Managing E-Mail Hygiene

For most organizations, unsolicited commercial e-mail - or spam - is the single greatest threat to the stability, security, and usefulness of their e-mail system. The spam plague could not have come at a worse time, since most companies now find that e-mail is the single most critical internal communication channel. In fact, results from a recent META Group survey indicate that 80% of respondents find e-mail more valuable than the phone for business communications.

Due to the dire nature of spam (i.e., clogging inboxes and other system components, often with offensive messages), most IT groups are encountering little trouble in finding funding for spam-blocking/filtering tools. We believe this situation can create significant advantages for IT personnel seeking to bring world-class e-mail hygiene and policy management to their messaging infrastructure. All organizations would benefit by addressing not only the spam problem but also numerous other threats to e-mail system stability, security, and productivity. Therefore, as organizations tackle spam, we think it is an ideal time to look for a broader set of e-mail control services as part of a strategic planning effort.

META Trend: As ad hoc electronic communication grows in importance (e.g., e-mail, instant messaging, Web conferencing), organizations will be challenged to create a hygienic and low-cost infrastructure, with special attention through 2005 focused on spam blocking, policy enforcement (e.g., archiving, regulatory compliance), and relevancy (e.g., knowledge management). Through 2007, rising electronic communication volumes will frustrate users coping with information overload. IT groups, struggling to manage resource consumption, will accelerate server consolidation and use of centralized topologies to reduce e-mail and instant messaging costs and risk.

If funding is forthcoming for spam protection, IT groups should capitalize on this opportunity to aggressively target, in addition to spam, other associated threats to e-mail services and operational challenges, such as:

• Denial-of-service prevention
• E-mail classification and retention
• Secure e-mail delivery
• Content filtering
• Virus control

Given the business-criticality of e-mail, we believe organizations will be forced to develop comprehensive policies for mail hygiene and message control. Essentially, companies must deploy e-mail-specific firewalls for Port 25 (SMTP), and therefore must be prepared to devote larger amounts of capital and human resources (increasing from $20/user/year to $50/user/year in 2007) to ensure safe mail practices and policies. Currently, most organizations approach mail hygiene and policy management on a piecemeal, reactive, basis. Ideally, they should choose a single supplier to provide multiple areas of protection, and thereby achieve administration and other efficiencies over a multivendor approach. Yet users will find that no single supplier exists currently that can supply all mail hygiene needs. Therefore, companies should minimize the number of vendors required for comprehensive e-mail hygiene.

Organizations using spam protection as the starting point should use this opportunity to look for vendors that can address numerous e-mail issues. In shopping for appropriate tools, we believe that enterprises should look for best-in-class e-mail hygiene platforms that have the following attributes:

• Flexible message disposition options
• Enterprise scalability
• Deep reporting capabilities
• Frequent updates
• Solid management and monitoring facilities
• Support for e-mail servers (and the e-mail perimeter)
• Easy customization of policies
• Broad third-party support

The remainder of this META Practice is divided into three sections:

• The first section examines in detail the major threats to the efficiency of e-mail systems and recommends appropriate ways to handle these challenges
• The second section presents a closer look at the desirable characteristics of a multipurpose e-mail hygiene and policy management platform
• The final section deals with e-mail hygiene vendor dynamics

We believe that deep understanding of the multifaceted threats to e-mail stability and usefulness, coupled with clear understanding of appropriate features for the e-mail hygiene and policy management server, will enable organizations to vastly improve the stability and effectiveness of the e-mail infrastructure.

Section One: Threats to the E-Mail Environment
Spam

Our research indicates a vast increase during the past six months in the volume of spam e-mail targeted at corporate users. We estimate that the percentage of inbound Internet corporate e-mail classified as spam is 40%-50%, and this is expected to grow to 60%-70% during the next two years. This deluge of spam puts a significant burden (e.g., in bandwidth and storage consumption) on mail relays, SMTP gateways, and internal mail servers. Spam also saps human resources by clogging already overflowing user inboxes, forcing users to delete (or forward) the messages. In addition, spam often has salacious content, which can be offensive to employees, making employers subject to harassment and hostile workplace lawsuits.

