Proofpoint: Security, Compliance and the Cloud

Exciting news to share with you this afternoon about Proofpoint's progress in the Federal space.

In an announcement issued just this afternoon (see, "Proofpoint Receives FISMA Certification from USDA"), Proofpoint announced that its its Proofpoint Enterprise Archive solution has been granted an Authority to Operate (ATO) by the United States Department of Agriculture (USDA).

Proofpoint was granted the ATO on April 19, 2011, based on its ability to meet the stringent requirements of the Federal Information Security Management Act (FISMA) certification and accreditation (C&A) process. FISMA certification and accreditation indicates that a federal agency has approved a particular solution for its use in line with the level of security established by that agency.

As noted in the announcement, Proofpoint Enterprise Archive is the first cloud-based archiving solution to be granted an ATO by a Cabinet-level agency.

The USDA is using Proofpoint’s email archiving solution in conjunction with that department's deployment of  Microsoft's cloud-based Enterprise Messaging Services. This deployment will provide compliant email archiving for 120,000 Microsoft Exchange users spread throughout 21 departments, making it the largest US Federal government implementation of cloud-based enterprise email archiving technology.

Proofpoint Enterprise Archive will allow the USDA to easily access archived email for regulatory requests, retention policy adherence and legal discovery.

Susie Adams, the chief technology officer for Microsoft Federal said, "The U.S. Department of Agriculture has certified and accredited Microsoft’s cloud-based suite for government customers in accordance with FISMA, allowing Microsoft to provide these services to government customers. This milestone is further validation of the high standards of compliance and security within Microsoft’s cloud-based solutions."

You can find more comments from Susie Adams in her blog post in Microsoft's FutureFed blog. See, "USDA Awards FISMA Certification for Microsoft’s Business Productivity Online Suite (BPOS) - Federal."

Andres Kohn, Proofpoint's vice president or archiving and eDiscovery solutions, commented, "Many federal agencies are looking to cloud-based services to help them meet the dual challenges of tightening budgets and more severe and frequent security breaches. By achieving FISMA certification for our e-mail archiving solution in conjunction with Microsoft BPOS-Federal, Proofpoint is opening the door for more rapid adoption of cloud-based e-mail solutions throughout the US Federal community."

As you might imagine, achieving FISMA certification is a complex task, involving third-party assessments of a wide variety of security features and policies. In this case, SecureInfo Corporation assisted with the assessment of Proofpoint's solutions.

SecureInfo CEO Christopher Fountain said, "As a third-party assessor, SecureInfo has conducted thousands of information security assessments and has specific expertise in all aspects of FISMA compliance. As part of our assessment of Proofpoint’s enterprise email archiving solution, Proofpoint successfully demonstrated the effective implementation of the management, operational and technical controls , which was required to realize an ATO at the USDA and is a critical element of FISMA compliance."

Additional comments from SecureInfo's CTO,  Yong-Gon Chon, about the complexity and rigor of these evaluations can be found in his guest post in the Microsoft Online Services Team Blog. See, "What Goes Into a FISMA Certification?" 

We're looking forward to bringing the benefits of Proofpoint's SaaS email archiving solution to the USDA and other US Federal agencies.

eDiscovery and archiving are top-of-mind at Proofpoint today as we issued our predictions about the top ten trends in eDiscovery for 2011. As part of that announcement, we've published a new CEO series video where Gary Steele discusses "Three Key Trends in Archiving and eDiscovery."

Check out the video and then read on after the jump for our top 10 eDiscovery trends for 2011 (see the "Click to Jump" button below...)

The corporate business division of Swisscom, the leading telecommunications provider in Switzerland, announced today that it has entered the cloud computing / Computing-as-a-Service market with a new family of on-demand IT offerings that include cloud-based computing, storage and email archiving features powered by leading SaaS vendors, including Proofpoint.

Swisscom's Cloud Services (see http://www.swisscom.com/cloud for more information) allow companies to build up their computing and storage capacity at any time, without having to make investments in IT infrastructure or specialized staff. The three main components of Cloud Services are:

Our friend Keith Shaw over at Network World has a great new "Panorama" podcast up today where two email archiving experts—Proofpoint's own Andres Kohn and AppRiver's James Dean—talk about the email archiving challenges that both enterprises and SMBs face.

