E-mail encryption is required to protect private and confidential data communicated to clients, partners and external processors. Gartner's "MarketScope for E-Mail Encryption, 2006" focused primarily on gateway or boundary encryption services; this Magic Quadrant analyzes the blended desktop and gateway solutions portfolio.

The Magic Quadrant is a snapshot of the overall market. Readers will note that two significant acquisitions occurred during the past year, and they'll also note that small, incumbent vendors continue to aggressively maintain their presence through product evolution, strategic partnerships and white label services. Leadership denotes a vendor with a balance of strengths. However, vendors in any category, including those not ranked on the Magic Quadrant (see Figure 1), may suit your enterprise's needs.

The vendors reviewed herein offer products and services that securely encrypt and/or digitally sign business-to-business (B2B) and business-to-consumer (B2C) communications. These products and services often are bundled with e-mail hygiene, anti-spam, content monitoring and filtering, archiving and other value-added services provided by the vendors or through partnerships. With direct e-mail encryption software and licensing revenue for desktop, staging server and self-managed Transport Layer Security (TLS) totaling nearly $120 million in 2006, the e-mail encryption market continues to be a steady but relatively slow growth market of 10% to 15%. Although the vendors' technologies are relatively mature, deployments are still focused on communities of need.

One noteworthy point is that TLS adoption (used to secure gateway-to-gateway communications) has consistently been on the rise during the past two years, and we're seeing a trend in which a majority of large organizations with very dense TLS deployments are outsourcing their TLS service needs to service providers either to reduce the complexity inherent in self-managing these secure connections, or to join trusted communities within their industries. This has resulted in accelerated growth in the managed gateway-to-gateway TLS service market, which we anticipate will continue for the next 12 to 18 months.

Although nearly all solution providers reviewed herein supported native TLS encryption, few directly offered TLS as a managed service, or via third-party technology white label service. As expected, we're finding that e-mail security boundary vendors (such as Postini and MessageLabs, along with others) are stepping in to offer this capability as an add-on service to their bundled offerings.

As in previous years, most organizations embarking on larger-scale e-mail encryption projects continue to consist primarily of governments, military contractors, financial companies and healthcare-related companies; the rest of the deployments typically are targeted to support e-mail encryption services for smaller groups of users (banded around specific functions in the organization, such as HR, finance and benefits administration) or for confidential communications with specific clients or partners.

Pricing continues to vary by solution and vendor, with ranges of $25 to more than $90 per user for 2,500 user desktops, gateways and self-managed TLS offerings — exclusive of maintenance costs, which range from 18% to 30% per year. Pricing typically is broken down into server and user charge components, with the overall average blended pricing typically running closer to $50 per user. Once again this year, a higher acquisition price doesn't necessarily denote a better or more feature-rich solution, and users must negotiate aggressively when finalizing their configurations. We expect pricing to drop to more-standardized option pricing as more e-mail security boundary vendors offer e-mail encryption as a feature in their broader e-mail security solutions.

Although the Health Insurance Portability and Accountability Act (HIPAA) was a significant driver for many deployments, its influence has diminished considerably during the past year as the rush to meet critical compliance targets has passed. Some industries targeting B2C security needs do value the benefits of enhanced, customer-trusted communications, but most organizations still consider e-mail encryption as a check-box solution to address auditors' and compliance officers' identified deficiencies, rather than as a strategic investment. A prime example is organizations' continued practice of allowing customers or partners to self-enroll when they click a URL they received in a clear-text e-mail — without invoking any follow-up identity validation or verification process.

One growth trend in the e-mail encryption market has been through data loss prevention (DLP) projects. Companies that invested in DLP initially monitored traffic for policy violations or to understand how their businesses used sensitive data. However, as soon as companies turn to an enforcement mode, e-mail encryption becomes an important mechanism for allowing the transit of sensitive data. Subsequently, many DLP vendors have partnered with e-mail encryption vendors to allow the automated encryption of sensitive data through filters.