Therefore, companies should immediately implement spam-blocking services. The most important criteria in selecting a spam-blocking service are as follows:

• Trusted-sender lists: These lists enable a user or organization to designate senders that will be immune to the blocking service; that is, communication from these senders will pass through the gateway unmolested. This is critical to help reduce the number of false positives (i.e., e-mail falsely identified as spam), since there is a fine line between legitimate bulk mail (e.g., newsletter subscriptions) and spam. We believe it is important to enable individual users to create their own trusted-sender lists because people have different ideas about what constitutes spam. Some vendors allow trusted-sender lists to be created only at the organizational level and not at the individual user level, an approach we do not endorse.
• End-user quarantine area: All spam filters generate false positives. We believe end users need to be able to see what messages have been filtered so there is no danger of missing legitimate e-mail. Some vendors send a digest of quarantined mail on a regular basis, while others establish spam mailboxes for users that can be checked at any time. Other vendors, however, offer only bulk repositories where the entire organization’s quarantined mail is sent, so individual users cannot see what has been filtered, which is an approach we do not endorse. Organizations must establish a procedure where users can have HR, IT, or other personnel check their quarantined mail for them, so users are not exposed to salacious content, which can lead to hostile-workplace lawsuits. User policies should point out this risk of checking quarantined mail repositories and offer this alternative, to add further protection in case of lawsuits.
• Spam “cocktail”: In 2001, most organizations were able to keep spam at bay by subscribing to blocked-sender lists and doing simple content scanning. But spammers are a clever lot, and they are constantly finding workarounds for new defenses. For example, spammers know that spam blockers employ a “spam signature” approach, whereby a unique hash algorithm for each spam message is generated and then distributed to antispam gateways, which then use the signature to identify spam. Spammers now routinely generate random headers and make the body text 90% different for each message (while leaving the come-on the same), thereby thwarting the signature defense. Of course, to thwart blocked-sender lists, spammers also routinely employ spoofing (i.e., usurping individual user names to send spam). Therefore, we believe the most effective spam blockers use various techniques to block spam - a so-called spam cocktail approach -- including but not limited to trusted-sender lists, blocked-sender lists, content filters, rule sets, reverse Domain Name System lookups, and signatures.
• Update frequency: Because spammers are so aggressive in combating new defenses, best-of-breed vendors frequently upgrade their services. We prefer to see new rules or signatures being distributed on a daily or weekly basis (directly to the gateway, as virus blockers do); rule sets (also known as heuristics) now number in the thousands. We also prefer to see the core engine itself being revved every quarter or two.
• Point system and distribution options: We recommend use of tools that employ various blocking techniques to determine the overall probability of a message being spam. In this way, IT personnel can set different disposal options for different values. A message with a 0.7 probability, for example, can be stamped as probable spam and sent to the user. A message designated 0.8 can be quarantined, and a 0.95 probability can be deleted outright. We also like to see users given the capability to tweak their filter settings, enabling them to put the highest blocking capacity on sexual content, for example, while loosening the filter for money-making offers. This enables users to declare their own tolerance for false positives based on spam type.
• HTML-based spam: Spam volume continues to rise at an alarming rate, and spammers are increasingly using HTML e-mail as a way to evade standard blocking services. Typically, spammers use intricate tagging methods to pass through filters (so called "snowflaking"), but client rendering enables the spam text and URLs to be faithfully displayed. HTML spam is more nefarious than plain text spam, because Web beacons can enable spammers to link Web site interactions with e-mail addresses, which raises privacy issues. Enterprises must erect specific defenses against HTML e-mail spam, including:
  -Decoding the HTML at the gateway (and then applying the usual spam checks)
  -Using rules to detect typical HTML spammer behavior (e.g., use of large, red fonts)
  -Checking destination links within HTML mail against known spammer sites

Denial-of-Service Prevention

Denial-of-service (DOS) attacks basically include any hacker action that prevents use of any part of the e-mail infrastructure. The types and frequency of such attacks are rising rapidly, threatening to debilitate or bring down even the largest mail systems. The most common types of DOS attacks are:

