Magic Quadrant for Secure Gateways

Transcription

1 Magic Quadrant for Secure Gateways Gartner RAS Core Research Note G , Peter Firstbrook, Eric Ouellet, 27 April 2010, R The security market is very mature. Targeted phishing detection, outbound inspection, encryption and delivery form factor are the major differentiators. WHAT YOU NEED TO KNOW The security market is very mature, and there has been minimal vendor movement in the Magic Quadrant since our last analysis. Spam-filtering effectiveness is at an acceptable rate for most organizations. Inbound improvements are still needed to detect targeted phishing s, which are an increasing problem. Content-aware data loss prevention (DLP) that includes numerous prebuilt dictionaries and regulatory policies is a significant differentiator; however, buyers must understand how these capabilities will be used in context of the broader enterprise DLP strategy. Policy-based encryption is an increasingly important capability and a significant differentiator of leading products. security solutions are available in various delivery models. Appliances and security as a service (SecaaS) are the most popular, but the availability of hybrid (combination of on-premises and SecaaS) and virtual appliances is increasing. The breadth of the product portfolio is also an important consideration as organizations look to consolidate security buying around fewer, more-strategic vendors, especially in mature product domains. MAGIC QUADRANT Market Overview The market for secure gateways (SEGs) has matured considerably since our last Magic Quadrant. The penetration rate of SEG capability among Gartner enterprise customers is close to 100%. Few new vendors are moving into the market, and merger and acquisition activity has slowed considerably, as the Leaders quadrant fills up with strategic vendors with broad portfolios and formidable sales channels. Basic spam and virus detection effectiveness is 99% or more for almost all the vendors in this analysis. Although spam detection effectiveness is not perfect, it is within acceptable limits for most organizations, and buying activity is limited to organizations that are replacing aging appliances or are at contract termination.

2 2 Although high-volume spam campaigns are getting easier to filter out, one area of deficiency in spam-related functionality is the ability to detect highly targeted phishing attacks. Most solutions rely heavily on reputation and are good at catching highvolume attacks, but few have adapted to changing attack patterns that are more sophisticated. Because reputation filtering is responsible for 80% to 90% of rejections at the gateway, organizations must be careful to protect their own reputations. An increasingly common attack method is to get credentialed access to systems via targeted phishing attacks seeking employees Outlook Web Access (OWA) user names and passwords. Attackers then exploit the lack of outbound spam detection or message throttling on corporate systems to send spam, damaging the victim organization s reputation. In 2010, vendors will have to improve their defenses by improving outbound spam detection and throttling policy options, as well as by improving their effectiveness against highly targeted phishing attacks. Figure 1. Magic Quadrant for Secure Gateways ability to execute challengers SonicWALL Trend Micro Barracuda Networks Fortinet Messaging Architects PineApp leaders Cisco/IronPort Symantec Microsoft Google/Postini McAfee Proofpoint Websense M86 Security Clearswift Webroot WatchGuard One area of significant differentiation among products in this analysis is in outbound security features, such as content-aware DLP and encryption both of which are critical for intellectual property protection and privacy-related regulatory compliance. Source: Gartner (April 2010) DLP provides content inspection of an s body text, headers and attachments to identify sensitive information. Support for advanced DLP capabilities beyond straightforward regular expression (RegEx) matching such as partial/exact document matching, fingerprint matching, structured data fingerprinting, statistical detection techniques, proximity matching and machine learning will be a key differentiator in some deployment scenarios to support intellectual property protection and to reduce the number of false positives. However, for most buyers, the inclusion of a predefined policy that meets regulatory requirements, thus simplifying the implementation, will be a bigger differentiator. Buyers must consider how native SEG DLP features will fit within broader enterprise DLP strategies. Integrated encryption (see Note 1 and Note 2) that can easily secure sensitive content for any recipient is a mandatory requirement for compliance. On-box or hosted encryption from the same vendor is the most desirable; however, partnerships are also often acceptable. Hosted encryption solutions are gaining niche players visionaries completeness of vision As of April 2010 traction as organizations gain more experience with the actual administrative cost of encryption support. Hosted solutions can drastically reduce the costs of encryption solutions. Gartner clients consistently report that the number of users who require encryption services are typically less than 10% of the overall user population, so buyers are cautioned not to overbuy this service. Product form-factor options continue to be a significant differentiator. SecaaS offerings that put all filtering in the cloud along with ancillary services, such as archiving, backup mailboxes and Web filtering are increasingly popular among larger enterprise buyers, and should be the default form factor for smaller organizations. Leading vendors are all acquiring or building their own SecaaS solutions. Virtual appliances are also getting more attention due to data center consolidation projects and 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner s research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

