February 17, 2005
Rockliffe's View: E-Mail Security Product Selection Is A Strategic Issue
E-mail is a strategic product, and its security is business-critical, so you should be very careful when considering an open source solution.
Rockliffe makes what may be called "rock-steady" e-mail server and gateway products that deliver and protect messages inside and outside of the enterprise environments in which they are installed. The company's Mailsite Server and Mailsite Gateway products are installed at over 2,500 corporations world wide.
The company recently published a white paper that questions the use of open source technology for e-mail systems. The company's bias towards commercial software is on the face of it not surprising given the company's own product mix. However, but the paper brings up some useful questions and insights that are summarized here.
E-mail security has become a strategic issue for IT executives, and that makes the risks of making a mistake business-critical. The costs a wrong decision are not measured in terms of wasted IT budgets, but rather by lost revenues, fraud, the leaking of confidential information and, more recently, lawsuits.
Most virus infections are distributed by e-mail, and can cause enterprise business to grind to a halt for hours or even days, and can spread themselves throughout the internet, including to your customers and suppliers. And oday's e-mail security attacks are increasingly sophisticated.
A key issue to consider when making an e-mail security decision is whether to build a custom solution using one or more open source software programs, or to invest in a packaged solution from a commercial vendor. While many commercial-versus-open-source debates focus on the Windows vs. Linux, when it comes to e-mail security the core issue is not operating system preference. Instead the issue is whether to entrust the security of your e-mail system to the open source community or to a commercial vendor.
Here are some questions to think about:
-
Do you need to review your build vs. buy culture?
Rather than working from a general preference for open source or commercial software, security purchasing decisions should be made on the merits of the products and objectives involved.
-
Is building an open source security solution the best use of in-house resources?
Constructing open source e-mail security solution will divert more resources away from other projects than installing a commercial solution. The opportunity cost is the total value of other projects that will be cancelled or delayed, and its size depends on the strategic importance of the projects being cancelled or delayed.
-
Is open source or commercial more reliable?
When it comes to e-mail the major security issue is not so much about which system is most secure, it is about the reliability of data and software maintenance updates. You can reliably hold your e-mail administrator accountable for software updates, but only your software source can provide virus and spam updates, and even though commercial security companies have contract clauses that limit their liability, they are in the business of providing reliable updates to you, and not much else.
-
Is this the best and most cost-effective strategy for your company?
A decision favoring an open source solution involves a long-term commitment to in-house development resources, whereas commercial solutions risk a lock-in to a single vendor. Lock-ins can result in escalating license and support fees, but in-house development costs can also escalate as the resource demands for other projects move people around.
-
Is there a satisfactory disaster recovery strategy?
Even the most comprehensive and sophisticated e-mail security solutions can not guarantee 100% protection against infection, so if one does occur or data becomes otherwise corrupted the key issue is speed of recovery. The in-house skill set and level needed to implement disaster recovery will almost inevitably be higher, and thus cost more, for an open source solution than for a commercial one.
-
Are deployment and update time estimates accurate?
While the tools developed by the open source community make deployment of an open source solution much faster, it will most often take far longer to deploy than commercial solutions which have multiple security modules integrated in one package. And, commercial packages may include documented, standards-based APIs that facilitate integration with existing infrastructures, all of which make deployment and update timelines for commercial solutions should be significantly shorter than open source.
-
Is there adequate provision for creating and maintaining the documentation?
A challenge for in-house solutions of all types is ensuring that documentation is created and maintained on an ongoing basis. Even when the best of intentions prevail the realities of resource utilization defeats documentation projects. A commercial solution will have administration manuals that are regularly updated. The lack of documentation might turn a masterpiece of e-mail security into an expensive liability, especially if its authors cease to be employees.
-
Will this solution make you a stronger competitor?
Security threats can be distributed globally in seconds; within a few hours the same threat can be redistributed having morphed into a dozen different variations each with a different signature. Protecting your company and its reputation with customers and suppliers against these threats requires the best you can get for your budget.
If you'd like to read the white paper in its entirety, visit .
13%
25%
38%
25%