• Buffer-overload attacks: These occur when hackers stuff thousands of characters into server memory, along with an executable program that has a destructive payload. Hygiene servers must block buffer-overload attacks by locking down open fields.
• Mail floods: These attacks incapacitate message-transfer agents by sending more mail than the server can handle. Companies must have multiple queues to handle the flood as well as alerting tools to help mail managers identify the attack and block the domain. Flow control, or tarpitting, can also block mail floods.
• Dictionary attacks: These attacks (also called “harvest” attacks) result from a scripted series of delivery attempts, whereby hackers send large volumes of mail with likely names to a specific domain and see if messages are bounced or not. In this way, hackers harvest real user names for spamming purposes. Tools should alert users in real time to such attacks.
• Mail loops: Mail loops are not malicious in intent but can occur when users set up a rule to forward messages to another mail account that may also have a rule to forward mail back to the initial account, resulting in the forward messages being continually bounced. Like mail floods, mail loops can shut servers down when transaction logs run out of disk space. Hygiene servers should contain services that prevent mail floods (e.g., prohibit auto-replies, set maximum hop counts).

E-Mail Classification and Retention

E-mail messages are now widely considered business records rather than transitory communication. Therefore, industry regulators and internal records management officials are increasingly mandating that certain messages be retained for three or more years for auditing/records compliance purposes. The most heavily regulated industries are government (e.g., open-meeting laws, freedom-of-information acts), financial services, healthcare, and insurance. However, many other industries (e.g., discrete manufacturing, energy, transportation) are also subject to certain e-mail retention laws, particularly related to environmental activities, and new regulations (e.g., USA PATRIOT Act, HIPAA) are emerging. Furthermore, many organizations are considering applying internal corporate records management policies for e-mail.

We believe the retention issue will be resolved during the next several years in the following ways:

• Forced by rigid policy enforcement, Global 2000 companies will adopt sophisticated message classification and archival solutions to meet regulatory and records management requirements.
• In non-regulated industries, the propurging force (citing legal concerns) will generally triumph, meaning that purge cycles will be short (e.g., 60 days for the inbox) and mailbox sizes will be kept under 100MB.
• Many unregulated companies will adopt e-mail retention policies that enable certain types of messages (e.g., those related to human resource issues, financial audits, or business transactions) to be archived according to corporate records management policies.

It is in this climate that we believe the market for e-mail regulatory and records management compliance will flourish during the next five years. Government and internal regulations generally address three areas:

• Archiving of older messages for a specific period of time
• Surveillance of messaging, to prevent abuse
• Auditing, to ensure messages are not tampered with and review efforts are carried out

Still, prior to any investment in policy compliance tools, IT groups must seek corporate legal counsel for guidance on which regulations are to be followed and what compliance actually means. Financial companies, for example, currently interpret laws differently; some archive and monitor all internal and external e-mail activity, while others capture and monitor traffic only as it passes over the SMTP gateway. We believe the following principles should guide policy compliance activities:

• Only messages required by law or internal records management policies should be archived. Messages written by people not subject to regulations should not be archived (to minimize the risk of smoking-gun e-mail messages).
• Messages should be archived only for the period of time mandated by law. Purging must be thorough (extended to all media: disk storage, tape, and optical) and automatic (individuals cannot be relied on to faithfully carry out purging).
• The system should accommodate court-ordered discovery processes (to minimize compliance expenses).

Following are criteria to address for message classification and retention systems that must meet regulatory requirements for surveillance and auditing:

• Auditing: Most regulations stipulate that organizations track all compliance activity and be able to document all steps. Therefore, compliance tools must have deep and granular auditing capabilities, including:
  -Each message being logged into a journal and time/date stamped, with each step in the review process time/date stamped
  -Recording of all message reviewers’ notes, disposition decisions, and other actions associated with flagged messages
  -The core message content being tamper-proof
  -Support existing for indexes of names, companies, places, etc. for easy retrieval of relevant mail
  -Strict access policies being enforced, with recording of all access attempts
  
