Proofpoint: Security, Compliance and the Cloud

Today's Proofpoint press release announces that Guaranty Bank, a leading financial services institution serving southwest Missouri, has switched from a competing solution to the Proofpoint Enterprise Protection and Proofpoint Enterprise Privacy email security and data loss prevention suites.

Guaranty Bank chose to deploy Proofpoint's virtual appliance version, because it offered a cost-effective, rapid way to protect both inbound and outbound email with "no hardware to add."

Like other enterprises that have recently made the switch to Proofpoint, Guaranty Bank had grown frustrated with its previous email security and DLP solution, finding that it didn't provide the level of flexibility and control the organization needed. Ease of administration and quality of support were also issues, with some simple support requests taking 24 hours to resolve.

Kenneth Johnston, Guaranty Bank's CIO and VP of information systems says, "We really needed a more user- and administrator-friendly solution that would allow us to have better granular control over our outbound messages. Proofpoint offered us a lot of flexibility to do that and also offered us a comprehensive feature set for both privacy and protection."

You can find the full press release here:

"Guaranty Bank Secures Inbound and Outbound Email with Virtual Proofpoint Solutions"

Over at the Huffington Post this week, there have been a couple of posts about Google having collected partial Social Security Numbers of children as part of the entry requirements for the company's "Doodle-4-Google" contest. (Helpful to start with Larry Magid's post today, "Why Google Stopped Collecting the Last 4 Digits of Kids' Social Security Numbers" which is a follow-up to Bob Bowdon's article, "Why Has Google Been Collecting Kids' Social Security Numbers Under the Guise of an Art Contest?").

As Bob Bowdon pointed out, collecting even partial SSNs can be a pretty big data security and privacy issue since the complete, accurate SSN can often be guessed based on other data such as the person's city and year of birth (which, apparently, Google was also requesting). See this Datamation article, "Social Security Numbers Easy to Hack", which talks about some really interesting research about predicting social security numbers from publicly-available data.

Apparently what the Google contest organizers were trying to do is use partial SSNs as a way of uniquely identifying contest entrants and "de-duplicating" duplicate/multiple entries. Yeah, probably a bad idea on several levels and I won't belabor that point.

Of course, there are many organizations that do have to collect and ensure the security of private identity, healthcare and financial information about children. Recently, I had the chance to interview Proofpoint customer Matt Johnston,who is the senior security analyst for Children's National Medical Center, a leading pediatric hospital based in the metro Washington DC area.

One of the most interesting things that he told me is that children are one of the top targets for identity theft. I hadn't really thought about this before, but it makes sense.

As Matt told me, children have new or "clean" records. They don't have established credit histories and outside of core identifiers like a social security number and birth record, there aren't many other public records associated with a child's identity. This makes that data easier to use in identity theft/fraud and, as a result, personal identity information about children fetches a premium on the black market.

So organizations like Children's National Medical Center have to take privacy protection and data security extremely seriously. As a healthcare organization, CNMC has to comply with HIPAA healthcare privacy regulations, but as Matt explained to me, they go to great lengths to protect their patients' data not just because its required by law but because its part of their core mission of protecting and caring for children.

Matt talks about these issues, how his organization uses Proofpoint's SaaS email security and email encryption solutionsand why he chose Proofpoint (and why deploying those solutions in the cloud was the right decision for CNMC) in this short video:

My thanks once again to Matt for graciously taking the time to share his insights with us!

Regular Proofpoint followers and readers of this blog are familiar with the many email security and compliance concerns around private healthcare information ("PHI").

Ensuring compliance with the data security and privacy rules of HIPAA (and the more recent "HITECH" updates to the HIPAA regulation) is critical for healthcare organizations, obviously, but these rules also apply to many other organizations that also handle healthcare information.

Today's Proofpoint press release, "Demand for Proofpoint’s Security and Compliance Cloud Solutions Grows in Healthcare" highlights three healthcare industry customers who use Proofpoint's SaaS security and compliance solutions to secure inbound email, detect and protect (or encrypt) private healthcare information in outbound email and archive email to meet compliance and eDiscovery requirements.

Proofpoint is (not coincidentally) also exhibiting this week at the HIMSS 2011 conference (the leading healthcare IT conference and exhibition) in Orlando, Florida. If you're attending that event, do visit the friendly and knowledgeable staff at Proofpoint's booth (#4001) to learn more about how Proofpoint can help your organization with HIPAA/HITECH compliance and data security.

For example, our announcement today explains how Scottsdale Healthcare, a not-for-profit healthcare system based in Arizona, uses Proofpoint's SaaS solutions for anti-spam as well as for email encryption, ensuring that HIPAA-regulated healthcare information is protected in outgoing email. Scottsdale Healthcare is also the subject of a new case study (PDF format), which you can download via this link: "Case Study: Scottsdale Healthcare Relies on Proofpoint to Cure Spam and Email Encryption Challenges."

