Proofpoint: Security, Compliance and the Cloud

December 01, 2014

Enterprise Governance Award Highlights ROI of Targeted InfoGov Initiatives

Thanks to readers of Redmond Magazine, who voted Proofpoint Enterprise Governance as a winner of the Third Party Reader’s Choice Award: http://finance.yahoo.com/news/proofpoint-enterprise-governance-recognized-excellence-130500445.html?soc_src=mediacontentstory&soc_trk=tw.

As stated well by Proofpoint’s Darren Lee (GM and EVP of the InfoGov Business Unit): "Proofpoint's technology provides powerful insights into where risky and sensitive data is stored across the enterprise, including shared drives and SharePoint. We leverage an innovative, cloud-based approach for data classification and remediation that greatly simplifies the historically difficult task of automatically identifying and quarantining an organization's most sensitive data."

This selection by the Microsoft IT community also highlights the ROI that is achievable with prioritized IG efforts that target high-value content that can leak into unmanaged locations. For example, professional services firms have targeted SharePoint locations to monitor and secure IP and client-sensitive content contained within in-process work product. Financial services firms regulated by FFIEC must ensure that they can comply with regulatory-driven policies by preventing documents from leaving their managed environment, via integration with DLP technology. And CUNA Mutual Insurance implemented ‘clean-up days’ to attack a networked file share dumping ground and eliminated 160TB (including 40+% of file duplicates and 45% of files older than 5 years), yielding a first-year savings of $2.1M in storage costs alone.

The award, as well as the cases mentioned above, also demonstrates the maturation of information governance initiatives over earlier attempts that entailed ocean-boiling and human-dependent action. They also highlight how IG and classification can help organizations gain the upper hand over uncontrolled data growth, while enabling improved visibility into the higher value/risk items that demand greater organizational control.

How Proofpoint Can Help
Throughout its history, Proofpoint has enabled organizations to protect critical information against inbound threats and outbound leaks of sensitive information, as well as enabling improved readiness to address regulatory compliance and eDiscovery demands. This sole focus on protecting information includes Proofpoint Enterprise Governance, which allows organizations to proactively monitor and control critical information—wherever it resides. With Enterprise Governance, organizations can efficiently track, classify, monitor and apply policies to unstructured information across the enterprise.

---

Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.


November 21, 2014

Gartner MQ on Enterprise Information Archiving: Top 5 Take-Aways

Given the dynamic world of malicious, targeted attacks and daily incidents of data breach, you may have missed the most recent release of the Gartner Magic Quadrant for Enterprise Information Archiving. (In case you did, it can be downloaded here: http://www.proofpoint.com/id/gartner-email-archiving-enterprise-information-archiving-magic-quadrant/index.php)

[Figure: EIA MQ 2014 (Gartner Magic Quadrant for Enterprise Information Archiving, 2014)]

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from [insert client name or reprint URL].

No doubt, you are asking yourself “why archive when we have our email in Office365 (or gmail + Vault)?”, “what does archiving have to do with data protection?”, “cloud is nice, but my day job is to keep our 100TB(+?) in EV alive”, or “only small companies archive data in the cloud”. All good questions, which I will address in the Top 5 Take-Aways from the Gartner Enterprise Information Archiving report. Here goes:

1. Why do I need an archive? Not a new question for some, but as noted in the report, organizations are increasingly viewing archiving investments as “active” or “near-line” sources of data, which continues to widen the separation from the simple, infrequent access of historical data on back-up storage. That frequent, time-sensitive access requires features that satisfy legal and compliance users, as well as safeguards to ensure that data can be preserved in real time. As regulatory complexity and unique data privacy mandates continue to grow, these features will continue to evolve beyond the basic “good enough” capabilities provided natively by Microsoft and Google.

2. It’s about information value: the need for this frequent access is quickly extending beyond the realm of email, due to the rapid expansion of sanctioned employee communication channels as well as broadened regulatory purview (e.g. FINRA, FFIEC, and FDA guidance on social media). As is now stated all too frequently: the goal is to manage information according to its value, regardless of its location. This goal extends beyond email to files, collaboration applications, IM, social media and Web page content, given the sensitivity and value of content increasingly delivered through those channels.