In "E-mail Archiving Challenges: Two Perspectives", Andres takes the enterprise perspective while James represents the SMB space.

You can have a listen by visiting Network World's site here:

http://www.networkworld.com/podcasts/panorama/2010/060710pan-archiving-twosides.html

Or you can download an mp3 version directly to your local machine here:

http://podcasts.networkworld.com/panorama/2010/060710pan-archiving-twosides.mp3

With eDiscovery, archiving and litigation readiness very much in the headlines these days (see my recent posts about BP and Piper Jaffray), you might want to learn more about the issues discussed in this podcast. In our upcoming live web seminar, "Surviving eDiscovery" we'll discuss initial steps for compliance and litigation readiness as well as provide practical advice for both legal and IT teams. To register, please visit:

http://www.proofpoint.com/id/survive-ediscovery/index.php?id=6

Messaging News has an extensive feature this month on "Preserving Email through Hosted Email Archiving" wherein Proofpoint's Andres Kohn is extensively quoted. This article provides a great overview of why more and more companies are looking to hosted email archiving solutions, rather than deploying an archiving solution on-premises.

Lots of good information in this article on the benefits of SaaS email archiving, security concerns, disaster recovery issues, eDiscovery and adoption trends.

Here's a brief excerpt:

For Proofpoint, the company saw the security issue as one of the biggest concerns people think of with SaaS. Kohn describes it this way: “I am now sending a copy of every email that I send and receive to somebody else. People got over that with inbound scanning, because they figured it was coming from the Internet anyway, but when you talk about all your internal email correspondence, that gets scarier. So people were really looking for a high-level of security, and that is where we have stepped into the fray.”

Proofpoint ARCHIVE is a hybrid model, where it is neither all on-premises, nor all in the cloud. “We decided to put what we thought were the right components in the right places,” explains Kohn. “Most of the infrastructure lives in our data centers. We also place a lightweight appliance that sits at the client site. What happens is that the appliance talks to the mail server; it grabs copies of all the messages, and encrypts it with a key that only the appliance has, and sends it to us encrypted. We have no way of ever being able to read any of the content, because the only key sits at the customer site. When a customer wants to do a search, they go to the appliance and the appliance encrypts the search terms and sends that to us. We get the results, but we do not even know what they are searching for.”

Find the whole article here:

http://www.messagingnews.com/story/preserving-email-through-hosted-archiving

We're seeing a lot of questions from organizations that are considering deploying an email archiving solution (such as Proofpoint ARCHIVE) about what impact, if any, Microsoft Exchange 2010 will have on their email archiving plans.

Among the many enhancements in Exchange 2010 are basic email retention features, basic eDiscovery features and a variety of storage management improvements. The question is, will these improvements eliminate the need for third-party archiving solutions?

Proofpoint email archiving expert Rick Dales wrote up a great summary of the new archiving-related features in Exchange 2010 and how well they address the true email archiving and eDiscovery needs that we see in enterprises today.

His comments are summarized in a new Proofpoint TechBrief which you can download by clicking the image in this post, or the link below (this document does not require registration to download):

Proofpoint TechBrief: Email Archiving and Exchange 2010 (PDF document)

This document does a great job of explaining these enhancements in the latest version of Exchange and how, for many enterprises, they won't replace the need for more robust third-party email archiving solutions. There's a lot of great detail in this document, but in short, we feel that:

"Organizations deploy archiving solutions to address three main business problems: Storage management, legal discovery and compliance. For some organizations, Microsoft’s solution may help address some storage management challenges. However, legal discovery seems to be the most pressing driver for recent archiving deployments—and Exchange 2010 only addresses the most basic of legal discovery scenarios. Finally, Exchange 2010 does not address the compliance concerns, particularly for SEC regulated firms, so these organizations clearly need a third-party archive."

Whichever side of this debate you take, I think you'll find this new TechBrief an interesting read! This topic will be the subject of an upcoming live Proofpoint web seminar in the new year. Watch the blog for details.

