Proofpoint: Security, Compliance and the Cloud

Happy Earth Day, 2011! In keeping with this observance of making better use of our planet's resources, I wanted to share a few interesting conservation-related tips from around the web.

Over at Microsoft's Viewpoints blog, Robert Bernard has a thoughtful post on "Earth Day 2011: Cloud Computing... Can it Help?" In that post, he talks about the various ways that cloud computing can impact IT efficiency and, in turn, help create a more energy efficient world. Among his comments:

"So what is “cloud computing?” Think about the services that run on your PC or handheld device - email, websites, social networks, news services, search results, business infrastructure, banking systems, text messaging. All of these, and many more, are powered by the cloud. But this is just the beginning.  Building management systems, transportation systems, energy grids, water monitoring, ocean health tracking, air quality, crop yields, human health implications of pollution -- all of these computational resources can be delivered on demand in the cloud.

The cloud will allow us to rethink the role of IT and energy, so that we’re not just thinking about how to reduce the impact of IT, but also about how IT can reduce the impact of the other 98 percent of the energy consumed by buildings, transportation, industrial processes, etc. At Microsoft, I get to work with people and teams who can envision a highly integrated, energy-smart landscape that maximizes efficiency and performance in a resource-constrained world. Information technology is key to making that future possible."

I thought the whole piece was well worth a read.

And over at PC World, Tony Bradley shares some tips for reducing your office's impact on the environment in, "Five Ways You can Embrace Earth Day Every Day." Among his suggestions, "using newer hardware that is more environmentally-conscious and energy efficient. You can also cut down on your organization's carbon footprint by embracing virtualization so you can run multiple virtual servers from a single physical server."

Many of Proofpoint's customers have moved to the cloud computing-based or virtual versions of our security and compliance solutions, in part because of the energy, efficiency and cost advantages of those platforms. Simply consolidating multiple security features on a single platform can also reduce infrastructure and costs.

One example: Princeton Universityconsolidated multiple email security functions such as email firewall, anti-virus and anti-spam using a combination of Proofpoint's hardware and virtual appliances and saved $20,000 per year in maintenance costs, alone.

And finally, I thought you might enjoy this "recycled" video from the Proofpoint archives... Here's our friend Richi Jennings telling me about his 2009 (but still quite interesting) research into "the carbon footprint of spam." Yes, pretty much all human activity has an energy cost and environmental impact. Do something good for the planet today, OK?

Exciting news to share with you this afternoon about Proofpoint's progress in the Federal space.

In an announcement issued just this afternoon (see, "Proofpoint Receives FISMA Certification from USDA"), Proofpoint announced that its its Proofpoint Enterprise Archive solution has been granted an Authority to Operate (ATO) by the United States Department of Agriculture (USDA).

Proofpoint was granted the ATO on April 19, 2011, based on its ability to meet the stringent requirements of the Federal Information Security Management Act (FISMA) certification and accreditation (C&A) process. FISMA certification and accreditation indicates that a federal agency has approved a particular solution for its use in line with the level of security established by that agency.

As noted in the announcement, Proofpoint Enterprise Archive is the first cloud-based archiving solution to be granted an ATO by a Cabinet-level agency.

The USDA is using Proofpoint’s email archiving solution in conjunction with that department's deployment of  Microsoft's cloud-based Enterprise Messaging Services. This deployment will provide compliant email archiving for 120,000 Microsoft Exchange users spread throughout 21 departments, making it the largest US Federal government implementation of cloud-based enterprise email archiving technology.

Proofpoint Enterprise Archive will allow the USDA to easily access archived email for regulatory requests, retention policy adherence and legal discovery.

Susie Adams, the chief technology officer for Microsoft Federal said, "The U.S. Department of Agriculture has certified and accredited Microsoft’s cloud-based suite for government customers in accordance with FISMA, allowing Microsoft to provide these services to government customers. This milestone is further validation of the high standards of compliance and security within Microsoft’s cloud-based solutions."

You can find more comments from Susie Adams in her blog post in Microsoft's FutureFed blog. See, "USDA Awards FISMA Certification for Microsoft’s Business Productivity Online Suite (BPOS) - Federal."

Andres Kohn, Proofpoint's vice president or archiving and eDiscovery solutions, commented, "Many federal agencies are looking to cloud-based services to help them meet the dual challenges of tightening budgets and more severe and frequent security breaches. By achieving FISMA certification for our e-mail archiving solution in conjunction with Microsoft BPOS-Federal, Proofpoint is opening the door for more rapid adoption of cloud-based e-mail solutions throughout the US Federal community."

As you might imagine, achieving FISMA certification is a complex task, involving third-party assessments of a wide variety of security features and policies. In this case, SecureInfo Corporation assisted with the assessment of Proofpoint's solutions.

SecureInfo CEO Christopher Fountain said, "As a third-party assessor, SecureInfo has conducted thousands of information security assessments and has specific expertise in all aspects of FISMA compliance. As part of our assessment of Proofpoint’s enterprise email archiving solution, Proofpoint successfully demonstrated the effective implementation of the management, operational and technical controls , which was required to realize an ATO at the USDA and is a critical element of FISMA compliance."

Additional comments from SecureInfo's CTO,  Yong-Gon Chon, about the complexity and rigor of these evaluations can be found in his guest post in the Microsoft Online Services Team Blog. See, "What Goes Into a FISMA Certification?" 

We're looking forward to bringing the benefits of Proofpoint's SaaS email archiving solution to the USDA and other US Federal agencies.

Following up on my previous video post featuring some great anti-phishing and password tips from Proofpoint customer Tony Hidlesheim of Redwood Credit Union, here are two more videos where Tony talks about how his organization uses Proofpoint to secure inbound email while preventing data loss via outbound email and HTTP traffic.