3. Scattered Clouds: It is no surprise that cloud-based archiving continues to shift spending from outdated on-premise legacy technologies to those that are proving to deliver lower TCO and remove IT hassle. In fact, the report notes that “Gartner sees 60% to 70% of new or replacement email archiving implementations as being cloud-based” (1), up from small percentages only a few years ago. However, what is clear from this year’s report is that cloud offerings are not homogeneous. Commentary provided on each vendor shows greater stratification of capabilities: some are noted to provide solutions appropriate for small firms primarily looking to outsource the management of email, versus those designed to meet complex regulatory compliance, eDiscovery, and information governance demands. I’d expect this stratification to accelerate as due diligence processes mature and non-IT stakeholders (e.g. legal, compliance, IT security) increasingly shape cloud requirements.

4. Migration friction falling: the time, cost, and disruption of moving off overgrown, poorly performing on-premise legacy systems has represented the largest, and most uncertain, variable in the 1-3 year archive planning cycles of many organizations. Consequently, some have stayed with outdated systems even when those products had reached end-of-life or end-of-support, or had been sold off to small consulting outfits (e.g. http://capaxdiscovery.com/pdfs/Capax%20HP%20EAS,%20Nearpoint,%20and%20CAMM%20announcement%2019%20Sept%202014%20v2.pdf). But that switching cost is falling as more migration options become available, migration tools improve, and firms with eDiscovery pedigrees (e.g. DTI) become more active in the migration market.

5. Convergence is coming: As witnessed daily, data security and privacy are becoming top C-level priorities for more and more organizations. This is also impacting the information archiving market, as CISOs become more active in buying cycles and firms look at how the potential risks of cyber-attack or data breach can be mitigated across their information management investments. As one tangible example, Gartner for the first time published an accompanying piece titled “Financial Services Context”, which calls out capabilities uniquely suited to complex regulatory compliance. This need for integrated security and compliance will drive a greater shared view of information value and risk, and will lead more firms to create cross-functional forums in an attempt to reconcile priorities in areas such as policy management and data classification.

(1) Source: Magic Quadrant for Enterprise Information Archiving by Alan Dayley, Garth Landers, Anthony Kros, and Jie Zhang, Gartner, Inc., November 10, 2014

How Proofpoint Can Help

Proofpoint Enterprise Archive is a next-generation archiving solution that addresses three key challenges—legal discovery, regulatory compliance, and end user email access—without the headaches of managing archiving in-house. Built with an architecture explicitly designed to leverage the cloud, Proofpoint Enterprise Archive is up and running in days, delivers low, predictable lifetime cost, and scales to handle the largest global organizations. All data stored in the archive is secured via Proofpoint’s patented DoubleBlind™ Key Architecture, ensuring that only customers hold the keys needed to access unencrypted information. Backed by a search performance guarantee, Proofpoint Enterprise Archive searches are sustainably fast and reliable across email, documents, instant messages and social media content. This functionality scales even as archived data volume reaches hundreds of terabytes.

To further extend visibility and security, many organizations complement Proofpoint Enterprise Archive with Proofpoint Enterprise Governance. This full information governance suite allows organizations to proactively monitor and control critical information—wherever it resides. With Proofpoint, organizations can efficiently track, classify, monitor and apply policies to unstructured information across the enterprise. Most recently, Proofpoint further enhanced its social media compliance and security offerings with the acquisition of Nexgate. This addition allows Proofpoint customers to harness social media opportunities, mitigate information risks and satisfy evolving regulatory mandates.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

---


November 17, 2014

Social Risk & Compliance: Webinar Recap

A big thank you to all who attended our webinar co-hosted with Forrester Research on Social Media Risk & Compliance. For those who registered and could not make it, a replay link will be available at http://www.proofpoint.com/id/Webinar-Q414-Archive-Forrester/index.php?id=2, where you can catch a very interesting dialog between Forrester’s Nick Hayes and the General Manager of our Nexgate division, Devin Redmond, on the lessons learned from social media adopters in 2014, along with some of the priorities and concerns that will carry into 2015. I thoroughly enjoyed moderating the discussion.

