The secure email gateway market is mature. Buyers should focus on strategic vendors, data loss prevention capability, encryption and better protection from targeted phishing attacks.
The secure email gateway (SEG) market is defined by solutions that provide enterprise message transfer agent (MTA) capabilities, offer protection against inbound and outbound email threats (such as spam, phishing attacks and malware), and satisfy outbound corporate and regulatory policy requirements. SEG solutions can be offered in the form of software or appliances that go on customer premises, hosted solutions that reside in solution providers' data centers, multitenancy software as a service (SaaS) that exists in multiple data centers around the globe, or a combination of these — often referred to as a hybrid deployment. Unified threat management (UTM) devices that combine firewalls with some spam filtering are not included in this market.
Based on our analysis for this report, the total market showed little growth (less than 2%) in 2011. We have adjusted our total market size down from our estimate last year to $1.5 billion. Last year, we anticipated a slight increase in 2011 because of a recovering economy. However, the market growth rate is now at an effective plateau that accompanies a saturated and mature market. Ancillary services, such as data loss prevention (DLP) and encryption, are the main drivers of growth, while traditional spam and virus-filtering services, and other license and subscription revenue, are declining. The increase in suite bundling, especially with hosted mailboxes, will blur the SEG market, making future growth and market size difficult to identify. As more business goes to Microsoft and Google for cloud mailboxes, those vendors effectively increase SEG market share, to the detriment of all other vendors, because hygiene services come bundled with the mailbox. The solution providers in the Leaders quadrant encompass approximately 70% of the market by revenue. Vendors in the Leaders and Challengers quadrants account for approximately 86% of the market.
The increase in acceptance of the SaaS delivery form factor continues, although it, too, is beginning to plateau. We estimate that the SaaS portion of the market grew at around 5% in 2011 and now represents approximately 41% of the market. We continue to be bullish on this form factor and note that nearly all the vendors in this analysis now offer a SaaS-type delivery option. Moreover, approximately 80% of client inquiries ask when it will be appropriate to migrate to the SaaS or cloud-based delivery services. However, we notice that SaaS is more attractive to smaller organizations and very large federated organizations. Midsize organizations (that is, 5,000 to 20,000 seats) don't see significant advantages or economies of scale, and remain concerned about confidentiality.
Barracuda Networks is a private California-based company that focuses on producing a range of economical, easy-to-use appliances (hardware and virtual) and SaaS solutions aimed squarely at cost-conscious small or midsize businesses (SMBs), as well as educational and government institutions. Barracuda Spam & Virus Firewall appliances are shortlist candidates for organizations seeking "set and forget" functionality at a reasonable price.
- Barracuda leverages the open-source and white-hat community with its anti-spam technology, along with its own growing security lab. It is one of the few vendors that have a false-positive, false-negative report to monitor spam detection quality. It also offers an Outlook plug-in to report spam and false positives.
- The management interface is designed to be easy to configure — even for nontechnical users — with numerous wizards, context-sensitive help, and clearly visible recommended settings and explanations.
- The SaaS offering provides eight categories of spam.
- Barracuda offers an optional cloud-based prefilter, which filters out obvious spam before final filtering is done on-premises.
- Native basic pull-based encryption and DLP capability are free of charge.
- Barracuda Control Center can manage multiple boxes and centralize configuration, logs and reporting, and comes as a free cloud-based offering or an on-premises appliance.
- Service prices are per box, rather than per user, making Barracuda a significant price leader.
- Barracuda also offers an email archiving solution whose interface has a consistent look and feel, and which can be managed from the same Barracuda Control Center.
- Barracuda Labs is still relatively small. It does not offer any other third-party anti-malware engines.
- Advanced features for large enterprise users are missing, such as dashboard customization capacity, a hyperlinked drill-down, a reusable object-oriented policy, granular role-based administration, group-level-only data access, directory synchronization and a group-level policy. Reporting is still quite basic and lacks ad hoc capability to create completely new reports.
- DLP is limited to keyword and regular expression filtering. It is not very flexible. It only includes four predefined DLP dictionaries, and each policy requires its own dictionary. Workflow for compliance officers is limited.
Cisco continues to dominate the market for dedicated on-premises solutions for midsize-to-large organizations. Cisco offers four email security solutions: hardware appliances, cloud delivery, managed appliances, and a hybrid combination of appliance and cloud. Cisco also enjoys strategic vendor status with many of its customers and is well-respected in the core network buying centers. Cisco is a good candidate for midsize-to-large enterprise customers looking for best-of-breed functionality.
- Cisco has excellent scalability/reliability, an easy-to-use management interface, deep policy control and very granular MTA control capabilities.
- Its Outbreak Filters option provides unique targeted attack protection by scanning suspicious URLs in real time with ScanSafe. It has bulk/marketing email protection. Cisco has made improvements on low-volume spam attacks and IPv6-based reputation and spam.
- Cisco provides content-aware DLP capabilities with numerous predefined policies, dictionaries and identifiers, as well as a strong compliance officer interface. Cisco's solutions integrate, through RSA Enterprise Manager, with the enterprise DLP offering of RSA, The Security Division of EMC.
- It offers native policy-based email push encryption delivered on box or as a service with message recall, read receipt and message expiration, proprietary desktop-to-desktop encryption capabilities, support for BlackBerry, iOS and Android platforms, and large file attachment handling.
- Cisco Email Security benefits from Cisco's installed base of network security appliances and the Cisco Cloud Web Security (formerly ScanSafe) to collect a massive amount of Internet traffic information to spot new malware and spam trends. Cisco's broad array of network security components (firewalls, intrusion prevention systems [IPSs], secure Web gateways [SWGs] and routers) makes it a strategic vendor for organizations looking to consolidate buying around fewer security vendors.