3 Note 1. Encryption Options encryption options typically offered by vendors in this market include: Push options An encrypted message is sent to recipients PC or mail systems: Transport Layer Security (TLS): Session-level encryption between two servers. SSL/TLS link encryption between mail domains: s are only encrypted over this link and are in plain text from the termination point of the SSL/TLS link onward. S/MIME: This industry standard is for the encryption of using standard delivery infrastructures. Pretty Good Privacy (PGP)/Open PGP: This industry standard is for the encryption of using standard delivery infrastructures. Pull options Recipients pick up encrypted contents in a Web transaction: A recipient receives a plain text message with a URL directing him or her to the encryption Web service. Users log in to the service and can read/reply to s and also download attachments. The Web service that holds the for pickup can be in the SEG solution or in another box on the sending party s premises, or it can be hosted in a third-party data center by a service provider. Hybrid option This combines push/pull functionality. The entire content ( body and attachments) is sent to the recipient in one encrypted message. Access to the decryption client software and decryption keys is usually obtained from the login and authenticating to a secure portal. Note 2. Third-Party Solution Providers Many of the vendors included in this Magic Quadrant license or resell encryption from dedicated encryption vendors. Provided below is a highlight of the most common vendors that have partnerships within the SEG vendors in this report: PGP ( is a venture-funded organization that repurchased a number of PGP assets previously sold to Network Associates. It supports a wide diversity of encryption-related solutions, including key management, desktop encryption, file and folder encryption, and encryption. Its solutions support all push (TLS, S/MIME, PGP/OpenPGP) and pull encrypted delivery models. Its solutions support mobile devices. Voltage Security ( which was founded in 2002, is a privately held, venture-capitalbacked organization that started as an encryption solution provider. Throughout the years, it has expanded its product portfolio and now offers a diverse range of encryption-related solutions, including key management, database encryption, file and document encryption, and data tokenization using IBE and other proprietary technologies. Its encryption solutions support all push (TLS, S/MIME, PGP/OpenPGP and IBE) and pull encrypted delivery models. Its solutions support mobile devices. ZixCorp ( is a U.S.-based publicly traded organization that focuses on outsourced encrypted solutions (including a hybrid model where an appliance typically resides within the client premises, as well as a fully outsourced service). With more than 20 million encrypted addresses under management, ZixCorp is, by a wide margin, the leading service provider in this category. Target industries for its solutions include financial, healthcare, government and SMBs. Its solutions support all push (TLS, S/MIME, PGP/OpenPGP) and pull encrypted delivery models. Its solutions support mobile devices. 3 growing virtual server production acceptance. At a minimum, virtual appliances allow for easy testing of prospective solutions, and for inexpensive standby servers. We have been advising buyers to consider SEGs and secure Web gateway (SWG) purchases together to save costs and improve DLP and communications policy reuse across these two critical channels. As more and more communication traffic moves to Webbased channels, such as social networking, instant messaging, voice over IP (VoIP) and Web conferencing, managing and securing these channels will necessitate improved convergence between these tools. Most of the leading vendors participate in both markets. Organizations with less than 1,000 seats are already attracted to the SWG offerings of their incumbent providers. However, many larger organizations have different buying centers and consider these domains separately. Larger organizations must take Web communication channels into consideration when they plan their security solutions. Market Definition/Description The SEG market (previously called the security boundary market by Gartner) is defined by solutions that provide enterprise message transfer agent (MTA) capabilities, offer protection against

4 4 inbound and outbound threats (such as spam, phishing attacks and malware), and satisfy outbound corporate and regulatory policy requirements. SEG solutions can be offered in the form of appliances or software that goes on customer premises, hosted solutions that reside in solution providers data centers, or multitenancy SecaaS that exists in multiple data centers around the globe. Unified threat management (UTM) devices that combine firewalls with some spam filtering are not included in this market. The total market size was roughly $1.5 billion in 2009, and was growing at approximately 10%. We expect the growth rate in 2010 to decline to 8% due to market saturation, increased bundling/suite deals and intense competition among market leaders. Inclusion and Exclusion Criteria The solution must have its own proprietary capabilities to block or filter unwanted traffic. Supplementing it with third-party technology is acceptable. The solution must provide virus scanning via its own or a third-party antivirus engine. The solution must provide basic intrusion prevention. The solution must offer encryption functionality beyond Transport Layer Security (TLS) on its own or via a third-party relationship. The solution must offer the ability to scan outbound according to a set of basic vendor-supplied dictionaries and common identifiers (for example, U.S. Social Security number [SSN], credit card, bank account and routing numbers). Vendors must have at least 2,000 direct (not via OEM) enterprise customers in production for their security boundary products. Multifunction firewalls (also known as UTM devices) are outside the scope of this analysis. These devices are traditional network firewalls that also combine numerous network security technologies such as anti-spam, antivirus, network intrusion prevention system and URL filtering into a single box. Multifunction firewalls are compelling for the small or midsize business (SMB) and branch-office markets; however, in most circumstances, enterprise buyers do not consider multifunction firewalls as replacements for SEGs. Added Fortinet was added to this Magic Quadrant. Dropped MessageLabs was acquired by Symantec; MX Logic and Secure Computing were acquired by McAfee; and BorderWare was acquired by WatchGuard. These products now appear under the parent companies. Sophos