Choosing a Secure Email Gateway
For a number of months now I’ve been looking to implement a more advanced Secure Email Gateway for my company’s email. Our current email security and anti-spam/virus comprises SpamAssassin and Exchange 2013’s built-in security features, which are now proving insufficient for our size and needs.
We’re currently in the middle of a live Fortinet FortiMail POC, which I plan to write about in the coming weeks, but I thought I’d share a quick “feature matrix” of the other solutions I looked at before deciding on FortiMail.
I had an initial 1-2 hour demonstration with Barracuda, Fortinet, Trend Micro, Symantec, Forcepoint, Mimecast and Proofpoint, along with multiple follow-up calls for those that made the shortlist (namely Barracuda, FortiMail and Symantec).
I had a pretty clear idea of what I wanted going into these demonstrations, and actually had a “wishlist” of items I wanted from a SEG. I found sending this on to the vendor before the demo to be very helpful in addressing my company’s requirements straight off the bat.
There was one large caveat that narrowed the list down immediately: I work in a private hospital, and keeping as much data on-premises as possible was a major requirement for us. Or, rather than ‘us’, I should say it was a major requirement under company policy. So while personally I believe some of the cloud-only features and cloud-only solutions were very impressive, they were a non-starter for this project. Still, it was beneficial giving the cloud-only solutions a chance to show what they could do.
Below is the “matrix” I used to keep track of how each solution addressed our requirements:
Important point to make: the above is to be taken as a very rough guide. It was really only meant as a high-level overview of how the products stacked up against each other, and a quick reminder to myself of features between conference calls. Just because an entry has “No” against it doesn’t imply that the product can’t outright fulfill the requirement. It’s just that in our circumstances the product wasn’t suitable, whether that was due to an extra cost to implement, not being quite as flexible as we wanted, or requiring another product, etc. Case in point: during the demonstration with FortiMail, it was my conclusion that the unit could not do image analysis, which the POC has since proved incorrect.
The above wish-list features weren’t in any particular order of importance to me, but a few key features for us were:
- All features on-premises
- URL link protection – The ability to rewrite URLs, or ideally, open links in a protected environment
- Data Loss Prevention
- Spoof detection and prevention
- Email encryption using an email keyword
- And obviously strong anti-spam/malware/virus
The Symantec solution was actually my first choice, and we were just about to start a POC of their solution. However, the acquisition of Symantec by Broadcom made this impossible (I’ve written about this previously; in short, pre-acquisition quotes could not be honoured, and it would be months before new quotes could be issued), and this unfortunately delayed the whole process of choosing a SEG, which I had hoped would be in place by the end of 2019. Initial impressions of the FortiMail are good, however, and I’ll write up my opinion of it after the POC.