- Cisco's focus on the needs of large enterprises doesn't always scale down well for SMBs. The user interface can be confusing and nonintuitive for less experienced operators.
- Cisco's hosted email offering only has four data centers in the U.S. and Europe so far.
- The Cisco Email Security management interface would benefit from a more flexible custom dashboard, although the reporting interface has dashboard-like functionality.
- Cisco solutions carry a very high list price relative to the market. Buyers must negotiate effectively to gain competitive pricing. The hosted service is competitive for basic inbound protection, but DLP and encryption come at premium costs.
- Cisco is not likely to offer a vertically integrated email stack (for example, security, archive, disaster recovery and hosted exchange).
- The Hybrid solution requires separate management interfaces.
- Cisco will no longer sell the PostX encryption appliance, which eliminates pull functionality and support for Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME); however, it continues to support on-box push encryption. The former PostX functionality will continue to be available via Cisco partner Totemo.
Clearswift has an established presence in the email protection market primarily in the U.K., Europe and Asia/Pacific. It has also branched out to the SWG market. In November 2011, Clearswift was the subject of a management buyout backed by Lyceum Capital. Clearswift offers a bare metal software or VMware/Hyper-V solution. The combination of SWG and SEG, and the provision of basic DLP capabilities across both channels, make it a reasonable shortlist candidate for buyers looking for both solutions from the same vendor.
- The Web-based management interface provides centralized management, dashboards, and reporting for the Web and email products; a centralized reporting engine; and the content scanning engine. It is easy to use for nontechnical users, and it has a lot of context-sensitive recommendations and help functions.
- The proprietary Clearswift DLP engine provides fast scanning of more than 150 file formats. It contains features to protect against denial-of-service attacks, and provides a selection of prebuilt patterns for common data types (PCI/PII), as well as common Boolean and proximity operators.
- Users can manage their quarantine from any browser or via an iPhone/iPad interface.
- Clearswift uses Commtouch for a portion of its anti-spam capability and has upgraded to the most recent engine.
- The solution includes a "bulk email" category, which is useful for reducing nuisance email.
- The ImageLogic pornographic and registered image detection engine is an extra utility service for organizations with this need.
- On-box encryption with support for S/MIME, PGP and password-protected email encryption with a built-in certificate store was recently improved with automatic certificate and key extraction and lookup. The Echoworx partnership provides enhanced encryption capabilities via a Web portal ("pull") or mailbox ("push").
- Clearswift is recovering its growth due to a focus on the core email and Web gateway business and improving customer support; however, its market and mind share are very low in a rapidly maturing market. It is late to deliver industry-leading features and functionality. It does not directly offer a SaaS-based delivery model or vertical products, such as email archiving. As buyers increasingly look for more strategic integrated vendors, Clearswift may have a difficult time standing out in a crowded market.
- Although the interface is easy to use for nontechnical users, it is limited in detail for more technical enterprise users.
- Advanced encryption provided by Echoworx is not integrated into the management interface. It lacks any control or visibility of sent messages, and it lacks self-service configuration of the encryption experience.
- DLP enhancements are needed in the ability to describe sensitive content beyond regular expressions, along with support for more advanced detection techniques, such as partial document matching. Policy management, workflow reporting and event management are rudimentary.
- Clearswift's list prices are high relative to close competitors and SaaS services.
Dell acquired SonicWALL and now offers a broad suite of network security solutions in the Dell SonicWALL family, including firewalls, virtual private networks, backup and a range of SEGs. It offers several SEG form factors, including hardware appliances, software and VMware versions, and hosted versions. It also offers a subset of SEG functionality delivered as SaaS prefilters for its UTM customers. Dell is a candidate for shortlist inclusion primarily for existing Dell SonicWALL firewall customers.
- Dell is one of the largest resellers of Microsoft Exchange solutions. The acquisition of SonicWALL enables Dell to sell a more integrated email solution stack.
- Dell SonicWALL has its own malware research team developing new spam signatures and detection techniques, which leverage data from its installed base of appliances. The solution leverages contact databases and communication partners to lower false positives.
- The management interface is localized in a number of languages and is easy to use. It has multitenancy support, and reporting is adequate for most organizations' needs.
- The solution includes some basic content-aware functionality for a DLP policy, with two prebuilt dictionaries and a number of predefined number identifiers, including Social Security number (SSN), credit card, phone and others.
- Dell SonicWALL Hosted Email Security was recently launched.
- It is difficult for any company to compete in many markets and across company segments — ranging from large enterprises to small offices — while providing market-leading features in each market segment. Dell SonicWALL does not provide any market-leading SEG functionality. Only a small percentage of its revenue is email-security-related. Its market and mind share are minimal and were not growing prior to the acquisition.
- Dell SonicWALL still does not provide any native encryption, except for Transport Layer Security (TLS), and does not allow TLS rules per domain. It has no real integration with dedicated third-party encryption solutions.
- DLP functionality is basic and supports only regular expression matching. It does not include any predefined policy, and event management is rudimentary.
Fortinet is a public company with a broad geographical market presence that offers a broad array of UTM and dedicated appliances for all organization sizes. It offers an array of anti-spam technology in various forms from client to UTM. This analysis, however, focuses on the dedicated SEG FortiMail appliances. FortiMail is a shortlist candidate for existing Fortinet customers or those looking for a firewall and SEG solution from the same vendor.
- The management interface is similar to other Fortinet products. FortiManager can manage up to 40 Fortinet devices, and FortiAnalyzer provides centralized log storage, dashboards and reporting.