was dropped because the company is no longer focused on this market. Marshal has been renamed M86 Security. Evaluation Criteria Ability to Execute Vertical positioning on the Ability to Execute axis was determined by evaluating the following factors: Overall viability was given a heavy weighting, because this is a mature and saturated market. Overall viability was considered not only in terms of the overall company revenue, channel reach, management team and resources of the vendor, but also in terms of the importance of the security unit at each company. Sales execution/pricing scores reflected a comparison of pricing relative to the market. Market responsiveness and track record measured the speed in which the vendor has spotted a market shift and produced a product that potential customers are looking for, as well as the size of the vendor s installed base relative to the amount of time the product has been on the market. This weighting takes into account a vendor s performance over time, but performance during the past 18 months was evaluated most significantly. Customer experience measured the quality of the customer experience based on reference calls and Gartner client teleconferences. We incorporated research and reference call data on support responsiveness and timeliness, quality of releases and patches, and general experiences when installing and managing the product and service on a day-to-day basis. The operations score reflects the corporate resources (in other words, management, business facilities, threat research, and support and distribution infrastructure) that the SEG business unit can draw on to improve product functionality, marketing and sales. We also took into consideration the focus and transitions of the teams in charge of engineering, management, marketing and sales for the relevant product lines. Table 1. Ability to Execute Evaluation Criteria Evaluation Criteria Product/Service Overall Viability (Business Unit, Financial, Strategy, Organization) Sales Execution/Pricing Market Responsiveness and Track Record Marketing Execution Customer Experience Operations Source: Gartner (April 2010) Weighting Standard High Standard High Standard High Standard

5 Completeness of Vision The Completeness of Vision axis captures the technical quality and breadth of the product, and the vendor s organizational characteristics that will lead to higher product satisfaction among midsize to large enterprise customers, such as how well the vendor understands this market, its history of innovation, and its geographic presence. In market understanding, we ranked vendors on the strength of their commitment to this market in the form of strong product management, their vision for this market and the degree to which their road maps reflect a solid commitment of resources to achieve that vision. We heavily weighted the product features of the vendors flagship solutions in the Completeness of Vision criteria. Product features that Gartner deemed the most important were: Anti-spam/phishing effectiveness and investment in malware research Management and reporting functionality DLP capabilities Encryption capabilities Delivery form-factor options Other functionality or solutions relevant to the buyer in the target market of the supplier, such as archiving, disaster recovery and file transfer, were also taken into account. Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Market Understanding Marketing Strategy Weighting Standard No rating Leaders Leaders are performing well, have a clear vision of market direction and are actively building competencies to sustain their leadership positions in the market. Companies in this quadrant offer a comprehensive and proficient range of security functionality, and show evidence of superior vision and execution for current and anticipated customer requirements. Leaders typically have a relatively high market share and/or strong revenue growth, own a good portion of their threat or content-filtering capabilities, and demonstrate positive customer feedback for anti-spam efficacy, and related service and support. Challengers Challengers execute well, but they have a less-defined view of market direction, and, therefore, they may not be aggressive in preparing for the future. Companies in this quadrant typically have strong execution capabilities, evidenced by financial resources, a significant sales and brand presence garnered from the company as a whole, or other factors. However, challengers have not demonstrated as rich a capability or track record for their security product portfolios as vendors in the Leaders quadrant. Visionaries Visionaries have a clear vision of market direction and are focused on preparing for that, but they may be challenged to execute against that vision because of undercapitalization, market presence or experience, size, scope, and so forth. Niche Players Niche players focus on a particular segment of the client base, as defined by characteristics such as a specific geographic delivery capability or dedication to a more-limited product set. Their ability to outperform or be innovative may be affected by this narrow focus. Vendors in this quadrant may have a small installed base, or be limited, according to Gartner s criteria, by a number of factors. These factors may include limited investment or capability to provide security threat detection organically, a geographically limited footprint, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on the vendor s value in the more narrowly focused market they service. 5 Sales Strategy Offering (Product) Strategy Business Model Vertical/Industry Strategy Innovation Geographic Strategy Source: Gartner (April 2010) No rating High No rating No rating Standard Standard Vendor and Barracuda Networks Barracuda Networks is a private California-based company that has focused on producing a range of economical appliance-based solutions that are easy to use. Barracuda s solutions are aimed squarely at cost-conscious SMBs, as well as educational and government institutions, but Barracuda is starting to address larger enterprises and service provider markets. Barracuda leverages the open-source and white hat community for its anti-spam technology, along with its own growing security lab. It is one of the few vendors that has a false positive/negative report to monitor spam detection quality.