Some vendors have begun integrating e-mail encryption with DLP and e-mail security functionality. For example, Proofpoint "OEMs" Voltage Security's technology into a single appliance, and Code Green Networks incorporates Voltage and the former PostX solution that's now provided by Cisco/IronPort Systems. In September 2007, IronPort integrated a subset of PostX functionality with its core e-mail security appliance. We expect that the native e-mail content monitoring and filtering (CMF)/DLP service capabilities will continue to be rolled into larger, corporate CMF/DLP initiatives that target not only the endpoint and network, but also the data at rest/data discovery segments.

With organizations requiring greater support to address auditing and regulatory requirements, e-mail encryption vendors are beginning to support e-discovery/archiving capabilities proactively as part of their standard offerings, or via third-party integration in their native solutions. Over time, e-mail encryption vendors will offer greater support, and a more varied and flexible set of compliance and data-management-related tools.

Finally, during the past 12 months, two significant acquisitions occurred within the market, and another occurred just outside the scope of this Magic Quadrant, indicating that the market is being viewed more directly as a strategic initiative that must be part of a greater overall security offering. Specifically, Cisco entered this market with the acquisition of IronPort (which had acquired PostX a few months earlier), and Secure Computing entered with its acquisition of CipherTrust. The final acquisition to be noted as of this publication was Google's acquisition of Postini, which possesses a TLS managed service business. (Postini also resells the ZixCorp-managed encrypted e-mail service.) We anticipate a few more targeted acquisitions to occur during the next 18 months as e-mail encryption functionality beyond TLS becomes a mandatory selection criterion for e-mail security boundary solutions.

The vendors reviewed herein offer products and services that securely encrypt and/or digitally sign B2B and B2C communications. These products and services often are bundled with e-mail hygiene, anti-spam, content monitoring and filtering, archiving and other value-added services provided by the vendors or through partnerships. With direct e-mail encryption software and licensing revenue for desktop, staging server and self-managed TLS totaling nearly $120 million in 2006, the e-mail encryption market continues to be a steady but relatively slow growth market. The technology supplied by vendors is relatively mature, but the market itself is still in the early stages of development.

Vendors must meet the following criteria to be included in this Magic Quadrant:

• They must own the technology and provide all three of the following: desktop (this includes "lite" clients, such as "secure envelopes"), gateway (sometimes described as pull models or "staging servers"), and support of TLS and S/MIME (Secure Multipurpose Internet Messaging Extensions) standards.
• They must have at least 75 production enterprise installations of their e-mail encryption products.
• They must have generated at least $2 million in 2006 from their e-mail encryption products.

Vendors won't be included in this Magic Quadrant if they haven't met the following criteria:

• They must return a completed questionnaire, which Gartner uses to collect competitive and historical data.
• They must report seat sales for comparison (in a format requested by Gartner).

Financial data (nine vendors provided the requested information) is necessary to make execution comparisons; however, other factors will be considered, including client interest, overall industry "mind share" and competitive behavior.

IBM Lotus

Although IBM Lotus declined to participate in this year's Magic Quadrant, its Lotus Notes continues to support internal and external e-mail encryption via its enabled architecture. Currently, IBM Lotus has no plans to offer native gateway encryption services, but we anticipate that IBM will address this requirement during the next year via partnerships with established e-mail encryption solution providers.

Novell

Novell provides the still-popular Novell GroupWise e-mail solution with support for S/MIME. Novell has partnered with GWAVA and Messaging Architects for content inspection. However, because Novell doesn't natively support OpenPGP or gateway-based encryption services, it didn't meet the inclusion criteria for this Magic Quadrant.

Marshal

Marshal provides an encrypted e-mail solution via its client support in Microsoft Exchange, along with traditional e-mail hygiene and quarantining services. However, because Marshal doesn't provide an encrypted e-mail gateway solution or support for OpenPGP, it didn't meet the inclusion criteria for this Magic Quadrant.

MessageLabs

MessageLabs provides traditional e-mail hygiene services, and supports managed TLS connection services within its architecture. Clients can opt to include boundary encryption capabilities to support compliance requirements.

Microsoft

Although Microsoft declined to participate in this year's Magic Quadrant, it continues to be a significant presence in the encrypted e-mail arena. Microsoft Outlook has native S/MIME support, and Microsoft Exchange Hosted Services/Exchange Hosted Encryption capabilities obtained via the FrontBridge Technologies acquisition (and expanded since) provide managed e-mail encryption services. We don't expect Microsoft to offer its own gateway-based encryption (push or pull) enterprise-class solution through 2009.

