Hosted Web security vendor Zscaler has added a hosted e-mail security service, featuring anti-spam, anti-virus, policy-based encryption, distribution control and forensics. Zscaler is touting the integration of the two services, claiming stronger security, unified policy and common management controls. A number of security vendors typically offer both hosted Web and e-mail security services. There's some natural synergy. Many Web-based attacks originate with spam or phishing messages that lure users to malicious or compromised Web sites, a far more serious attack vector now than e-mail attachments.
"Both are commodity-scanning services that are easy to package in a service or on-premises appliance because traffic normally flows through the same pipe," said security expert Adam Ely, a Network Computing analyst. "Companies that have insight into both spam and e-mail filtering, and insight to the Web and where Web malware and threats are coming from can apply rules across both products and services for more comprehensive protection."
The two types of services also converge around data loss prevention (DLP), as organizations attempt to detect and block customer information and other confidential material from going out to unauthorized recipients, for both security and regulatory compliance. Zscaler's Web security service features DLP in outbound Web content, including Microsoft documents and PDFs. E-mail is considered the primary exposure for data leakage, and many companies that can't afford the investment in time, personnel and money for a full-fledged DLP deployment will look for a "DLP light" approach built around e-mail.
In addition to applying the same scanning engine to Web and e-mail, combining e-mail and Web DLP allows organizations to work off common dictionaries and compliance templates and apply uniform policies on detection, response, exceptions, etc. "DLP is a prime example of a good integration point," said Ely. "You can set DLP strategy across e-mail and Web in one place."
Integrated Web and e-mail security presents considerable management advantages. Companies can set individual and group policies via Active Directory, using the same administrative interface for both services. So, for example, an organization can set rules for URL filtering and Web 2.0 application usage on the one hand, and e-mail distribution permissions and prohibitions on the other.
Zscaler's e-mail service includes policy-based encryption. So, for example, you can set a rule that says any e-mail leaving the legal department must go over an encrypted channel. Conversely, you could set a rule that blocks any e-mail using personal client encryption because you don't know what the message contains. Finally, the services consolidate and correlate logs for comprehensive reporting on security posture, audit and regulatory compliance, as well as forensics, facilitating investigations.