How to Assess Cloud-Based E-Mail Security Vendors
The economic returns of deploying IT security to a cloud platform are clear, including elimination of up-front capital expense, minimization of operational costs and fewer technical resources required. We have heard the benefit statements time and time again from both the vendor and analyst communities.
For example, in a recent survey, it was found that large companies can easily save 50 to 80 percent by moving e-mail security to the cloud and more than 40 percent by moving e-mail archiving to the cloud (versus on-premises approaches).
Despite the benefits, the adoption of cloud-based e-mail security solutions is still a very gradual process for most companies. It can be hard to cut through the marketing hype when nearly every vendor seems to be making a cloud claim. The following are some key questions enterprise IT buyers should ask when evaluating cloud-based e-mail security services. These will help IT buyers to find a service that's trustworthy, reliable and, most importantly, effective.
There is a major misconception in organizations across industries that data stored in the cloud is inherently risky. However, the truth of the matter is that it depends on the type of cloud and the quality of the encryption services that protect the data. In most cases, data in the cloud may be safer than data stored on-premises since there are additional security measures such as double-blind encryption to ensure that customer data is properly protected. On-premises breaches can cause even worse nightmares if appropriate disaster recovery or backup measures are not taken.
The key security questions to ask cloud vendors are 1) how they are protecting your data and 2) what tools they use to protect it from third-party access.
Now that your data is stored in the cloud, how dependable is the vendor service? It is crucial to ask how much downtime their services have experienced. What are the protocols for customer data protection when there is downtime?
Service outages are not completely avoidable, unfortunately. Otherwise, there would not be a debate on software as a service (SAAS) versus on-premises services. However, there must be a level of reliability to ensure that the data is protected even during the downtime.
The best way to assess resiliency is through the vendor's service-level agreements (SLAs). A key metric to look for is uptime or availability. Anything shy of "five nines" (that is, 99.999 percent) availability might not be the right solution. In many cases, the SLA provided by the cloud vendor could exceed that provided internally.
Note that, when scrutinizing SLAs, looking at the metric is not sufficient. Ask your vendor what happens if an SLA is not met and what type of remuneration is received. In other words, read the fine print.
Each company is unique in terms of what it wants to move to the cloud and when. For most companies, the first area to use cloud services is inbound threat protection: eliminating spam, viruses and other threats. At the same time, companies can ensure data loss prevention with an appliance. When ready, all these services can be migrated into the cloud. Other companies may choose a two-layered approach: SAAS for eliminating spam and providing capacity on demand, coupled with appliances for flexible, global administration.
The question to ask here is, does the cloud provider have the level of customization that your enterprise needs? Large enterprises have completely different needs than small and midsize businesses. Not all cloud vendors have the capability to offer the two-layered approach, scale to the needs of a growing organization or offer a phased approach to moving services to the cloud.
Looking at your own organization, can you identify what services should be moved to the cloud first? If not, will the vendor help you determine what kind of customization is necessary for your enterprise? Will the vendor help you consolidate a range of services in the cloud?
It's worth looking at these different scenarios to adopt the right long-term cloud solution. Imagine what a nightmare it would be to move from cloud to cloud as your company grows.
If your organization is willing to hand over all administration of the services to the vendor, do you trust your vendor enough to let them take the reins? It is really convenient and cost-effective to use the vendor's expertise for remote monitoring or management, but you really need a team that understands what your organization requires.
Traditionally, organizations had to choose between full control and low TCO. On-premises deployments offer complete control. You are in charge of your own destiny. However, as outlined earlier, on-premises deployments do not necessarily provide low TCO. Conversely, SAAS-based deployments provide organizations with low TCO but erode control. Most cloud solutions abstract away the lower layers of the stack: the operating system, patching, etc. That's a good thing. But they also hide other important configuration and policy controls as well as detailed analysis of logs and reports. That's a bad thing.
We all know that no two organizations are the same. Every organization needs the ability to customize its configuration and requires complete control over the infrastructure. Ask your vendors if they are able to deliver cost savings and provide you with the control over the cloud-based infrastructure. In short, seek those vendors that can give you complete control and low TCO.
5. Customer support
Another area where organizations often compromise when moving to the cloud is customer support. Vendors cannot just "bolt on" a customer support team and expect current support staff to understand cloud computing and SAAS issues overnight. The quality of customer support becomes a huge differentiator between different cloud-based solution providers. Support is essential to maintaining customer satisfaction and data security, especially when things go wrong.
Assessing Vendor Cloud Experience
In the rush to meet this demand, many vendors who previously provided only on-premises software or appliance-based solutions are jumping on the cloud computing bandwagon. However, are vendors really grasping the business implications and embracing the changes required to deliver cloud services? Or are they simply repositioning themselves as cloud providers? Look at the history of the vendor. Does it have a good track record with cloud services? Ask for customer case studies. You'll want to go with the vendor that has the most experience so you don't get caught in marketing hype.
Of course, the shift to cloud-based services does not have to be an all-or-nothing proposition. Consider, for example, a hybrid e-mail archiving service that combines on-premises and cloud computing features. Such services use an appliance installed at the customer's site (which may provide enhanced security features such as encrypted communication) combined with secure data storage in the cloud.
Similarly, many organizations are moving inbound e-mail filtering to the cloud while retaining a certain number of on-premises appliances for internal mail routing, outbound e-mail scanning and data loss prevention features. While both inbound and outbound functions can be delivered entirely in the cloud, offering such hybrid options provides the service provider and the customer with a stepping stone to an eventual, fully cloud-based deployment.
It is clear that companies are rushing to provide cloud services. A cloud service is not a new add-on that traditional vendors can offer, especially those that are not willing to adapt to the fundamental changes required by a subscription-based model. Hardware and software providers are rushing to provide these services to their customers, but can they actually do it effectively? It is up to you as a customer to vet these services and choose the vendor that is most appropriate for your organization. Choose a vendor that can provide you with SAAS without compromise.
Rami Habal is Director of Product Marketing at Proofpoint. Rami is responsible for several company solutions. Prior to Proofpoint, Rami held various operating roles at high-tech companies, worked as a venture capitalist at a top-tier Silicon Valley venture capital firm, and has started several businesses. Rami continues to advise early-stage startups. He holds advanced degrees from MIT and Harvard. He can be reached at firstname.lastname@example.org.