Proofpoint: Security, Compliance and the Cloud

96 posts categorized "Cloud Computing"

November 25, 2013

Social Media and Compliance: Salesforce Chatter

We just returned from the Financial Services track at Dreamforce, where many speakers  touched on the topic of Archiving for Chatter – and its potential regulatory implications.  This led to many interesting discussions at our booth, with some of the common themes and conclusions summarized here.

  1. The most frequently asked question/comment: “We would like to enable Salesforce Chatter, but our compliance team is concerned about the implications. What can we do?” Not surprisingly, many of the Dreamforce attendees we talked to had recognized the business value of leveraging their investment in SFDC to drive collaboration and productivity via Chatter (or, perhaps, are being pressured by SF users to enable this feature). The reasons are clear within financial services: enabling better customer service, improving communication flow with independent agents, and in sharing account information with peers. But, simply turning that feature on led many into conversations about internal policies pertaining to social media, supervisory obligations addressed under FINRA’s 11-39 guidance on social media, and storage requirements within financial services outlined by SEC 17a3-4. Conclusions: 1) Chatter is easy to enable? Yes. 2) Opening a new collaboration channel within financial services raises regulatory compliance questions? UNEQUIVALLY YES.
  2. Compliance teams are becoming more active in decisions regarding use of Chatter. Again, not surprising, as firms have become accustomed to since FINRA 11-39 in 2011, and as more have acknowledged the futility of blocking social channels including LinkedIn and Twitter. Today, this involvement is moving beyond the yes/no of enabling access toward the issues of social media policy refinement, in determining what specific social media channels can be utilized, which features within those channels are usable by investment professionals whose actions are regulated under FINRA and NASD rules, and how firms intend to monitor, supervise and report on those activities. Simply turning on the capability is the starting point – looking at how you may enable selective access to those users whose activities need to be archived and reported is where many companies appear headed.
  3. Salesforce Communities creates additional risk. As firms iron out plans to enable Salesforce Communities, it’s important to consider regulatory compliance as part of the discussion. Salesforce Communities enables firms to expose parts of their Salesforce environment to the outside world; creating a collaboration portal for customers, vendors or partners. The Chatter feed is an integral component of Communities and, without Chatter, the benefits of enabling Communities diminish. Similar to “internal” Chatter communications, it’s important to ensure that your archiving solution supports the capture of Chatter content that is authored within Communities as well. Moreover, if your firm creates multiple Communities, your archiving solution should be able to capture Chatter content only from the Communities that you specify, thereby eliminating unnecessary noise from your archive.
  4. Archiving of social media goes beyond basic storage. For many, envisioned processes  for manual collection and basic store/retrieve Chatter content would be - in most cases – woefully inadequate. SEC Rule 17a3-4 in particular contains a number of specific provisions about information storage locations being “WORM-like” and actively managed to ensure information retains its integrity. Simply moving captured Chatter content to a network storage location – or copying to DVDs and sending to giant records warehouses via couriers in small vehicles – may not be meeting the risk profiles of your compliance executives.
  5. Firms are seeking leverage across other information sources.  Enabling the capture and archival of Chatter content is not unique discussion. Firms have already been through this with email. But, firms are reluctant to deploy yet another single-purpose repository to manage that information. In fact, most of the attendees we talked to are seeking to aggregate Chatter with other captured social media content – and leverage their existing processes and technology in place that is used for email. This leverage brings familiarity and comfort to compliance teams – and higher likelihood that SFDC teams can roll-out Chatter faster  with fewer compliance obstacles.

Proofpoint, with its Archiver for Chatter solution, can help organizations address these challenges, with a proven track record of capturing and managing content for many leading financial institutions that need to adhere to SEC, FINRA, and other emerging regulatory requirements. For more information about our Social Platform for Archiving solution, please visit



November 20, 2013

Why Archive Social Media?