6 6 Barracuda has branched out into other markets, including archiving, SWG, bandwidth management, backup and Web application firewall appliance. The recent acquisition of Purewire gives Barracuda an emerging SecaaS capability in the SWG market that it will be able to leverage to gain an SEG SecaaS capability. The Web-based management interface is designed to be easy to configure, even for nontechnical users, with numerous wizards, context-sensitive help, and clearly visible recommended settings and explanations. It has a very good message-tracking search capability, with granular filters, and fast drill-down into message and header details and log content, as well as contextual right-mouse-click action options. We also like its ability to delegate quarantine management. Barracuda Control Center can manage multiple boxes for configuration and reporting. Attachments can be quarantined and checked against a cloud-based signature database, which reduces the signature distribution lag time. Service prices are per box, rather than per user, making Barracuda a price leader. Barracuda only offers appliance-based solutions. SecaaS is expected based on the Purewire platform, but Purewire was only an emerging U.S. startup, so Barracuda will need to invest considerable resources in building the product and its global presence. (A virtual version is due in 2Q10.) The management platform is designed for Barracuda s core SMB market. Advanced features for enterprise users are missing, such as dashboard customization capacity, a hyperlinked drill-down, a reusable object-oriented policy, granular role-based administration, group-level-only data access, directory synchronization and a group-level policy. Its encryption capability is very weak (TLS-only) and lacks support for a conditional TLS policy. It does not support other push or pull (hosted encryption) mail offerings. This is an important criterion for organizations in need of supporting encrypted ad hoc business-to-consumer (B2C) communications. DLP is limited to keyword and RegEx filtering. It is not very flexible. Although it includes four predefined dictionaries, each policy requires its own dictionary. It cannot search inside attachments (due 3Q10). Barracuda Control Center does not yet manage the full suite of appliance offerings. Cisco/IronPort Cisco continues to dominate the market for dedicated on-premises solutions for midsize to large organizations. The company s consolidation of malware research groups into a more cohesive unit analyzing the vast amount of data from its ISP and enterprise customers across a range of network-based products is providing improved native malware intelligence. Cisco also enjoys strategic vendor status with many of its customers and is well-respected in the core network buying centers. Cisco is a good choice for midsize to large enterprise customers looking for appliance form factors. Cisco/IronPort appliances continue to deliver very good spam and virus efficacy, with solid scalability/reliability and very granular MTA control capabilities. The management interface is easy to use and provides deep policy control. Improvements since our last analysis focused on enhancing IronPort s DLP capabilities via the full integration of the DLP components from its partnership with EMC/RSA, as well as enhancing role-based administration flexibility, mass marketing or bulk-mail protection, targeted phishing detection, and SMS spam detection. The PostX acquisition provides IronPort with very flexible, fully integrated native policy-based encryption delivered on-box or as a service with support for secure delivery via TLS, S/MIME and PGP (see Note 1), along with hosted pull scenarios. IronPort s support for secure bulk mailings and e-statement delivery will appeal to organizations with a need for frequent secure B2C communications. IronPort benefits from Cisco s installed base of network security appliances and the ScanSafe SecaaS SWG to collect a massive amount of Internet traffic information to spot new trends. Moreover, Cisco s broad array of network security components (firewalls, IPSs, SWGs and routers) makes it a strategic vendor for organizations looking to consolidate buying around fewer security vendors. IronPort offers integrated content-aware DLP capabilities with numerous (120) predefined policies and identifiers. The policy interface is complete and easy to use. Policy violations are scored on a severity scale of 1 to 5 and can have different disposition actions based on severity. The DLP quarantine can be encrypted for extra data protection. IronPort supports the secure transfer of arbitrarily large file attachments via its encrypted pull capability (hosted encryption).

7 In 2009, Cisco launched its hosted security service. The acquisition of ScanSafe in late 2009 provides Cisco with an extensive data center footprint (13 data centers), and a provisioning and management framework for future , Web and other SecaaS offerings. Cisco s acquisition of PostPath which provides hosted boxes, WebEx and ScanSafe combined with Cisco s native VoIP and security solutions, as well as Cisco s emerging Nexus data center virtualization program, provide it with considerable resources to create a comprehensive servicebased collaboration suite. Despite Cisco s deep product and technology offerings, it still has significant work to do to integrate the various components into a comprehensive integrated suite. Today, there is no management integration between IronPort appliances and the other Cisco network security products. Even integration between the two IronPort appliances is weak. Although the M-Series appliance provides common management for IronPort appliances, the DLP policy is not synchronized between these two products, and there is no central quarantine. Cisco does not have an enterprise DLP solution offering of its own; however, it does integrate with EMC/RSA. Organizations that have an enterprise EMC/RSA DLP deployment can manage DLP features incorporated into the IronPort offering, such as content/policy definition and event management via the enterprise console. The native IronPort DLP quarantine would benefit from a more-advanced capability, such as data redaction and more options for building cases. IronPort s focus on the needs of large enterprises doesn t always scale down well for the midsize organization. Cisco s hosted offering is very new and only available in the U.S. so far. It does not offer any virtual appliances or blade server appliances yet. Clearswift s Secure Gateway offers a clean and logical Web-based management interface and dashboard that manages Web and products. It is easy to use for nontechnical users, and it has a lot of context-sensitive recommendations and help functions. The image manager (software-only) pornographic-imagedetection engine is a bonus, and bounce address tag validation (BATV) is supported. Policy development