- FortiMail appliances benefit from high-availability and scalability features, such as native clustering, load balancing and high-throughput appliances.
- FortiMail includes some basic DLP capability with regular expression matching via preconfigured and user-definable dictionary profiles.
- Identity-based push and pull encryption is included free of charge in the standard feature set.
- Fortinet offers attractive price-to-performance value, with appliance-based, rather than user-based, service pricing.
- Fortinet provides on-box or off-box policy-based message archiving that is fully indexed and available from the FortiMail management interface.
- It is difficult for any company to compete in many markets and across many company segments, ranging from carriers to the small office/home office market, and to provide market-leading features in each market segment. Fortinet is no exception. The company is much better known for its firewall/UTM market presence, and only a small percentage of its revenue is related to email security. In addition, it is not growing its market share in a rapidly maturing market.
- The administration interface is not really user-friendly and would benefit from enhanced search capability. The FortiAnalyzer component is required for in-depth, per-domain report and log access across multiple logs in a single interface. However, this component costs extra.
- Fortinet uses its own antivirus technology, and it does not have a big research organization, especially when compared with the leaders in this report or their partners. The addition of an optional third-party antivirus engine would be an improvement.
- Fortinet does not offer a hosted or managed service, although some service providers use Fortinet's infrastructure to deliver services to customers.
- DLP functionality is relatively basic and lacks good compliance workflow, notifications, partial document matching, delegated administration and hierarchical policies. DLP notifications employ static messages but lack the ability to dynamically modify the content.
Google remains one of the market and mind share leaders in the SaaS SEG market; however, its growth has been low because of lackluster innovation and feature development, and meager support. In August 2012, Google announced the gradual migration of all existing Postini customers to the Google Apps infrastructure and management console. Essentially, this means that existing Postini and future Google customers' email will be routed to a store-and-forward Gmail inbox for message filtering and then to the corporate mailbox. All administration will now be performed in the Google Apps management interface, making Google a particularly good choice for organizations considering future enterprise Gmail and other Google SaaS offerings.
- Google Postini customers will have the same spam-filtering mechanism as Google's millions of consumer and enterprise Gmail customers. This system relies partly on email user feedback about spam messages. Users will be able to easily submit false positives and false negatives using "is-spam" or "is-not-spam" plug-ins to refine the accuracy of the filters. For virus blocking, Gmail blocks all executables and has extensive malicious URL data from its primary search business.
- The Google Apps management interface and supporting infrastructure and services are foundational to Google's enterprise aspirations and make up the central management platform for enterprise Gmail and its enterprise Apps suite. This platform has been getting development attention that was lacking for Postini. For example, the admin console is in 27 languages versus a single language for Postini, and the policy creation engine is more flexible and modular and includes a richer set of optional rules and disposition actions.
- Gmail offers MAPI integration enabling a local Outlook spam quarantine, in addition to planned email quarantine digest emails and the native Gmail inbox spam quarantine.
- Because Google is sending inbound email to a Gmail inbox, it can become a backup email infrastructure in outages for reading inbound messages and sending messages. This also makes adopting an enterprise Gmail solution very simple, no doubt a significant Google motivator for this transition.
- Gmail includes a rich set of purpose-built tools for objectionable content.
- Gmail uses DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to validate senders.
- Google licenses ZixCorp's service for encryption.
- Google's price is typically very good compared with comparable services, especially for broad bundles of related services.
- The migration to the Gmail infrastructure eliminates a few features that were available to Postini customers. Most notably, email processing will move from in-memory-only processing to a more proxylike, store-and-forward architecture; Google will not guarantee in-geography processing, although it is making strides to comply with EU regulations; and Gmail does not offer spam categories, and industry heuristics rules will be eliminated.
- Gmail does not offer the same SLAs as Postini services or competitors. Gmail offers a 99.9% uptime SLA; however, there are no spam-filtering or virus-specific SLAs.
- At "launch," Google will not offer any synchronization capabilities that would keep the primary mail system updated with email sent from the Gmail inbox during outages.
- The Google/Postini service ranked very low in customer satisfaction in our customer reference survey. The move to a more strategic Google Apps platform may help alleviate some customer frustration, but the migration will likely introduce some short-term issues.
- Although Google offers regular expressions and dictionary policy constructs for basic DLP functionality, it lacks any preconfigured policy dictionaries and number formats for common use cases. The quarantine is not specific to the DLP task, and it offers no real features to ease compliance management workflow.
- Licensed encryption from ZixCorp does not provide any integrated management capability.
- Google does not offer many security assurances that are commonly offered by other providers, and it does not allow for site visits. It does, however, provide SSAE 16 audits and ISO 27001 certification, which serve as third-party attestation and certification.
McAfee, which is a subsidiary of Intel, has a broad range of endpoint and network security products. McAfee has consolidated its two on-premises gateway solutions in its latest version 7.x, which is a free version upgrade that is supported on hardware appliances that are less than three years old. It also offers blade server appliances, virtual versions, and SaaS-based SEG, archiving and disaster recovery services.
- McAfee's respected threat research team consolidates message, network, Web and file reputation data into its Global Threat Intelligence (GTI) system for real-time analysis of emerging threats.
- The Web-based management interface has customization of dashboard elements for each administrator, consolidated message queues and easy-to-understand disposition information.
- Its native DLP capability is strong and leverages the capabilities of its stand-alone enterprise-class, content-aware DLP offering. McAfee provides numerous predefined policies and dictionaries as part of the base product, and it supports self-defined content for policy creation. The solution supports delegated administration for distinct event viewing, along with the separation of duties.