As noted in the previous post, regulatory requirements that impact the use of social media continue to evolve. Some may argue that only financial services firms should be taking proactive steps to control the risk of social media misuse given existing regulatory mandates. Consider that:

  • FINRA release 11-39 was issued back in August 2011, and outlines record keeping and supervisory requirements for social media. Comparable regulation is also in place in Canada via IIROC.
  • More recently, FINRA raised the regulatory bar with its Targeted Exam Letter notice.  This letter calls for periodic spot-check that will be undertaken to examine the usage of social media by individual brokers, in order to assess whether there is any correlation with performance. FINRA regulated broker-dealers must also provide explanations of the measures that they have adopted to monitor compliance with the firm's social media policies (e.g., training meetings, annual certification, technology).
  • FFIEC: covering banks, savings associations, and credit unions, as well as non-bank entities supervised by the Consumer Financial Protection Bureau and state regulators. Regulations – currently in draft and expected to be final before the end of 2014 - would require that organizations have a documented social media policy in place, along with enforcement and employee training. 

Also noteworthy within the FFIEC document is a listing of other regulation that should be considered in building social media policies. This list includes  Truth in Savings Act/Regulation DD and Part 707, Fair Lending Laws: Equal Credit Opportunity Act/Regulation B3, Fair Housing Act, Truth in Lending Act/Regulation Z, Real Estate Settlement Procedures Act, Fair Debt Collection Practices Act, Unfair, Deceptive, or Abusive Acts or Practices – to name just a few.

Meanwhile, in other regulated industries including Pharma and Health Care, specific regulatory guidance outlining social media record keeping and supervisory obligations continues to be lacking.

So, does this imply that organizations outside of financial services do not to take proactive steps to control the use of social media? We’d suggest not, for 3 critical reasons:

  1. Within many industries there is no specific delineation between information sources. In health care, for example, PHI is PHI whether it may be located in the email stream, contained within documents, or be referenced in a post on LinkedIn, and organizations are obligated to control this information per HIPAA guidelines. The same can be stated within other industries where a “business record” is defined according the value or potential risk of its content – and not the specific information type or location.
  2. Similarly, for legal discovery, US Federal Rules of Civil Procedure do not distinguish between specific classes of electronically stored communication (ESI). In fact, Duties to Disclose as outlined in section 26a(A)(II) specifically notes that the duty applies to “all documents…” that may be material to support or defend against a specific legal claim.
  3. Most recently, SEC Regulation Full Disclosure (FD) was referenced in a case involving a CEO posting of material, non-public information. The SEC bottom line – social media is the same as any other communication channels, and its use in disseminating important company information must follow the same protocols as any other recognized “channel of distribution” to investors. (see: Netflix and the SEC)

Should you proactively control and archive social media? If you are a publicly traded US corporation that uses LinkedIn, Chatter, Yammer or other social media for business purposes, the answer is yes.  

November 18, 2013

Social Media and Regulatory Compliance: Where to Begin

The growing use of social media in business today is undeniable. Twitter has over 550 million users sending over 58 million tweets per day,1 while LinkedIn now boasts over 225 million users, including users from over 200 countries and executives from all Fortune 500 companies.2 Companies are also using Salesforce Chatter, Microsoft Yammer, and other collaborative tools to promote products and services, conduct market research, build brand awareness, and resolve customer problems. Social media is fast, ubiquitous, and in many cases produces measurable ROI to your business; however, it also poses significant risks that can become public and propagate virally. Consider the following:

In addition to carrying malicious content to deliver targeted attacks and resource consuming spam, the improper use of social media can lead to damaged brands, regulatory fines and other harsh consequences in terms of eDiscovery. Given the rapidly evolving sets of regulation, what can organizations do to be better prepared?

