
What You Need to Know

This document was revised on 5 May 2010. For more information, see the Corrections page on gartner.com.
- The e-mail security market is very mature, and there has been minimal vendor movement in the Magic Quadrant since our last analysis.
- Spam-filtering effectiveness is at an acceptable rate for most organizations.
- Inbound improvements are still needed to detect targeted phishing e-mails, which are an increasing problem.
- Content-aware data loss prevention (DLP) that includes numerous prebuilt dictionaries and regulatory policies is a significant differentiator; however, buyers must understand how these capabilities will be used in the context of the broader enterprise DLP strategy.
- Policy-based encryption is an increasingly important capability and a significant differentiator of leading products.
- E-mail security solutions are available in various delivery models. Appliances and security as a service (SecaaS) are the most popular, but the availability of hybrid (combination of on-premises and SecaaS) and virtual appliances is increasing.
- The breadth of the product portfolio is also an important consideration as organizations look to consolidate security buying around fewer, more-strategic vendors, especially in mature product domains.

Magic Quadrant

Figure 1. Magic Quadrant for Secure E-Mail Gateways
Source: Gartner (April 2010)

The market for secure e-mail gateways (SEGs) has matured considerably since our last Magic Quadrant. The penetration rate of SEG capability among Gartner enterprise customers is close to 100%. Few new vendors are moving into the market, and merger and acquisition activity has slowed considerably, as the Leaders quadrant fills up with strategic vendors with broad portfolios and formidable sales channels. Basic spam and virus detection effectiveness is 99% or more for almost all the vendors in this analysis. Although spam detection effectiveness is not perfect, it is within acceptable limits for most organizations, and buying activity is limited to organizations that are replacing aging appliances or are at contract termination.
Although high-volume spam campaigns are getting easier to filter out, one area of deficiency in spam-related functionality is the ability to detect highly targeted phishing attacks. Most solutions rely heavily on reputation and are good at catching high-volume attacks, but few have adapted to changing attack patterns that are more sophisticated. Because reputation filtering is responsible for 80% to 90% of e-mail rejections at the gateway, organizations must be careful to protect their own reputations. An increasingly common attack method is to get credentialed access to e-mail systems via targeted phishing attacks seeking employees' Outlook Web Access (OWA) user names and passwords. Attackers then exploit the lack of outbound spam detection or message throttling on corporate e-mail systems to send spam, damaging the victim organization's reputation. In 2010, vendors will have to improve their defenses by improving outbound spam detection and e-mail throttling policy options, as well as by improving their effectiveness against highly targeted phishing attacks.
One area of significant differentiation among products in this analysis is in outbound e-mail security features, such as content-aware DLP and encryption, both of which are critical for intellectual property protection and privacy-related regulatory compliance.
DLP provides content inspection of an e-mail's body text, headers and attachments to identify sensitive information. Support for advanced DLP capabilities beyond straightforward regular expression (RegEx) matching (such as partial/exact document matching, fingerprint matching, structured data fingerprinting, statistical detection techniques, proximity matching and machine learning) will be a key differentiator in some deployment scenarios to support intellectual property protection and to reduce the number of false positives. However, for most buyers, the inclusion of a predefined policy that meets regulatory requirements, thus simplifying the implementation, will be a bigger differentiator. Buyers must consider how native SEG DLP features will fit within broader enterprise DLP strategies.
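The difference between RegEx-only matching and a policy that adds checksum validation and proximity matching can be seen on a single outbound message. The following is an added illustration, not code from this report or from any vendor evaluated in it; the patterns, keyword lists, 40-character window and the sample message are all constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed candidate patterns: what a plain RegEx-only policy would match.
PATTERNS = {
    "card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}
# Assumed context keywords for proximity matching (illustrative, not a vendor dictionary).
KEYWORDS = {
    "card": ("card", "visa", "cvv", "credit"),
    "ssn": ("ssn", "social security"),
}
WINDOW = 40  # characters of context examined on each side of a match


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def surfaces(msg):
    """Yield (label, text) for the Subject header, the body and text attachments."""
    yield "header:Subject", str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        name = part.get_filename()
        yield (f"attachment:{name}" if name else "body"), part.get_content()


def scan(msg, refine):
    """Return (surface, kind, masked value) findings.

    refine=False is RegEx-only; refine=True adds Luhn validation for card
    numbers and requires a context keyword within WINDOW characters.
    """
    findings = []
    for label, text in surfaces(msg):
        lowered = text.lower()
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                digits = re.sub(r"\D", "", m.group())
                if refine:
                    if kind == "card" and not luhn_ok(digits):
                        continue
                    ctx = lowered[max(0, m.start() - WINDOW): m.end() + WINDOW]
                    if not any(k in ctx for k in KEYWORDS[kind]):
                        continue
                # Mask everything but the last four digits before logging.
                findings.append((label, kind, "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def build_sample():
    """Constructed outbound message; every value in it is made up."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "vendor@example.net"
    # A 16-digit invoice reference that fails the Luhn check.
    msg["Subject"] = "Re: invoice 1234567890123456"
    # A part number that happens to share the SSN layout.
    msg.set_content("Hi team,\nReplacement part 123-45-6789 ships Monday.\n")
    # An attachment where the column names supply the context keywords.
    msg.add_attachment(
        "name,ssn,card\nJ. Doe,123-45-6789,4111 1111 1111 1111\n",
        subtype="csv", filename="export.csv",
    )
    # Round-trip through bytes so the scanner sees a parsed MIME message.
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    sample = build_sample()
    print("RegEx only:", scan(sample, refine=False))
    print("Refined:   ", scan(sample, refine=True))
```

RegEx-only matching flags the invoice reference in the Subject header and the part number in the body as well as the attachment; the refined pass keeps only the two attachment findings.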
Integrated encryption (see Note 1 and Note 2) that can easily secure sensitive content for any recipient is a mandatory requirement for compliance. On-box or hosted encryption from the same vendor is the most desirable; however, partnerships are also often acceptable. Hosted encryption solutions are gaining traction as organizations gain more experience with the actual administrative cost of e-mail encryption support. Hosted solutions can drastically reduce the costs of e-mail encryption solutions. Gartner clients consistently report that the number of users who require e-mail encryption services is typically less than 10% of the overall e-mail user population, so buyers are cautioned not to overbuy this service.
Product form-factor options continue to be a significant differentiator. SecaaS offerings that put all filtering in the "cloud," along with ancillary services such as archiving, backup mailboxes and Web filtering, are increasingly popular among larger enterprise buyers, and should be the default form factor for smaller organizations. Leading vendors are all acquiring or building their own SecaaS solutions. Virtual appliances are also getting more attention due to data center consolidation projects and growing virtual server production acceptance. At a minimum, virtual appliances allow for easy testing of prospective solutions, and for inexpensive standby servers.
We have been advising buyers to consider SEGs and secure Web gateway (SWG) purchases together to save costs and improve DLP and communications policy reuse across these two critical channels. As more and more communication traffic moves to Web-based channels, such as social networking, instant messaging, voice over IP (VoIP) and Web conferencing, managing and securing these channels will necessitate improved convergence between these tools. Most of the leading vendors participate in both markets. Organizations with less than 1,000 seats are already attracted to the SWG offerings of their incumbent e-mail providers. However, many larger organizations have different buying centers and consider these domains separately. Larger organizations must take Web communication channels into consideration when they plan their e-mail security solutions.

Market Definition/Description
The SEG market (previously called the "e-mail security boundary" market by Gartner) is defined by solutions that provide enterprise message transfer agent (MTA) capabilities, offer protection against inbound and outbound e-mail threats (such as spam, phishing attacks and malware), and satisfy outbound corporate and regulatory policy requirements. SEG solutions can be offered in the form of appliances or software that goes on customer premises, hosted solutions that reside in solution providers' data centers, or multitenancy SecaaS that exists in multiple data centers around the globe. Unified threat management (UTM) devices that combine firewalls with some spam filtering are not included in this market.
The total market size was roughly $1.5 billion in 2009, and was growing at approximately 10%. We expect the growth rate in 2010 to decline to 8% due to market saturation, increased bundling/suite deals and intense competition among market leaders.

Inclusion and Exclusion Criteria
- The solution must have its own proprietary capabilities to block or filter unwanted e-mail traffic. Supplementing it with third-party technology is acceptable.
- The solution must provide e-mail virus scanning via its own or a third-party antivirus engine.
- The solution must provide basic intrusion prevention.
- The solution must offer e-mail encryption functionality beyond Transport Layer Security (TLS) on its own or via a third-party relationship.
- The solution must offer the ability to scan outbound e-mail according to a set of basic vendor-supplied dictionaries and common identifiers (for example, U.S. Social Security number [SSN], credit card, bank account and routing numbers).
- Vendors must have at least 2,000 direct (not via OEM) enterprise customers in production for their e-mail security boundary products.
- Multifunction firewalls (also known as UTM devices) are outside the scope of this analysis. These devices are traditional network firewalls that also combine numerous network security technologies (such as anti-spam, antivirus, network intrusion prevention system and URL filtering) into a single box. Multifunction firewalls are compelling for the small or midsize business (SMB) and branch-office markets; however, in most circumstances, enterprise buyers do not consider multifunction firewalls as replacements for SEGs.

Fortinet was added to this Magic Quadrant.

MessageLabs was acquired by Symantec; MX Logic and Secure Computing were acquired by McAfee; and BorderWare was acquired by WatchGuard. These products now appear under the parent companies. Although Sophos has added DLP and encryption capabilities to its e-mail security appliances in the past year, it was dropped because its e-mail security strategy is focused on midmarket requirements, rather than enterprise requirements. Marshal has been renamed M86 Security.

Vertical positioning on the Ability to Execute axis was determined by evaluating the following factors:
- Overall viability was given a heavy weighting, because this is a mature and saturated market. Overall viability was considered not only in terms of the overall company revenue, channel reach, management team and resources of the vendor, but also in terms of the importance of the e-mail security unit at each company.
- Sales execution/pricing scores reflected a comparison of pricing relative to the market.
- Market responsiveness and track record measured the speed with which the vendor has spotted a market shift and produced a product that potential customers are looking for, as well as the size of the vendor's installed base relative to the amount of time the product has been on the market. This weighting takes into account a vendor's performance over time, but performance during the past 18 months was evaluated most significantly.
- Customer experience measured the quality of the customer experience based on reference calls and Gartner client teleconferences. We incorporated research and reference call data on support responsiveness and timeliness, quality of releases and patches, and general experiences when installing and managing the product and service on a day-to-day basis.
- The operations score reflects the corporate resources (in other words, management, business facilities, threat research, and support and distribution infrastructure) that the SEG business unit can draw on to improve product functionality, marketing and sales. We also took into consideration the focus and transitions of the teams in charge of engineering, management, marketing and sales for the relevant product lines.
Table 1. Ability to Execute Evaluation Criteria

| Evaluation Criteria | Weighting |
|---|---|
| Product/Service | Standard |
| Overall Viability (Business Unit, Financial, Strategy, Organization) | High |
| Sales Execution/Pricing | Standard |
| Market Responsiveness and Track Record | High |
| Marketing Execution | Standard |
| Customer Experience | High |
| Operations | Standard |

Source: Gartner (April 2010)

The Completeness of Vision axis captures the technical quality and breadth of the product, and the vendor's organizational characteristics that will lead to higher product satisfaction among midsize to large enterprise customers, such as how well the vendor understands this market, its history of innovation, and its geographic presence.
In market understanding, we ranked vendors on the strength of their commitment to this market in the form of strong product management, their vision for this market and the degree to which their road maps reflect a solid commitment of resources to achieve that vision.
We heavily weighted the product features of the vendors' flagship solutions in the Completeness of Vision criteria. Product features that Gartner deemed the most important were:
- Anti-spam/phishing effectiveness and investment in malware research
- Management and reporting functionality
- DLP capabilities
- Encryption capabilities
- Delivery form-factor options
Other functionality or solutions relevant to the buyer in the target market of the supplier, such as archiving, disaster recovery and file transfer, were also taken into account.
Table 2. Completeness of Vision Evaluation Criteria

| Evaluation Criteria | Weighting |
|---|---|
| Market Understanding | Standard |
| Marketing Strategy | No rating |
| Sales Strategy | No rating |
| Offering (Product) Strategy | High |
| Business Model | No rating |
| Vertical/Industry Strategy | No rating |
| Innovation | Standard |
| Geographic Strategy | Standard |

Source: Gartner (April 2010)

Leaders are performing well, have a clear vision of market direction and are actively building competencies to sustain their leadership positions in the market. Companies in this quadrant offer a comprehensive and proficient range of e-mail security functionality, and show evidence of superior vision and execution for current and anticipated customer requirements. Leaders typically have a relatively high market share and/or strong revenue growth, own a good portion of their threat or content-filtering capabilities, and demonstrate positive customer feedback for anti-spam efficacy, and related service and support.

Challengers execute well, but they have a less-defined view of market direction, and, therefore, they may not be aggressive in preparing for the future. Companies in this quadrant typically have strong execution capabilities, evidenced by financial resources, a significant sales and brand presence garnered from the company as a whole, or other factors. However, challengers have not demonstrated as rich a capability or track record for their e-mail security product portfolios as vendors in the Leaders quadrant.

Visionaries have a clear vision of market direction and are focused on preparing for that, but they may be challenged to execute against that vision because of undercapitalization, market presence or experience, size, scope, and so forth.

Niche players focus on a particular segment of the client base, as defined by characteristics such as a specific geographic delivery capability or dedication to a more-limited product set. Their ability to outperform or be innovative may be affected by this narrow focus. Vendors in this quadrant may have a small installed base, or be limited, according to Gartner's criteria, by a number of factors. These factors may include limited investment or capability to provide e-mail security threat detection organically, a geographically limited footprint, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on the vendor's value in the more narrowly focused market they service.

Vendor Strengths and Cautions
Barracuda Networks is a private California-based company that has focused on producing a range of economical appliance-based solutions that are easy to use. Barracuda's solutions are aimed squarely at cost-conscious SMBs, as well as educational and government institutions, but Barracuda is starting to address larger enterprises and service provider markets.

Strengths
- Barracuda leverages the open-source and white hat community for its anti-spam technology, along with its own growing security lab. It is one of the few vendors that has a false positive/negative report to monitor spam detection quality.
- Barracuda has branched out into other markets, including archiving, SWG, bandwidth management, backup and Web application firewall appliance. The recent acquisition of Purewire gives Barracuda an emerging SecaaS capability in the SWG market that it will be able to leverage to gain an SEG SecaaS capability.
- The Web-based management interface is designed to be easy to configure, even for nontechnical users, with numerous wizards, context-sensitive help, and clearly visible recommended settings and explanations. It has a very good message-tracking search capability, with granular filters, and fast drill-down into message and header details and log content, as well as contextual right-mouse-click action options. We also like its ability to delegate quarantine management.
- Barracuda Control Center can manage multiple boxes for configuration and reporting.
- Attachments can be quarantined and checked against a cloud-based signature database, which reduces the signature distribution lag time.
- Service prices are per box, rather than per user, making Barracuda a price leader.

Cautions
- Barracuda only offers appliance-based solutions. SecaaS is expected based on the Purewire platform, but Purewire was only an emerging U.S. startup, so Barracuda will need to invest considerable resources in building the product and its global presence. (A virtual version is due in 2Q10.)
- The management platform is designed for Barracuda's core SMB market. Advanced features for enterprise users are missing, such as dashboard customization capacity, a hyperlinked drill-down, a reusable object-oriented policy, granular role-based administration, group-level-only data access, directory synchronization and a group-level policy.
- Its encryption capability is very weak (TLS-only) and lacks support for a conditional TLS policy. It does not support other push or pull (hosted encryption) mail offerings. This is an important criterion for organizations in need of supporting encrypted ad hoc business-to-consumer (B2C) communications.
- DLP is limited to keyword and RegEx filtering. It is not very flexible. Although it includes four predefined dictionaries, each policy requires its own dictionary. It cannot search inside attachments (due 3Q10).
- Barracuda Control Center does not yet manage the full suite of appliance offerings.

Cisco continues to dominate the market for dedicated on-premises solutions for midsize to large organizations. The company's consolidation of malware research groups into a more cohesive unit analyzing the vast amount of data from its ISP and enterprise customers across a range of network-based products is providing improved native malware intelligence. Cisco also enjoys strategic vendor status with many of its customers and is well-respected in the core network buying centers. Cisco is a good choice for midsize to large enterprise customers looking for appliance form factors.

Strengths
- Cisco/IronPort appliances continue to deliver very good spam and virus efficacy, with solid scalability/reliability and very granular MTA control capabilities. The management interface is easy to use and provides deep policy control.
- Improvements since our last analysis focused on enhancing IronPort's DLP capabilities via the full integration of the DLP components from its partnership with EMC/RSA, as well as enhancing role-based administration flexibility, mass marketing or bulk-mail protection, targeted phishing detection, and SMS spam detection.
- The PostX acquisition provides IronPort with very flexible, fully integrated native policy-based e-mail encryption delivered on-box or as a service with support for secure e-mail delivery via TLS, S/MIME and PGP (see Note 1), along with hosted pull scenarios. IronPort's support for secure bulk mailings and e-statement delivery will appeal to organizations with a need for frequent secure B2C communications.
- IronPort benefits from Cisco's installed base of network security appliances and the ScanSafe SecaaS SWG to collect a massive amount of Internet traffic information to spot new trends. Moreover, Cisco's broad array of network security components (firewalls, IPSs, SWGs and routers) makes it a strategic vendor for organizations looking to consolidate buying around fewer security vendors.
- IronPort offers integrated content-aware DLP capabilities with numerous (120) predefined policies and identifiers. The policy interface is complete and easy to use. Policy violations are scored on a severity scale of 1 to 5 and can have different disposition actions based on severity. The DLP quarantine can be encrypted for extra data protection. IronPort supports the secure transfer of arbitrarily large file attachments via its encrypted e-mail pull capability (hosted encryption).
- In 2009, Cisco launched its hosted e-mail security service. The acquisition of ScanSafe in late 2009 provides Cisco with an extensive data center footprint (13 data centers), and a provisioning and management framework for future e-mail, Web and other SecaaS offerings.
- Cisco's acquisition of PostPath (which provides hosted e-mail boxes), WebEx and ScanSafe, combined with Cisco's native VoIP and security solutions, as well as Cisco's emerging Nexus data center virtualization program, provide it with considerable resources to create a comprehensive service-based collaboration suite.

Cautions
- Despite Cisco's deep product and technology offerings, it still has significant work to do to integrate the various components into a comprehensive integrated suite. Today, there is no management integration between IronPort appliances and the other Cisco network security products. Even integration between the two IronPort appliances is weak. Although the M-Series appliance provides common management for IronPort appliances, the DLP policy is not synchronized between these two products, and there is no central quarantine. Cisco does not have an enterprise DLP solution offering of its own; however, it does integrate with EMC/RSA. Organizations that have an enterprise EMC/RSA DLP deployment can manage DLP features incorporated into the IronPort offering, such as content/policy definition and event management via the enterprise console. The native IronPort DLP quarantine would benefit from a more-advanced capability, such as data redaction and more options for building cases.
- IronPort's focus on the needs of large enterprises doesn't always scale down well for the midsize organization.
- Cisco's hosted offering is very new and only available in the U.S. so far. It does not offer any virtual appliances or blade server appliances yet.
- The IronPort management interface would benefit from a more-flexible custom dashboard (although the reporting interface has dashboardlike functionality), and more-granular/reusable role-based administration that limits administrator access to managed group data only.
- Cisco does not have an archive solution.

U.K.-based Clearswift has an established presence in the e-mail protection market with small to midsize organizations that are mostly in the U.K. It branched out into the SWG market. The combination of these two products and the provision of good DLP capabilities across both channels make it a reasonable shortlist inclusion for buyers in Europe, the Middle East and Africa (EMEA) looking for both solutions from the same vendor.

Strengths
- Clearswift's Secure E-mail Gateway offers a clean and logical Web-based management interface and dashboard that manages Web and e-mail products. It is easy to use for nontechnical users, and it has a lot of context-sensitive recommendations and help functions.
- The image manager (software-only) pornographic-image-detection engine is a bonus, and bounce address tag validation (BATV) is supported.
- Policy development for content inspection/DLP is very good. Clearswift supports numerous policy constructs and lexicons (for example, the U.S. Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Payment Card Industry [PCI] standard, and the U.S. Securities and Exchange Commission, as well as accounting terms and stock-market terms). Enhanced DLP capabilities, such as partial document matching, are supported with CONTENTsafe server extension.
- Clearswift recently added end-user whitelists, policy audit logs, anti-spoofing for internal addresses, faster updates and on-box e-mail encryption (TLS, S/MIME, PGP and ad hoc encryption).

Cautions
- Despite its long history in this market, Clearswift has failed to execute consistently or deliver industry-leading features and functionality that would enable it to break out of the EMEA small to midsize market.
- Although the interface is easy to use for nontechnical users, it is limited in detail for more-technical enterprise users. Ad hoc reporting is limited, it cannot limit administrator access to specific groups, it does not have a predeveloped ability to report on spam accuracy, and role-based administrator configuration is not reusable.
- Considering how long Clearswift has been offering a DLP capability, it has not advanced to best-in-class capability and continues to lack a comprehensive compliance workflow management interface.
- Image filtering is inherently prone to false positives.
- Common reporting across e-mail and Web appliances is not complete (improvements are due in late 2010).
- An encryption capability does not support a pull (hosted encryption) option. This is an important criterion for organizations in need of supporting encrypted ad hoc B2C communications. The solution provides limited large file transfer capabilities. Clearswift is planning on making improvements in 3Q10 that may address some of these limitations.

Fortinet offers a broad array of UTM and dedicated appliances for all organization sizes from SMBs to telecommunication carriers. It offers an array of anti-spam technology in various forms from client to UTM. This analysis, however, focuses on the dedicated SEG FortiMail appliances. FortiMail is a reasonable shortlist inclusion for existing Fortinet customers.

Strengths
- Fortinet provides strong high-availability and scalability features, such as native clustering, load balancing and high-throughput appliances, as well as UTM and client-based solutions.
- It is a public company with a broad geographical market presence.
- Fortinet offers an attractive price-to-performance value, with no user-based service pricing.
- FortiMail provides on-box or off-box policy-based message archiving that is fully indexed and available from the FortiMail management interface.
- The product includes some basic DLP capability with RegEx matching via preconfigured and user-definable dictionary profiles.
- FortiMail supports e-mail encryption using TLS and S/MIME.

Cautions
- It is difficult for any company to compete in many markets and across many company segments ranging from carriers to the small office/home office market, and to provide market-leading features in each market segment, and Fortinet is no exception. The company is much better known for its firewall/UTM market presence, and only a small percentage of its revenue is related to e-mail security.
- Fortinet's published detection rates are below the best-of-breed average for detection rates.
- The FortiMail appliance does not support PGP or pull (hosted encryption). This is an important criterion for organizations in need of supporting ad hoc B2C communications. (The FortiMail v4.1, which is due by 3Q10, adds identity-based encryption, including push and pull encryption.)
- Fortinet does not offer a managed service for e-mail security or encryption.
- DLP functionality is relatively basic and lacks partial document matching, delegated administration or hierarchical policies.
- FortiAnalyzer is required for in-depth, per-domain report and log access, with both short- and long-term trended analysis of all statistics.

Google remains one of the market share leaders in the SecaaS SEG market. It has a broad array of customers and a global presence. Although innovation in the e-mail SEG solution has slowed since the company acquired Postini, it remains a good choice for any size enterprise looking for a service delivery model, and is a particularly good choice for organizations considering enterprise Gmail and other Google SecaaS offerings.

Strengths
- Spam and virus filtering have been consistently rated as being very high.
- Google's core strength is in its easy-to-use but functional/rudimentary management interface. Features such as hierarchical policy administration, spam thresholds for different types of spam (for example, sexual content, financial gain, special offers and racially insensitive content), a complete policy summary page with shortcuts to policy edits, and role-based administration are major benefits. Policy changes are automatically propagated and not subject to delays. Google offers extensive routing options for a SecaaS solution.
- Google has recently released two significant enhancements to its management console: Log Search and Health Check. Through Log Search, log data is encrypted with a customer key, and is stored and accessed on Google's service infrastructure. Health Check allows administrators to triage spam and virus issues to give them an overview of what needs to be addressed in their configurations.
- Directory synchronization is eased with on-premises software that integrates with local directories and cache change. Delta updates are provided via standard ports (XML over SSL).
- Google licenses some aspects of ZixCorp's service for encryption, and provides rudimentary DLP capability with the ability to scan attachments for SSN and credit card numbers only.
- Google is one of the few providers in this analysis that also offers hosted mailbox services (enterprise Gmail). It also offers an expanding array of SaaS "office" suites (for example, word processing, spreadsheet, calendar and collaboration), as well as Cisco's ScanSafe SecaaS SWG solution.
- Google's price is typically very good compared with comparable services, especially for broad bundles of related services.

Cautions
- Google has not significantly improved its management interface since it acquired Postini in 2007, and it is now overdue for a refresh. In particular, we would like to see better reporting (ad hoc reporting, scheduled distribution of saved reports) that is hyperlinked to the dashboard. Google is planning on redesigning the reporting interface based on Google Analytics later in 2010. Some customization of the dashboard, including shortcuts to specific functions, would be welcome. Reusable administrator profiles, an Outlook plug-in to report spam and more object-oriented policies would be helpful as well.
- Despite the increasing array of Google SecaaS offerings, it is still lacking in continuity services (due in 2H10). Its archiving service is very good, but the ability to import legacy data is offered via an OEM partner, RenewData.
- DLP functionality is very rudimentary and disappointing considering Google's experience in content analysis in its search capabilities. It lacks a preconfigured policy for common regulations, extensive dictionaries and number format-enhanced lexicons for detecting Health Insurance Portability and Accountability Act (HIPAA)-protected health information. PCI data is planned for later in 2010. Google's policy is not object-oriented. The quarantine is not specific to the task and offers few features to ease compliance management.
- Not all ZixCorp encryption functionality is instrumented in the management interface. Some elements need to be set up via Google.
- Google could improve its support. Recent outages and mail delays caused significant disruption for some customers, and communication with affected customers should have been much better handled. Google needs to invest in more telephone technical support and to rely less on online self-service resources.
- Google is not open with many security assurances that are commonly offered by other providers (it does not allow for site visits, and it does not disclose the location of its data centers). Google (along with numerous other companies) was a target of a recent high-profile attack (aka Aurora) against some specific consumer e-mail boxes. Although there was no compromise of the SEG service or enterprise Gmail, it is likely that Google will continue to be a target as it amasses more potentially lucrative information.

In November 2008, U.K.-based Marshal merged with 8e6 Technologies to become Marshal8e6. In April 2009, Marshal8e6 acquired Avinti, and in September, it renamed itself M86 Security. In November 2009, M86 announced its acquisition of Finjan. M86's strategy of acquiring good malware detection technology will help with malware detection accuracy. M86 offers e-mail and Web security gateway products and services, and its flagship MailMarshal appliance is a reasonable shortlist inclusion in supported geographies.

- The Windows-based management interface is very complete and offers some advanced features, such as task shortcuts and support for batch file workflow commands (it is useful for automating e-mail order entry). Administrators can be restricted to view only managed group data. Reporting is done in a Web-based interface.
- The company has strong anti-spam effectiveness and increased investment in blended threat detection capabilities. By default, it uses an automatically updated whitelist of communications recipients and connecting IP addresses to reduce false positives.
- Encryption support includes native TLS and S/MIME. It partners with ZixCorp for pull (hosted) encryption.
- DLP capabilities include basic RegEx matching and identifying system-registered watermarks. They also include numerous predeveloped policies, dictionaries and number formats.
- M86 launched a hosted e-mail security service in Asia/Pacific in 2009, and is currently rolling out the service in U.S. and U.K. data centers to add to its appliance and Windows software-based solutions.

- M86 still has a lot of work to do to improve the management interface to match leaders, and to integrate and rationalize its various corporate acquisitions into a cohesive company and easy-to-use product line.
- The growth rate of the SEG in the enterprise has been very flat since our last report, and the company does not enjoy significant market or mind share outside of Marshal's native Asia/Pacific region.
- DLP capabilities are not consistent between the SEG and SWG solutions. The DLP rules defined in MailMarshal must be exported to WebMarshal.
- Reporting and configuration are in two separate applications, and have a different look and feel. There are limited dashboard elements and no hyperlinked drill-down into reports. Policy development requires multiple windows to complete or to audit.
- The hosted solutions are brand-new and are only available in Asia/Pacific (expected to expand to the U.S. and U.K. during 2010). The predominant installed base is still on the Windows version of the product, rather than the appliances.
- It lacks PGP and large-file attachment encryption support.

McAfee continues to execute on its strategy to offer a complete range of infrastructure and data protection offerings. It has one of the more-established malware research groups, and is improving its malware and spam detection effectiveness by analyzing data feeds from numerous channels and products, and doing more-effective correlation. The company moved into the Leaders quadrant in this analysis due to the acquisition of a SecaaS SEG provider MXlogic in 2009 and the acquisition of Secure Computing in 2008. McAfee is a very strong choice for all enterprise buyers, especially those looking to consolidate security vendors.

- McAfee has a formidable threat research team and is consolidating data from its numerous security services and products for real-time analysis of emerging threats.
- The Web-based management interface is complete with granular policy options and allows for customization of dashboard elements for each administrator.
- McAfee's malware and spam-filtering capability is very strong. IP reputation (TrustedSource) results in up to 98% detection at the connection layer. The solution includes targeted threat-detection capabilities, as well as protection for OWA and iNotes transactions.
- Its native DLP capability is strong and leverages the capabilities of its stand-alone enterprise-class content-aware DLP offering. McAfee provides numerous predefined policies and dictionaries as part of the base product, and supports self-defined content for policy creation. The solution supports delegated administration for distinct event viewing, along with separation of duties.
- Basic encryption methods (TLS, S/MIME and PGP gateway encryption) are supported along with push (secure envelope) encryption, which was significantly improved in the latest version with an enhanced end-user interface and more options, including reply-and-recipient-initiated encrypted e-mail options. The solution is now very complete and is deployable on-box, rather than as a separate solution. It also supports the secure transfer of arbitrarily large files via its encrypted e-mail pull capability (hosted encryption). It can also be configured to automatically set up a pull-only encrypted e-mail based on a predetermined attachment size.
- The SecaaS offering provides a simple, clean, Web-based interface that is very easy to use for managing Web and e-mail traffic. Ancillary e-mail services include archiving and continuity service with a 60-day rolling e-mail history. The service can lock message traffic to a specific geography to avoid processing traffic in foreign legal environments.

- Integration is still ongoing. Each solution offers its own DLP engine without a common level of capabilities or a common look and feel. ePolicy Orchestrator (ePO) management integration and look-and-feel synchronization are ongoing. Reporting is synchronized with the SWG, and executive reporting, trending and notifications are integrated into ePO. It is not clear that ePO will be able to scale to handle the more-verbose and expanding McAfee network devices.
- McAfee's appliance management interface could be streamlined and be more task-based. Dashboard elements did not allow for drill-down into relevant reports, but they did drill into log information.
- The SecaaS offering does not share the same features as the on-premises appliance solution, and would be improved with more features and granular management options. For example, the spam threshold options are limited to disposition actions on high/medium spam scores only. The DLP capability is limited to keyword detection and does not support RegEx expressions or any synchronization with McAfee's enterprise DLP offerings. There is no ad hoc reporting capability. Directory synchronization is limited to Active Directory and does not offer an on-premises synchronization engine that can export directory updates via XML traffic protected by Secure Sockets Layer (SSL) to reduce potential firewall issues (although it does support native AD integration via SSL).
- McAfee has to expand the global footprint of its data center to appeal to more international customers and global organizations. Currently, the service is only hosted in six geographies (U.S., Hong Kong, Tokyo, Australia, London and Amsterdam).

Messaging Architects is a privately held Canadian company that offers a full range of e-mail infrastructure, from hosted mailboxes to archiving, as well as consulting and migration services that appeal generally to midsize North American organizations.

- Messaging Architects' flagship product, M+Guardian, is offered as a preconfigured Dell hardware appliance, a virtual appliance (VMware) or a hosted solution.
- Spam thresholds can be delegated to end users, and the quarantine includes a graphical confidence indicator, which helps quickly detect potential false positives. Quarantine can be integrated into any Internet Message Access Protocol client.
- Encryption capabilities are delivered via a partnership with ZixCorp.
- Native DLP capability provides multilingual support and includes a number of dictionaries (HIPAA, SSN, profanity and others), along with number identifiers. It also supports user-customized dictionaries on a request basis.
- M+Archive provides e-mail archiving and e-discovery software.

- Messaging Architects is one of the smaller organizations in this analysis, and is limited mostly to the North American market, although it does have a U.K. support department. Market share and mind share in larger enterprise customers are limited to the education market. Hosted solutions are limited to one data center in Dallas, Texas.
- The solution is reliant on partners for spam detection capability and encryption.
- Some functions work better with the Command Line interface to perform batch functions, necessitating some Linux knowledge.
- Product development is slow, and the latest major release is two years in the making. Advanced enterprise features, such as role-based administration, have only recently been added to the product. Administrator visibility into specific groups is not yet available. The dashboard could be improved with more graphical information linked to log data and reports.

Microsoft offers two complementary e-mail security solutions. Its flagship product is Forefront Online Protection for Exchange (FOPE), which is a SecaaS-based solution. Forefront Protection for Exchange (FPE) is a software solution that is typically run on Exchange. FOPE is a good shortlist inclusion, especially for Microsoft-centric customers that purchase premium licensing. It is a default choice for organizations considering Microsoft's Exchange Online or the Business Productivity Online Suite. Enterprise customers should consider FPE only as an additional layer of antivirus protection for the Exchange message store and for internal federated Exchange filtering.

- FOPE is a multitenancy infrastructure where each data center has a copy of the customer's data, allowing for continuous uptime, even in the event of a data center failure. Mail-processing data centers are located in Texas, Virginia, Singapore, Amsterdam and Dublin. Microsoft supports guaranteed "in-geography" mail processing for its U.S. customers that do not want mail to be processed in other countries.
- Microsoft made improvements to its spam-detection capabilities, policy engine and scheduled reporting since our last analysis. It now supports 13 languages.
- Exchange, Outlook, and the FOPE and Exchange Hosted Services Encryption (EHSE) network all support TLS, S/MIME and PGP. FOPE also offers a Hosted Encryption solution that is built on an early implementation of Voltage Security's certificateless identity-based encryption (IBE) technology. FOPE supports large file attachment transfer up to 150MB.
- The recent release of FPE includes significant improvements in spam detection (Microsoft supports bidirectional spam filtering in both solutions) and an improved Win32 management interface. It also is much better integrated with FOPE with a common provisioning wizard, policy configuration, reporting and a "trusted stamp" to avoid duplicate scanning. FPE is useful on an Exchange hub for internal spam and virus filtering.
- Microsoft's e-mail security solutions are part of the Enterprise client access license (CAL), the Exchange CAL and the Forefront Protection Suite. A large number of customers already pay for components of Microsoft's e-mail security solutions but have not deployed them. Users should check their license entitlements before they consider alternatives.
- Microsoft Exchange Hosted Archive (EHA) is available as an optional service for e-mail and IM archiving, as well as e-discovery.

- Microsoft has been relatively slow at improving the features of its FOPE management interface, improving the FPE spam capability and providing interoperability. Despite recent improvements, there are still a number of improvements it could make. FPE and the Exchange Edge role have different interfaces for managing MTA functionality vs. competitive integrated appliances.
- FOPE still does not allow end users to create their own safe senders through the Web portal (although Outlook 2003, Exchange Server 2007, and supported safe senders and administrators can set up a per-user "Allow Policy" and upload via the FOPE Directory Synchronization Tool) or consolidated quarantine for aliases and distribution lists. There is no ad hoc reporting capability. The "is spam" button for Outlook 2007 clients is late. "Message trace" can be improved with more-flexible searching options and accelerated search speeds. FOPE does not allow for individual-user spam thresholds for different categories of spam. It doesn't allow for an AD group-specific disclaimer (although the solution does include the ability to set up virtual domains to segment users for policy purposes).
- Microsoft has only five geographical data centers, and in-geography-only routing is only available in the U.S. (Microsoft plans to add European-Union-only processing in Amsterdam in 3Q10).
- Buyers that have not standardized on Active Directory require Forefront Identity Manager to consolidate directories into a single addressable entity for synchronization with the service.
- The DLP capability for FPE is limited to keyword searching, and FOPE DLP only includes a single predefined policy (HIPAA). Microsoft cannot scan within attachments for DLP violations and only uses true-type file detection for executable files. It does not have a DLP-specific quarantine. The announcement of an OEM deal with EMC/RSA for its DLP capabilities may yield better functionality support in the future.
- Some customers complained that policy changes take some time to propagate through the network, and that they would like a feedback loop to certify that the changes have been implemented.

PineApp is a relatively small vendor in this market that is focused mainly in EMEA, with an emerging presence in North America. It is an acceptable solution for SMBs in supported geographies.

- PineApp spam-detection signatures come from a combination of Commtouch, a global reputation system from other PineApp appliances, and traditional real-time blacklists (for example, SpamCop and Spamhaus). Local connection management includes connection hurdles to detect spamming MTAs and backscatter protection. The product uses F-Secure, Kaspersky Lab and Commtouch Zero-Hour for antivirus protection.
- PineApp's Mail-SeCure appliances are managed with a browser-based graphical user interface that is designed for SMBs and is simple to use. It includes a few customizable dashboard graphs, with hyperlinks to details and context-based, right-click shortcuts to common management tasks. The product can work in a central manager/director role for consolidated reporting and quarantine management. The management interface is common for e-mail, SWG, and archive products, and appliances can assume multiple or single roles, although archiving needs a separate storage device. Policy is created mostly via check-box and drop-down lists. Compliance capabilities include pornography image/video detection.
- The company recently launched a SecaaS SEG offering, with archiving and disaster recovery, as well as VMware versions of its products. Other recent improvements include per-domain policy, reverse proxy (for publishing Exchange Server OWA), archiving support and an integrated e-mail encryption service via TLS secure e-mail service or PGP gateway. PGP secure delivery capabilities include secure PDF for clientless secure delivery. Large file attachments have limited support via PGP Messenger infrastructure.

- PineApp is one of the smaller companies in this analysis. It has very low market and mind share, especially in North America or in midsize and large global enterprises.
- Having a very broad spectrum of clients ranging from large ISPs to SMBs makes it difficult for a company of this size to focus equally on all customer segments.
- Spam accuracy is very good; however, we would like to see higher efficacy at blocking spam during the initial connection.
- PineApp does not support a pull (hosted encryption) mail offering. This is an important criterion for organizations in need of supporting encrypted ad hoc B2C communications.
- Although the management interface is good, it could use some enhancements for larger enterprise use. The dashboard could use more graphical information and statistics, with a better ability to drill down. There is no ability to create ad hoc reports, only to change filter elements. Although there are numerous roles, there is no way to create a custom role, name it and then assign it to different users. It is not possible to limit administrator access to reporting data and quarantines at the group level.
- PineApp's DLP capability is not very robust. It lacks comprehensive dictionaries and lexicons, and provides limited predefined regulatory content policies. DLP compliance quarantine is not separate from spam and virus quarantine. There are no special DLP queue management options for compliance managers.
- The PineApp SecaaS data center is only in Israel.

Proofpoint, a private California-based company, is one of the last remaining dedicated SEG companies. It continues to lead the market with innovative features and is growing significantly faster than the overall market. Proofpoint recently added native e-mail encryption, SecaaS archiving and mailbox hosting, as it builds out a complete portfolio of e-mail solutions. It has a very loyal installed base of large and small enterprise customers mostly in North America. Proofpoint is an excellent choice for organizations looking for a full range of best-of-breed SEG functionality in supported geographies.

- Proofpoint's flagship e-mail security solution (Proofpoint Enterprise) is available as a hosted service; as on-premises appliances, virtual (VMware) appliances, and software; or as a hybrid combination of these versions.
- Spam and malware accuracy has always been a consistent strength of Proofpoint, and the company is one of the few that publicly reports its anti-spam effectiveness (see www.proofpoint.com/products/livespamstats.php).
- Its Web-based management interface is one of the best in this market, with numerous innovations and unique features. We particularly like the Ajax-based dashboards that are completely customizable for each administrator. All reports are available as a dashboard widget. The Proofpoint information channel provides Really Simple Syndication feed news items on global threats or product information. Administrators have complete control over the look and feel of the end-user quarantine and secure e-mail interface, including color logos, terms, field identifiers, help content and support for numerous languages.
- Proofpoint offers integrated, push policy-based encryption that incorporates the features traditionally associated with pull offerings. The solution also supports TLS, S/MIME and PGP secure e-mail delivery.
- DLP features are very strong, and include numerous prebuilt policies, dictionaries, number identifiers and integrated policy-based encryption. Policy development is object-oriented and similar across spam and DLP. The DLP quarantine is very sophisticated for a channel solution, and includes highlighted policy violations and the ability to add comments to incidents. Quarantine can also be encrypted.
- The SecaaS service provides the same controls and policies as the on-premises appliance, including bidirectional spam filtering and outbound DLP functions. The installed base for this offering is expanding among G2000 customers, including some very large enterprises.
- Proofpoint has made several astute acquisitions recently that put it on a path to provide a full range of e-mail infrastructure, hygiene and compliance offerings delivered as a SecaaS service. It acquired Everyone.net in 2009, which provides mailbox hosting and has a large installed base (3 million mailboxes). It acquired Fortiva, a leading enterprise archiving/e-discovery SecaaS provider, in June 2008 and continues to offer this as Proofpoint Archive. It acquired technology assets, patents and staff from Sigaba (Secure Data in Motion) in 2009 and has integrated its gateway-based push e-mail encryption solutions, which provide key management in the cloud with local policy management integrated into the core offerings. Prior to the Sigaba integration, Proofpoint relied on Voltage Security and other partners to provide encryption.
- Proofpoint supports the transmission of large file attachments (100MB or larger) natively via its Proofpoint Secure File Transfer solution.
- Proofpoint has a high customer satisfaction rate.

- Proofpoint's dedicated focus on e-mail is both a strength and a weakness. Although it continues to define best-of-breed functionality, in a rapidly maturing market, best-of-breed often becomes overkill to some customers. Concurrently, numerous enterprise buyers are looking for opportunities to consolidate product purchases around fewer, more-strategic vendors.
- Proofpoint is not able to offer product breadth horizontally, such as SWG solutions, nor is it able to offer in-depth integrated products, such as enterprise DLP that goes beyond the e-mail channel.
- Despite good growth rates, Proofpoint continues to have a very small market and mind share, compared with early market competitors. Proofpoint needs to improve its delivery through the channel, rather than its dedicated sales force, to accelerate market share growth, especially outside North America.
- Although Proofpoint's feature set is designed for large global customers, its installed base is primarily in North America.
- Its data center footprint is limited to the U.S. (Santa Clara, California; and Atlanta, Georgia), Canada (Toronto), Germany (Frankfurt) and the Netherlands (Amsterdam), and not all services are available in all data centers.
- The archiving service does not yet have a shared management interface with the hosted or on-premises solutions.
- The management interface would benefit from ad hoc reporting, dashboard drill-down into log data, reusable administrator profiles and improved DLP quarantines.

SonicWALL offers a broad suite of network security solutions, including firewalls, virtual private networks, backup and a range of SEGs. SonicWALL is a reasonable shortlist inclusion, particularly for SMBs in North America and Europe that are existing SonicWALL Firewall customers.

- SonicWALL leverages its installed base of appliances to identify new spam campaigns. It has its own malware research team developing new spam signatures and detection techniques. The solution leverages contact databases and communication partners to lower false positives.
- SonicWALL offers several delivery form factors, including hardware appliances, software, and a new virtual appliance for VMware. It also offers a subset of SEG functionality delivered as SecaaS for UTM devices.
- The management interface is localized into a number of languages and is easy to use. It has numerous check boxes and drop-down menus, and reporting is adequate for most organizations' needs.
- The solution includes some basic content-aware functionality for a DLP policy, with two prebuilt dictionaries (Medical Terms and Financial Terms) and a number of predefined number identifiers, including SSN, credit card, phone and others.

- It is difficult for any company to compete in many markets and across company segments ranging from large enterprises to small offices, while providing market-leading features in each market segment. SonicWALL does not provide any market-leading functionality. The company is much better known for its SMB firewall/UTM market presence, and only a small percentage of its revenue is e-mail-security-related. Efforts to grow into larger enterprise accounts are ongoing.
- SonicWALL does not provide any native encryption, except for TLS, and it has limited integration with dedicated third-party encryption solution providers (PGP and Voltage Security). Plans for 2010 include the possibility of a closer partnership with PGP.
- Its Comprehensive Anti-Spam Service (SecaaS) is only a subset of e-mail functionality. It does not compare with other SecaaS offerings in this analysis and is limited to U.S. data centers (in Miami, Florida; and San Jose, California, with one due in Japan at the time of this writing).
- DLP functionality is basic and supports only RegEx matching. It does not include any predefined policy.
- The management capability is designed for SMBs, and it will be limiting for larger enterprises to develop more-complex policies. The dashboard is not customizable.

Symantec is a large diversified vendor with a broad range of security solutions, including one of the broadest ranges of mature SEG and DLP offerings. The company has a very large and sophisticated malware research team. Recent improvements in product development of the Brightmail appliances, and the acquisition of MessageLabs in 2008, make Symantec a good strategic choice for almost any organization.

- Symantec offers a broad range of SEG products, including hardware appliances, SecaaS, virtual appliances (VMware), and software for Exchange and Domino. All Brightmail licenses and security suite licenses with Brightmail include the right to use the VMware-based "virtual edition," which can be used in production or as a standby or test platform, lowering the total cost of ownership (TCO).
- It has one of the most established malware research groups, and is improving its malware and spam detection effectiveness by analyzing data feeds from numerous channels and products and doing more-effective correlation.
- There have been significant improvements in the Brightmail v8 and v9 management interface, MTA functionality, directory integration, and log search capabilities. The management interface is now one of the better ones in this analysis. The move of global reputation to an on-box solution, combined with local reputation/connections management, has resulted in substantially improved detection rates at the connection layer.
- Native Brightmail Gateway DLP capability is very strong, with the inclusion of Symantec's Vontu dictionaries and content inspection engine. The MessageLabs DLP capability has similarly been improved, with the adoption of Symantec's Vontu templates and predefined policies.
- The Symantec Hosted Services SecaaS offering (formerly MessageLabs) is very broad and includes SEG, SWG, IM hosting and filtering, archiving, e-mail continuity, online backup, and encryption.
- MessageLabs offers very strong SLAs and good support services.
- E-mail services are hosted in 13 data centers in seven regions (U.K., U.S., Germany, Netherlands, Oman, Hong Kong and Australia). The service has very good mail routing and IP-domain management capabilities that do not require support to set up. It also offers an on-premises directory synchronization tool to ease implementation.
- Symantec offers an integrated hosted encryption service for both MessageLabs and Brightmail Gateway customers via its ZixCorp and Echoworx partners.

- Symantec's acquisition history has resulted in a patchwork of management interfaces and partial integration across products. Some frustration remains in the Symantec user base regarding lethargic feature growth when compared with the early promise of Brightmail prior to the Symantec acquisition. A first version of a common management and reporting framework across Web and e-mail gateways and client products, Symantec Protection Center, partially exploiting the technology foundation acquired with Altiris, was recently launched and provides a portal for product management and a converged reporting engine. MessageLabs is updating the SecaaS management interface to provide deeper integration and more-granular reporting and policy setting across protocols, and to enhance usability; however, a solid road map for integration across on-premises and service offerings for hybrid deployments is missing.
- DLP integration to date has involved the reuse of common DLP modules that are available from its Vontu enterprise DLP solution, but it lacks full integration of policy and management for clients that have deployed the Vontu solution within their environments. Symantec's longer-term road map for DLP integration, and even the intended goal of DLP integration, is still not well-defined.
- Symantec is putting a significant effort into improving service and support, an issue that was negatively affecting many clients of its diverse solution portfolio. This effort is showing some early success; however, it takes significant and consistent long-term effort for an organization the size of Symantec to change market perception. In our experience, customers that acquire premium support are generally the most satisfied with Symantec support.
- The Brightmail management console could be improved with better role-based administration, such as reusable administrator profiles, and reporting limited to specific managed groups/users.
- Large file attachment transfer support is limited to 50MB attachments or less.

Trend Micro is one of the top providers of malware protection solutions and was an early entrant in the e-mail gateway protection market. Its current InterScan Messaging Security Suite (IMSS) offering provides excellent spam and virus protection in a broad range of software platforms, as well as an emerging SecaaS offering. However, lack of product feature leadership, especially in data leak prevention and encryption, keeps Trend Micro in the Challengers quadrant for this analysis. Trend Micro remains a solid choice for SMBs or enterprises with basic SEG needs.

- IMSS is offered in a very broad range of delivery form factors, including software (Windows, Linux, Solaris, Exchange), virtual appliances (VMware Ready), a software appliance for installation on any "bare metal" hardware and a SecaaS offering, Trend Micro Hosted E-mail Security (TMHES).
- Trend Micro has a large and well-respected malware and spam research team, and it has now integrated IMSS into the Trend Micro Smart Protection Network, which allows for local IMSSs to perform live queries against the cloud-based threat and spam database to reduce signature distribution lag time. Trend Micro has also combined its URL reputation service with its traditional IP sender reputation.
- For encryption, IMSS offers basic TLS for inbound and outbound e-mails, as well as the optional Trend Micro Encryption for Email Gateway, which is a virtual appliance that provides policy-driven push encryption support using S/MIME and its own version of IBE.
- Its Data Leak Protection module includes a few dictionaries, as well as 10 regional templates, and only includes a subset of the capabilities supported in its enterprise content-aware DLP solution (LeakProof).
- Trend Micro has a large global channel and support presence, and it has the strongest presence in Asia/Pacific.

- Trend Micro's tendency to rely on in-house development, combined with very conservative development investments and an over-reliance on partnerships versus acquisitions, has resulted in lethargic feature growth. It rarely leads the market with major innovation, keeping it out of the Leaders quadrant.
- The SecaaS offering is focused on xSP organizations and does not have a global footprint. (By the end of April 2010, Trend Micro is expected to have two data centers in EMEA, four in the U.S. and two in Japan.) It does not offer archiving, mailbox hosting, disaster recovery services or a SecaaS SWG. Although many of the component parts of the service are the same as the on-premises solution, the management interface is different, and there is no option for a hybrid deployment model (due in 4Q10).
- Trend Micro retreated from a disastrous foray into its own hardware appliances, and Trend-Micro-branded hardware appliances are only available in China. Dell and other OEM partners, however, will sell IMSS on hardware.
- The management interface is improving but still lags the interfaces from vendors in the Leaders quadrant. It does not allow for customization of the dashboard elements, it does not allow for hyperlinked drill-down into relevant data or reports, and it only supports a maximum of two LDAP servers.
- Although Trend Micro offers a broad suite of protection products, it does not provide a common console to integrate its various offerings.
- Considering Trend Micro made some early investments in DLP capabilities via its Provilla acquisition, the current capabilities are weak and have only limited preconfigured policies. Integration with Trend Micro's enterprise content-aware DLP solution (LeakProof) is planned for future releases in late 2010.
- Trend Micro's encryption capability does not include staging server pull options.

WatchGuard, which is better known for its multifunction firewalls, acquired dedicated SEG vendor BorderWare in 2009. WatchGuard's primary user base is SMB, while BorderWare had a good mix of midsize to large enterprise customers that were mostly in North America. WatchGuard continues to sell the BorderWare appliance under the brand WatchGuard XCS and is a good option for existing WatchGuard customers.

- The WatchGuard XCS provides SWG functionality in the same appliance as the SEG solutions, and relevant policies can be set for both in the same policy interface. Appliances can take both roles or be dedicated to a specific role. Centralized management and reporting are available in any appliance and do not require a separate stand-alone management server. Changes are automatically propagated across all servers in a deployment.
- The XCS provides native clustering that creates a "virtual machine mail queue." The message queue is mirrored across devices in clustered deployments, providing no message loss on failover.
- The WatchGuard Reputation Authority system scores reputation based on content, volume and behavior, and results in a very high detection rate at the connection layer.
- DLP policy is shared across Web and e-mail traffic, and includes financial and medical term dictionaries and predefined number formats for common data types, such as credit cards and SSNs.
- WatchGuard XCS provides native TLS/SSL and S/MIME, as well as PGP encryption support. It partners with Cisco to provide pull-based encryption (Cisco Registered Envelope Service).

- Like other multifunction firewall vendors, the difficulty for WatchGuard will be in maintaining multiple product lines aimed at multiple market segments.
- The SWG functionality of the XCS is not as robust as that of other providers in that market.
- The management dashboard could be improved with more action-oriented information, a customization capability, role-specific views, and more-hyperlinked drill-down capabilities into relevant reports.
- Role-based administration could be improved with reusable role definitions, more options for role policies and the ability to limit an administrator's log data access to just the groups managed. Logs could be improved with easier-to-read e-mail disposition actions for help desk and policy tuning. There is no ad hoc report generation capability or the ability to join multiple reports into a single scheduled report package. False positive and false negative message handling could also be improved. Spam messages need to be sent to an e-mail address to fine-tune the system, but there is no automatic submission mechanism of these messages to WatchGuard for further analysis. Outlook and Notes plug-ins to report spam would be welcome.
- Quarantine message tracking could be improved with better indicators of policy violations and improved workflow for compliance managers.
- Its DLP policy could be improved with more predeveloped dictionaries and predeveloped policies for common regulations, as well as better quarantine management options for compliance officers.
- WatchGuard only offers branded hardware appliance solutions. It does not have software, virtualized versions or SecaaS offerings.

Perhaps better known for its endpoint protection (spyware) roots, Webroot entered the SEG and SWG markets with the acquisition of SecaaS-based Email Systems in 2007. With the combination of Web and e-mail in a single management console, Webroot represents a good shortlist inclusion for SMBs in supported geographies.

- Webroot offers a complete, yet simple to use, converged management interface for its SEG and SWG SecaaS solutions. In particular, it has a granular administrator rights capability, including the ability to limit administrator visibility into specific managed groups, and a reporting interface that is much better than some of the leaders in the SecaaS SEG market. The solution also offers an optional inbound and outbound image scanning service. Spam filtering is bidirectional.
- The service is currently hosted in seven data centers in five countries (U.K., Ireland, Netherlands, Australia and U.S.) and can support forced in-country failover.
- Webroot supports TLS delivery natively, and partners for policy-based encryption services (ZixCorp) and large file attachment encrypted delivery.
- It offers a Webroot-branded archive service via a partnership, and a native continuity/disaster recovery service.
- The solution comes standard with content-filtering capabilities, including the ability to set policy based on dictionary lexicon and basic RegEx patterns. It also offers an optional ability to scan attachments to support content filtering/DLP policies within more than 300 document types.

- While the Webroot brand is recognizable from its spyware solutions, its SEG and SWG capabilities are less well-known. Webroot needs to improve its marketing and channel programs to increase its mind share in this market. A very large percentage of its customers have fewer than 500 seats and are mostly in Europe.
- Although Webroot has good malware research capabilities, it is reliant on third parties (Commtouch, Cloudmark and Mailshell) for most of its content-aware spam detection capability.
- While adequate for SMBs, the management interface could be improved for enterprise customers. In particular, we would like to see more dashboard information, customization and hyperlinks from the dashboard into relevant logs or reports, as well as ad hoc reporting. Outlook and Notes client plug-ins to report spam and false positives would be helpful. A local on-premises directory synchronization tool would also be beneficial. Its policy management could be improved to allow for more reusable objects, which would better serve larger enterprises with more-complex policies.
- The archive service is licensed from third-party vendors and is not integrated into the management interface.
- Its DLP capability could be enhanced with more predeveloped policies for various regulations and additional content analysis methods.

Websense moved into the on-premises and SecaaS SEG markets in 2007 with the acquisition of SurfControl. The company has kept a low profile in the SEG market, while undertaking a significant integration effort, interface redesign and spam accuracy improvements. With most of this effort behind it, we expect to see Websense more active in this market in the future. Websense is a good shortlist inclusion for customers looking for integrated SWG and SEG functionality with an advanced DLP capability.

- Websense offers two delivery options: Hosted Email Security (HES), which is a SecaaS offering, and Websense Email Security (WES), which is an on-premises e-mail security software (Windows server) solution. The company has significantly improved its product development in both solutions, although more attention has been on the HES solution, with a number of improvements planned for WES in late 2010. Websense is aggressively integrating all its products (SEG, SWG and DLP) into a single management solution (Triton) that has a consistent look and feel, and a common reporting engine, regardless of the delivery form factor. WES integration is planned for late 2010.
- The Triton management interface is very complete and compares favorably to other on-premises solutions, and is considerably more complete than competitive SecaaS offerings. The dashboard allows for fast drill-down on graphs into more detail. The reporting engine is good, with a number of predefined reports, including the ability to put multiple reports together for scheduled distribution. The message-tracing search engine is very good compared with other SecaaS offerings.
- Directory synchronization is eased with on-premises software that integrates with local directories, caches changes and provides delta updates via standard ports (XML over SSL).
- Websense has 10 data centers located in the U.S., Germany, France, Switzerland, the U.K., Australia and Hong Kong.
- Exploiting its PortAuthority acquisition (an early DLP solution provider), which is integrated into its Web solutions, Websense offers very strong DLP capabilities for this market. HES and WES include 20 predefined DLP content dictionaries in 12 languages, plus additional compliance templates for items such as PCI DSS, state data privacy laws, HIPAA and the Gramm-Leach-Bliley Act.
- Native encryption is included with DLP, and provides TLS, as well as basic push and pull functions. Advanced encryption is provided via licensing of a partner's technology, and includes clientless secure delivery and large file attachment handling.
- HES recently added an archival service (via an OEM partner) and a disaster recovery/business continuity service that provides an OWA-type view into messages queued with the service and outbound e-mail functionality.
- Websense has a very strong security research capability for Web-based threats and is the only provider that can address Web 2.0 "comment spam" with its Defensio product. Because most e-mail threats have a Web destination, data from these activities should translate into solid e-mail security.

- Although Websense has a strong presence in the Web security market and is a well-known brand with enterprise networking groups, it does not have as much cachet within the enterprise e-mail group. It has not managed to grow much mind or market share since the SurfControl acquisition; however, we do see momentum picking up with the completion of the Triton project.
- Its HES management interface is different from its WES interface, and both are different from the eventual Triton management interface due in 4Q10, which will unify the solutions with the Web gateway solutions. We expect the Triton management interface integration to be the point at which the brand can really be relaunched.
- Although Websense has very rich DLP capability, not all of it will be integrated into the SEG product line until the Triton version.
- The dashboards are not customizable, and there is no ad hoc reporting capability. HES message search is not quite in real time and could experience as much as a five-minute delay.
- Its WES offering is only Windows software. There are no virtual solutions or appliances yet.
- Native encryption lacks an encrypted reply function, advanced key management and reporting.
 © 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

E-mail encryption options typically offered by vendors in this market include:
- Push options: An encrypted message is sent to recipients' PC or mail systems:
  - Transport Layer Security (TLS): Session-level encryption between two e-mail servers.
  - SSL/TLS link encryption between mail domains: E-mails are only encrypted over this link and are in plain text from the termination point of the SSL/TLS link onward.
  - S/MIME: This industry standard is for the encryption of e-mail using standard e-mail delivery infrastructures.
  - Pretty Good Privacy (PGP)/Open PGP: This industry standard is for the encryption of e-mail using standard e-mail delivery infrastructures.
- Pull options: Recipients pick up encrypted contents in a Web transaction:
  - A recipient receives a plain text message with a URL directing him or her to the e-mail encryption Web service. Users log in to the service and can read/reply to e-mails and also download attachments.
  - The Web service that holds the e-mail for pickup can be in the SEG solution or in another box on the sending party's premises, or it can be hosted in a third-party data center by a service provider.
- Hybrid option: This combines push/pull functionality. The entire e-mail content (e-mail body and attachments) is sent to the recipient in one encrypted message. Access to the decryption client software and decryption keys is usually obtained by logging in and authenticating to a secure e-mail portal.
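The point that TLS protects only individual server-to-server links can be checked on a delivered message by reading its Received headers, where each relay records the protocol it accepted the message with. The sketch below is an added example, not part of the Gartner report; the hostnames, addresses and sample message are constructed, and it assumes relays stamp the RFC 3848 "with ESMTPS" keyword. Received headers are self-reported, so only the ones added by servers you operate should be trusted.

```python
import re
from email import message_from_string

# "with" keywords that mark a TLS-protected hop (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Pulls "from <src> ... by <dst> ... with <proto>" out of one Received header.
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample: sender mail server -> sender SEG -> recipient SEG -> mail store.
SAMPLE = """\
Received: from seg.recipient.example (seg.recipient.example [192.0.2.20])
\tby mailstore.recipient.example (Postfix) with ESMTP id C3
\tfor <bob@recipient.example>; Mon, 5 Apr 2010 10:00:03 +0000
Received: from seg.sender.example (seg.sender.example [192.0.2.10])
\tby seg.recipient.example (Postfix) with ESMTPS id B2
\t(version=TLSv1 cipher=AES256-SHA);
\tMon, 5 Apr 2010 10:00:02 +0000
Received: from exchange.sender.example (exchange.sender.example [10.0.0.5])
\tby seg.sender.example (Postfix) with ESMTP id A1;
\tMon, 5 Apr 2010 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""


def trace_hops(raw_message):
    """Return the relay hops in delivery order, flagging which ones used TLS."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so the oldest hop is last in the message.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            # Unparseable header: treat as unprotected rather than assume TLS.
            hops.append({"src": None, "dst": None, "proto": None, "tls": False})
            continue
        proto = m.group("proto").upper()
        hops.append({"src": m.group("src"), "dst": m.group("dst"),
                     "proto": proto, "tls": proto in TLS_PROTOCOLS})
    return hops


def plaintext_hops(raw_message):
    """List the (source, destination) pairs where the message travelled without TLS."""
    return [(h["src"], h["dst"]) for h in trace_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        state = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f'{hop["src"]} -> {hop["dst"]}: {hop["proto"]} ({state})')
```

In the sample only the gateway-to-gateway link is encrypted; the internal hops on either side carry the message in plain text, which is the gap S/MIME, PGP or pull delivery is meant to close.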

Many of the vendors included in this Magic Quadrant license or resell e-mail encryption from dedicated encryption vendors. Highlights of the most common vendors that have partnerships with the SEG vendors in this report are provided below:
- PGP (www.pgp.com) is a venture-funded organization that repurchased a number of PGP assets previously sold to Network Associates. It supports a wide diversity of encryption-related solutions, including key management, desktop encryption, file and folder encryption, and e-mail encryption. Its solutions support all push (TLS, S/MIME, PGP/OpenPGP) and pull encrypted e-mail delivery models. Its solutions support mobile devices.
- Voltage Security (www.voltage.com), which was founded in 2002, is a privately held, venture-capital-backed organization that started as an e-mail encryption solution provider. Throughout the years, it has expanded its product portfolio and now offers a diverse range of encryption-related solutions, including key management, database encryption, file and document encryption, and data tokenization using IBE and other proprietary technologies. Its e-mail encryption solutions support all push (TLS, S/MIME, PGP/OpenPGP and IBE) and pull encrypted e-mail delivery models. Its solutions support mobile devices.
- ZixCorp (www.zixcorp.com) is a U.S.-based publicly traded organization that focuses on outsourced encrypted e-mail solutions (including a hybrid model where an appliance typically resides within the client premises, as well as a fully outsourced service). With more than 20 million encrypted e-mail addresses under management, ZixCorp is, by a wide margin, the leading service provider in this category. Target industries for its solutions include financial, healthcare, government and SMBs. Its solutions support all push (TLS, S/MIME, PGP/OpenPGP) and pull encrypted e-mail delivery models. Its solutions support mobile devices.

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.