- Basic encryption methods (TLS, S/MIME and PGP gateway encryption) are supported, along with push (secure envelope) encryption. It also supports the secure transfer of arbitrarily large files via its encrypted email pull capability.
- The SaaS offering provides a simple, clean, Web-based interface that is very easy to use for managing Web and email traffic. It is hosted in seven geographies (U.S., China/Hong Kong, Japan, New Zealand, Australia, England and the Netherlands). The service can lock message traffic to a specific geography to avoid processing traffic in foreign legal environments. The DLP capability is included in the base package, and policy-based pull/push email encryption is an optional add-on. McAfee customers can switch between solutions without any additional charge.
- McAfee has not expanded its market share in the enterprise SEG market since the Secure Computing acquisition, and it does not show up on Gartner client shortlists or competitive large enterprise deals as often as we would expect, given McAfee's channel reach. We believe that the McAfee network security portfolio may be less well-aligned with Intel's priorities.
- The McAfee and IronMail platforms have been consolidated in v.7, which is the first major new release in three years. The development focus of v.7 left some customers with outstanding issues on the previous version. We anticipate a more rapid release schedule; however, for former CipherTrust customers, it has been a long road.
- DLP integration across products is not fully complete. The email products share the same DLP engine, but content is not synchronized across products — meaning changes in one content list will not be replicated.
- Several Gartner clients and some reference customers have expressed concern about McAfee support capabilities. McAfee scored very low in customer satisfaction in our reference customer survey.
Microsoft offers two complementary email security solutions. Its flagship product is Forefront Online Protection for Exchange (FOPE), which is a SaaS-based solution. Forefront Protection 2010 for Exchange Server (FPE) is a software solution that is run on Exchange. FOPE is a good shortlist inclusion, especially for Microsoft-centric customers that purchase premium licensing. It is a default choice for organizations considering Microsoft's Exchange Online or the Office 365 suite. Enterprise buyers should consider FPE primarily as an additional layer of antivirus protection for the Exchange message store and for internal federated Exchange filtering, rather than as a stand-alone SEG solution. Microsoft's dominance in the email market makes it a strategic provider of SEG solutions.
- FOPE mirrors email across multiple data centers for redundancy. Mail-processing data centers are located in the U.S. and Europe. Microsoft supports in-geography mail processing for its U.S. customers.
- Exchange, Outlook, and the FOPE and Exchange Hosted Encryption (EHE) network all support TLS, S/MIME and PGP. FOPE also offers a Hosted Encryption solution that is based on Voltage Security technology. FOPE supports large file attachment transfer up to 150MB.
- Forefront Protection Server Management Console 2010 (FPSMC) provides multiserver management for FPE 2010 and integrates with the FOPE Administration Center.
- The Junk E-Mail Outlook plug-in enables users to directly report junk email to Microsoft for analysis.
- FPE is useful on an Exchange hub for internal virus filtering.
- Microsoft's email security solutions are part of the enterprise client access license (CAL), the Exchange Enterprise CAL and the Forefront Protection Suite. Users should check their license entitlements before they consider alternatives.
- Microsoft is capable of tighter integration of SEG functions with Exchange/Outlook than competitors. Gartner anticipates significant improvements in DLP and encryption capabilities that are tightly integrated with the Outlook client, as well as integrated management of FOPE/FPE and Exchange in Microsoft's next version of Exchange/Outlook (which Gartner estimates will be available in early 2013).
- Microsoft is not on the leading edge of functionality in this market and is very slow to offer major new improvements.
- Microsoft only has data centers in the U.S. and the EU, and in-geography-only routing is only available in the U.S.
- Buyers that have not standardized on Active Directory require Forefront Identity Manager to consolidate directories in a single addressable entity for synchronization with the service.
- The DLP capability is very limited in the current release. It does not provide extensive workflow or predeveloped policies and notifications. The licensed encryption solution is not integrated into the management console and lacks self-service configuration of the encryption experience and significant control or visibility of sent messages.
- Policy changes take some time to propagate through the network, which lacks a feedback loop to certify that the changes have been implemented.
- The FOPE spam detection SLA at 98% is lower than the industry norm of 99%.
Mimecast is a U.K.-based dedicated email security vendor that is expanding into North America. It offers a range of SaaS-based email security services, including SEG, archiving/e-discovery and disaster recovery. Mimecast is a good fit for organizations looking for a full suite of services, and those looking to provide end users with a set of email security utilities.
- Mimecast provides a multitenant SaaS email infrastructure with simple administration across the range of email security services. It is hosted in 10 data centers in the U.S., the U.K., South Africa and the Channel Islands.
- It provides a set of email utilities for end users via its Outlook plug-in, making it seamless for users to manage their email without leaving Outlook. This integration allows users to specify how messages are handled at the gateway by using message actions that let users choose encryption types, what stationery to apply, document conversion options, and large file attachment handling. Archive, search and disaster recovery are also integrated into Outlook, so the end user has only one interface for all tasks.
- DLP and encryption capabilities are available at an additional cost and are adequate for most compliance tasks. DLP includes attached file content analysis and comes with numerous dictionaries available for import. Encryption is Web pull-based or TLS, and can be invoked by end users via the Outlook plug-in or by policy.
- Message tracing is enhanced by a rolling archive that enables administrators to search on any part of an email, including the body.
- Although it is growing faster than the market, Mimecast is one of the smallest vendors in this analysis, and it has very low mind share and market share. As buyers increasingly look for more-strategic integrated vendors, Mimecast will have a difficult time standing out in a crowded market.
- Mimecast only has a small malware/spam research team. It is dependent on partners for a portion of its spam and malware detection capability.