Here's a start:

  • Step 1: Establish a Clear, Unambiguous Social Media Policy       
    • Engage a team of Subject Matter Experts (e.g. IT, compliance, legal, marketing) to assess the security risks and business goals for social media usage
    • Treat social media governance as a component of IT governance overall
    • Provide specific examples of acceptable and prohibited uses of social media
  • Step 2: Seek Tools that enable flexibility and quick response to change
    • Consider solutions that integrate with your existing communications infrastructure and can evolve as social media technologies continue to evolve
    • Seek tools that can automate policy enforcement in order to speed response to regulatory inquiry
    • Continue to monitor regulatory and legal precedents in order to inform policy change
  • Step 3: Provide On-going Training and Policy Refinement
    • Train employees on best practices, internal policies and relevant industry regulations
    • Engage users for feedback in order to periodically examine social risks vs. returns
    • Talk to your industry peers to leverage experience

To go deeper, talk to us at Dreamforce this week (Financial Services Pavilion) to review how we can help organizations to control social media to address regulatory compliance mandates, or visit for  more info on our social portfolio.



[3] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings, Release No. 69279 (Apr. 2, 2013). 

[4] "SEC Charges Illinois-Based Adviser in Social Media Scam" (Press release),  December 2012



October 09, 2013

Free RSA® Security Expo 2014 Passes, Courtesy of Proofpoint: Use Code SC4PROOFB


It might seem like the far future, but RSA Conference 2014 is only a few months away and registration is now open!

Proofpoint will be exhibiting at the RSA Conference 2014, to be held February 24 thru February 28, 2014 at Moscone Center in San Francisco.

If you'd like to attend the RSA Conference 2014 expo (exhibits), you can get a free exhibits-only pass (which RSA calls an "Expo Pass") courtesy of Proofpoint by using code SC4PROOFB or EC4PROOFE when you register.

To register for your free RSA exhibits pass, please visit the following URL and enter code SC4PROOFB during the registration process:

Proofpoint will be at RSA 2014 in a big way, with booths in both the South (booths #1527 and #520) and North halls (booth #3615).  Since you won't be able to miss us, we fully expect you to stop by, meet the friendly Proofpoint staff, and take a moment to learn about our latest cloud-based solutions for threat management (including email security and targeted attack protection), compliance (data loss prevention, email encryption), enterprise information archiving & governance, and secure communications.

I also expect we'll be doing our traditional information security survey and we'd love to have you take a few minutes to participate. (If you're interested in the findings from the 2013 survey, you can find them here:

See you in San Francisco next February!

RSAC 2014 Briefing Center invite - fixed - Proofpoint

April 29, 2013

Longline Phishing Infographic: How Industrial-scale Phishing Attacks Work

In conjunction with last week's Infosecurity Europe 2013 show, our UK team put together this really cool infographic that explains how a new class of industrial-scale phishing attacks -- which Proofpoint recently dubbed "longline phishing" attacks -- work, along with tips for avoiding such attacks.

To learn more about this new class of phishing attacks, check out our longer form report, Longline Phishing: Email-borne Threats, Cloud Computing, Big Data, and the Rise of Industrial Phishing Attacks.

Click the infographic image below to view it full size!


January 25, 2013

Some Customer Insights on Improving eDiscovery Process Efficiency in the Cloud

In light of next week’s Legal Tech 2013 event in New York (stop by and see Proofpoint at booth 2607), we wanted to recap some of the really terrific insights from our recent web seminar on eDiscovery process efficiency.

In that webinar (see, "Improving eDiscovery Efficiency in a Cloud-based World"), our special guest speaker,  Jonathan Rudolph, attorney for medical device manufacturer C. R. Bard,  raised some very interesting points that might be useful for those heading to Legal Tech next week.

Jonathan was a key part of the team that selected and deployed Proofpoint Enterprise Archive at C. R. Bard and has a unique role in that he serves as both the eDiscovery manager within the IT organization, as well as an attorney within the legal department for this global manufacturer and marketer of medical products, based in New Jersey.