The webinar was very well attended across multiple industries and senior-level business functions, and we were able to capture some very interesting feedback from those who filled in a post-webinar survey indicating their social media challenges and priorities. This data complements the just-released Research Paper produced by Nexgate on the current state of Social Media Infrastructure – Part 1: Benchmarking the Social Communication Infrastructure of the F100. The full Research Paper can be accessed here: http://go.nexgate.com/F100ReportPart1. The report highlights that:

  • Only 30% of social publishing done by the Fortune 100 on its branded accounts is through a professional tool, and
  • Brand-generated content accounts for less than seven percent of total content contained within branded social media channels.

However, organizations remain liable for the other 93 percent of user- and partner-generated content created outside of approved processes and channels, which partially explains the high level of interest in forums such as the Forrester webinar. Here are some of the interesting conclusions drawn from those filling out the survey at the end of the session (25 responses in total).

1. Social has cross-functional attention and visibility – illustrated by responses to the question: Who is Driving Social Media Projects inside your organization?


The cross-functional ownership, in particular the heavy involvement of marketing and security functions, highlights how social reward and risk are both key project requirements.

2. Protection against data leakage is a top challenge – from both data protection and regulatory perspectives. 45% of respondents indicated that data leakage was the greatest challenge from a data security perspective:


25% of respondents also indicated that potential data leaks are their highest regulatory and legal challenge, second only to the challenge of leveraging current tools and workflows to address social. Clearly, the protection of sensitive information that may reside within social impacts information security, regulatory compliance, and legal stakeholders alike.

3. From a legal and compliance perspective, policy enforcement is the top priority, followed by the archiving and supervision of social content.


Although the sample size of this webinar survey was fairly small, the data does reflect that many respondents are still in the early stages of modifying policies to reflect the unique aspects of social, and of examining systems that can automate the capture and review of social content according to policy. This is also an indicator that more are realizing that the use of social is inevitable, and that investments now need to focus on enabling proactive readiness and control, before the organization ends up in the headlines.

Look forward to more information in Nexgate’s upcoming installments of Social Media Infrastructure that focus on the steps necessary to mitigate the security threats as well as compliance risks while maximizing social media ROI.

How Proofpoint Nexgate Can Help

Throughout its history, Proofpoint has enabled organizations to protect critical information against inbound threats and outbound leaks of sensitive information, as well as enabling improved readiness to address regulatory compliance and eDiscovery demands. This sole focus on protecting information is now extended with the addition of Nexgate, ensuring that social media can be harnessed by your business while information risks are mitigated and evolving regulatory mandates are satisfied.

---


November 06, 2014

Social Media Risk and Compliance: Are you in Control?

Thanks to those who have registered for our webinar with Forrester Research on "Enterprise Social Media Risk and Regulatory Compliance in 2015". As demonstrated by the broad, cross-functional interest, the topic is becoming front and center for more organizations, and the undeniable appeal of enterprise social continues to gather momentum.

Why the high level of interest? Good question. I'll offer five key reasons why the topic of social media risk and compliance (SRC) will continue to gain visibility in 2015, not only amongst security and risk professionals, but also with those responsible for eDiscovery and regulatory processes, as well as those simply attempting to harness Chatter, LinkedIn, and Twitter to enhance their brand and improve communication with customers and prospects.

1. Social visibility is often limited: in spite of numerous studies and statistics highlighting the mushrooming growth of social within organizations, those with responsibility for the management of security and communication risks are not always aware of how social is being used. In fact, according to a 2014 survey from Osterman Research (1), 85% of IT professionals indicated limited or no visibility into how social is currently being used by employees.


Limited visibility means limited control over risks, as well as a greater challenge in determining the scope and scale of that risk.

2. Regulatory complexity continues: 2014 marked a very active year for new social regulations and guidance for broker-dealers and other financial services, Pharma/Life Sciences, and other regulated industries, both within the US and internationally. However, companies continue to press the need for greater clarity and less taxing methods of compliance. In fact, in the case of FINRA, a summer sweep of social media activity amongst broker-dealers highlighted the need for both improved advisor training and better integration of social into current supervisory practices (2). Aside from additional regulatory guidance, more work is clearly needed to ensure that employees and processes have adjusted to meet new regulatory mandates.