for content inspection/dlp is very good. Clearswift supports numerous policy constructs and lexicons (for example, the U.S. Sarbanes-Oxley Act, the Gramm-Leach- Bliley Act, the Payment Card Industry [PCI] standard, and the U.S. Securities and Exchange Commission, as well as accounting terms and stock-market terms). Enhanced DLP capabilities, such as partial document matching, are supported with CONTENTsafe server extension. Clearswift recently added end-user whitelists, policy audit logs, anti-spoofing for internal addresses, faster updates and on-box encryption (TLS, S/MIME, PGP and ad hoc encryption). Despite its long history in this market, Clearswift has failed to execute consistently or deliver industry-leading features and functionality that would enable it to break out of the EMEA small to midsize market. Although the interface is easy to use for nontechnical users, it is limited in detail for more-technical enterprise users. Ad hoc reporting is limited, it cannot limit administrator access to specific groups, it does not have a predeveloped ability to report on spam accuracy, and role-based administrator configuration is not reusable. 7 The IronPort management interface would benefit from a moreflexible custom dashboard (although the reporting interface has dashboardlike functionality), and more-granular/reusable rolebased administration that limits administrator access-managed group data only. Cisco does not have an archive solution. Clearswift U.K.-based Clearswift has an established presence in the protection market with small to midsize organizations that are mostly in the U.K. It branched out into the SWG market. The combination of these two products and the provision of good DLP capabilities across both channels make it a reasonable shortlist inclusion for buyers in Europe, the Middle East and Africa (EMEA) looking for both solutions from the same vendor. Considering how long Clearswift has been offering a DLP capability, it has not advanced to best-in-class capability and continues to lack a comprehensive compliance workflow management interface. Image filtering is inherently prone to false positives. Common reporting across and Web appliances is not complete (improvements are due in late 2010). An encryption capability does not support a pull (hosted encryption) option. This is an important criterion for organizations in need of supporting encrypted ad hoc B2C communications. The solution provides limited large file transfer capabilities. Clearswift is planning on making improvements in 3Q10 that may address some of these limitations.

8 8 Fortinet Fortinet offers a broad array of UTM and dedicated appliances for all organization sizes from SMBs to telecommunication carriers. It offers an array of anti-spam technology in various forms from client to UTM. This analysis, however, focuses on the dedicated SEG FortiMail appliances. FortiMail is a reasonable shortlist inclusion for existing Fortinet customers. Fortinet provides strong high-availability and scalability features, such as native clustering, load balancing and high-throughput appliances, as well as UTM and client-based solutions. It is a public company with a broad geographical market presence. Fortinet offers an attractive price-to-performance value, with no user-based service pricing. FortiMail provides on-box or off-box policy-based message archiving that is fully indexed and available from the FortiMail management interface. The product includes some basic DLP capability with RegEx matching via preconfigured and user-definable dictionary profiles. FortiMail supports encryption using TLS and S/MIME. It is difficult for any company to compete in many markets and across many company segments ranging from carriers to the small office/home office market, and to provide market-leading features in each market segment, and Fortinet is no exception. The company is much better known for its firewall/utm market presence, and only a small percentage of its revenue is related to security. Fortinet s published detection rates are below the best-of-breed average for detection rates. The FortiMail appliance does not support PGP or pull (hosted encryption). This is an important criterion for organizations in need of supporting ad hoc B2C communications. (The FortiMail v4.1, which is due by 3Q10, adds identity-based encryption, including push and pull encryption.) Fortinet does not offer a managed service for security or encryption. DLP functionality is relatively basic and lacks partial document matching, delegated administration or hierarchical policies. FortiAnalyzer is required for in-depth, per-domain report and log access, with both short- and long-term trended analysis of all statistics. Google/Postini Google remains one of the market share leaders in the SecaaS SEG market. It has a broad array of customers and a global presence. Although innovation in the SEG solution has slowed since the company acquired Postini, it remains a good choice for any size enterprise looking for a service delivery model, and is a particularly good choice for organizations considering enterprise Gmail and other Google SecaaS offerings. Spam and virus filtering have been consistently rated as being very high. Google s core strength is in its easy-to-use but functional/ rudimentary management interface. Features such hierarchical policy administration, spam thresholds for different types of spam (for example, sexual content, financial gain, special offers and racially insensitive content), a complete policy summary page with shortcuts to policy edits, and rolebased administration are major benefits. Policy changes are automatically propagated and not subject to delays. Google offers extensive routing options for a SecaaS solution. Google has recently released two significant enhancements to its management console: Log Search and Health Check. Through Log Search, log data is encrypted with a customer key, and is stored and accessed on Google s service infrastructure. Health Check allows administrators to triage spam and virus issues to give them an overview of what needs to be addressed in their configurations. Directory synchronization is eased with on-premises software that integrates with local directories and cache change. Delta updates are provided via standard ports (XML over SLL). Google licenses some aspects of ZixCorp s service for encryption, and provides rudimentary DLP capability with the ability to scan attachments for SSN and credit card numbers only. Google is one of the few providers in this analysis that also offers hosted mailbox services (enterprise Gmail). It also offers an expanding array of SaaS office suites (for example, word processing, spreadsheet, calendar and collaboration), as well as Cisco s ScanSafe SecaaS SWG solution. Google s price is typically very good compared with comparable services, especially for broad bundles of related services.

