Securing a Virtualized E-mail System

The optimal solution for most companies looking to lower the operating expenses associated with an e-mail environment through virtualization is to deploy a hybrid approach.

by Greg Olsen

Data center virtualization is still one of the hottest trends in enterprise IT today. Virtualization has moved from the lab to production environments for many applications in large enterprises. Initially, less-critical applications were migrated to a virtual platform; today, more mission-critical applications, notably e-mail servers (where e-mail is delivered into users' inboxes), are more often being migrated to a virtual platform. Over the next few years, many more applications are expected to be moved to a virtualized platform. The primary motivation driving this industry shift is the promised reduction in operating costs that results from running enterprise apps on virtual platforms.

Virtualization initiatives are typically sold as a means of lowering costs by increasing server utilization rates, and permitting server consolidation while keeping applications separate. That is less important for e-mail servers, which are rarely underutilized. Instead, the primary benefit for e-mail server virtualization has been the added ability to manage the e-mail server environment.

Using virtualization technology, e-mail servers are more easily provisioned, storage space is better allocated, and high-availability architectures are more easily created. These improvements, made possible by virtualization technology, cost-effectively address the ever-increasing demand for storage and added complexity of current e-mail systems in large enterprises.

As the e-mail server (along with much of the data center) has gone virtual, the next challenge will be how to secure that e-mail environment in a virtualized data center. Since 2005, enterprise buyers of e-mail security products have preferred utilizing e-mail appliances and turnkey packages of hardware and software for implementing e-mail security. Where does that leave an enterprise company that wants to implement its messaging security on a virtual platform?

There are four options:

  1. Return to the "bad old days" of open source software running on a UNIX (now Linux) platform, only in a virtual machine instead of on bare iron
  2. Implement one of the remaining enterprise software solutions in a virtual machine
  3. Choose one of a few virtual appliance products that are available in the marketplace
  4. Choose a SaaS provider to outsource the security functions

Each strategy has advantages and disadvantages.

Option 1

The primary benefits of an open source software solution are low acquisition costs and deployment flexibility. The software is usually freely available, although most licenses have restrictions on commercial redistribution in some way. A good mix of open source tools can be combined to provide a very tailored, high-quality solution for basic security functions (e.g., anti-spam, anti-virus, attachment filtering, and sender authentication).

The primary problem with the open source software approach is supportability. Maintenance and support must be provided in-house or with contractors. Furthermore, solutions for more complex requirements, such as records retention and e-discovery, are not effectively provided in open source, particularly in regulated industries. Consequently, companies are forced to invest in the development of their own software to address the more complex requirements. Maintenance of tools developed in-house then becomes an on-going operational cost.

The bottom line: open source does not provide an effective support model and requires companies to keep open source tools and expertise in-house in order to address the problems.

Option 2

An enterprise software solution used to be the preferred method large enterprises deployed in their messaging security infrastructure, but it has been replaced by purpose-built appliances. The primary benefit to an enterprise software solution is that deployment is flexible, because there are many hardware and operating system configurations supported. Given that the enterprise software solutions were built with the large firm in mind, they typically feature superior scalability and may be customized for special purposes.

The primary problem with enterprise software solutions is that there aren't many left in the marketplace. The rise of the e-mail security appliance made software vendors uncompetitive. A software vendor must invest in supporting multiple platforms with its software; consequently, software must be tested to ensure it works on every supported version of an operating system. This puts the software firm at a competitive disadvantage to an e-mail appliance vendor that has a much shorter test cycle because the appliance vendor controls the hardware platform and operating system the software application runs on.

The bottom line: many of the enterprise software vendors have either exited the market or transformed themselves into e-mail appliance vendors. This limits choice.

Option 3

This option is one of the most attractive overall solutions for a company making the transition to a virtualized data center. There are a few e-mail security appliance vendors today that offer virtual appliances. These products offer the same advantages as e-mail security appliances in terms of simplicity, ease of use, and innovation while permitting the virtualization of the environment.

Bottom line: with these products, the e-mail security appliance can be separated from its hardware and run on a virtual machine and managed in a virtualized data center like any other application.

Option 4

For enterprises considering option four, the selection of SaaS as a security solution is always a trade-off between cost and control. SaaS is a particularly attractive solution for filtering inbound messages from the Internet because it shifts the burden of removing ever-increasing quantities of unwanted e-mail to a third party rather than requiring larger and larger deployments of servers in the data center to handle the increased load.

Anti-spam and anti-virus functions are only a small fraction of the overall security requirements for most enterprises. A large business needs to consider the best approach for managing all of its security requirements, including encryption, records retention, e-discovery, data leak prevention, auditing, internal content controls, regulatory compliance, and acceptable use policy enforcement.

To meet all the requirements, a patchwork of SaaS solutions must be integrated, adding complexity and cost rather than reducing them. Furthermore, in the areas of data-leak prevention, auditing, internal content controls, regulatory compliance, and acceptable use policy enforcement, companies typically have a hard time satisfying these requirements with a SaaS solution because SaaS solutions are one-size-fits-all and offer limited customization. Finally, data protection and safe harbor issues have yet to be addressed. In many cases, the data being monitored should not be exposed to anyone outside the firm, which then necessitates using a hybrid approach of SaaS and on-premises virtual solutions.

In general, the optimal solution for most companies looking to lower the operating expenses associated with an e-mail environment through virtualization is to deploy a hybrid approach. SaaS is mature and has the greatest ROI for basic e-mail filtering on an inbound Internet e-mail stream. An on-premises virtual appliance approach allows for the implementation of complex e-mail routing and policy enforcement on internal e-mail and outbound Internet e-mail.

When the two techniques are combined, the firm achieves the greatest benefit with lower costs thanks to the elimination of the greatest driver of server count -- fighting spam -- while effectively deploying a smaller on-premises virtual infrastructure for the implementation of internal and outbound content policy.

Greg Olsen is the director of business development of Sendmail, Inc. You can contact the author at