3. Threats increasingly targeting social: the increased focus on data protection today has evolved beyond the known world of spam and malware to the rapidly evolving and sophisticated realm of targeted and malicious attacks. In fact, social media is today an essential tool for launching spear phishing campaigns, and Proofpoint's Human Factor Report noted that "social media invite" phishing templates were far and away the most effective phishing template (3). As in the case of compliance, information security protocols and investments will need to extend to new communication channels to stay a step ahead of those with intent to do harm.

4. Cross-functional exposure challenges existing processes: risks introduced by the use of social impact multiple functions, from legal and compliance to security, IT and operations as noted in the graphic below:

[Figure: Risk concerns will remain high in 2015]

With each function bringing its own distinct processes, technology selection criteria, and tracking requirements, the challenge of establishing an ongoing, cross-functional forum to reconcile priorities can be overwhelming. Given the growth of social and the increased likelihood of policy violation and security exposure, scaling these efforts with manual processes and duplicative tools is simply not sustainable.

5. Existing solutions are evolving: As noted in Forrester's Wave™ for Social Risk And Compliance Solutions, the available market offerings are still emerging, which can often lead to a confusing and overlapping set of choices. Forrester advises companies to seek balance in evaluating "SRC solutions that provide controls for organizations to empower users to engage with customers through social media effectively and efficiently, within the bounds of risk tolerance and compliance requirements" (4).

How Proofpoint Nexgate Can Help

Throughout its history, Proofpoint has enabled organizations to protect critical information against inbound threats and outbound leaks of sensitive information, as well as enabling improved readiness to address regulatory compliance and eDiscovery demands. This sole focus on protecting information is now extended with the addition of Nexgate, ensuring that social media can be harnessed by your business while information risks are mitigated and evolving regulatory mandates are satisfied.

---

(1) Osterman Research, "Best Practices for Social Media Management and Archiving", February 2014

(2) http://www.forbes.com/sites/joannabelbey/2014/09/03/yes-finra-and-the-sec-like-social-media/

(3) http://www.proofpoint.com/id/proofpoint-human-factor-report/index.php

(4) Forrester Research, Inc., "The Forrester Wave™: Social Risk And Compliance Solutions, Q2 2014"

---


October 27, 2014

Regulatory Driving InfoGov Agendas

With #ARMA14 now underway, it is a good time to address some of the key forces that are leading organizations to re-examine their records and information governance initiatives.

Driving force #1: Regulatory

I'll give this the top spot, as numerous recent surveys indicate that increasing regulatory complexity is a top concern. There are multiple CIO-focused surveys (e.g. CIO Magazine, Gartner, Forrester) where this is noted, but here are a few other C-level examples:

  • CEO: Gartner's 2014 CEO and Senior Executive Survey, "'Risk-On' Attitudes Will Accelerate Digital Business", lists regulatory change as the #2 external trend shaping business strategies (following macroeconomic growth) (1)
  • GC/CLO: Norton Fulbright's 10th Annual Survey of Litigation Trends cites regulatory/investigations as a top concern for 41% of corporate litigators surveyed, up from 23% in 2013 (2)
  • CFO: Deloitte & Touche LLP's 2014 CFO Signals Survey notes, “Concerns about additional regulations, lack of clarity, costs of compliance and unintended consequences made regulatory concerns the most consistently voiced” (http://deloitte.wsj.com/riskandcompliance/files/2014/07/signals_Q2_2014_high_level.pdf) (3)

These concerns are not without merit. In fact:

So, what key InfoGov preventative actions can be extracted from this data? Here's the top 4:

  1. Automate Policies: the importance of automated policy definition and, as importantly, enforcement has never been higher, given the continuing explosion of data growth and an increasingly complex regulatory environment. Regulatory risk calls not only for the remediation of junk but, more importantly, for the classification of data that is potentially sensitive to regulators.
  2. Robust Systems: several of the noteworthy cases within the sanctions totals above related directly to dependence on systems that were not designed to deal with the volume and variety of data in use by organizations today. How current systems will cope with an environment where data is expected to double again in the next 18 months is worth examining before your next support renewal arrives.
  3. Extended Control: clearly, regulatory risk lives beyond managed repositories, as illustrated by cases such as the "Tweeting Broker" and the Regulation FD mishap of NetFlix. Social, cloud, and BYOD will only continue to press the need to expand compliance control into the wild.
  4. Enhance Reporting: as simple as it sounds, reporting systems must be nimble and flexible, and must enable fast response to the increased frequency and unpredictable arrival rate of regulatory inquiry. FINRA, SEC, FFIEC, HIPAA, FDA and other regulators are all stepping up their game, and improved reporting rigor and inquiry response time should be key requirements in the evaluation of any new information governance project.