• Compliance efficiency: Ultimately, compliance comes down to a manual task where compliance officers must review flagged messages. Efficiency of the review process is therefore paramount because it boosts message review volume for compliance officers. We look for capabilities such as the following:
  -Content-based rule execution (e.g., if a certain phrase is seen, it is categorized and sent to a queue)
  -Sampling tools that aggregate messages into sets for review by compliance officers
  -Appropriate queuing and single mouse clicks to take action
  -Ability to call up previous messages from the message author under review
  -Automatic highlighting of problem words and phrases
  -Sticky-note capability (with the ability to turn off sticky notes)
  -Browser access to the system for anytime/anywhere access
  -Support of search for name, date, subject, content, categories, departments, account numbers, and full text
  -Configurable management that enables a group of reviewers to audit a pool of messages or allows a manager to review messages from a specific office or organizational entity
  -Application of different filtering rules for different users or groups of users
  
• General criteria: Other capabilities that are important for the compliance/records management process include:
  -Exclusion lists for top executives or non-regulated parts of the business
  -Ability to flag encrypted or foreign language messages
  -Ability to scan attachments and zip files
  -Diagnostic tools for activity and exception handling and capacity management
  -Support for internal and SMTP mail
  -Support for mobile e-mail services such as BlackBerry

Secure E-Mail Delivery

The vast popularity of e-mail has created a burgeoning requirement to send mail securely over the Internet. Sent unencrypted, Internet e-mail is susceptible to interception by casual or targeted efforts. Therefore, most organizations have a prohibition against sending sensitive information over the Internet, which has had two results: 1) users ignore the policy, thereby creating a security risk; and 2) users use more costly (e.g., overnight package delivery services) or less efficient/convenient (e.g., phone/face-to-face meetings) mechanisms for communication. Rapidly increasing e-mail literacy and heightened commitments to business-to-business (B2B) and business-to-consumer (B2C) interaction are creating even more demand for secure message delivery.

Furthermore, grudging governmental and non-governmental regulatory approval of e-mail communication (e.g., in the financial, law, and healthcare industries) often accompanies the requirement to encrypt mail. We are witnessing growing use of secure e-mail delivery for B2C purposes (financial statement delivery, bill presentment, insurance quotes, etc.).

Organizations must first establish a security policy that defines what is appropriate to send over the Internet via e-mail. Most secure e-mail systems require user intervention that creates an unwanted burden on the user. We believe the most effective way to ensure adherence to secure messaging policies is via an automated classification system that identifies and performs appropriate encryption duties as the messages pass through the outbound hygiene and policy management gateway. With this scenario, users are not burdened with decisions on what messages to encrypt; those decisions are made by embedded custom security policies written by the organization and enforced by the hygiene and policy management server.

Content Filtering

The exponential rise in e-mail volume has led to increasing corporate liability from the ill effects that an unregulated content transmission engine can bring: unauthorized disclosure of trade secrets and circulation of offensive material (e.g., sexist, racist), which can expose a company to legal actions. Therefore, companies should consider e-mail content-filtering engines to alleviate some of the potential problems brought on by unfettered mail communication.

Companies have to establish policies on what they want to filter, which often becomes a subject of dispute among various groups. Large companies will also need to dedicate personnel to review quarantined mail, a duty we believe should lie within human resources/compliance rather then within the IT group. Policies should also be set on encrypted e-mail (which cannot be filtered) and foreign language messages (which would make the lexicon useless), both of which can be quarantined for deeper consideration by most packages. Content filtering is also a component of some of the disciplines described above (e.g., secure e-mail transmission, spam protection, message classification/retention). Companies will struggle to balance in-depth filtering and the resources required (both human and computer) to carry out a comprehensive filtering program.

Virus Control

There has been a significant increase in mail-borne virus attacks via the Internet during the past year. Viruses are dangerous because increasingly sophisticated incarnations deliver extremely destructive payloads, rendering mail systems inoperable and destroying data. Virus cleanup can consume hundreds of hours of skilled IT personnel time. Viruses have also become more difficult to detect, since they can be nested in attachments or executables (which makes them particularly destructive because of their ability to self-replicate once inside the firewall). In addition to routinely scanning for viruses at the client and on the message server, users should add a third tier to their defense strategy by scanning all traffic coming from, and going to, the Internet.