Mike Gleason, director of information services at Scottsdale Healthcare, explains, “For our organization, if any information in the body of an email or an attachment contains a social security number, a credit card number, patient identifier, or other sensitive data, it will be captured and secured. These types of data are automatically encrypted, and then forwarded on, which helps us avoid sending out emails that contain sensitive information or patient privacy data to domains outside our organization.”

Another organization, Kelsey Seybold Clinic of Houston, Texas, is moving its deployment of the Proofpoint Enterprise Protection email security solution from an on-premises deployment to Proofpoint's cloud-based (SaaS) offering.

Martin Littmann, director IT systems for Kelsey Seybold Clinic, says, “After comparing costs between different deployment types, we were convinced that moving Proofpoint’s protection solution to the cloud would save us time and money, and that our resources would no longer be stretched.”

And at Community Memorial Health System (Ventura County, California), Proofpoint's entire suite of SaaS security and compliance solutions guards against inbound threats, ensures patient privacy and  archives email for 2000 mailboxes.

Explaining his organization chose Proofpoint, Thomas Kniss, CMHS's director of clinical information systems, noted that, “Proofpoint has a very impressive list of current healthcare customers, and it was important that our vendor have experience and a successful track record of providing security solutions to healthcare organizations. Proofpoint’s knowledge and capabilities of smart identifiers and HIPAA dictionaries was a key deciding factor as well.”

Another good resource for healthcare organizations is the Proofpoint whitepaper, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email (click the link to register).

Leading pet specialty retailer PETCO has been using Proofpoint's email security solution for several years to protect several thousand inboxes from spam, viruses and other email threats. Today's Proofpoint press release, "PETCO Keeps Email Security Needs on a Leash with Proofpoint Enterprise Protection," describes several exciting changes to that deployment.

First, PETCO (like many other longtime Proofpoint customers) has moved its deployment from an on-premises deployment using appliances to Proofpoint's SaaS (Software-as-a-Service) version. In doing so, PETCO has simplified its IT environment and will reduce costs.

Lyndon Brown, PETCO's senior IT manager says, “Like most enterprises today, PETCO has been looking for ways to simplify its IT infrastructure and reduce costs using SaaS and cloud computing technologies, and Proofpoint helped us achieve both goals. ”

In addition to moving inbound email security features to the cloud, PETCO has also adopted Proofpoint's SaaS-powered email encryption solution, Proofpoint Encryption. Proofpoint's outbound email scanning and email encryption features will help PETCO protect confidential information and personally identifiable information (PII) in email, helping the company comply with data protection regulations such as PCI-DSS, Sarbanes-Oxley and FTC rules.

“By moving both inbound email security and outbound email encryption to the cloud, our IT department is better able to focus on the core needs of our business while also reaping immediate benefits, such as decreased datacenter cooling, power and IT administration costs.”

Read more about PETCO's use of Proofpoint in the full press release.

And, as the illustration accompanying this post reminds us (courtesy of PETCO's holiday shop), the holiday season is upon us and email security threats are escalating as usual. To learn more about the latest spam, phishing and blended threat attacks, attend our live web seminar this Wednesday, November 17th. Register at the following link:

Register for Proofpoint webinar: Holiday Threats - Why Fruitcake is the Least of Your Worries

Proofpoint customer Jeff Bell, executive vice president of clearing and technology for financial services firm Wedbush Securities, was kind enough to host me at his San Francisco office recently and allowed me to interview him about his use of Proofpoint's email security and compliance solutions.

Wedbush has been using Proofpoint for email security since 2004 (protecting more than 1000 employees) and recently added our SaaS email archiving solution, Proofpoint Enterprise Archive. Wedbush Securities is a leading financial services and investment firm that provides private and institutional brokerage, correspondent clearing, investment banking, equities research, public finance, fixed income sales and trading, and asset management to individual, institutional and issuing clients.

As such, there are a host of email retention regulations with which they have to comply. While we don't get into that in the video, Proofpoint has just published a new email archiving whitepaper that gives a good overview of the regulatory and best practices drivers for using email archiving technology in financial services firms (see, "Why Email Archiving and eDiscovery are More Important than Ever" to download a copy).

 Jeff and I also discussed his views on other IT threats that are on his radar and I'll share that video in a future post.

And by the way, if you're a Proofpoint customer and would like to share your Proofpoint story, we're always happy to hear from you! Drop us a line at pr@proofpoint.com.

Financial services firm National Financial Partners has been a long-time user of Proofpoint's SaaS email archiving solution and, more recently, also deployed Proofpoint's SaaS solutions for inbound and outbound email security. 

Dán Salomon, NFP's Senior Vice President of Technology, kindly took the time to speak with me about how his organization uses Proofpoint's SaaS solutions and why he feels that performing email archiving and email security functions "in the cloud" is more secure than taking an on-premesis approach. Beyond the cost advantages of SaaS, Dán explains the other business drivers for adopting Software-as-a-Service in this video (recorded on location at Proofpoint's 2010 "Inner Circle" customer event in New York).