9 Google has not significantly improved its management interface since it acquired Postini in 2007, and it is now overdue for a refresh. In particular, we would like to see better reporting (ad hoc reporting scheduled distribution of saved reports) that is hyperlinked to the dashboard. Google is planning on redesigning the reporting interface based on Google Analytics later in Some customization of the dashboard, including shortcuts to specific functions, would be welcome. Reusable administrator profiles, an Outlook plug-in to report spam and more object-oriented policies would be helpful as well. Web security gateway products and services, and its flagship MailMarshal appliance is a reasonable shortlist inclusion in supported geographies. The Windows-based management interface is very complete and offers some advanced features, such as task shortcuts and support for batch file workflow commands (it is useful for automating order entry). Administrators can be restricted to view only managed group data. Reporting is done in a Webbased interface. 9 Despite the increasing array of Google SecaaS offerings, it is still lacking in continuity services (due in 2H10). Its archiving service is very good, but it lacks the ability to import legacy data, which makes it less appealing to migrating customers. DLP functionality is very rudimentary and disappointing considering Google s experience in content analysis in its search capabilities. It lacks a preconfigured policy for common regulations, extensive dictionaries and number formatenhanced lexicons for detecting Health Insurance Portability and Accountability Act (HIPAA)-protected health information. PCI data is planned for later in Google s policy is not objectoriented. The quarantine is not specific to the task and offers few features to ease compliance management. Not all ZixCorp encryption functionality is instrumented in the management interface. Some elements need to be set up via Google. Google could improve its support. Recent outages and mail delays caused significant disruption for some customers, and communication with affected customers should have been much better handled. Google needs to invest in more telephone technical support and to rely less on online self-service resources. Google is not open with many security assurances that are commonly offered by other providers (it does not allow for site visits, and it does not disclose the location of its data centers). Google (along with numerous other companies) was a target of a recent high-profile attack (aka Aurora) against some specific consumer boxes. Although there was no compromise of the SEG service or enterprise Gmail, it is likely that Google will continue to be a target as it amasses more potentially lucrative information. M86 Security In November 2008, U.K.-based Marshal merged with 8e6 Technologies to become Marshal8e6. In April 2009, Marshal8e6 acquired Avinti, and in September, it renamed itself M86 Security. In November 2009, M86 announced its acquisition of Finjan. M86 s strategy of acquiring good malware detection technology will help with malware detection accuracy. M86 offers and The company has strong anti-spam effectiveness and increased investment in blended threat detection capabilities. By default, it uses an automatically updated whitelist of communications recipients and connecting IP addresses to reduce false positives. Encryption support includes native TLS and S/MIME. It partners with ZixCorp for pull (hosted) encryption. DLP capabilities include basic RegEx matching and identifying system-registered watermarks. They also include numerous predeveloped policies, dictionaries and number formats. M86 launched a hosted security service in Asia/Pacific in 2009, and is currently rolling out the service in U.S. and U.K. data centers to add to its appliance and Windows softwarebased solutions. M86 still has a lot of work to do to improve the management interface to match leaders, and to integrate and rationalize its various corporate acquisitions into a cohesive company and easy-to-use product line. The growth rate of the SEG in the enterprise has been very flat since our last report, and the company does not enjoy significant market or mind share outside of Marshal s native Asia/Pacific region. DLP capabilities are not consistent between the SEG and SWG solutions. The DLP rules defined in MailMarshal must be exported to WebMarshal. Reporting and configuration are in two separate applications, and have a different look and feel. There are limited dashboard elements and no hyperlinked drill-down into reports. Policy development requires multiple windows to complete or to audit. The hosted solutions are brand-new and are only available in Asia/Pacific (expected to expand to the U.S. and U.K. during 2010). The predominant installed base is still on the Windows version of the product, rather than the appliances.