About 80% of virus incidents are initiated by Internet-delivered e-mail. Therefore, organizations must have a way of checking e-mail for viruses through the addition of a gateway-based scanner. Capabilities should include the ability to dismantle e-mail into component parts so that all file permutations and compressions including MIME attachments; uuencoded, zipped OLE objects; and embedded DLLs can be scanned. Once the e-mail components are dismantled, the pieces should be passed to a virus scanner. If a virus is found, a red flag is raised. Otherwise, the e-mail is re-assembled and routed on to the recipient.

The steps we would like to see companies take in putting together comprehensive e-mail hygiene include:

• Decide what should be included in a mail hygiene policy and perform a gap analysis
• Dialog with the HR and legal teams about corporate policies and regulatory requirements
• Write and circulate an end-user e-mail policy document
• Ensure that alternative e-mail use (e.g., POP, IMAP, HTTP) is covered
• Develop secure e-mail programs/policies
• Create a multidisciplinary e-mail hygiene team
• Adjust budgets to accommodate increased spending
• Determine a delivery approach - hosted versus on premises
• Perform vendor selections

Section Two: Platform Considerations

In the first section, we outlined the wide range of e-mail threats and the requirements for full-featured messaging protection and policy management. In this section, we will consider the desirable characteristics of a multifaceted e-mail hygiene and policy management server:

• Multifunction: As explained in Section One, we believe a single vendor approach to mail hygiene is desirable, since it create efficiencies through every step of the e-mail control and policy administration process, starting by opening the message only once and performing multiple duties (e.g., spam, virus, content, policy scan), and continuing through a common management and policy-setting engine (including script writing) and use of common disposition options (e.g., quarantine for end-user, human resource, or compliance review). We believe this is far more efficient compared with using one vendor for virus protection, another for spam blocking, another for content filtering, and so on. However, multifunction e-mail hygiene servers must not be inferior to point products for any particular discipline.
• Enterprise scale: Enterprise size varies considerably, of course, but we believe there are common e-mail hygiene and policy management server virtues applicable to organizations of any size. First, the platform must come with a single management console from which policies can be set and updated for all servers - regardless of geographic location - and from which monitoring and reporting can be done across servers. Second, we believe the platform should allow for secure, delegated administration of specific duties, to optimize human resource allocations. Also critical is the ability to failover to another server, in the event of system malfunction, to ensure 100% uptime. The system must use hardware and operating system resources efficiently and create minimal delay in mail processing. Finally, the system must be easily scaled as the number of users grows or the duties of the server increase.
• Reporting: Broad and deep reporting capabilities are critical in an e-mail hygiene server for capacity planning, chargeback, employee monitoring, and security. Hygiene and policy tools should come with a comprehensive set of canned reports as well as the ability to create custom reports via queries to a relational database.
• Currency: E-mail hygiene/policy management is a fast and furious business. Hackers, virus writers, and spammers are constantly devising new mechanisms for bypassing existing hygiene and policy services. Therefore we believe hygiene and policy servers must be combined with aggressive update services (with daily updates at a minimum) that would include spam signatures, virus definition files, spam heuristics, and lexicon entries.
• Monitoring/management: Monitoring of system performance is crucial to the health of the e-mail hygiene and policy infrastructure. Monitoring multiple servers from a single console is imperative, and the server should be able to integrate with existing enterprise network management consoles. The monitoring services should support triggers, which will notify e-mail managers when certain thresholds have been breached, to ensure proactive response before system degradation.
• Scope: Although the immediate requirement for hygiene services is for protection at the perimeter of the messaging infrastructure (for messages that pass to and from the Internet), there are compelling reasons for hygiene services to be applied within the corporation for internal e-mail traffic. Some internal monitoring is required by various regulations, but we believe organizations will increasingly rely on hygiene servers to apply corporate policies to internal messages. As previously mentioned, companies may, for example, want to enforce policies regarding profanity or offensive messages, or clamp down on internal secret disclosure. We also believe enterprises will increasingly apply records management guidelines to messages, mandating that internal e-mail related to financial audits (and other topics) be archived for three to seven years. Consequently, hygiene and policy servers need to handle both external and internal e-mail traffic.
• Customization: Although the hygiene and policy server should come with extensive out-of-the-box features and simple setup, the demanding and specific nature of e-mail policy enforcement requires the ability to write custom rules reflecting corporate policy. These rules (e.g., “Any internal message involving HR reprimands must be archived for three years”) must be combined with flexible disposition options (e.g., “Write all customer e-mail to the appropriate customer file in the customer relationship database”). Furthermore, rule writing must be simple and easily delegated to non-IT personnel (with appropriate oversight).
• Extensibility: Messaging hygiene servers do not exist in isolation. They must interact with various mail relays, firewalls, storage media (for archival services), and e-mail platforms. Therefore, it is critical for mail hygiene server vendors to have a range of partnerships to create maximum flexibility in deployment.

