Email security remains a threat

Proofpoint Shield is another example, a cloud-based service that reduces by a claimed 80 to 90 per cent the volume of inbound email that must be processed by on-premises email security gateways. The company claims it can be deployed in minutes in front of any on-premises email security appliance, including solutions from Cisco (IronPort), McAfee (Secure Computing/CipherTrust), Symantec, Trend Micro and Tumbleweed.

Proofpoint says that after processing, the remaining messages are delivered to the customer's on-premises email security gateway, which can apply additional features. Administrators retain full control of routing, policy, reporting and end-user functions delivered by their existing on-premises gateway.

Even Google has attempted to move into this market, launching a Message Security product, a cloud-based service based on Postini technology.

Encryption
Once the preserve of secretive government agencies, strong encryption has now firmly entered the corporate mainstream as a method of protecting data at rest - especially stored customer data and emails. Increasing media interest in data breaches has raised awareness of the necessity of encryption, a de facto standard in the US, due to disclosure laws. Recent European and UK regulation also requires many sectors, such as financial services, to store customer communications for several years - a potential problem if such data were unencrypted. These pressures have produced a huge expansion in email encryption products, both for storage and for PKI-based communication architectures.

One example is PGP's Desktop Email, a transparent email encryption solution using open standards. The desktop software can be deployed by the PGP Universal Server, which takes care of key management, policy and software updates and supports the two global email encryption standards, OpenPGP and S/MIME, automatically discovering keys and certificates, says PGP.

Old favourites such as PGP's have come under increasing attack from competitors, such as Trend Micro Email Encryption, developed by cryptographers at the University of Bristol. It uses identity-based encryption (IBE) to avoid the pre-registration and certificate management of earlier Public Key Infrastructure (PKI) technology. Encrypted content is simply pushed from senders to recipients.

PineApp offers another centralised mail encryption solution, which can be integrated with its Mail-SeCure appliance that provides perimeter security and anti-spam, anti-virus, content filtering and email management tools. The encryption product is designed to protect only sensitive content, so system administrators can define rules that determine what gets encrypted, for example all email coming into or leaving the legal department. Once configured, the encryption process is automatic, although recipients need to register with the system.

Other standalone products for the SME market include Steganos, whose latest standalone software suite comes with mailbox encryption.

Data loss prevention (DLP)
After encryption, the latest hot topic is data loss prevention (DLP). Similar market drivers have spurred corporate interest, and the huge fraud at Société Générale last year - when a rogue trader separated the French bank from £3.7bn - has drawn attention to the importance of DLP strategies and technology.

One recent launch has been InterGuard's Datalock desktop product, which screens all email, email attachments and removable media for types of data rather than proscribed documents. This has a significant advantage over traditional document "fingerprinting" methods, which depend on the compilation and availability of a list of an organisation's highly sensitive documents.

Mobile
Once a novelty sideline, mobile email has been business-critical for some time, and products to secure access and content are readily available. Many AV companies offer handset-based endpoint clients with centralised management to prevent attacks on email content and corporate address books. F-Secure, Sophos and McAfee all offer AV clients for Symbian and Windows.

However, the popularity of the iPhone and BlackBerry as business tools has changed the game. BlackBerry claims its Enterprise Solution has FIPS 140 validation and a Common Criteria certification, in addition to a Secure Information Technology (SIT) certificate from the Fraunhofer Institute. Apple has made few security claims on behalf of the iPhone, and experts are divided - many point to the higher penetration of Symbian and BlackBerry devices as a mitigating factor in the short term, as well as the lack of an SDK for the iPhone. However, various vulnerabilities have been widely reported to date.