How Proofpoint Can Help

Proofpoint’s Information Governance portfolio helps regulated organizations address compliance complexity with solutions that manage information according to policy, enabling more efficient discovery and supervision, with unsurpassed data privacy and information security protection. This includes Proofpoint Enterprise Archive to securely manage email, IM, and social media; Enterprise Governance to track and control files and documents in place; and the Social Platform for Archiving to capture and control leading social media channels including Twitter, LinkedIn, Facebook, Salesforce Chatter, and Microsoft Yammer.

---


October 24, 2014

What do naked mole rats teach us about information governance?

ARMA 2014: Stephen Chan, senior director of Products and Information Governance, will present “Informational Convergence—corporate departments are increasingly in need of corporate wide classifications that span the needs of security, legal and records management.” His presentation will take place at 11:15 a.m. PDT (2:15 p.m. EDT) on Sunday, October 26 in the San Diego Convention Center, Hall Room 528.

---

[Figure: Naked mole rat]

Despite being named 2013’s Vertebrate of the Year, this little fellow did not appear on the cover of People, US, or other checkout counter fare.

Still, some of you may already know of the naked mole rat, a unique and unusual species and one of the best examples of convergent evolution.

Apart from their singular appearance, naked mole rats have quite a few remarkable characteristics. They are insensitive to pain. They do not get cancer. They live as much as 30 times as long as typical rats. They are like little yogis, decreasing their heart rate and metabolism when needed to survive periods of shortage.

But what’s most interesting is that they are eusocial animals, living in colonies much like bees or ants, with a single queen, a few males, and otherwise sterile workers and soldiers.

Despite their similarities, naked mole rats, which are mammals, evolved this behavior independently from bees and ants, which are both part of the order Hymenoptera. This type of coincidence in evolutionary biology is called convergent evolution, which describes biological systems that independently evolve similar traits to adapt to similar environments or to overcome similar survival challenges. It’s when a behavior is so advantageous that more than one organism evolves it.

Now what does this little guy have to do with our blog? Well, in the same way that convergent evolution exists in nature, so too can it come about in technology, and I believe we’re seeing the same thing happening with information governance, specifically with regards to content classification, which can be called Informational Convergence.

Whether you’re an attorney, a records manager, or a CISO, you’re a stakeholder who is highly concerned with risk and looking for tools that can help classify and identify where information breaches would be most disruptive and damaging. To do this, companies are demanding strong, sophisticated classification tools to identify important or sensitive data. Where informational convergence comes into play is that, despite the broad range of stakeholders that need classification, all need the same thing: accurate classification. It does not matter what topics firms are classifying for, so long as it is accurate. What organizations do with their content after classification has taken place, such as legal hold, quarantine, disposition, etc., is still important, of course, but the domain where the most improvements are being demanded and must be made is that of new, accurate, and cost-effective classifying technologies.

While convergent evolution in nature occurs where two different organisms evolve similar characteristics or behaviors, informational convergence describes how groups or departments within organizations are demanding the same or similar capabilities. As technology vendors, we want to identify and meet new customer needs. At Proofpoint, we’re identifying the organizational domains with the greatest need when it comes to classification, particularly where our current coverage areas are strong. In Proofpoint’s case, this is in the areas of e-discovery, security, and records management.

Over the next year, technologies related to classification both novel and tried will continue to pop up. Proofpoint will look to innovate in ways that can best provide customers with a holistic solution that classifies across a broad range of roles and in a highly accurate and cost effective manner, creating a robust and durable solution, just like the naked mole rat.

---


Stephen leads products for the Information Governance team at Proofpoint. Successfully merging 15 years of expertise in the areas of e-discovery, compliance, and records management together with their most relevant technologies, Stephen drives thought leadership in the industry and has advised the SEC and Global 1,000 organizations. Prior to Proofpoint, Stephen was co-founder of several enterprise and consumer software firms, served as primary investigator on two government funded research projects, and has been published in over twenty magazines and books. Stephen is a graduate of the University of California at Davis and Harvard University.