10 10 It lacks PGP and large-file attachment encryption support. McAfee McAfee continues to execute on its strategy to offer a complete range of infrastructure and data protection offerings. It has one of the more-established malware research groups, and is improving its malware and spam detection effectiveness by analyzing data feeds from numerous channels and products, and doing more-effective correlation. The company moved into the Leaders quadrant in this analysis due to the acquisition of a SecaaS SEG provider MXlogic in 2009 and the acquisition of Secure Computing in McAfee is a very strong choice for all enterprise buyers, especially those looking to consolidate security vendors. Integration is still ongoing. Each solution offers its own DLP engine without a common level of capabilities or a common look and feel. epolicy Orchestrator (epo) management integration and look-and-feel synchronization are ongoing. Reporting is synchronized with the SWG, and executive reporting, trending and notifications are integrated into EPO. It is not clear that EPO will be able to scale to handle the moreverbose and expanding McAfee network devices. McAfee s appliance management interface could be streamlined and be more task-based. Dashboard elements did not allow for drill-down into relevant reports, but they did drill into log information. McAfee has a formidable threat research team and is consolidating data from its numerous security services and products for real-time analysis of emerging threats. The Web-based management interface is complete with granular policy options and allows for customization of dashboard elements for each administrator. McAfee s malware and spam-filtering capability is very strong. IP reputation (trusted source) results in up to 98% detection at the connection layer. The solution includes targeted threatdetection capabilities, as well as protection for OWA and inotes transactions. Its native DLP capability is strong and leverages the capabilities of its stand-alone enterprise-class content-aware DLP offering. McAfee provides numerous predefined policies and dictionaries as part of the base product, and supports self-defined content for policy creation. The solution supports delegated administration for distinct event viewing, along with separation of duties. Basic encryption methods (TLS, S/MIME and PGP gateway encryption) are supported along with push (secure envelope) encryption, which was significantly improved in the latest version with an enhanced end-user interface and more options, including reply-and-recipient-initiated encrypted options. The solution is now very complete and is deployable on-box, rather than as a separate solution. It also supports the secure transfer of arbitrarily large files via its encrypted pull capability (hosted encryption). It can also be configured to automatically set up a pull-only encrypted based on a predetermined attachment size. The SecaaS offering provides a simple, clean, Web-based interface that is very easy to use for managing Web and traffic. Ancillary services include archiving and continuity service with a 60-day rolling history. The service can lock message traffic to a specific geography to avoid processing traffic in foreign legal environments. The SecaaS offering does not share the same features as the on-premises appliance solution, and would be improved with more features and granular management options. For example, the spam threshold options are limited to disposition actions on high/medium spam scores only. The DLP capability is limited to keyword detection and does not support RegEx expressions or any synchronization with McAfee s enterprise DLP offerings. There is no ad hoc reporting capability. Directory synchronization is limited to Active Directory and does not offer an on-premises synchronization engine that can export directory updates via XML traffic protected by Secure Sockets Layer (SSL) to reduce potential firewall issues (although it does support native AD integration via SSL). McAfee has to expand the global footprint of its data center to appeal to more international customers and global organizations. Currently, the service is only hosted in six geographies (U.S., Hong Kong, Tokyo, Australia, London and Amsterdam). Messaging Architects Messaging Architects is a privately held Canadian company that offers a full range of infrastructure, from hosted mailboxes to archiving, as well as consulting and migration services that appeal generally to midsize North American organizations. Messaging Architects flagship product, M+Guardian, is offered as a preconfigured Dell hardware appliance, a virtual appliance (VMware) or a hosted solution. Spam thresholds can be delegated to end users, and the quarantine includes a graphical confidence indicator, which helps quickly detect potential false positives. Quarantine can be integrated into any Internet Message Access Protocol client. Encryption capabilities are delivered via a partnership with ZixCorp.

11 Native DLP capability provides multilingual support and includes a number of dictionaries (HIPAA, SSN, profanity and others), along with number identifiers. It also supports user-customized dictionaries on a request basis. M+Archive provides archiving and e-discovery software. Messaging Architects is one of the smaller organizations in this analysis, and is limited mostly to the North American market, although it does have a U.K. support department. Market share and mind share in larger enterprise customers are limited to the education market. Hosted solutions are limited to one data center in Dallas, Texas. The solution is reliant on partners for spam detection capability and encryption. Some functions work better with the Command Line interface to perform batch functions, necessitating some Linux knowledge. Product development is slow, and the latest major release is two years in the making. Advanced enterprise features, such as role-based administration, have only recently been added to the product. Administrator visibility into specific groups is not yet available. The dashboard could be improved with more graphical information linked to log data and reports. Microsoft Microsoft offers two complementary security solutions. Its flagship product is Forefront Online Protection for Exchange (FOPE), which is a SecaaS-based solution. Forefront Protection for Exchange (FPE) is a software solution that is typically run on Exchange. FOPE is a good shortlist inclusion, especially for Microsoft-centric customers that purchase premium licensing. It is a default choice for organizations considering Microsoft s Exchange Online or the Business Productivity Online Suite. Enterprise customers should consider FPE only as an additional layer of antivirus protection for the Exchange message store and for internal federated Exchange filtering. FOPE is a multitenancy infrastructure where each data center has a copy of the customer s data, allowing for continuous uptime, even in the event of a data center failure. Mail-processing data centers are located in Texas, Virginia, Singapore, Amsterdam and Dublin. Microsoft supports guaranteed in-geography mail processing for its U.S. customers that do not want mail to be processed in other countries. Microsoft made improvements to its spam-detection capabilities, policy engine and scheduled reporting since our last analysis. It now supports 13 languages. Exchange, Outlook, and