Posted by Jeremy Hope, VP Operations

Security remains one of the biggest concerns that IT professionals have when a considering Software-as-a-Service solution. As a result, one of the most significant challenges that a SaaS provider must overcome is establishing a high degree of trust that customer data is safe in the vendor’s hands. There are a number of ways to do this, but one of the most important metrics that customers look for is the Statement of Auditing Standards No. 70, Services Organizations ("SAS 70") Type II Certification.

At Fortiva, we formally announced today that we achieved the SAS 70 Type II certification. SAS 70 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants that validates that a service organization has been through an in-depth audit of its control activities, and demonstrates that they have adequate controls and safeguards when they host or process data belonging to their customers.

As anyone who has gone through this knows, it’s a long, drawn-out process that takes a serious commitment on the part of the service provider. However, it is one of the only independent/third-party metrics a customer can look for in order to establish a level of confidence. As a result, it’s an invaluable tool for SaaS providers and one that is worth every bit of the time and effort required to achieve it.

At Fortiva, we always say that maintaining the integrity, privacy and security of our client’s data is our most important goal. To achieve this, we are constantly reviewing our processes and improving them – but most of this happens “behind the scenes”. Achieving the SAS 70 Type II Certification is an important way for us to demonstrate the care and attention we place in this area.

Posted by Jeremy Hope, VP Operations

I recently got an email from a vendor that I felt I had to comment on, and since it refers to something I have recently been blogging on – storage and backups – I thought I’d dump my thoughts into the blog.  The email I’m referring to was from a vendor inviting me to read a White Paper titled The Risk of a Disk-Only Backup Strategy: the Case for Disk and Tape, extolling the benefits of Tape technology for backups rather than relying only on disk to disk backup solutions.

The synopsis of the report is that Disk drives have a high MTBF (Mean Time Between Failure) rate in their later years (jeez technology gets less healthy as it gets older – go figure) and if you drop disk drives they may break (huh?- what a breakthrough!).   This is their total justification of why you need tape in your environment rather than relying on disk to disk backup alone.

Ok, so I concede these two points might be true (i’m not going to try drop kicking any of my disk drives to prove them wrong) but let’s look at the big picture here. The White Paper fails to mention the MTBF rate of Tape Drives and physical tapes themselves (how many times have you tried to retrieve data from a tape to find out it is corrupt?), or the fact if you drop them they break too (both tape drive and tape).  Never mind the headaches you have to go through when you try to restore that 4 year old tape that was created with a drive you no longer have (it was dropped a while back) and the new latest technology drive won’t read it.

The White Paper also fails to mention readily available technologies and solutions (RAID 6, distributed/cluster file systems, grid computing, multiple redundant copies, etc.) that can be used to improve disk to disk backups.  When these technologies are utilized (if you don’t plan to keep up with technology – get out of the IT business) these simple issues can easily be overcome. In fact there are numerous ways that a disk to disk backup solution can be advantageous and even better than tape for data intensive uses such as archives.

At Fortiva we use current RAID technology, accompanied with a grid computing storage infrastructure to provide multiple redundant copies of data across both Primary and Secondary data centers.  At least 3 copies of data exist at any one time and replication is used to keep the copies current.  This includes copies of disk to disk backups for the various systems.

If data is needed to be moved it is done via gigabit network or portable disk drives (that now provide over a Terabyte in capacity) and the new instances of data (and its redundant copies) are verified before the original is deleted.  This accounts for any possible service or data outages within a primary data center caused by any one set of data as well as providing for Disaster Recovery.  Having the backups running on spinning disk also allows for online verification of the data (when is the last time you loaded all of your tapes from tape storage to verify their integrity?).  This is done at a very affordable price without spending a cent on tape infrastructure and all of its complexities.

In our environment tape isn’t just becoming extinct like the Dodo, it’s already gone and buried.

Posted by Jeremy Hope, VP Operations

As Rick's blog entry from January 28 noted, Fortiva recently introduced an entry-level archiving solution (SmartStore) that is extremely price-competitive. To help people better understand how this is possible, I thought I’d explain the unique storage challenges that email archiving presents, and how we at Fortiva deal with those challenges in a way that allows us to keep costs low.

The majority of companies implement high performance, highly redundant, high priced storage for their transaction-based applications and slower performing, less redundant, lower cost storage for larger amounts of data within file based applications.  The challenge with archived data is that it requires storage with both characteristics, crossing the typical boundaries of storage solutions typically implemented within most IT environments. 