Organizations must draw up a list of requirements for the operational aspects of mail hygiene services and measure vendors against those criteria. In addition, we suggest that many of these disciplines can be applied to instant messaging, and perhaps Web filtering, so organizations may want to expand the scope of mail hygiene to include other types of communication.

Section Three: Vendor Dynamics

By 2007, we expect the mail market to change from an industry characterized by many small suppliers (which currently forces organizations to stitch together complete solutions from multiple vendors) to an industry dominated by six to nine large vendors that will offer a quasi-complete range of e-mail management services. Furthermore, we believe the nature of mail management will shift from a focus on internal systems monitoring to perimeter management, leading to the creation of what META Group calls an “application security gateway” for e-mail.

These large suppliers will address a panoply of needs, including spam and virus blocking, protection from denial-of-service and other malicious attacks, message encryption, message control (e.g., expiration; prohibition of forwarding, printing, and saving to disk), supervision (primarily to meet regulatory requirements), archiving, and content/file blocking - all wrapped inside a comprehensive policy enforcement engine. Eºmail systems monitoring/reporting will be separate from these hygiene needs and will be supplied by the e-mail vendors themselves and by large console vendors. We also anticipate emergence of a healthy hosted market for e-mail hygiene services, since companies will not want to deal with the complexity and constant attention required by on-premises deployments. Market consolidation of single suppliers benefits organizations because broad enterprises will have a common console for most mail management needs, creating administrative (and hardware) efficiencies and facilitating corporate policy execution.

The existing mail management market can be broken down into three categories:

• Small, specialized suppliers (e.g., Tumbleweed, ActiveState, Group Technologies): These suppliers run the gamut from e-mail archival companies (e.g., KVS) to spam protection (e.g., Proofpoint), to Exchange reporting (e.g., eIQ) and represent the most vulnerable category in the e-mail management market. We expect vendors in this space that have competitive advantage or large installed bases to be acquired during the next three years. Corporate interest in best-of-breed, antispam solutions has given a boost to this category, but we expect this success to diminish rapidly as competitive differential evaporates. Some vendors will shift to alternative collaboration tools, such as instant messaging (IM), teamware, and Web conferencing and find some success in those underpopulated markets. Others will try to parlay their initial success in the spam-blocking market into a broader suite of tools: administration automation and self-service capabilities will be areas of innovation. Small vendors that offer monitoring and reporting tools are most at risk of incursion by IBM, Microsoft, and the console vendors’ activities. This market category can be further segmented into vendors that supply suites of tools (e.g., Group Technologies). These small suite suppliers generally have a long history in the market and have grown slowly via acquisition during the past several years (e.g., Tumbleweed with Worldtalk, IntelliReach with Melia, Clearswift with Content Technologies). We believe these vendors will continue to be the leaders in offering a broad spectrum of unified e-mail management services for the next three years, extending services into the archival and supervision markets. Viability concerns will eventually plague this group, and it will face significant challenges in 2006/07 from both the console vendors and midsized general-purpose suppliers.
• Medium-sized, general-purpose vendors (e.g., NetIQ, Quest, Trend Micro): With their capital and sales channels, these vendors will have the broadest market success starting in 2005 (e.g., Quest, NetIQ, SurfControl). Large installed bases will give them the opportunity to up-sell existing customers and offer broader management portfolios (for databases, directories, IM, browsers, etc.), with broad geographic coverage that enables them to offer additional efficiencies. This market category may be further segmented into suppliers with strong antivirus business. These vendors have been slow to recognize the opportunity to expand their presence at the e-mail perimeter into areas beyond virus control. Each of the Big Three virus firms (i.e., NAI, Trend, and Symantec) has rudimentary content-blocking capabilities and is attempting to move into the spam-blocking market via acquisition (NAI bought Deersoft), partnership (Trend OEMs Postini’s heuristics), or in-house development (Symantec). We believe these virus-blocking vendors will be slow to package complete e-mail management services, but they will, for example, supply virus and spam signatures to more comprehensive e-mail management vendors.
• Larger, general-purpose management console suppliers (e.g., CA IBM, Microsoft, HP): These enterprise console vendors will not follow a common path. We expect lBM and Microsoft to invest heavily in reporting and monitoring services for their respective e-mail platforms, in an effort to boost revenues from slowing, per-seat system revenue growth. We expect IBM to focus mostly on Domino/Workplace monitoring, and we anticipate that Microsoft will do the same with Exchange, while also focusing on perimeter management by adding virus and other hygiene services to its IMS gateway. Console vendors without e-mail systems - BMC and HP - will offer limited functionality (mostly monitoring services) on a good-enough basis to round out comprehensive management portfolios. We expect CA to focus on broader perimeter management concerns, encompassing e-mail, IM, and Web browsing.

