Postini’s background technology stems from threat assessment and message parsing capabilities, grown through several years as a primary mail provider. There are two major patents, with a variety of [...]]]> Postini is Google’s 2006 acquisition for secure messaging, and a direct competitor to IronPort. All of their offerings surround Software As A Service (SAAS), matching directly with Google’s overall technology strategy. They provide several services, including web security, anti-spam/malware, mail filtering, and archival with indexing. The Data Leakage Prevention capabilities provide privacy protections through outbound communication filters. Additionally, there are management tools and continuity procedures appropriate for enterprise use.

Postini’s background technology stems from threat assessment and message parsing capabilities, grown through several years as a primary mail provider. There are two major patents, with a variety of claims following each one. The first patent surrounds on-demand message scanning and routing. The geographically distributed Postini data centers proxy all communications (corporate, wired, wireless, portal, etc) and filter the communications appropriately, removing viruses, spam etc. The second patent centers on threat detection and control, and methods for generating and processing a sender/ISP/country’s reputation and then acting accordingly.

The technology doesn’t seem that revolutionary today, and the online documentation frequently references the existence of prior art not mentioned in the patents. However, from a security perspective, the techniques Postini uses are sound. Communications between Postini and corporate mail servers are TLS encrypted. This allows additional features for Data Leakage Prevention by both companies. The Intrusion Detection, Anti-virus, and Anti-spam filters are all independent of the networking infrastructure, and likely include best of breed solutions whenever there’s not a better trade secret/patent in-house. Postini uses portals and web services for sending messages to non-subscriber recipients. The portals guarantee messages are not susceptible to a man-in-the-middle attack.

The Message Security and Message Delivery services offer content filtering for Data Leakage Prevention. There are consoles and rule engines for policy definition, as well as canned Personally Identifiable Information (PII) controls for things like Social Security Numbers or credit card information. The GUI apparently delivers enough rule granularity to at least filter attachment types and perform in message word detection.

Postini’s technology does not address malicious insider activities and could be its biggest weakness. This becomes more of an issue when examining the Google addition of archival and search. Site administrators may configure Postini for secure communications between corporate partner mail servers, and even make this a policy based requirement for some message delivery. This secure communication eliminates privacy issues between the corporate email servers and the Postini data centers. It does not, however, account for a messages time on disk or in use. Trusted insiders at the sender’s or recipient’s locations may manipulate or view messages. From a third party point of view, administrators at the Postini sites could possibly have enough access to circumvent many of the same protections. On Postini’s provider end, at least within Google, record access rights are strictly controlled with procedure.

Google’s approach to pricing is the most attractive part of the Postini product.  It follows the principals of scale, expecting more consumers at a lower tipping point. For $3 annually per user, Postini provides inbound email filtering (Message Filtering) for viruses, trojans, spam, etc… At $12 annually, Postini does the same for outbound messaging and adds content and attachment conttrols as well as policy monitoring and centralized administration (Message Security). The $25 per year includes the archival and search features Google threw into the mix (Message Discovery).

I read about capabilities, product offerings, market penetrations, strategic positioning, competitors and magic quadrants. All of this was at the urging of a friend of mine at Cisco, and how this product would drive profits for the company for the next several quarters.

I did a similar [...]]]> Over the weekend, I did a lot of reading on a company in the mail gateway business called Ironport. I mean a lot of reading. This was another consolidation (see Why behemoths buy startups & March 08′s Information Security Magazine’s Schneier/Ranum Face Off), with Cisco snatching up the market leader.

I read about capabilities, product offerings, market penetrations, strategic positioning, competitors and magic quadrants. All of this was at the urging of a friend of mine at Cisco, and how this product would drive profits for the company for the next several quarters.

I did a similar exercise for my boss with respect to Postini, and their SOA mail security capabilities purchased by Google in 2006 (More on Postini in a future post). I expect his interest is due to the encrypted email gateway.

So what did I learn. First, both of these guys lay claim to reputation based filtering. One holds the patent (Postini, more on this in a later post) and one has it widely implemented, maybe even longer than the patent was applied for (if so, of course that would invalidate the patents).

Gartner thinks Postini would only use those patents defensively. I wonder what would happen if a new Executive management team came in at the search giant… Cisco has deep pockets, but Google’s “do no evil” mantra should keep this out of litigation. Why? Because Ironport gateways are installed worldwide, and their reputation filters handle 5 Billion email messages. Per day! They calculate that’s over 40% of the mail traffic worldwide. From that traffic analysis, they push threat updates in near real time (every 5 mins).

I’d say that is doing no evil. John Chambers likes monopolies. Ish (for the Justice Department and the Sherman Anti-trust Act). Cisco has 80% of the router and switch market. A lot of companies say ‘Does it have a Cisco tag on it? Yes? Then it can come into my network…’

In addition to the reputation filters, Ironport has several other unique features. They built their gateways on a modified FreeBSD OS they call AsycOS. AsycOS’ security includes a limited port attack surface, reputation based filtering at the connection level, an LDAP/Active Directory integration that drops mail for invalid addresses without the Exchange & Notes wasting their CPU cycles and disk space. Performance enhancements include a non-blocking I/O write cache (disk access IO is their major bottleneck), and intelligent mail transfers (check to see if a domain is up before sending), and per receiving domain message queuing. Lastly are the management features, including an intuitive, web based GUI (it really is pretty simple), a three tiered rule set deployment, and a peer-to-peer control structure. For disconnected users, there’s also an email gateway. And of course, they have tons of case studies from recognizable names like Dell, Virgin, Ryder, Johns Hopkins, etc…

I expect Cisco will increase Ironport’s distribution throughout the messaging space. Now we just need Microsoft to buy Tumbleweed (the other upper right magic quadrant product) and the big mergers and acquisitions will be complete.