My thanks to Dán and NFP for his willingness to discuss his approach and for allowing us to share this interview here!

At Proofpoint's recent Inner Circle New York customer event I got a chance to talk with Thomas Wonica, director of information technology for Moelis & Company, an investment bank that specializes in mergers and acquisitions, restructurings and other strategic investments. Moelis uses Proofpoint's SaaS email archiving solution, Proofpoint ARCHIVE, as well as our Proofpoint ENTERPRISE email security solution.

In this video, Tom talks about how they use Proofpoint for archiving and eDiscovery to radically reduce the time it takes to find email during discovery events. He also talks about consolidating both archiving and email security with Proofpoint to simplify his organization's email environment.

Today's Proofpoint press release presents information about Proofpoint customer easyJet, who have been using Proofpoint's SaaS email security solution for several years now.

In case you're not familiar with easyJet, the company is the leading low-fare airline in Europe, serving more than 27 countries on more than 500 routes. And with 7000 employees across the globe, easyJet's IT team of just 59 is always looking for ways to streamline its operations while improving service.

When easyJet first evaluated Proofpoint's email security solutions, the company was looking to improve performance against inbound spam and viruses, but also to simplify their IT infrastructure, simplify ongoing maintenance and reduce costs.

IT services manager Mark Beard told us that moving email security functions including anti-spam and anti-virus to a SaaS model was the right way to go.

"It means one less thing for our IT team to worry about while greatly reducing our overall costs of providing email security. Proofpoint’s solution has reduced the administrative strains placed on the team while still retaining complete control over our email environment. Anti-spam and anti-virus performance has been excellent, resulting in a greatly improved experience for our email users."

By using Proofpoint ENTERPRISE Protection, easyJet has been able to get all those benefits without giving up the level of control and customization that large enterprises require. Features such as LDAP integration, so they can apply different sets of email filtering rules to different groups of end users, and multi-lingual end-user interfaces (to support easyJet's international staff) were important.

You can read the full press release here:

Press release: easyJet Looks to Proofpoint's Cloud for Email Security

We issued a press release today (see, "Bank of China New York Deploys Proofpoint to Solve Spam, Data Loss Prevention and Email Encryption Challenges in Days") about Proofpoint customer Bank of China New York Branch's use of Proofpoint for anti-spam, anti-virus and email encryption.

Bank of China New York (http://www.bocusa.com), the US branch of the world's fifth largest bank, uses Proofpoint to block incoming spam and viruses, prevent exposure of private information and encrypt sensitive outbound emails to achieve compliance with data privacy regulations including the Gramm-Leach-Bliley Act (GLBA).

Last week, I was at Proofpoint's East Coast "Inner Circle" customer event and I had a chance to sit down with Kostas Georgakopoulos, Director of Information Security at Bank of China's US branch and talk with him about how the bank is using Proofpoint. You can view the resulting video embedded in this post.

Writer Penny Crosman at Bank Systems & Technology also spoke with Kostas last week and her article, Bank of China Steps Up Email Securityis also out today. In the article, Kostas says:

"Like other financial institutions, we're targeted by spammers and people who send us spearing attacks... Our concern is to protect the integrity of our data, our customers' confidential information, and the availability of our systems... We needed something that would scale, that would provide additional capabilities, for example to help us meet regulatory concerns such as Gramm Leach Bliley."

If your organization faces similar data protection and regulatory compliance challenges, you'll probably be interested in the Proofpoint whitepaper, Protecting Enterprise Data with Proofpoint Encryption, which you can register to download here:

http://www.proofpoint.com/emailencryption

I shot quite a few more Proofpoint customer videos at last week's event (and hope to this week at our West Coast "Inner Circle" meeting), so stay tuned for more.

We issued a press release today about Proofpoint customer University Hospital of Zurich (aka USZ), about their deployment of Proofpoint Messaging Security Gateway email security appliances to protect 7000 email users at the hospital from spam, viruses and other inbound email risks.

Additionally, the hospital uses Proofpoint Secure File Transfer as a way to transfer large files, or files that require enhanced security/encryption, "out of band" from their SMTP email system. Like healthcare organizations in the US, University Hospital of Zurich wants to ensure that confidential, personal healthcare information isn't improperly exposed. Proofpoint Secure File transfer lets staffers send information such as patient data, medical test results, insurance information and other sensitive info in a secure fashion.

Jens Grundtvig, the manager of network security for University Hospital of Zurich says that the hospital chose Proofpoint because of a combination of ease of administration, security and cost reasons.

“The combination of an easy-to-deploy appliance, ability to enforce policies for individual users and groups, the price-performance ratio and the option for secure file transfer gave Proofpoint a strong advantage over the other four suppliers [that the hospital considered],” says Grundtvig.

You can read the full press release at the Proofpoint site here:

 "University Hospital of Zurich Deploys Proofpoint for Inbound Email Security and Secure File Transfer"