Welcome to SaaS thoughts

Whether you call it Software as a Service (SaaS), Managed Service Provider (MSP) or On-Demand Services, your organization uses the service running “in the cloud”. This blog will discuss these services, their benefits, drawbacks and operations. Are we biased? Yes. We believe that some services make sense for most organizations. Email security is one of those. However, as Mark Twain said, “All generalizations are false, even this one.” Each Tuesday we will post information and questions about Software as a Service. Occasionally, we will have a "Guest Post" from either a consultant or vendor posting her/his thoughts on Managed Services generally as well as some degree of specificity based on her/his unique perspective. We encourage your insights, comments and feedback. Welcome.


Evaluating an Email Security Service


What criteria should you use to select an email security service? Price? Ability to stop spam? If only it were that simple.

Deciding on an email security service has two sets of criteria: those common with all email security systems and those specific to email security services. We’ll spend more time on comparing a SaaS email security system with an appliance in an upcoming blog.

Criteria in common with all email security systems

We won’t spend much space on these. Suffice it to say that if a managed service can’t do better than an appliance, there is little to differentiate or recommend it.

  • High percentage of stopping spam
  • Low percentage of mis-identifying valid email messages as spam (false positives)
  • Ability to stop “directory harvesting” (phishing)
  • Ability to withstand Denial of Service attacks
  • Ability to handle expected and unexpected email traffic
  • Handling of quarantined messages
  • Ease of administration
  • Price

Criteria specific to email security services

Superior processing compared to an email appliance — After all, the service has (or should have) large capacious file servers in data centers with huge transmission pipes.

Purpose-built MTA — There are some managed service providers offering nothing more than a collection of commercially available appliances. Where’s the benefit in that?

Location and number of data center(s) — Where are the service’s data centers? How many are there? Are all the customers going through the same few data centers? What does that do for the CPU load on the servers?

Data replication among data centers — Does the service replicate or mirror your data among data centers?

If one data center goes down, can you still get your email? One of the benefits of using a Managed Service instead of an appliance is sustainability of service. September 11th taught that having your backup in “the other tower” was not adequate. If the MSP has a limited data center, there is little benefit over a cluster of appliances in a Co-Lo.

Data latency — Will the processing of your email be slowed by going through the service?

It’s great to have clean email, but email must also be delivered in a timely manner. The vast majority of legitimate email traffic should pass through an MSP in less than 10 seconds.
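One way to check that figure on a delivered message is to read its `Received` headers and time the span from the service's first receipt to your own server's acceptance. This is an added example, not from the original post; the message is constructed and `filter.example.net` is a hypothetical stand-in for the MSP's domain.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: two hops inside the (hypothetical) service, then hand-off
# to the customer's server, which stamps in a different time zone.
SAMPLE = """\
Received: from mx2.filter.example.net (mx2.filter.example.net [192.0.2.20])
\tby mail.customer.example with ESMTPS id c3; Mon, 28 Apr 2008 10:00:07 -0400
Received: from scan1.filter.example.net (scan1.filter.example.net [192.0.2.11])
\tby mx2.filter.example.net with ESMTP id b2; Mon, 28 Apr 2008 14:00:05 +0000
Received: from out.sender.example (out.sender.example [198.51.100.5])
\tby scan1.filter.example.net with ESMTP id a1; Mon, 28 Apr 2008 14:00:01 +0000
From: alice@sender.example
To: bob@customer.example
Subject: RFP answer

body
"""

BY_HOST = re.compile(r"\bby\s+([^\s;]+)", re.I)

def hops(raw):
    """Return [(receiving_host, timestamp)], oldest hop first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        match = BY_HOST.search(value)
        try:  # the timestamp follows the last ';' in the header
            when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        except (TypeError, ValueError):
            continue  # skip hops with no parseable date
        if match and when.tzinfo is not None:
            out.append((match.group(1).lower(), when))
    return out[::-1]  # headers are prepended, so reverse to chronological order

def service_transit_seconds(raw, service_domain):
    """Seconds from the service's first receipt until the next host accepts."""
    chain = hops(raw)
    inside = [i for i, (host, _) in enumerate(chain)
              if host == service_domain or host.endswith("." + service_domain)]
    if not inside:
        return None  # message never passed through the service
    # The hand-off time is stamped by the hop after the last service hop.
    end = chain[min(inside[-1] + 1, len(chain) - 1)][1]
    return (end - chain[inside[0]][1]).total_seconds()
```

The result depends on each server's clock, so skew between the service and your own server shows up as latency; only the headers added by the service and by your server are trustworthy, since earlier ones are supplied by the sender.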

Availability of other options — Since the MSP has huge transmission pipes, capacious servers and data stores, what other services do they provide?

Business continuity gives you, the customer, the ability to connect to the MSP’s server via a portal to send and receive email if your email server is unavailable. This service is critical when email is the primary mode of communication between you and your clients and suppliers. Questions to ask:

  • How long are email messages stored so you can retrieve and act on them?
  • When your email system comes back up, how do all these new messages sync back up with your email server?

Personal or compliance archive gives you the ability to either quickly find your personal email messages or to meet regulatory compliance rules. Questions to ask here are:

  • Is the archive non-repudiable?
  • How can outside researchers gain valid access to the email messages?
  • Is there a non-changeable log kept of every action and query?
  • Is the archive charged by the user or by the MB, GB, or TB?
  • How long can the data be kept on the archive server?

Email encryption — Two types of encryption should be available: data center to email server and sender to recipient. Questions to ask:

Data center to email server

  • Is bi-directional data center to server TLS available?
  • Is it automatic?
  • Is there an extra charge for it?

End-user encryption

  • Can the user easily send an encrypted message?
  • What does the recipient have to do to retrieve the message?
  • Does setting up this encrypted link require additional administrative time?

Reports — You need to have data available when you need it. You will be asked all the standard questions of any email administrator.

  • Why didn’t I get that message?
  • We lost the Acme bid because YOUR email system didn’t deliver our answer to their RFP!

Questions you should ask:

  • What canned reports can I get?
  • Can I modify/create report criteria?
  • Can I save reports?
  • Can I have reports sent via email periodically?
  • How far back can I go on report data?
  • Can I find/report data on specific messages?

Security — One of the greatest concerns some have regarding using an MSP is, “How secure is my data?” This is a legitimate question that should be asked of any MSP you are considering. We discussed this very question in an earlier blog: Do You Lose Control When You Use A Managed Service?

What do you think? Considering a Managed Service for email? What are the benefits? What are the drawbacks? What’s your experience with SaaS?

Next Post: The Email Management Issue, Gerhard Eschelbeck, CTO and Senior VP of Engineering – Webroot

Posted on : Apr 28 2008
Posted under Email security, Managed Services, SaaS, Security