Welcome to SaaS thoughts

Whether you call it Software as a Service (SaaS), Managed Service Provider (MSP) or On-Demand Services, your organization uses the service running “in the cloud”. This blog will discuss these services, their benefits, drawbacks and operations. Are we biased? Yes. We believe that some services make sense for most organizations. Email security is one of those. However as Mark Twain said, “All generalizations are false, even this one.” Each Tuesday we will post information and questions about Software as a Service. Occasionally, we will have a "Guest Post" from either a consultant or vendor posting her/his thoughts on Managed Services generally as well as some degree of specificity based on her/his unique perspective. We encourage your insights, comments and feedback. Welcome.


The Email Management Issue


By Gerhard Eschelbeck, CTO Webroot

It’s a mistake to think of “email management” as distinct from general document management. Email is company documentation and must be treated as such: an email can commit the company just as much as a written contract can, and regulations about personal data, for example, apply equally to data in paper and in electronic form. Unfortunately, people tend to be careless with electronic mail, and email management technology is useful for inculcating company “good practice” policies and procedures.

Content filtering

An important aspect of email management is content filtering. Manual inspection of email is impractical, but a rule-based program can inspect the contents of an email, detect specific user-applied labels (such as “Highly Confidential”) or particular authors, roles, originating departments or recipients, and act accordingly (perhaps by encrypting the message, or refusing to transmit it). Bear in mind that a user-applied label is only as reliable as the user who applied it, so rules keyed on labels should be backed by rules that inspect the content itself. You can even detect potentially pornographic images – even if a single image slips past the heuristics, you will soon identify someone downloading hundreds of illegal images from the Internet.

An important issue is that the staff managing content filtering see sensitive email passing through the filter, including email in which they (or their friends) are the subjects – which can lead to trouble. Using a “trusted third party” to deliver a hosted SaaS management solution can eliminate some of these human risks.

The biggest issue with content filtering, however, is its “big brother” connotations – implemented badly, it can seriously affect staff morale. It is important to train your staff in email management and to explain why you need content filtering, ahead of implementation. If just one person is storing child pornography on company servers, for example, everybody’s job could be at risk, and if you explain this, gaining staff buy-in should be easy. But if your staff is surprised to discover that its email is being read without advance warning, you’ll have problems. And, it’s a good idea to check that your “terms of employment” cover email monitoring.

Malware control

In addition to content filtering, email management should address the “malware” threat – malware is a generic term for unauthorized programs designed to damage your computer or steal information from it.

Originally, viruses were designed to damage computers and bring their authors notoriety; these represent only a basic threat. Such viruses advertise their presence and are thus easy to control. But the threat is changing. Viruses (and similar programs) are now built to remain hidden, and are increasingly authored by criminals instead of mere vandals. Instead of trashing a computer, they may monitor keystrokes and capture online banking or other passwords.

Such “trojan horses” are harder to detect, and using external malware experts can ensure that the latest important threats are addressed, not merely what made the papers yesterday. Because these trojans are easily modified and it takes time to update malware detection logic, you should run several detection engines (which sometimes clash with each other, another reason to have external experts choose and run them) and implement “defense in depth”. “Defense in depth” means, simply, that even if your email etc. is checked externally, you still run anti-malware software on your PC, in case something gets through the outer defenses.
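To make the two preceding sections concrete, here is an added example, not code from the original post or from Webroot, of a small email gateway policy in Python. It implements the rule-based content filtering described above (a user-applied label, the originating department and the recipients decide whether a message is delivered, encrypted or blocked) and the malware control described here (every attachment goes through several engines; one malicious verdict quarantines the message, and a missing verdict is recorded so that the endpoint anti-malware is still relied on). The internal domain, the X-Classification and X-Department headers, the label vocabulary, the department rule, the two engines, the malware marker and the sample messages are all assumptions constructed for the example.

```python
# Added example (not the blog's or Webroot's code): an e-mail gateway policy that
# combines rule-based content filtering with multi-engine attachment scanning.
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses
from typing import Callable, Optional

INTERNAL_DOMAINS = {"example.com"}                         # assumed: our own domains
RESTRICTED_LABELS = {"highly confidential", "restricted"}  # assumed label vocabulary
ENCRYPT_DEPARTMENTS = {"legal", "finance"}                 # assumed: encrypt their outbound mail
TAG_RE = re.compile(r"\[([^\]]+)\]")                       # subject tag, e.g. "[Restricted] Q3"
MARKER = b"CONSTRUCTED-MALWARE-MARKER"                     # stands in for a real signature

Engine = Callable[[bytes], bool]   # True = malicious; an exception = no verdict

def engine_signature(payload: bytes) -> bool:
    """Constructed engine that knows exactly one signature."""
    return MARKER in payload

def engine_unavailable(payload: bytes) -> bool:
    """Constructed engine that is down, to show how a missing verdict is handled."""
    raise TimeoutError("scan timed out")

def classification(msg) -> str:
    """User-applied label: an X-Classification header (assumed), else a [tag] in the
    subject. Both are set by the sender, so they complement content inspection."""
    hdr = (msg.get("X-Classification") or "").strip().lower()
    if hdr:
        return hdr
    m = TAG_RE.search(msg.get("Subject", ""))
    return m.group(1).strip().lower() if m else ""

def external_recipients(msg) -> list:
    """Addresses in To/Cc whose domain is not one of ours."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers)
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def scan(payload: bytes, engines: dict) -> dict:
    """Run every engine on the payload; record malicious, clean or error per engine."""
    verdicts = {}
    for name, fn in engines.items():
        try:
            verdicts[name] = "malicious" if fn(payload) else "clean"
        except Exception as exc:      # engine down, timed out or clashing with another
            verdicts[name] = f"error: {exc}"
    return verdicts

def evaluate(raw: str, engines: dict) -> tuple:
    """Return (action, reasons); action is deliver, encrypt, block, quarantine or hold."""
    msg = message_from_string(raw, policy=default)
    reasons = []

    # Malware control first: no point encrypting or forwarding a trojan.
    attachments = [p.get_payload(decode=True) for p in msg.walk()
                   if p.get_content_disposition() == "attachment"]
    missing = 0
    for payload in attachments:
        for engine, verdict in scan(payload, engines).items():
            if verdict == "malicious":
                return "quarantine", [f"{engine}: malicious attachment"]
            if verdict.startswith("error"):
                missing += 1
    if attachments and missing == len(attachments) * len(engines):
        return "hold", ["no engine produced a verdict; failing closed"]
    if missing:
        # Defense in depth: deliver, but the endpoint anti-malware must still look at it.
        reasons.append(f"{missing} engine verdict(s) missing; endpoint scan still required")

    # Content filtering: label, originating department and recipients decide the action.
    label = classification(msg)
    dept = (msg.get("X-Department") or "").strip().lower()   # assumed: stamped by the MTA
    external = external_recipients(msg)
    if label in RESTRICTED_LABELS and external:
        return "block", reasons + [f"'{label}' must not leave the company: {external}"]
    if label in RESTRICTED_LABELS or (dept in ENCRYPT_DEPARTMENTS and external):
        return "encrypt", reasons + [f"label={label or '-'} dept={dept or '-'}"]
    return "deliver", reasons

def sample(to: str, *, subject: str = "Q3 numbers", label: str = "", dept: str = "",
           attachment: Optional[bytes] = None) -> str:
    """Build a constructed message for exercising the policy."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = to
    m["Subject"] = subject
    if label:
        m["X-Classification"] = label
    if dept:
        m["X-Department"] = dept
    m.set_content("See attached.")
    if attachment is not None:
        m.add_attachment(attachment, maintype="application", subtype="octet-stream",
                         filename="report.bin")
    return m.as_string()

ENGINES = {"sig": engine_signature, "down": engine_unavailable}

if __name__ == "__main__":
    for case in (sample("bob@partner.example", label="Highly Confidential", attachment=b"ok"),
                 sample("bob@partner.example", dept="Finance"),
                 sample("carol@example.com", attachment=b"xx" + MARKER),
                 sample("carol@example.com", dept="Engineering")):
        print(evaluate(case, ENGINES))
```

Running the file prints the decision for four constructed messages. Note the two deliberate policy choices: the message is held (fail closed) only when no engine at all returned a verdict, and when some engines did answer the message goes on with a recorded gap rather than being dropped, which is exactly where the endpoint anti-malware earns its keep. Whether to hold or to warn in that middle case is a business decision, not a technical one, and belongs in the policy your provider agrees with you.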

SaaS – Why and What?

You should think of SaaS in business terms – as an “email management service”, say, not as rented smart switch or router for email. A subscription or rental model is usual, so you’ll need some sort of service level agreement to manage the relationship against – currently, this may be limited to availability; but, in future, expect a more sophisticated agreement around “quality of service” or the “business value delivered”.

You choose SaaS for 3 reasons:

  • You like the pricing model (you get what you pay for, with low cost of entry and exit)
  • You appreciate its low hardware costs (your supplier hosts the hardware and should achieve economies of scale)
  • You benefit from its low management overheads (you subscribe to a managed service and your supplier can employ management specialists and spread the cost of the best people and technology over all its customers).

SaaS addresses email management quickly and cheaply (there’s no software or hardware to buy), and you aren’t reliant on in-house expertise, which may be out of date. And, if you don’t like the service, you can cancel it cheaply and find a better provider.

A good SaaS provider should guide you on deployment and policy, as part of its service – perhaps even a hybrid (part hosted, part in-house) solution would suit your needs. Email management must be driven primarily by business needs, not technology.


Gerhard Eschelbeck, CTO and Senior VP of Engineering

As chief technology officer and senior vice president of engineering at Webroot Software, Inc., Gerhard is responsible for developing and driving the company’s overall product strategy. He also manages Webroot’s development and threat research teams, and further expands the capabilities of Webroot’s Phileas, the industry’s first and only automated spyware research system.

Gerhard most recently served as chief technology officer and vice president of engineering of Qualys, Inc., where he pioneered the company’s Software as a Service based vulnerability management platform. Prior to joining Qualys, Gerhard was senior vice president of engineering for security products at Network Associates, vice president of engineering of anti-virus products at McAfee Associates, and founder of IDS GmbH, a secure remote control company acquired by McAfee.

Widely regarded as one of the foremost experts on vulnerabilities and network security, Gerhard has presented his research to the U.S. Congress and at numerous major security conferences including RSA, Black Hat and CSI. He was named one of InfoWorld’s 25 Most Influential CTOs in 2003 and 2004, and received this honor a third time in 2006 as Webroot chief technology officer and senior vice president of engineering. Gerhard is a frequent contributor to the SANS Top 20 expert consensus identifying the most critical security vulnerabilities. Gerhard is also a highly regarded author and is perhaps best known for publishing the “Laws of Vulnerabilities.” He is one of the inventors of the Common Vulnerability Scoring System (CVSS) and holds numerous patents in the field of managed network security.

Gerhard holds masters and PhD degrees in computer science from the University of Linz, Austria.