- List pricing for basic SEG services at lower volumes (less than 501 seats) is above average. DLP, encryption and setup costs are extra.
- DLP capability could be improved with embedded dictionaries and policies that are updated by Mimecast, rather than downloadable. It does not support partial hashes or referenced data (database), and it can't import or export rules or events to enterprise DLP solutions.
- Reference customers cited reporting, multiple account administration and simpler administration as areas that could be improved.
Proofpoint continues to lead the market with innovative features and a singular focus on email security issues — resulting in one of the highest growth rates in this market. In addition to SEG capabilities, the company offers archiving, document discovery/governance, large file transfer and mailbox hosting. Proofpoint's flagship email security solution (Proofpoint Enterprise) is available as a hosted service; as on-premises appliances, virtual (VMware) appliances and software; or as a hybrid combination of these versions. Proofpoint is a very good candidate for organizations looking for a full range of best-of-breed SEG functionality in supported geographies.
- Spam and malware accuracy has always been a consistent strength of Proofpoint, and the company is one of the few that publicly reports its anti-spam effectiveness (see www.proofpoint.com/products/livespamstats.php). Proofpoint provides spam classifiers (adult, bulk mail, phish and suspected spam) to enable more granular policy. The company continues to invest in new techniques for spam and spear phishing detection, including a new Targeted Attack Protection service to detect and report on targeted attack activity.
- Its recently updated Web-based management interface continues to be one of the best, with numerous innovations and unique features. We particularly like the completely customizable dashboards for each administrator.
- Proofpoint offers integrated, push policy-based encryption that incorporates the features traditionally associated with pull offerings, and is optimized for mobile devices. The solution also supports TLS, S/MIME and PGP secure email delivery.
- DLP features are very strong and include numerous prebuilt policies, dictionaries, number identifiers and integrated policy-based encryption. Policy development is object-oriented and similar across spam and DLP. The DLP quarantine is very sophisticated for a channel solution, and it includes highlighted policy violations and the ability to add comments to incidents. DLP policy can be enforced on Web traffic via a dedicated network sniffer or Internet Content Adaptation Protocol (ICAP) integration with a proxy server.
- SaaS data centers are located in the U.S., Canada, Germany and the Netherlands.
- Proofpoint's dedicated focus on email is both a strength and a weakness. Although it continues to define best-of-breed functionality, in a rapidly maturing market, best-of-breed often becomes overkill to some customers. Concurrently, numerous enterprise buyers are looking for opportunities to consolidate product purchases around fewer, more strategic vendors.
- Despite good growth rates, Proofpoint continues to have a smaller market and mind share, especially outside North America.
- Because of its corporate focus and high prices, Proofpoint is a poor fit for smaller organizations that do not require advanced controls.
- The archiving service does not yet have a shared management interface with the hosted or on-premises solutions, and customers commented that the hybrid experience should be more seamless.
- Despite improvements in reporting, it still lacks a completely ad hoc reporting capability. Several customers commented on the complexity of the upgrade process.
Sophos has been in the SEG market since 2003 and recently entered the UTM market with the acquisition of Astaro. It has a relentless focus on simplifying the management of its solutions. Its current flagship solution, the Sophos Email Appliance, is offered as hardware and virtual appliances. The company also offers PureMessage software versions for Unix, Exchange and Lotus. Sophos is a shortlist candidate for SMBs and larger enterprises looking for low-administration appliance-based solutions.
- The management interface is very easy to use for a nontechnical user. Dashboards are very graphical and allow for some level of linked drill-down into log or reporting data. We particularly like the included appliance-monitoring service and authorized remote access, which allows Sophos to proactively monitor box health and provide optional remote assistance when needed. Software version updates and database updates are all pushed to the appliances, which significantly reduces administration time and allows for more incremental updates.
- Spam and malware detection technology includes bulk email detection.
- DLP and encryption are included with the license. Sophos provides a very rich set of DLP dictionaries, lexicons and compliance policies, which are continuously updated by SophosLabs.
- Secure PDF Exchange (SPX) encryption functionality provides a very easy-to-use, push-based model that captures email content and converts it to a password-protected PDF file attached to the original email.
- Sophos gets very high marks for customer service and support.
- Despite a long presence in the market, Sophos has minimal mind share or market share.
- Sophos' focus on providing simple-to-manage appliances can be limiting for larger organizations. Advanced enterprise-class features, such as dashboard customization, log data visibility restrictions, and advanced reporting, are all missing or weak. It does not allow for per-user sending limits. Sophos still does not support DKIM or SPF, which are important standards for detecting spoofed messages.
- DLP workflow is weak compared with the Leaders in this Magic Quadrant. There is no compliance officer role or a specific quarantine to enable compliance-related workflow, such as building cases, annotating events or custom actions for email. Notifications for policy compliance are created for each event, rather than created as objects and referenced in policy.
- Although Sophos includes its SEG product with several suites, it does not yet provide a common interface to manage and monitor multiple products.
- Sophos does not offer a SaaS-based delivery option.
Symantec is one of the largest SEG vendors by market share and continues to grow faster than the market. It has one of the broadest ranges of mature SEG offerings, including hardware appliances, SaaS, virtual appliances (VMware), and software for Exchange and Domino. Symantec also offers archiving and e-discovery solutions and disaster recovery email services. Continuous improvements in the Symantec Messaging Gateway (SMG) and the Symantec.cloud SaaS service make Symantec a good candidate for most organizations.
- Symantec has a very large and sophisticated malware research team that has access to a significant amount of telemetry data from its very large consumer, Internet service provider, SMB and enterprise customer base.
- The vendor has spam categories for marketing and newsletters to quarantine nuisance email. Recently, it made improvements in non-English spam, including Chinese image spam.