Postini

Postini, which was acquired by Google in 2007, is an e-mail hygiene service provider that offers a managed TLS connection service as part of its Perimeter Manager solution. In addition, Postini has an established partnership with ZixCorp (included in this Magic Quadrant) to address the needs of clients requiring a comprehensive, managed e-mail encryption solution.

Sigaba

Sigaba (Secure Data in Motion) provides desktop and gateway-based e-mail encryption solutions that support identity services and an integrated public-key infrastructure (PKI) for certificate management. However, because Sigaba doesn't offer TLS-secured connections or OpenPGP support, and because it still has a low deployment count, it didn't meet the inclusion criteria for this Magic Quadrant.

Added

• Cisco/IronPort (acquired PostX)
• Secure Computing (acquired CipherTrust)
• ZL Technologies (formerly known as ZipLip)

Dropped

• CipherTrust (acquired by Secure Computing)
• PostX (acquired by IronPort; IronPort acquired by Cisco)
• ZipLip (changed name to ZL Technologies)

Although most of the solutions we reviewed showed relative maturity, the overall e-mail encryption market — even after its 10+ years of existence — is still small and only in the early stages of deployment and adoption.

Vendors that learn to sell their products on the merits of ease of use and platform delivery support win the largest sales across all markets. Other factors, such as the HIPAA and other regulatory compliance requirements, may help to stimulate sales, but they don't substitute for a good business strategy.

Product/Service compares the completeness and appropriateness of core data protection technology. This factor is critical to demonstrating that the vendor can generate market awareness.

Overall Viability considers company history and demonstrated commitment in the market, as well as the difference between a company's stated goals for the evaluation period vs. the company's actual performance compared with the rest of the market. Growth of the customer base and revenue are considered.

Sales Execution/Pricing compares vendors' strength of sales and distribution operations, as well as discounted list pricing for investments in seats ranging from fewer than 100 to more than 10,000. Pricing was compared in terms of first-year, cost-per-concurrent active license seats, including the cost of all hardware and support. When dealing with vendors, buyers want demonstrable "peace of mind" more than bargains, and they respond strongly to sales techniques guided by case studies and return on investment (ROI) projections.

Market Responsiveness and Track Record and Marketing Execution rate competitive visibility as the key factor, including which vendors are most-commonly considered to be top competitive threats by each other, and which vendors respond most effectively to buyers' requests for proposal (RFPs).

Customer Experience is subjectively rated based on client feedback to analysts; on the opinions of Gartner analysts in security, network and platform research groups; and on vendor-supplied references, where needed.

Operations considers a vendor's capability to pursue its goals in a manner that enhances and grows its influence in all execution categories.

Vision is subjectively ranked according to a vendor's capability to show broad investments in technology developments that predict users' wants and needs.

Companies that lead in vision typically own, license or partner products in other security and configuration management markets. They must demonstrate management features that make their products easy to integrate with enterprise infrastructures and easy to interoperate with other enterprise security and management systems.

Market Understanding and Marketing Strategy are ranked together as Marketing Strategy, and assessed through direct observation of the degree to which a vendor's products, road maps and missions anticipate leading-edge thinking about buyers' wants and needs. Gartner subjectively assesses these by several means, including interacting with vendors in briefings and by reading planning documents, marketing and sales literature, and press releases. Incumbent vendor market performance is reviewed year by year against specific recommendations that have been made to each vendor, and against future trends identified in Gartner research. Vendors can't merely state an aggressive future goal; rather, they must enact a plan, show that they're following it and modify the plan as market directions change.

Also considered are vendors' partnerships with other vendors in related e-mail security markets, including antivirus, anti-spam, CMF/DLP, Electronic Discovery Reference Model (EDRM), authentication/authorization, e-mail archiving, e-mail auditing and so on.

Sales Strategy examines the vendor's strategy for selling products, including sales messages, techniques, marketing, distribution and channels. This criterion is considered in execution; it doesn't apply to product vision, which is ranked in terms of investment in functionality.