His role as IT-legal liason makes him uniquely qualified to discuss the challenges faced by organizations attempting to improve discovery processes, as well as offer best practices to get past common obstacles. Some of the key points he highlighted:

  • eDiscovery remains a matter of perspective, with organizations struggling without a common vocabulary and shared priorities. This gap is made more challenging by the fact that it limits the ability to create a shared view of the problem, which then contributes to a set of common priorities across IT and legal teams. Judges, however, remain above the internal fray and bring unpredictable knowledge (and comfort) of how, when, and where technology and eDiscovery processes intersect.
  • For some, today’s processes for identifying and collecting email for discovery can be like a rat maze. He notes that some archiving solutions even return different sets of search results for the same query at different times, leading to completely unpredictable (and clearly incomplete) discovery results. This type of problem not only consumes IT resources, but entails significant organizational risk and can result in multi-million dollar costs to have outside counsel filter through "junk" results.  There are no shortage of recent court rulings that highlight the potential impact (e.g., Samsung v. Apple, Hynix v. Rambus) and costs of "discovery gone wrong."
  • Many organizations cannot “break the monkey machine”. In his remarks, Jonathan refers to unbending organizational processes as "the monkey machine." The monkey machine has always done things a specific way, and has embedded that into the company's organizational culture and fabric. To "break the monkey machine," Jonthan argues that it's imperative to involve both the legal and IT departments  from the outset, and that it's helpful to have an individual who can “speak both languages.” Further, it's critical to be able to quantify savings delivered by any technology-enabled eDiscovery process improvement.
  • The goal of defensibility is a myth:  Defensibility as a goal often leads to reactivity – which provides a poor starting point and places the burden of persuasion with you, not your adversary. Companies are better served in moving toward a position of justifiability in order to better dictate the rules of the game.
  • Security in the cloud is an internal obstacle – that can be overcome. It is inevitable that IT will continue to look for opportunities to cut costs by moving to the cloud. Legal teams - who are often reluctant to embrace cloud-based approaches to eDiscovery - can be persuaded by showing them the advantages of strong service level agreements (SLAs) and security features (such as Proofpoint’s DoubleBlind Key Architecture) which leave data access and control decisions in the hands of legal decision makers – not cloud service administrators.

Using Proofpoint Enterprise Archive, Jonathan and the team at C. R. Bard have already realized the benefits of automating critical, early-stage discovery tasks. After using the system for 4 large matters, he is happy to report that the solution delivers as advertised and has already proven its ability to provide cost reduction and enable greater process efficiency.

To hear all of Jonathan's insights, watch the replay of "Improving eDiscovery Efficiency in a Cloud-based World."

And if you're in NY for Legal Tech next week, please stop by and meet us at booth 2607!

January 23, 2013

Proofpoint Winter 2013 Release Introduces Proofpoint Secure Share: Secure, Managed File Transfer for the Enterprise

In a press release issued today, Proofpoint announced its Winter 2013 release, which includes updates to our entire suite of cloud-based enterprise security and compliance solutions. One of the highlights of the latest release is a new cloud solution for securely transferring large or sensitive files, Proofpoint Secure Share.

Proofpoint Secure Share provides enhanced security and administrative control over traditional file transfer methods, existing on-premises solutions, and public cloud file sharing services. It leverages the advanced data loss prevention features of Proofpoint Enterprise Privacy to automatically enforce DLP rules such as blocking or encrypting sensitive content.

For a quick overview of the capabilities of Proofpoint Secure Share, including the end-user experience, administrative interface and data loss prevention features, check out this brief video demonstration:

In addition to the new secure file transfer capabilities, the Winter 2013 release includes enhancements across our cloud-based threat protection (Proofpoint Enterprise Protection, Proofpoint Targeted Attack Protection), archiving (Proofpoint Enterprise Archive), and governance (Proofpoint Enterprise Archive Content Collection option) solutions.

In our next live web seminar, File Sharing: Getting Data Control Without Frustrating Your Enterprise Users, we'll be taking a closer look at Proofpoint Secure Share and the issues involved in enabling business users to share large files in an easy, secure and compliant way.

December 18, 2012

Gartner 2012 Magic Quadrant for Enterprise Information Archiving: Proofpoint One of Three Leaders

Gartner-Email-Archiving-Magic-Quadrant-Enterprise-Information-Archiving-2012New for December 2012, industry analyst firm Gartner has published its Magic Quadrant for Enterprise Information Archiving. This report provides a detailed overview of the Enterprise Information Archiving (EIA) market and evaluates he key vendors based on their completeness of vision and ability to execute.

