S/MIME encryption in another solution and ZixCorp service, but neither provides integrated management or logs. McAfee McAfee has a broad range of endpoint and network security products. It is also one of the more established malware research groups. It offers both on-premises and SaaS-based SEG solutions. The company is now owned by Intel (see "Making Sense of Intel's Acquisition of McAfee"). McAfee is a candidate solution for enterprise buyers, especially those looking to consolidate security vendors. 16

17 Strengths McAfee has a formidable threat research team and is consolidating data from its numerous security services and products for real-time analysis of emerging threats. McAfee has two on-premises gateway solutions: McAfee Security Appliance and McAfee Gateway (formerly IronMail). All of the development resources for these two lines has been consolidated, and most of the improvements in the lineup are going into Security Appliances. The next major release (version 7) will combine the functionality of these products into a single solution due 3Q11. The McAfee Security Appliance Web-based management interface is complete with granular policy options and allows for customization of dashboard elements for each administrator. Message queues have now been consolidated in a single location, easing lost message search. McAfee's malware and spam-filtering capability is very strong. IP reputation (TrustedSource) results in up to 98% detection at the connection layer. The solution includes targeted threat detection capabilities, as well as protection for Outlook Web Access (OWA) and inotes transactions. McAfee recently adapted reputations to detect phishing messages based on specific message characteristics and URLs. Its native DLP capability is strong and leverages the capabilities of its stand-alone enterprise-class contentaware DLP offering. McAfee provides numerous predefined policies and dictionaries as part of the base product, and it supports self-defined content for policy creation. The solution supports delegated administration for distinct event viewing, along with the separation of duties. Basic encryption methods (TLS, S/MIME and PGP gateway encryption) are supported along with push (secure envelope) encryption, which was significantly improved in the latest version with an enhanced enduser interface and more options, including reply-and-recipient-initiated encrypted options. The solution is now very complete and is deployable on-box, rather than as a separate solution. It also supports the secure transfer of arbitrarily large files via its encrypted pull capability (hosted encryption). It can also be configured to automatically set up a pull-only encrypted based on a predetermined attachment size. The SaaS offering provides a simple, clean, Web-based interface that is very easy to use for managing Web and traffic. Ancillary services include archiving and continuity service with a 60-day rolling history. The service can lock message traffic to a specific geography to avoid processing traffic in foreign legal environments. Recent improvements include the additions of policy-based pull encryption (Echoworx), SPF validation, improved attachment scanning and DLP improvements. Cautions McAfee hasn't significantly expanded its market share in the enterprise SEG market since the Secure Computing acquisition, and it does not show up on Gartner client shortlists or competitive large enterprise deals, as often as we would expect, given McAfee's channel reach. The biggest problem with McAfee's solutions is the lack of integration or feature consistency across the three offerings. Most of McAfee's recent improvements in the past year have been on the Security and Web Appliance code base, and the SaaS service. The former IronMail product (now the MacAfee Gateway) has received little attention. McAfee will be integrating the two existing appliances in a single solution later in This new solution should streamline the product lineup, provide better integration, and 17

18 improve previous criticisms about management interface and reporting, which are common from reference customers and Gartner clients. It will be a critical test of McAfee's ability to merge the best features of these three different products to create a single solution. McAfee has to expand the global footprint of its data center to appeal to more international customers and global organizations. Currently, the service is only hosted in seven geographies (U.S., China/Hong Kong, Japan, New Zealand, Australia, England and the Netherlands). The McAfee network security portfolio is less well-aligned with Intel's priorities and is less likely to receive future management attention and resources. Customers and buyers must demand road maps with firm delivery commitments and monitor McAfee's fulfillment. Microsoft Microsoft offers two complementary security solutions. Its flagship product is Forefront Online Protection for Exchange (FOPE), which is a SaaS-based solution. Forefront Protection 2010 for Exchange Server (FPE) is a software solution that is run on Exchange. FOPE is a good shortlist inclusion, especially for Microsoft-centric customers that purchase premium licensing. It is a default choice for organizations considering Microsoft's Exchange Online or the Office 365 suite. Enterprise buyers should consider FPE primarily as an additional layer of antivirus protection for the Exchange message store and for internal federated Exchange filtering, rather than a stand-alone SEG solution. Strengths FOPE is a multitenancy SAS infrastructure where each data center has a copy of the customer's data, allowing for continuous uptime, even in the event of a data center failure. Mail-processing data centers are located in the U.S. and Europe. Microsoft supports guaranteed "in-geography" mail processing for its U.S. customers that do not want mail to be processed in other countries. Microsoft made improvements to message trace, management integration with Exchange Online, delegated administrator access, URL database quality and routing since our last analysis. Exchange, Outlook, and the FOPE and Exchange Hosted Encryption (EHE) network all support TLS, S/MIME and PGP. FOPE also offers a Hosted Encryption solution that is built on Voltage Security's certificateless identity-based encryption (IBE) technology. FOPE supports large file attachment transfer up to 150MB. Microsoft released the Forefront Protection Server Management Console 2010 (FPSMC) a free download that provides multiserver management for FPE 2010 and Forefront Protection 2010 for SharePoint (FPSP 2010). It also integrates with the FOPE Administration Center. FPE is useful on an Exchange hub for internal spam and virus filtering. Microsoft's security solutions are part of the enterprise client access license (CAL), the Exchange Enterprise CAL and the Forefront Protection Suite. A large number of customers already pay for components of Microsoft's security solutions but have not deployed them. Users should check their license entitlements before they consider alternatives. Exchange Online Archiving (which replaces the previous Exchange Hosted Archive offering) is available as an optional service for Web-based archiving of , IM and other items. EOA is for on-premises Exchange 18

