Proofpoint: Security, Compliance and the Cloud

October 27, 2014

Regulatory Driving InfoGov Agendas

With #ARMA14 now underway, it is a good time to address some of the key forces that are leading organizations to re-examine their records and information governance initiatives.

Driving force #1: Regulatory

I'll give this the top spot because numerous recent surveys indicate that increasing regulatory complexity is a top concern. There are multiple CIO-focused surveys (e.g. CIO Magazine, Gartner, Forrester) where this is noted, but here are a few other C-level examples:

  • CEO: Gartner's 2014 CEO and Senior Executive Survey: "'Risk-On' Attitudes Will Accelerate Digital Business" lists regulatory change as the #2 external trend shaping business strategies (following macroeconomic growth)(1)
  • GC/CLO: Norton Rose Fulbright's 10th Annual Litigation Trends Survey cites regulatory investigations as a top concern for 41% of corporate litigators surveyed, up from 23% in 2013(2)
  • CFO: Deloitte & Touche LLP's 2014 CFO Signals Survey notes, “Concerns about additional regulations, lack of clarity, costs of compliance and unintended consequences made regulatory concerns the most consistently voiced” (http://deloitte.wsj.com/riskandcompliance/files/2014/07/signals_Q2_2014_high_level.pdf)(3)

These concerns are not without merit. In fact:

So, what key InfoGov preventative actions can be extracted from this data? Here are the top four:

  1. Automate Policies: the importance of automated policy definition and, as importantly, enforcement has never been higher given the continuing explosion of data growth and an increasingly complex regulatory environment. Regulatory risk calls not only for the remediation of junk but, more importantly, for the classification of data that is potentially sensitive to regulators.
  2. Robust Systems: several of the noteworthy cases within the sanctions totals above related directly to dependence on systems that were not designed to deal with the volume and variety of data in use by organizations today. How your current systems will cope with an environment where data is expected to double again in the next 18 months is worth examining before your next support renewal arrives.
  3. Extended Control: clearly, regulatory risk lives beyond managed repositories, as illustrated by cases such as the "Tweeting Broker" and the Regulation FD mishap at Netflix. Social, cloud and BYOD will only continue to press the need to expand compliance control into the wild.
  4. Enhance Reporting: as simple as it sounds, reporting systems must be nimble and flexible, and must enable fast response to the increased frequency and unpredictable arrival rate of regulatory inquiries. FINRA, SEC, FFIEC, HIPAA, FDA and other regulators are all stepping up their game, and improved reporting rigor and inquiry response time should be key requirements in the evaluation of any new information governance project.

How Proofpoint Can Help

Proofpoint’s Information Governance portfolio helps regulated organizations to address compliance complexity with solutions to manage information according to policy, enabling more efficient discovery and supervision, with unsurpassed data privacy and information security protection. This includes Proofpoint Enterprise Archive to securely manage email, IM, and social media, Enterprise Governance to track and control files and documents in place and the Social Platform for Archiving to capture and control leading social media channels including Twitter, LinkedIn, Facebook, Salesforce Chatter, and Microsoft Yammer.

---

Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.

October 24, 2014

What do naked mole rats teach us about information governance?

ARMA 2014: Stephen Chan, senior director of Products and Information Governance, will present “Informational Convergence—corporate departments are increasingly in need of corporate wide classifications that span the needs of security, legal and records management.” His presentation will take place at 11:15 a.m. PDT (2:15 p.m. EDT) on Sunday, October 26 in the San Diego Convention Center, Hall Room 528.

---

Naked mole rat

Despite being named 2013’s Vertebrate of the Year, this little fellow did not appear on the cover of People, US, or other checkout counter fare.

Still, some of you may already know of the naked mole rat, a unique and unusual species and one of the best examples of convergent evolution.

Apart from their singular appearance, naked mole rats have quite a few remarkable characteristics. They are insensitive to pain. They do not get cancer. They live as much as 30 times as long as typical rats. They are like little yogis, decreasing their heart rate and metabolism when needed to survive periods of shortage.

What's most interesting, however, is that they are eusocial animals, living in colonies much like bees or ants, with a single queen, a few males, and otherwise sterile workers and soldiers.

Despite their similarities, naked mole rats, which are mammals, evolved this behavior independently from bees and ants, which are both part of the order Hymenoptera. This type of coincidence in evolutionary biology is called convergent evolution, which describes biological systems that independently evolve similar traits to adapt to similar environments or to overcome similar survival challenges. It's when a behavior is so advantageous that more than one organism evolves it.

Now what does this little guy have to do with our blog? Well, in the same way that convergent evolution exists in nature, so too can it come about in technology, and I believe we’re seeing the same thing happening with information governance, specifically with regards to content classification, which can be called Informational Convergence.

Whether you're an attorney, a records manager, or a CISO, you are a stakeholder who is highly concerned with risk and looking for tools that can classify information and identify where a breach would be most disruptive and damaging. To do this, companies are demanding strong, sophisticated classification tools that identify important or sensitive data. This is where informational convergence comes into play: despite the broad range of stakeholders that need classification, all of them need the same thing, accurate classification. It does not matter what topics firms are classifying for, so long as the classification is accurate. What organizations do with their content after classification, such as legal hold, quarantine, or disposition, is still important, of course, but the domain where the most improvement is being demanded, and must be made, is new, accurate, and cost-effective classification technology.

While convergent evolution in nature occurs where two different organisms evolve similar characteristics or behaviors, informational convergence describes how groups or departments within organizations are demanding the same or similar capabilities. As technology vendors, we want to identify and meet new customer needs. At Proofpoint, we're identifying the organizational domains with the greatest need when it comes to classification, particularly where our current coverage areas are strong. In Proofpoint's case, this is in the areas of e-discovery, security, and records management.

Over the next year, technologies related to classification both novel and tried will continue to pop up. Proofpoint will look to innovate in ways that can best provide customers with a holistic solution that classifies across a broad range of roles and in a highly accurate and cost effective manner, creating a robust and durable solution, just like the naked mole rat.

---


Stephen leads products for the Information Governance team at Proofpoint. Successfully merging 15 years of expertise in the areas of e-discovery, compliance, and records management together with their most relevant technologies, Stephen drives thought leadership in the industry and has advised the SEC and Global 1,000 organizations. Prior to Proofpoint, Stephen was co-founder of several enterprise and consumer software firms, served as primary investigator on two government funded research projects, and has been published in over twenty magazines and books. Stephen is a graduate of the University of California at Davis and Harvard University.


September 26, 2014

Bash Code Injection Vulnerability Security Update

On Wednesday, September 24, a security vulnerability in the bash command interpreter used on Linux and other Unix-like systems was disclosed on various internet channels. The vulnerability has been assigned CVE-2014-6271 in the Common Vulnerabilities and Exposures database. CVE-2014-6271 is a flaw in the way bash evaluates certain specially crafted environment variables: bash imported function definitions from the environment and went on to execute any commands that followed the function body. An attacker who can influence an environment variable (for example, an HTTP header that a web server passes through to a CGI script) could use this flaw to bypass environment restrictions and execute shell commands. This is an Internet-wide vulnerability that affects everyone with Internet-facing applications running a vulnerable version of bash; it is not limited to Proofpoint. More information on this vulnerability can be found here and here.

A second vulnerability was identified later in the day. According to Red Hat, the patches shipped for CVE-2014-6271 were incomplete: an attacker could still provide specially crafted environment variables containing arbitrary commands that would be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169 in the Common Vulnerabilities and Exposures database. More information can be found here.
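As an added example, not part of the original advisory and not Proofpoint code, the following POSIX shell script runs the two widely published probes for these CVEs against the bash found on the local host, which is the check an administrator would want after patching. The probe strings are the public test cases that circulated at disclosure; the function names and the "vulnerable"/"patched"/"no-bash" result labels are assumptions for illustration. The CVE-2014-7169 probe has a side effect on a vulnerable bash (it writes a file named `echo`), so it is run in a scratch directory that is removed afterwards.

```shell
#!/bin/sh
# Added example (not Proofpoint's code): probe the local bash for
# CVE-2014-6271 and CVE-2014-7169 using the widely published test strings.
# Function names are illustrative. Needs only a POSIX sh plus the bash under
# test; each check prints "vulnerable", "patched" or "no-bash".

# CVE-2014-6271: bash imported function definitions from environment
# variables and kept parsing (and executing) whatever followed the body.
# A patched bash ignores the trailing command, so "VULNERABLE" never appears.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first fix left parser state behind, so a crafted
# definition could turn `echo date` into a redirection; a vulnerable bash
# runs `date` and writes its output to a file literally named "echo".
# The probe runs in a scratch directory so the side effect is contained.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    dir=$(mktemp -d) || { echo error; return 0; }
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$dir"
    echo "$result"
}

# Report both results; exit non-zero if either probe succeeded, so the
# script can gate a patch-verification step in automation.
shellshock_report() {
    r1=$(check_cve_2014_6271)
    r2=$(check_cve_2014_7169)
    echo "CVE-2014-6271: $r1"
    echo "CVE-2014-7169: $r2"
    [ "$r1" != vulnerable ] && [ "$r2" != vulnerable ]
}

shellshock_report
```

Run it on each host after the operating system's bash package has been updated; a fully patched bash reports "patched" for both CVEs. Note that a bash that is fixed for CVE-2014-6271 but not CVE-2014-7169 will pass the first check and fail the second, which is exactly the gap the second advisory describes.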

Proofpoint immediately began to assess which products are impacted and has released emergency patches to secure them against both vulnerabilities.

The following Proofpoint services and products have been patched:

  • Proofpoint Enterprise Protection and Privacy (PPS) versions 6.3, 7.0.2, 7.1, 7.2 and 7.5
  • Proofpoint On Demand (PoD) services
  • Proofpoint Targeted Attack Protection
  • Proofpoint Secure Share and Cloud Based Smart Search
  • Proofpoint Essentials services
  • Proofpoint Enterprise Archive and Governance services

Proofpoint has released hotfixes for Sentrion versions 4.2.x, and 4.3.x. Please visit the Sendmail customer portal for hotfix download instructions.

Customers with physical and virtual appliance deployments of PPS 6.3, 7.0.2, 7.1, 7.2 and 7.5 on their premises with patch auto deploy turned ON: No action is required from customers.

Customers with physical and virtual appliance deployments of PPS 6.3, 7.0.2, 7.1, 7.2 and 7.5 on their premises with patch auto deploy turned OFF: Customers have been notified to apply the applicable patches by following the steps below.

  • Go to your Proofpoint Admin Console GUI
  • Navigate to System - Licenses and Updates - General
  • Click the Checkbox on the left-hand side next to the patch
  • Click the Apply Update(s) button on the menu

Customers running PPS 6.3, 7.0.2, 7.1, 7.2 and 7.5 as software on their own hardware (rather than on a Proofpoint physical or virtual appliance): patch the underlying operating system so that the host's bash package includes the fixes for both vulnerabilities.

Customers using Proofpoint on Demand services, Proofpoint Targeted Attack Protection, Proofpoint Secure Share, Proofpoint Essentials and Proofpoint Enterprise Archive and Governance services: No action is required from customers. We are closely monitoring this issue and will provide updates as they become available.

Keeping your data secure is our top priority. If you have any additional questions or concerns, please contact Proofpoint Support.

Sincerely,
Proofpoint Inc.

September 21, 2014

Latest in the Microsoft v US Govt Odyssey: LEADS Act

The unanswered question of whether the US Government can access your email stored in a non-US location took a new twist on Thursday with the introduction of new legislation that attempts to limit that access - http://www.hatch.senate.gov/public/_cache/files/1f3692d5-f41f-4c73-acf2-063c61da366f/LEADS%20Act,%20September%2018,%202014.pdf

The bipartisan Senate bill, called the Law Enforcement Access to Data Stored Abroad (LEADS) Act, would amend the woefully outdated Stored Communications Act of 1986. It would require courts to issue warrants when requesting content from service providers for both US and foreign citizens when the data is stored in the US, or to notify users directly if a warrant is not issued. As significantly, it calls for warrants for data of US citizens stored abroad to be modified or vacated if found to violate the laws of the foreign country.

Not surprisingly, the Act was quickly applauded by Microsoft's General Counsel Brad Smith (http://blogs.microsoft.com/on-the-issues/2014/09/18/new-milestone-conversation-electronic-privacy-laws/), who stated:

“It is important that government demands for customer data comply with the laws of countries where the data are stored. And these laws must provide adequate legal protections for the privacy and human rights of users”

If enacted, the Act would apply only to data of US citizens - with warrants for non-US data of non-US citizens continuing to be addressed by the Mutual Legal Assistance Treaties (MLATs).

Implications

The LEADS Act would be a big step forward in transparency by requiring warrants for data stored in the US ("warrant for content"), and in creating more uniform guidance for US citizen data stored abroad in light of data privacy mandates in those jurisdictions. However, its passage would be accompanied by complications, including:

  • The ability to quickly and accurately identify nationality and status of end user data
  • Reaction from foreign governments to processes that the US government can use to collect their citizens' data stored in the US
  • The potential impact on new data locality requirements
  • The unequal processes for US citizens and foreign nationals, in particular in light of a slow and inefficient MLAT system

These complications, along with the simple challenge of determining the location of data stored by a cloud provider that uses a multi-tenant storage model, will no doubt be thoroughly debated as the LEADS Act makes its way through Congress.

However, in light of the LEADS Act, organizations evaluating cloud providers now are well served to:

  • Determine if the cloud provider has the ability to store data exclusively in the jurisdiction of your choosing
  • Prioritize cloud providers that cannot read your information because the encryption keys are kept separate from the stored data and remain under client control
  • Investigate policy management capabilities, in particular the ability to provide role-based access privileges to limit access to regional data to those with knowledge of data privacy mandates in those regions

---

Robert Cruz is Senior Director of eDiscovery and Information Governance at Proofpoint.

September 17, 2014

More FOIA: New Fed Email Guidance Issued

As an update to the previous post: yesterday, the Federal Government's Office of Management and Budget (OMB) issued new Guidance on Managing Email (http://www.whitehouse.gov/sites/default/files/omb/memoranda/2014/m-14-16.pdf). It states that OMB will begin to more actively enforce agency progress in implementing systems that ensure email is managed in an electronically accessible format to meet FOIA requirements.

Immediate actions outlined by OMB require that agencies have made progress in initiating NARA Records Certifications and have implemented training programs by December 31, 2014. Ultimately, agencies must have programs and processes in place to meet all legal and FOIA obligations by December 2016.

The bulletin also reiterates the importance of implementing automated approaches to records management given the limitations of user-dependent approaches. According to the newly issued NARA Bulletin 2014-06 attached to the guidance:

NARA recognizes that placing the responsibility of making decisions on an email-by-email basis can create a tremendous burden. NARA therefore recommends that agencies immediately begin to adopt automated or rule-based records management policies for email management.

Implications

While the guidance yesterday serves primarily as a reminder to Federal government agencies on the actions they should be taking now, it is also very timely given the recent auto delete missteps making the news.

However, a key point of emphasis from the guidance is that information should be stored in a manner that is electronically accessible for search and retrieval in accordance with FOIA and legal discovery requirements, reinforcing points made in the previous post. Dependence on back-up tapes, restoration of computer hard drives, or on-going reliance on outdated systems operated on premises provides neither the accessibility nor the automated policy management needed to meet the standard mandated by NARA.

---

Robert Cruz is Senior Director of eDiscovery and Information Governance at Proofpoint.

September 15, 2014

Freedom of Information: Defeat the Auto Delete

Interesting news from the great state of PA (http://www.post-gazette.com/news/state/2014/08/29/Pennsylvania-eyes-purchasing-email-archiving-system/stories/201408280307), which has just discovered that it needs a system to preserve the email of 80,000 employees across 47 agencies beyond the current practice of auto-deleting after 5 days. According to the Post-Gazette article,

  • Employees are themselves determining what are business records;
  • Email is retained for only 5 days on department servers then Auto Deleted;
  • It has no interim plan to preserve deleted email past the 5 days while an archiving system is deployed

The implications in lacking such a system have already been felt by the State of PA – whether pertaining to the most recent issues surrounding the Pennsylvania Education Department’s ability to produce a grand total of 5 emails over a 1 year time frame pertaining to a specific matter, or missing documents that arose during the Sandusky trial.

Not to be outdone, New York State has also drawn criticism for implementing an auto-delete process after 90 days for items not flagged by users as meeting one of 218 different records classes (http://www.propublica.org/article/why-is-cuomo-administration-automatically-deleting-state-employees-emails). This, even after implementing Microsoft Office 365 and being provided with an ample quantity of email storage per user. The justification, according to an unnamed state official quoted in the article:

"Just because you have a big house doesn't mean you have to shove stuff in it".

Good argument. Even if storage costs continue to fall, searching through a large quantity of Office 365 data to respond to a time-bounded FOIA request can be a challenge. But clearly, the ability to address Freedom of Information requests can be compromised, at best, if the Auto Delete function does its work.

It should be noted that some states (Florida, Washington and Connecticut, as examples) do not automatically dispose of items reaching the end of their retention periods; all require a review by an authorized representative with visibility into potential litigation or other business reasons that would necessitate continued retention of the information.

A useful resource listing the records policy for each state can be found here: http://rc.statearchivists.org/Resource-Center/Topics/Records-schedules/State-records.aspx

Implications

When you add the States of PA and NY to the well publicized email retention challenges of the IRS and Veterans Administration, we clearly have a long way to go in effectively managing retention and disposition policy. As a starting point, State, Local, and Federal Government agencies are well served to:

  • Explore archiving technology that automatically assigns specific retention periods to individual items so that dependence on users to understand unwieldy retention procedures is reduced
  • Examine cloud-based archival solutions that remove storage cost as a variable in the retention policy decision
  • Understand the performance capabilities of these archival systems to know which are suitable to address broad, time-sensitive FOIA requests
  • Ensure that a specific authorized individual retains the responsibility to hit the red button - based upon their knowledge of whether that information has potential value in satisfying an investigative or public right to know.

And, visit http://www.proofpoint.com/products/archive-governance/enterprise-archive/index.php to learn more about how to defeat the Auto Delete.

---

Robert Cruz is Senior Director of eDiscovery and Information Governance at Proofpoint.