In the new report, Proofpoint is one of only three vendors positioned as Leaders.

As usual, Proofpoint has licensed a reprint of the new EIA magic quadrant and you can read the full report, compliments of Proofpoint, at the following URL:

Writing in the 2012 Magic Quadrant for Enterprise Information Archiving, Gartner analysts Sheila Childs, Kenneth Chin, Debra Logan and Alan Dayley note that, "The EIA market is healthy and growing rapidly. EIA has emerged as a commonly used technology underpinning for higher-level use cases supporting information governance, e-discovery, historical preservation of data and application retirement."

In addition to a comparison of the various archiving vendors and their solutions, the report also highlights several key trends in the enterprise information archiving market, including:

Increasing adoption of cloud-based archiving: The analysts write, "Archiving as a service (aka cloud archiving) has rapidly surpassed on-premises archiving as the preferred deployment model for most organizations."

Growing importance of information governance as an important business driver: Gartner says, "Broader information governance concerns (regulatory compliance, business-focused retention and deletion of data, and managing aging data based on a clear understanding of its value) are beginning to surpass e-discovery as the primary driver for deploying EIA."

In-place management of legal holds is also highlighted as an important feature: Gartner says, "Another trend that is emerging as an offshoot of an organization's desire to better manage its archiving and e-discovery processes is in-place legal hold. This functionality offers the ability to identify data wherever it resides and either apply legal holds to the data without moving it to an archive or to move it to a temporary archive at that point."

There's a lot more terrific information about today's enterprise archiving market in this report. To read it now, follow the link above, or simply complete the mini form, below:

About the Magic Quadrant graphic:

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Proofpoint, Inc. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

October 04, 2012

Free RSA® Security Expo 2013 Passes, Courtesy of Proofpoint: Use Code FXE13PRF

RSA-Conference-Free-Exhibit-Passes-2013[Update 10/9/2013: Looking for 2014 passes? Use our new code SC4PROOFB.  Find registration link in this post.] 

In a sure sign that summer is over and that the holidays are nearly here, I am informed that registration is now open for the RSA Conference 2013.

As usual, Proofpoint will be exhibiting at the RSA Conference 2013, to be held February 25 thru March 1, 2013 at Moscone Center in San Francisco.

If you'd like to attend the RSA Conference 2013 expo (exhibits), you can get a free exhibits-only pass (which RSA calls an "Expo Pass") courtesy of Proofpoint by using code FXE13PRF when you register.

To register for your free RSA exhibits pass, please visit the following URL and enter code FXE13PRF during the registration process:

We look forward to seeing you there! Proofpoint will be exhibiting at booth #739, demonstrating our entire suite of cloud-based data protection solutions, including threat management (email security), compliance (data loss prevention, email encryption), archiving & governance, and secure communications.


October 02, 2012

Cloud Storage and Collaboration Meet Security, Compliance and DLP: Box and Proofpoint Team Up

Box-and-proofpoint-logosOur friends at content sharing leader Box issued a press release about ongoing efforts to improve enterprise adoption of its service by improving visibility and security for files stored in Box's cloud.

A significant part of that effort involves an integration partnership between Proofpoint and Box that extends Proofpoint's cloud-based data loss prevention (DLP) capabilities to content stored in Box. Using these new features, administrators will be able to ensure compliance with a wide variety of corporate policies, comply with data protection/privacy regulations and guard against the loss or exposure of confidential information.

As Proofpoint CEO Gary Steele explained to CIO Today, "We are delivering an advanced layer of security capabilities that enable enterprises to have a full view of what is happening with sensitive information across their organization."

Gary will be talking more about this partnership during a panel discussion at the upcoming Box customer conference, BoxWorks.



Blog Search

Email Security Gateways, 2012

Magic Quadrant


What people are saying right now about us.

©2012 Proofpoint, Inc.
threat protection: Proofpoint Enterprise Protection compliance: Proofpoint Enterprise Privacy governance: Proofpoint Enterprise Archive secure communication: Proofpoint Encryption