We believe a fourth market category will emerge for hosted/managed providers, a category that is currently populated by small suppliers such as Postini, Message Labs, and FrontBridge. Other possible contenders include network equipment suppliers (e.g., Cisco, Nokia) and firewall vendors. Because this market is in a state of flux, care must be taken in procurement. When product functionality is equivalent, companies should opt for larger, multifunction vendors; however, if a strong differential exists, a best-of-breed choice is still appropriate. To maximize management efficiencies, companies should plan to migrate to suites of services during the next several years.

Conclusion

To ensure a healthy e-mail infrastructure, organizations must develop a comprehensive plan for e-mail hygiene and policy management that encompasses e-mail classification and retention as well as secure delivery, virus protection, content filtering, prevention of DOS attacks, and spam protection. Furthermore, IT groups must endeavor to make policy and hygiene management as unobtrusive to the user as possible. To accomplish these goals, corporations must work through a multistep process:

• IT executives, e-mail managers, and business people as well as human resource and legal personnel must work together to produce a comprehensive e-mail policy management program.
• The policy must be effectively communicated to the end-user community.
• IT groups must procure and operate necessary tools for enforcing the e-mail policy management program.

We believe use of policy management tools that handle multiple duties (assuming rich feature sets and good performance) are a better bet than use of multiple tools from multiple vendors. Tools that handle multiple duties promote efficiencies at the operational level (e.g., open a message once to scan for spam, viruses, and content) and at the management level (e.g., common interface, single point of control) as well as minimize vendor product conflicts. Single-vendor e-mail hygiene and policy management also makes it easier to tune performance and add capacity, which are two incredibly important factors in light of rapidly rising e-mail volumes. Furthermore, we believe a hygiene and policy management tool that is independent of the underlying messaging system is critical because it buffers mail managers from changing mail systems and makes policy management far easier in a heterogeneous mail environment. Still, the tool must also work with internal e-mail. Finally, we believe it is in the best interest of organizations to automate as much policy management as possible, and thereby eliminate dependencies on individual policy compliance.

No matter what tools and techniques are used, the critical point is that companies acknowledge that e-mail is a business-critical communication system that will only grow in importance during the next decade. Therefore, organizations must pro-actively set and enforce e-mail hygiene policies to ensure a healthy and productive e-mail infrastructure.

Business Impact: E-mail is the most critical communication channel within an organization. Enterprises must be more aggressive in deploying e-mail hygiene services to ensure dial-tone reliability and adherence to internal and external communication policies.

Bottom Line: Enterprises must develop a comprehensive approach to mail hygiene to increase e-mail system uptime, create operational efficiencies, and ensure broad and deep compliance with internal and external communication policies and regulations.

META Group originally published this article on 26 September 2003.