Offering (Product) Strategy is ranked by examining the breadth of functions, as well as platform and delivery support for encrypted e-mail messages. R&D investments are credited in this category. E-mail-encryption-supported configurations are listed in the Vendor Strengths and Cautions section below.

• Cisco/IronPort Systems
• Tumbleweed Communications
• ZixCorp

• Secure Computing

• Voltage Security

• Entrust
• PGP Corporation
• ZL Technologies

• Long legacy of providing solutions for encrypted e-mail, including configuring some of the first X.509-certificate-based S/MIME deployments in the early 1990s.
• Who's who of Fortune 2000 organizations, government agencies and some of the most security-driven entities on its customer index cards.
• Provides extremely secure encryption services under all its forms, including push/pull, multifeature client, BlackBerry and gateway solutions, and support for file transfers of up to 100MB.
• Can be configured in high-availability clusters for varying client deployment requirements.
• Support for DLP-policy-based encryption.
• Support for a very wide range of standards-based encryption formats.

• Leveraging all value proposed by the Entrust encrypted e-mail solution is best accomplished by using and integrating the company's optional PKI solution as part of an insourced or outsourced model.
• Optional PKI integration can be viewed as complex for some clients with limited experience.
• Still only limited small and midsize business (SMB) deployment.

• Extremely feature-rich capability set for e-mail encryption, including desktop client and push/pull technology. Push solution dominates the majority of IronPort's sales.
• Very strong end-user, administrator and system capabilities, including comprehensive reporting and a lexicon-based, policy-enabled, encrypted e-mail service and DLP support.
• PostX launched managed, encrypted e-mail service that Cisco will host and expand by leveraging its established channels for growth. Competitors will be challenged to ignore the new player in the arena.
• Releasing an integrated appliance supporting e-mail security and push encryption functionality, as well as a newly minted desktop client supporting combined e-mail security, e-mail encryption, and spam and other functionality.
• Combined IronPort/PostX organization is another expression of the e-mail security company that is building ownership of e-mail security and encryption capabilities.

• PostX was a specialized niche, e-mail encryption vendor running its own business, but the new company structure could affect development priorities.
• Limited support for mobile devices.
• Lacks some key elements of a comprehensive, secure communication protection portfolio, such as instant messaging (IM) and others.

• Offering supports a well-integrated push/pull offering, a desktop solution that ties in with established e-mail systems, e-mail staging and large file transfer capabilities via the gateway solution.
• Support for S/MIME and OpenPGP, BlackBerry and self-managed TLS secure links.
• Additional functionality for DLP and policy-based encryption.
• Strong scalability capabilities leveraging the built-in key management component.
• Partnership provides Secure Computing with PGP Universal Server to address Secure Computing client demands for a desktop solution and S/MIME signing.

• Although components can and will work independently of any other installable PGP solution, they all rely on using the PGP Universal Server.
• Perceptions of complexity regarding PGP Universal Server integration in deployments.
• Limited deployment traction and request for information (RFI)/RFP visibility in the marketplace.

• One of the few combined e-mail security and encryption capabilities deployed concurrently in the field.
• Continues to show support for the CipherTrust model of a trusted partner relationship, with a one-stop shopping model for inbound protection across communication protocols and for outbound policy compliance.
• DLP functionality is capable under generalized requirements, and is well-integrated in the overall offering, supporting policy-enabled e-mail encryption as well as bidirectional content inspection across multiple protocol streams.

• Continues to leverage its PGP Corporation and Voltage partnerships to address "holes" in its solution.
• Limited support for mobile device via browser-based technologies only.
• Client report database integration for logging and activity auditing can be challenging.
• Encryption appliance offering that's distinct from the IronMail policy engine solution remains an integration and architecture configuration concern to many clients.

• Single-largest installed base of sizable deployments in large and midsize organizations of any vendor reviewed.
• Provides strong value for complex e-mail encryption needs.
• Very rich encrypted e-mail feature set supporting all deployment options, including push/pull, gateway, staging server, TLS, and desktop and support for all browser types.
• Support for extremely large encrypted file transfers — meaning files of 100GB or more — via AS2 (Applicability Statement 2), FTP/S, HTTP/S and Secure Shell (SSH) is unique among the offerings reviewed.
• Outbound content filtering continues to provide good baseline functionality, but doesn't aim to address the larger corporate communication landscape supported by pure-play CMF/DLP vendors (such as Vericept, Vontu and Websense).