- The submission process for false positives/negatives is much improved. It now includes a full cycle reporting capability that highlights resulting changes and enables the creation of custom rule sets based on submitted samples.
- Symantec offers complex content-filtering policy constructs, such as negative-filtering conditions, multiple simultaneous content-filtering policies and early exit branches to stop further processing.
- SMG is offered as part of an endpoint and SWG package deal that is very attractively priced.
- Symantec is a leader in the enterprise DLP market, and leverages the same content inspection engine and predefined content in its SEG solution. Recently, it improved the synchronization of quarantine management, incident status and the workflow with the enterprise DLP solution.
- Symantec.cloud offers very strong SLAs, and it is hosted in 18 data centers.
- Both solutions get high marks from customers for support and services, and ease of use.
- Symantec offers PGP encryption capability in addition to a partnership with ZixCorp or Echoworx.
- Symantec management does not integrate across on-premises and service offerings for hybrid deployments or offer pricing that allows users to swap between deployment types.
- DLP integration is improving for workflow but not policy and content synchronization. The Symantec.cloud DLP solution lacks granular policy options.
- The licensed encryption solutions are not integrated into the management console and lack self-service configuration of the encryption experience and significant control or visibility of sent messages.
- The SMG management console could be improved with better reporting, an email disposition summary that provides clear indicators of why email is quarantined, per-user sending limits and less-dense DLP policy configuration.
Trend Micro is a major provider of anti-malware protection solutions and was an early entrant in the SEG market. Its current InterScan Messaging Security Suite (IMSS) is offered on a broad range of delivery form factors, including software (Windows, Linux, Solaris and Exchange), virtual appliances (VMware), software appliance for installation on any bare metal hardware, and a SaaS and hybrid offering. Recent initiatives demonstrate a renewed SEG focus. Trend Micro remains a shortlist candidate for most organizations.
- Trend Micro has a large and well-respected malware and spam research team.
- IMSSs can perform live queries against the cloud-based database (Smart Protection Network) to reduce threat distribution lag time.
- The new optional Dynamic Threat Analysis System (DTAS) inspects suspect files in a sandbox to provide more detailed inspection and forensic information.
- Software and virtual versions come with an optional hybrid deployment option, which provides reputation and coarse content filtering, with integrated on-premises quarantine, management and reporting.
- Trend Micro offers a widget-based graphical management interface that each administrator can customize with predefined widgets.
- Trend Micro's DLP module was recently integrated with its Control Manager, enabling DLP management across its endpoint, Web and email solutions. Trend Micro also expanded its predefined DLP content.
- Although Trend Micro had an early presence in this market, its market share has been relatively flat, and it has failed to gain mind and market share — keeping it out of the Leaders quadrant.
- Reference customers requested more granular reporting and better centralized management for multiple sites, simpler updating, and simpler and more intuitive configuration.
- The SaaS offering is focused on SMBs. It does not offer archiving, mailbox hosting or disaster recovery/continuity services. Although many of the component parts of the service are the same as the on-premises solution, the management interface is different.
- Corporate and user allow lists are not synchronized between the SaaS-based prefilter and the enterprise solution, although they can be imported and exported.
- Native IMSS workflow capabilities are weak without integration with Trend Micro's Control Manager.
- The offline sandbox DTAS is very new and costs extra.
In March 2012, Trustwave acquired M86 Security. Based in Illinois, Trustwave is a large and rapidly growing service provider that focuses primarily on PCI compliance requirements. It has accumulated a number of security products, including UTM firewalls for application security and compliance products. In addition, Trustwave offers a large number of managed services. Trustwave also offers a cloud solution that is branded and sold by service providers and channel partners.
- The Windows-based management interface is capable and offers some advanced features, such as task shortcuts and support for batch file workflow commands. Role-based and multitenant management capability is a core strength.
- Its Blended Threats Module uses URL rewriting to analyze potentially malicious URLs at the time of access using the SWG service. By default, it uses an automatically updated whitelist of communication recipients and connecting IP addresses to reduce false positives.
- Antivirus is provided as an option by Kaspersky, Sophos, McAfee or Norman.
- Existing DLP capabilities, which include basic regular expression matching and some predeveloped policies, dictionaries and number formats, will be augmented by Trustwave's enterprise DLP solutions.
- M86 was struggling to gain broad brand recognition and sales momentum in the SEG market. The Trustwave acquisition is not likely to increase the level of product investment or momentum outside Trustwave's managed security service provider clients. Trustwave has very little channel support outside the PCI and payment processing verticals.
- The solution has three management interfaces with little integration. There are limited dashboard elements and no hyperlinked drill-downs into reports. The policy interface is a tired-looking Windows application with pop-up, Windows-style workflow.
- DLP capabilities are limited to a keyword analysis and do not include many predefined policies, dictionaries or lexicons, nor do they offer much workflow support for compliance officers.
- On-box encryption is limited to TLS, and advanced encryption provided by ZixCorp is not integrated into the management interface. Thus, it lacks any control or visibility of sent messages, and it lacks self-service configuration of the encryption experience.
- The SaaS service is limited to the New Zealand and Australian markets, and list pricing is well above global averages.
WatchGuard, which is better known for its multifunction firewalls, also offers an appliance-based combined email and Web gateway called Extensible Content Security (XCS). WatchGuard's primary user base is SMBs. However, the XCS SEG solution has a good mix of midsize and large North American enterprise customers. WatchGuard XCS is a good shortlist option for existing WatchGuard customers.
- XCS provides SEG and SWG functionality in the same appliance (hardware or virtual version), and relevant policies can be set for both channels in the same management interface. The management interface was improved with more wizards to simplify deployment and management, a frequent task screen, and improved message tracking and reporting.