19 2010 mailboxes. Alternatively, Exchange Online (on the Office 365 platform) will include basic archiving or advanced archiving depending on the version purchased. Microsoft is improving its reputation for delivering solid and well-integrated security capabilities and regaining the trust of enterprise organizations. Cautions Despite recent improvements, Microsoft is still not on the leading edge of user interface reporting or functional capabilities. FOPE still does not allow end users to create their own safe senders (allow list) through the Web portal (although Outlook and Exchange Server support safe senders, and administrators can set up a per-user "Allow Policy" and synchronize via directory synchronization) or consolidated quarantine for aliases and distribution lists. There is no ad hoc reporting capability (only filtered versions of existing reports). FOPE does not allow for individual-user spam thresholds for different categories of spam. It doesn't allow for an AD group-specific disclaimer (although the solution does include the ability to set up virtual domains to segment users for policy purposes). Management integration of the various Microsoft components is still fractured. For example, FPE and the Exchange Edge role have different interfaces for managing MTA functionality versus competitive integrated appliances. We anticipate tighter future integration with the recent integration of the Forefront organization unit at Microsoft with the Office business unit, which includes the Exchange team. Microsoft only has data centers in the U.S. and EU, and in-geography-only routing is only available in the U.S. Buyers that have not standardized on Active Directory require Forefront identity manager to consolidate directories in a single addressable entity for synchronization with the service. The DLP capability for FPE is limited to keyword and regular expression searching, and FOPE DLP only includes a single predefined policy (HIPAA). Microsoft cannot scan within attachments for DLP violations and only uses true-type file detection for executable files. It does not have a DLP quarantine that is optimized for compliance workflow. The announcement of an OEM deal with EMC/RSA for its DLP capabilities several years ago still has yet to manifest itself in a functionality offering. Some customers complained that policy changes take some time to propagate through the network, and that they would like a feedback loop to certify that the changes have been implemented. The FOPE spam detection SLA at 98% is lower than the industry norm of 99%. It does not offer a disaster recovery/continuity service. Proofpoint Proofpoint, a private California-based company, is the last remaining dedicated SEG provider in this analysis. It continues to lead the market with innovative features and a broad range of solutions, including archiving, e- discovery, large file transfer and mailbox hosting. Proofpoint increased in execution this year due to a combination of a high growth rate relative to peers, dedicated focus on security issues and continued product enhancements. Proofpoint is a very good candidate for organizations looking for a full range of best-ofbreed SEG functionality in supported geographies. 19

20 Strengths Proofpoint's flagship security solution (Proofpoint Enterprise) is available as a hosted service; as onpremises appliances, virtual (VMware) appliances and software; or as a hybrid combination of these versions. Spam and malware accuracy has always been a consistent strength of Proofpoint, and the company is one of the few that publicly reports its anti-spam effectiveness (see livespamstats.php). Proofpoint recently added DKIM verification. The company continues to invest in new techniques for spam and phishing detection, including a machine-learning classifier for phishing and improved URL link inspection. Proofpoint provides spam classifiers (adult, bulk mail, phish and suspected spam) to enable more granular policy. Its Web-based management interface is one of the best in this market, with numerous innovations and unique features. We particularly like the Ajax-based dashboards that are completely customizable for each administrator. All reports are available as a dashboard widget. The Proofpoint information channel provides Really Simple Syndication feed news items on global threats or product information. Administrators have complete control over the look and feel of the end-user quarantine and secure interface, including color logos, terms, field identifiers, help content and support for numerous languages. Proofpoint offers integrated, push policy-based encryption that incorporates the features traditionally associated with pull offerings, which is optimized for mobile devices. The solution also supports TLS, S/ MIME and PGP secure delivery. DLP features are very strong and include numerous prebuilt policies, dictionaries, number identifiers and integrated policy-based encryption. Policy development is object-oriented and similar across spam and DLP. The DLP quarantine is very sophisticated for a channel solution, and it includes highlighted policy violations and the ability to add comments to incidents. DLP policy can be enforced on Web traffic via a dedicated network sniffer or ICAP integration with a proxy server. The SaaS service provides the same controls and policies as the on-premises appliance, including bidirectional spam filtering and outbound DLP functions. The installed base for this offering is expanding among G2000 customers, including some very large enterprises. Cautions Proofpoint's dedicated focus on is both a strength and a weakness. Although it continues to define best-of-breed functionality, in a rapidly maturing market, best of breed often becomes overkill to some customers. Concurrently, numerous enterprise buyers are looking for opportunities to consolidate product purchases around fewer, more strategic vendors. Proofpoint is not able to offer product breadth horizontally, such as SWG solutions, nor is it able to offer indepth integrated products, such as enterprise DLP that goes beyond the and Web channel. Despite good growth rates, Proofpoint continues to have a smaller market and mind share, compared with early market competitors. Proofpoint needs to improve its delivery through the channel, rather than its dedicated sales force to accelerated market share growth, especially outside North America. 20