IT director Lance LeBlanc balks at the notion that he would ever even consider turning off his Google Message Security spam filter – to do so would overwhelm his 250 employee real estate company with a daily mass of e-mails a company of 10,000 might receive.
Montreal-based real estate firm Canderel reached its tipping point in 2004, when it was receiving on average between 200 and 300 spam messages a day. With the business communications hamstrung as a result of the problem, LeBlanc sought out the services of Postini, a company that provided a hosted service promising to filter out the spam and let through legitimate e-mails.
It took just two days to put the new service into place and Canderel immediately stopped receiving spam, LeBlanc recalls. He hasn’t looked back since.
“I don’t even want to imagine what would happen if I turned off Google today,” he says.
Google acquired Postini on Sept. 13, 2007 and has rebranded the company’s services under its Google Apps for Enterprise line. If there have been changes made to the service since then, LeBlanc hasn’t noticed.
“They did a good job of transitioning,” he says. “It was transparent and there was zero downtime.”
Cases like Canderel are commonplace these days, with corporate e-mail servers overburdened by the deluge of spam messages received. A hosted, or cloud, option such as that offered by Google is an appealing way to shift that burden off of the IT department and free up company resources. Google’s system gives end-users the tools needed to control how discriminating their spam filter works, freeing IT workers from configuration duties.
Many companies are wary of cloud-based services, with the thought of corporate data residing with a third-party raising security and privacy concerns. But Google addresses that problem with a “pass-through architecture” that doesn’t store the legitimate e-mail messages being sent to the company – it scans messages as they’re being sent directly to the company.
Companies like Canderel are embracing the cloud because of its ability to take the burden of spam off the back of the company’s network, says Adam Swidler, product marketing manager with Google.
“Don’t let spam consume any bandwidth or storage,” says the former Postini employee. “It makes sense to put your security screens in the cloud, directly in the path between the malware and your organization.”
Postini was founded in 1999 and began seeing real success in 2003 and 2004 when spam passed a significant threshold – it became more than half of all e-mail sent. Today spam accounts for about 85 to 90 per cent of all e-mail messages sent, according to many security vendors.
With that much spam, it’s no wonder that many IT departments are looking to get the job of stopping it off their hands.
“There is zero competitive advantage to IT dealing with spam,” says David Senf, director of research for Canadian security and infrastructure software at IDC Canada. “Cloud-based approaches to spam filtering reduce the time and learning headaches normally faced by in-house IT staff.”
That’s been LeBlanc’s experience, who says he hasn’t had to deal with so much as even a help desk call since implementing Google’s hosted service. The company had been facing a particularly bad spam problem since it had been using the same Internet Service Provider (ISP) as some spammers. As a result, not only was the company being flooded with spam (95 per cent of messages received) but it also was being blocked out by other companies.
“We were automatically classified as a spam organization, we were getting non-deliverables all the time, even though we had nothing to do with the companies that were spamming,” he says. “When we started using Postini as an e-mail proxy, that problem was eliminated immediately.”
There were also the peripheral benefits of eliminating spam from the company servers. Canderel employees carry BlackBerrys that have e-mail pushed directly to them, and the spam messages going to the devices were driving up the data charges on the phone bill. Now those extra charges have gone the way of spam messages at Canderel.
Like many other companies considering a hosted service, Canderel was concerned about privacy and security issues around its data.
“The main concern we had was if the e-mail was being hosted on another service, what were the security implications?” recalls LeBlanc.
Those worries are echoed by many potential clients, Swidler says. But some of the largest financial companies in the world use Google’s service. Although they can’t be publically disclosed, having the recommendation of those companies in confidence goes a long way in reassuring clients of their privacy.
The system uses a type of pass-through architecture that acts as a middleman in every e-mail transaction without disrupting the flow of data.
“For a legitimate message we never store it, we never write it to disk,” Swidler says. “We do all the analysis as it passes through our data centre and it won’t get caught there.”
Still, the spam messages are still kept on Google’s servers for a period of 14 days typically. Swidler says that false positive – messages flagged as spam that are actually legitimate – are rare, but not zero. That may be enough to stop some companies from adopting the service.
“Any time that there is an additional party that can (even if the potential is remote) read a firm’s data, then a red flag needs to be raised,” Senf says. “If a spam solution is being applied to a firm’s e-mail the legitimate e-mail should be protected through encryption where possible.”
At Canderel, employees are trained on how to use the e-mail system when they’re hired to the company. That includes a demonstration of how to set their spam filter and access their quarantined e-mails on Google’s online message centre.
Through their Web browsers, employees choose on a simple scale how strict they want their spam filters to act. This is an easy-to-use approach that means IT doesn’t have to get involved. But if the IT department does want control of what end-users are doing, that’s also an option, Swidler says.
“It can be quite granular,” he says. “It can be given on an individual user level, or it can be done by groups of users.”
Users can also white list e-mail addresses they want to ensure get through, or black list addresses they always want blocked.
The experience at Canderel has been so good that LeBlanc is now considering Google Web Security, which would keep out malware and block out non-work related sites from the company’s network.
“You can actually tweak what users can view or not view,” he says.
It is unlikely that Canderel will give their end users similar granular control over this security function. It harkens back to another time.