- XCS provides native clustering that creates a virtual machine mail queue. The message queue is mirrored across devices in clustered deployments for high availability.
- The DLP policy is shared across Web and email traffic, and includes financial and medical term dictionaries, and predefined number formats for common data types, such as credit cards and SSNs.
- WatchGuard's mind share and market share remain very small, and it is not growing. It is difficult for any company to compete in many markets and across many company segments, and to provide market-leading features in each market segment. The company is much better known for its firewall/UTM market presence, and only a small percentage of its revenue is related to email security. It is not growing its market share in a rapidly maturing market.
- The management dashboard could be improved with a customization capability, role-specific views and more-hyperlinked drill-down capabilities into relevant reports. Role-based administration could be improved with reusable role definitions, more options for role policies and the ability to limit an administrator's log data access to just the groups managed.
- Its DLP policy could be improved with more predeveloped dictionaries and policies for common regulations, as well as better quarantine management options for compliance officers and broader content support.
- Advanced encryption provided by Voltage is not integrated into the management interface. Thus, it lacks any control or visibility of sent messages and self-service configuration of the encryption experience.
- WatchGuard does not have SaaS offerings.
Websense offers a number of delivery options: Cloud Email Security (CES), which is a SaaS offering; Websense Email Security (WES), which is an on-premises software solution; and the Websense Email Security Gateway Anywhere (ESGA) hybrid solution, which combines a prefilter SaaS with an on-premises appliance-based solution. It also offers a similar set of services with SWG functionality. However, Websense's primary focus is on the flagship Triton solution, which combines email, Web and data security as part of a single, unified content security solution. Websense is an excellent candidate solution for buyers looking for integrated SWG and SEG functionality, and advanced DLP capability.
- All the various Websense solutions are tied together with the Triton management interface and reporting engine, which has numerous advanced features, including bulk email detection, malicious URL analyses at the time of access, static code analysis of suspicious documents and drip DLP protection to detect data leaked in smaller chunks.
- Websense has 15 data centers located in 11 countries.
- Websense offers very strong DLP capabilities for this market. It includes numerous predefined DLP content dictionaries in 12 languages, plus additional compliance templates for items such as PCI DSS, state data privacy laws, HIPAA and the Gramm-Leach-Bliley Act.
- Native encryption provides TLS, as well as basic push and pull functions.
- Websense recently added an archival service (via an OEM partner) and a disaster recovery/business continuity service that provides an Outlook Web Access-type view into messages queued, with the service and outbound email functionality.
- It is one of the few solutions in this report that enables administrators to view a false-negative and false-positive report in the dashboard.
- Websense has a long history in the Web security market, but its mind share and market share in the SEG market are comparatively low. However, Websense is showing good growth in the enterprise market among customers looking for converged SEG, SWG and DLP.
- The Triton management interface can be very complex and involve numerous steps to create policies. The dashboards have only limited customization, and there is no ad hoc reporting capability. CES message search is not quite in real time and could experience as much as a five-minute delay.
- Advanced encryption provided by Voltage is not integrated into the Triton management interface. Thus, it lacks any control or visibility of sent messages and self-service configuration of the encryption experience.
- Off-box SQL log storage is recommended for larger deployments of on-premises solutions.
- Without the hybrid Triton solution, there are management and configuration differences between the capability of the SaaS offering and the on-premises appliance solution. For example, SaaS-based DLP and reporting capabilities are not as complete as the on-premises offering.
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
Mimecast reached our inclusion criteria minimum customer threshold and recently unbundled its suite to allow customers to buy SEG-only services. Dell acquired SonicWALL, and Trustwave acquired M86 Security. These solutions now appear under the new names.
Webroot is refocusing the company on its endpoint protection solutions and has closed its SaaS email services to any future business. It is in the process of helping customers migrate to other providers.
This Magic Quadrant is not intended to be an exhaustive analysis of every vendor in this market, but rather a focused analysis of solutions that are most interesting to the majority of our clients. Other vendors were not included in this analysis because they do not fit the technical inclusion criteria. Sendmail is one that has a respectable large enterprise presence but takes a unique approach by offering a platform that enables enterprises to plug in various email security applications from other vendors. This approach enables enterprises to build their own solutions from component vendors, while offering an overall management framework and underlying scalable messaging transfer agent. Vendors such as Spamina, Axway, eleven, and AppRiver focus on a particular geographic or vertical market niche.
- The solution must have its own proprietary capabilities to block or filter unwanted email traffic.
- Supplementing the solution with third-party technology is acceptable.
- The solution must provide email virus scanning via its own or a third-party antivirus engine.
- The solution must provide basic intrusion prevention.
- The solution must offer email encryption functionality beyond TLS on its own or via a third-party relationship.
- The solution must offer the ability to scan outbound email according to a set of basic vendor-supplied dictionaries and common identifiers (for example, SSN, credit card, bank account and routing numbers).
- Vendors must have at least 2,000 direct (not via OEM) enterprise customers in production for their email security boundary products.
- Multifunction firewalls (also known as UTM devices) are outside the scope of this analysis. These devices are traditional network firewalls that also combine numerous network security technologies — such as anti-spam, antivirus, network IPS and URL filtering — into a single box. Multifunction firewalls are compelling for the SMB and branch office markets. However, in most circumstances, enterprise buyers do not consider multifunction firewalls as replacements for SEGs.
Vertical positioning on the Ability to Execute axis was determined by evaluating the following factors:
- Overall viability was given a heavy weighting, because this is a mature and saturated market. Overall viability was considered, not only in terms of the overall company revenue, channel reach, management team and resources of the vendor, but also in terms of the importance of the email security unit at each company.