• Encryption support doesn't extend services to non-e-mail-centric environments or channels (such as IM, whole disk or data at rest). Tumbleweed has chosen to adopt partnerships with third parties, such as Akonix Systems and other point solutions, to round out its offering.
• Anti-spam capabilities are considered weak compared with pure-play vendor offerings.
• Serious competition from large vendors entering the e-mail encryption space. Tumbleweed will have to adapt quickly to the challenging landscape to maintain its position in the Leaders quadrant.

• Some very high-profile, big-name accounts already are part of the Voltage customer base.
• Expanding Identity-Based Encryption (IBE) product to include file encryption, application and database encryption, and other selected applications.
• Although IBE created a lot of buzz in the industry and the press, customers continue to report that they're choosing the solution for its perceived ease of use and full feature set, rather than for the use of any specific core technology.
• Support for mobile devices.
• The Voltage Security Network (VSN) provides a hosted key management service that can be leveraged to reduce the complexity of key exchanges among clients.
• Provides a complementary solution to its long-standing partner's (Microsoft's) Exchange Hosted Services (formerly known as FrontBridge Technologies before the Microsoft acquisition).

• Many new deployments continue to be end-user-initiated, as opposed to being a corporate decision.
• Voltage is clearly trying to re-brand itself as an encryption technology vendor, rather than simply a provider of encrypted e-mail products. With all these new initiatives laying claim to planning, development and marketing cycles, Voltage must carefully assess its foothold claims to ensure that it doesn't begin waging product battles on too many fronts.

• Very large installed base of more than 6,000 accounts, with the vast majority of its clients signing up for strategic deployments of sub-500 users in their organizations.
• Strong industry presence and client base in healthcare, insurance organizations (including the Blue Cross and Blue Shield Association) and many hospitals.
• Expanding its vertical-industry coverage into financial services; in addition, ZixCorp includes Federal Financial Institutions Examination Council (FFIEC) agencies and several leading banks among its list of distinguished clients.
• Model includes hosted key management, ZixDirectory, custom portal capabilities (which is a big plus for companies that are unwilling or unable to assume the fixed costs of implementing and managing their own encrypted e-mail infrastructures), and the rich lexicons ZixCorp developed to support policy-enabled e-mail encryption.
• ZixDirectory, at the heart of ZixCorp's secure communication hub, simplifies secure communications with other member organizations.
• Managed TLS service offering.
• White label agreement with Postini (prior to Postini's acquisition by Google) will create new market opportunities.

• Although HIPAA was a big boon for fast growth, the rush to address compliance requirements is slowing significantly.
• Current product limitations regarding support for other communication protocols (such as IM, large file transfers, support for mobile devices and nonactive client content) to be addressed in future releases.
• Stiff competition and pricing pressures are coming from Cisco/IronPort, Microsoft, Secure Computing and the other new entrants into the e-mail encryption service arena.
• ZixCorp must tread the changing market arena carefully to ensure that it manages its resources effectively, invests carefully in future releases, and continues to recover from previous issues (such as the high cash burn rate that alarmed customers in 2005 and early 2006).

• Clients perceive its main values to be ease of installation, use and integration with the other available ZL Technologies modules, such as archiving for compliance.
• Low cost of ownership for the solution.
• Support for an integrated DLP tool; policy-based encryption can be leveraged to reduce and, in some cases, eliminate client involvement in the encryption process.
• Well-rounded solution consisting of push/pull technology, staging server, desktop client, policy-based encryption and self-managed TLS support, considering the size of this solution provider.

• Provides only limited BlackBerry and PDA support.
• Leverages third parties McAfee, Sophos and Trend Micro to provide e-mail hygiene services. Although this strategy is prudent, the overall market is steadily moving toward integrated e-mail security and e-mail encryption solutions, which eventually will force e-mail hygiene vendors to find encryption solutions of their own (and, within the next few years, could leave ZL Technologies with limited partnership options).