the FOPE and Exchange Hosted Services Encryption (EHSE) network all support TLS, S/MIME and PGP. FOPE also offers a Hosted Encryption solution that is built on an early implementation of Voltage Security s certificateless identity-based encryption (IBE) technology. FOPE supports large file attachment transfer up to 150MB. The recent release of FPE includes significant improvements in spam detection (Microsoft supports bidirectional spam filtering in both solutions) and an improved Win32 management interface. It also is much better integrated with FOPE with a common provisioning wizard, policy configuration, reporting and a trusted stamp to avoid duplicate scanning. FPE is useful on an Exchange hub for internal spam and virus filtering. Microsoft s security solutions are part of the Enterprise client access license (CAL), the Exchange CAL and the Forefront Protection Suite. A large number of customers already pay for components of Microsoft s security solutions but have not deployed them. Users should check their license entitlements before they consider alternatives. Microsoft Exchange Hosted Archive (EHA) is available as an optional service for and IM archiving, as well as e-discovery. Microsoft has been relatively slow at improving the features of its FOPE management interface, improving the FPE spam capability and providing interoperability. Despite recent improvements, there are still a number of improvements it could make. FPE and the Exchange Edge role have different interfaces for managing MTA functionality vs. competitive integrated appliances. FOPE still does not allow end users to create their own safe senders through the Web portal (although Outlook 2003, Exchange Server 2007, and supported safe senders and administrators can set up a per-user Allow Policy and upload via the FOPE Directory Synchronization Tool) or consolidated quarantine for aliases and distribution lists. There is no ad hoc reporting capability. The is spam button for Outlook 2007 clients is late. Message trace can be improved with moreflexible searching options and accelerated search speeds. FOPE does not allow for individual-user spam thresholds for different categories of spam. It doesn t allow for an AD groupspecific disclaimer (although the solution does include the ability to set up virtual domains to segment users for policy purposes). Microsoft has only five geographical data centers, and in-geography-only routing is only available in the U.S. (Microsoft plans to add European-Union-only processing in Amsterdam in 3Q10). 11

12 12 Buyers that have not standardized on Active Directory require Forefront identity manager to consolidate directories into a single addressable entity for synchronization with the service. The DLP capability for FPE is limited to keyword searching, and FOPE DLP only includes a single predefined policy (HIPAA). Microsoft cannot scan within attachments for DLP violations and only uses true-type file detection for executable files. It does not have a DLP-specific quarantine. The announcement of an OEM deal with EMC/RSA for its DLP capabilities may yield better functionality support in the future. Some customers complained that policy changes take some time to propagate through the network, and that they would like a feedback loop to certify that the changes have been implemented. PineApp PineApp is a relatively small vendor in this market that is focused mainly in EMEA, with an emerging presence in North America. It is an acceptable solution for SMBs in supported geographies. PineApp spam-detection signatures come from a combination of Commtouch, a global reputation system from other PineApp appliances, and traditional real-time blacklists (for example, SpamCop and Spamhaus). Local connection management includes connection hurdles to detect spamming MTAs and backscatter protection. The product uses F-Secure, Kaspersky Lab and Commtouch Zero-Hour for antivirus protection. PineApp s Mail-SeCure appliances are managed with a browser-based graphical user interface that is designed for SMBs and is simple to use. It includes a few customizable dashboard graphs, with hyperlinks to details and contextbased, right-click shortcuts to common management tasks. The product can work in a central manager/director role for consolidated reporting and quarantine management. The management interface is common for , SWG, and archive products, and appliances can assume multiple or single roles, although archiving needs a separate storage device. Policy is created mostly via check-box and drop-down lists. Compliance capabilities include pornography image/video detection. The company recently launched a SecaaS SEG offering, with archiving and disaster recovery, as well as VMware versions of its products. Other recent improvements include per-domain policy, reverse proxy (for publishing exchange server OWA), archiving support and integration encryption service via TLS secure service or PGP gateway. PGP secure delivery capabilities include secure PDF for clientless secure delivery. Large file attachments have limited support via PGP Messenger infrastructure. PineApp is one of the smaller companies in this analysis. It has very low market and mind share, especially in North America or in midsize and large global enterprises. Having a very broad spectrum of clients ranging from large ISPs to SMBs makes it difficult for a company of this size to focus equally on all customer segments. Spam accuracy is very good; however, we would like to see higher efficacy at blocking spam during the initial connection. PineApp does not support a pull (hosted encryption) mail offering. This is an important criterion for organizations in need of supporting encrypted ad hoc B2C communications. Although the management interface is good, it could use some enhancements for larger enterprise use. The dashboard could use more graphical information and statistics, with a better ability to drill down. There is no ability to create ad hoc reports, only to change filter elements. Although there are numerous roles, there is no way to create a custom role, name it and then assign it to different users. It is not possible to limit administrator access to reporting data and quarantines at the group level. PineApp s DLP capability is not very robust. It lacks comprehensive dictionaries and lexicons, and provides limited predefined regulatory content policies. DLP compliance quarantine is not separate from spam and virus quarantine. There are no special DLP queue management options for compliance managers. The PineApp SecaaS data center is only in Israel. Proofpoint Proofpoint, a private California-based company, is one of the last remaining dedicated SEG companies. It continues to lead the market with innovative features and is growing significantly faster than the overall market. Proofpoint recently added native encryption, SecaaS archiving and mailbox hosting, as it builds out a complete portfolio of solutions. It has a very loyal installed base of large and small enterprise customers mostly in North America. Proofpoint is an excellent choice for organizations looking for a full range of best-of-breed SEG functionality in supported geographies. Proofpoint s flagship security solution (Proofpoint Enterprise) is available as a hosted service; as on-premises appliances, virtual (VMware) appliances, and software; or as a hybrid combination of these versions.