- Sales execution/pricing scores reflected a comparison of pricing relative to the market.
- Market responsiveness and track record measured the speed with which the vendor has spotted a market shift and produced a product that potential customers are looking for, as well as the size of the vendor's installed base relative to the amount of time the product has been on the market. This weighting takes into account a vendor's performance over time, but performance during the past 18 months was evaluated most significantly.
- Customer experience measured the quality of the customer experience based on reference calls and Gartner client teleconferences. We incorporated research and reference call data on support responsiveness and timeliness, quality of releases and patches, and general experiences when installing and managing the product and service on a day-to-day basis.
- The operations score reflects the corporate resources (in other words, management, business facilities, threat research, and support and distribution infrastructure) that the SEG business unit can draw on to improve product functionality, marketing and sales. We also took into consideration the focus and transitions of the SEG teams in acquired companies.
Source: Gartner (August 2012)
The Completeness of Vision axis captures the technical quality and breadth of the product, and the vendor's organizational characteristics that will lead to higher product satisfaction among midsize to large enterprise customers, such as how well the vendor understands this market, its history of innovation and its geographic presence. In market understanding, we ranked vendors on the strength of their commitment to this market in the form of strong product management, their vision for this market and the degree to which their road maps reflect a solid commitment of resources to achieve that vision.
We heavily weighted the product features of the vendors' flagship solutions in the Completeness of Vision criteria. Product features that Gartner deemed the most important were:
- Anti-spam/phishing effectiveness and investment in malware research, especially targeted attack detection
- Management and reporting functionality
- DLP capabilities
- Encryption capabilities
- Delivery form factor options
Other functionality or solutions relevant to the buyer in the target market of the supplier, such as archiving, disaster recovery and file transfer, were also taken into account.
Source: Gartner (August 2012)
Leaders are performing well, have a clear vision of market direction and are actively building competencies to sustain their leadership positions in the market. Companies in this quadrant offer a comprehensive and proficient range of email security functionality, and show evidence of superior vision and execution for current and anticipated customer requirements. Leaders typically have a relatively high market share and/or strong revenue growth, own a good portion of their threat or content-filtering capabilities, and demonstrate positive customer feedback for anti-spam efficacy and related service and support.
Challengers execute well, but they have a less defined view of market direction. Therefore, they may not be aggressive in preparing for the future. Companies in this quadrant typically have strong execution capabilities, evidenced by financial resources, and a significant sales and brand presence garnered from the company as a whole or other factors. However, Challengers have not demonstrated as rich a capability or track record for their email security product portfolios as vendors in the Leaders quadrant.
Visionaries have a clear vision of market direction and are focused on preparing for that, but they may be challenged to execute against that vision because of undercapitalization, market presence, experience, size, scope and so forth.
Niche Players focus on a particular segment of the client base, as defined by characteristics such as a specific geographic delivery capability or dedication to a more limited product set. Their ability to outperform or be innovative may be affected by this narrow focus. Vendors in this quadrant may have a small installed base or may be limited, according to Gartner's criteria, by a number of factors. These factors may include limited investment or capability to provide email security threat detection organically, a geographically limited footprint or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on the vendors' value in the more narrowly focused market they service.
- The total market revenue is peaking as it reaches saturation and primary feature maturity. Buyers should focus on more-strategic vendors that will continue to accumulate market share.
- Consider incumbent cloud-based email platforms that will typically offer good enough spam and malware protection for most organizations.
- SaaS solutions are very attractive to smaller organizations (fewer than 2,000 seats), which tend to have lower customization requirements and fewer resources to manage solutions, and to larger organizations that favor outsourcing.
- Pay careful attention to outbound email requirements such as DLP and encryption. These features are very differentiated across products.
- Organizations concerned about targeted attacks should consider this attack prevention capability as a primary differentiator among Leaders.
The SEG market is a mature market. The penetration rate of commercial SEG solutions is close to 100% of enterprises. Buyers are becoming more price-sensitive; 80% of recently surveyed reference customers (see Note 1) said that price was important or very important. The market growth rate has leveled off, and there are no significant entrants into the market or acquisitions — all classic symptoms of a mature market.
Despite market maturity, SEGs are not a solution companies can do without. Global spam volumes declined in 2011, as spammers moved to other mediums such as social networks, but spam still represents as much as 75% of email and email viruses. Phishing attacks continue to oscillate, while more targeted phishing attacks increase. Better protection from targeted phishing attacks is the most critical new inbound protection capability (72% of respondents indicated that this was a very important capability), but only a few vendors have advanced the state of the art against these attacks. Also, leading vendors continue to invest in anti-spam techniques to maintain high detection and low false-positive rates.
Interest in outbound email hygiene continues. Outbound capabilities such as DLP and encryption capabilities remain the single biggest feature differentiators and are the primary reason we have not yet moved to a MarketScope format for this analysis. Of the respondents (see Note 1), 32% indicated that they already use DLP, and 35% plan on adopting DLP in the next 24 months. Thirty-two percent of respondents already use email encryption beyond TLS, while another 28% plan on adopting it in the next 24 months.
Form factors are also differentiators, with interest in and deployment of virtual solutions and SaaS solutions continuing. Leading vendors in this market are expanding their offerings vertically into adjacent markets (such as mailbox hosting, hosted archiving, e-discovery and continuity services) and horizontally into SWG (see "Magic Quadrant for Secure Web Gateway") solutions linked by common DLP and management. However, buyer demand for these services from the same vendor is mixed, and purchase decisions rarely coincide.