Archive data necessitates storage with high throughput, not only to be able to write the large amounts of data within a reasonable time, but also to allow for the searching of the data.  High redundancy within the archive data storage environment is expected since in most cases only one copy of the data will exist (making tape copies of hundreds of TBs of data is impractical).   Meanwhile the same characteristic, the sheer quantity of data, begs for less expensive storage to stay economical.

This leaves many IT Managers puzzled with how to provide an archive solution at a practical price with reasonable performance.    One solution is the use of a Software-as-a-Service (SaaS) solution like Fortiva, where you let the provider worry about the storage environment.  Still, many may wonder how providers such as Fortiva can provide lower cost per TB solutions (such as our recently announced SmartStore solution) without losing money due to the storage costs alone.

For Fortiva, the solution lies in a grid computing infrastructure that utilizes a large number of 1 or 2U servers with locally attached RAID disk arrays.   This hardware provides for a fast, highly redundant and scalable storage infrastructure.  This storage environment mixed with the Fortiva “secret sauce” – a proprietary Distributed File System at the application layer that tracks where data is within the grid of distributed servers – allows Fortiva to provide multiple redundant copies of data at an extremely low cost.  Another advantage of the solution is the consolidated computing power available by utilizing each CPU within the grid that is used for providing search and other application functionality.

The fact that Fortiva uses a grid environment for all clients distributed throughout a data center provides the economies of scale that no large enterprises can afford to implement themselves – a fact that is reflected in the low pricing Fortiva offers.

Posted by Rick Dales, VP Product Management

In our previous posts, both Chris and I discussed the significant investment in infrastructure that is necessary to provide fast, reliable search of corporate email. Even just a few years ago, this wasn’t a big issue for most businesses because they simply weren’t conducting searches across the entire email repository. However; in our increasingly litigious society, the growing costs that come from e-discovery are forcing more and more businesses to address the notion of "litigation readiness" – which inherently requires the ability to search email to isolate materials relevant to a given case. 

For companies that live under the cloud of a perpetual cycle of lawsuits, a variety of new technologies and processes have emerged to help people manage, collect, review and produce information for litigation.  Unfortunately, these approaches are often very expensive and can't be justified by the majority of businesses that only periodically face litigation hold and/or e-discovery activities -  a point that was reinforced by a recent survey that showed 1 in 5 businesses have settled a case to avoid the cost of searching through and retrieving email. 

For a company with a relatively long standard retention period (something that is becoming the norm), legal must be able to mine through a constantly-growing set of emails. This is particularly problematic because the cost to provide relatively quick searches doesn't grow linearly with the data growth, but instead, in most systems it grows exponentially. As difficult as it often is to justify the costs of "preventative" technologies (such as email archiving for litigation readiness), a system with rapidly increasing costs is even harder to justify.

Software-as-a-Service (SaaS) is a perfect model for addressing these types of challenges. Here’s why. When an e-discovery request comes in, most companies need powerful e-discovery capabilities with very little advanced notice; however, the rest of the time, they’re unlikely to need that search capability. Instead of building a system in-house that is underpowered when it's needed and wasteful the rest of the time, SaaS allows firms to readily access a pool of resources on-demand to meet their needs.

By spreading the cost of a large infrastructure over many customers, each of whom are unlikely to need the system at the same point in time, users get maximum capabilities at a far more justifiable, predictable cost.  To scale without bounds, SaaS companies like Fortiva are forced to build infrastructures whose cost does not grow exponentially (or it would be less and less profitable to take on new business).  This technology investment gets further passed along to the customer base so that costs per unit of data stored/processed go down over time.

Just like buying insurance, litigation readiness is about reducing risk and preventing significant, unexpected (and unplanned) costs.  There is the cost of enforcing a litigation hold; the cost of e-discovery activities and the cost of increased litigation risk by not having (or having access to) critical data – not to mention the costs of negative judgments. So it’s not surprising that litigation readiness – much like insurance again – can be a challenging thing to justify, especially when lawsuits aren't part of your firm's daily life. SaaS solutions can prove to be the best way to balance these needs.

Click here to read Part 6 in the Series on Search