Redwood Credit Union is the 10th largest credit union in the state of California. In part one of our video interview, Tony explains how the credit union uses Proofpoint for email security while also applying those same security policies to HTTP (web or "port 80") traffic. Tony also shares some security insights about social media and the security.

Thanks again to Tony and the rest of our friends at Redwood Credit Union for taking the time to share these perspectives with me!

(And as a reminder: If you're a customer and would like to share your Proofpoint story with us, do send us an email to pr@proofpoint.com!)

Recently, Proofpoint customer Redwood Credit Union was kind enough to host me at their headquarters in sunny Santa Rosa, California, where Senior Vice President of IT, Tony Hildesheim took time out of his busy schedule to talk with me about how his organization uses Proofpoint to keep both employees and credit union members secure.

As part of that interview, Tony talked about some of the most serious threats that he sees to his members' security. In this excerpt, Tony gave some terrific advice about one of the most important things that web users can do to protect their safety: Use best practices for passwords.

 Check out this short video and feel free to share it with your friends, staff, users, etc.

In this short video, Tony explains how phishing attacks (and variations like vishing and smishing) attempt to get users to give up account credentials by appealing to greed, fear and/or charity.

Using best practices for your passwords can help protect you from these attacks. Tony recommends the following: Use strong passwords (that combine alpha, numeric and special characters), change them often and always use different passwords for different accounts.

Great advice, especially in light of some of the big security breaches we've seen in 2011 (for more on this topic, see my posts State of Texas Exposes Personal Information on 3.5 Million Residents - More Serious than Epsilon Breach? and Stay Safe from Email Threats in the Wake of Epsilon Email List Breach).

I've got more video with Tony talking about how his organization uses Proofpoint, too. Will post those to the blog shortly, but you can also go see them right now at http://www.proofpoint.com/youtube(along with many other interesting Proofpoint videos).

Today's Proofpoint press release announces that Guaranty Bank, a leading financial services institution serving southwest Missouri, has switched from a competing solution to the Proofpoint Enterprise Protection and Proofpoint Enterprise Privacy email security and data loss prevention suites.

Guaranty Bank chose to deploy Proofpoint's virtual appliance version, because it offered a cost-effective, rapid way to protect both inbound and outbound email with "no hardware to add."

Like other enterprises that have recently made the switch to Proofpoint, Guaranty Bank had grown frustrated with its previous email security and DLP solution, finding that it didn't provide the level of flexibility and control the organization needed. Ease of administration and quality of support were also issues, with some simple support requests taking 24 hours to resolve.

Kenneth Johnston, Guaranty Bank's CIO and VP of information systems says, "We really needed a more user- and administrator-friendly solution that would allow us to have better granular control over our outbound messages. Proofpoint offered us a lot of flexibility to do that and also offered us a comprehensive feature set for both privacy and protection."

You can find the full press release here:

"Guaranty Bank Secures Inbound and Outbound Email with Virtual Proofpoint Solutions"

Over at the Huffington Post this week, there have been a couple of posts about Google having collected partial Social Security Numbers of children as part of the entry requirements for the company's "Doodle-4-Google" contest. (Helpful to start with Larry Magid's post today, "Why Google Stopped Collecting the Last 4 Digits of Kids' Social Security Numbers" which is a follow-up to Bob Bowdon's article, "Why Has Google Been Collecting Kids' Social Security Numbers Under the Guise of an Art Contest?").

As Bob Bowdon pointed out, collecting even partial SSNs can be a pretty big data security and privacy issue since the complete, accurate SSN can often be guessed based on other data such as the person's city and year of birth (which, apparently, Google was also requesting). See this Datamation article, "Social Security Numbers Easy to Hack", which talks about some really interesting research about predicting social security numbers from publicly-available data.

Apparently what the Google contest organizers were trying to do is use partial SSNs as a way of uniquely identifying contest entrants and "de-duplicating" duplicate/multiple entries. Yeah, probably a bad idea on several levels and I won't belabor that point.

Of course, there are many organizations that do have to collect and ensure the security of private identity, healthcare and financial information about children. Recently, I had the chance to interview Proofpoint customer Matt Johnston,who is the senior security analyst for Children's National Medical Center, a leading pediatric hospital based in the metro Washington DC area.

One of the most interesting things that he told me is that children are one of the top targets for identity theft. I hadn't really thought about this before, but it makes sense.

As Matt told me, children have new or "clean" records. They don't have established credit histories and outside of core identifiers like a social security number and birth record, there aren't many other public records associated with a child's identity. This makes that data easier to use in identity theft/fraud and, as a result, personal identity information about children fetches a premium on the black market.

So organizations like Children's National Medical Center have to take privacy protection and data security extremely seriously. As a healthcare organization, CNMC has to comply with HIPAA healthcare privacy regulations, but as Matt explained to me, they go to great lengths to protect their patients' data not just because its required by law but because its part of their core mission of protecting and caring for children.

Matt talks about these issues, how his organization uses Proofpoint's SaaS email security and email encryption solutionsand why he chose Proofpoint (and why deploying those solutions in the cloud was the right decision for CNMC) in this short video:

My thanks once again to Matt for graciously taking the time to share his insights with us!

Regular Proofpoint followers and readers of this blog are familiar with the many email security and compliance concerns around private healthcare information ("PHI").

Ensuring compliance with the data security and privacy rules of HIPAA (and the more recent "HITECH" updates to the HIPAA regulation) is critical for healthcare organizations, obviously, but these rules also apply to many other organizations that also handle healthcare information.

Today's Proofpoint press release, "Demand for Proofpoint’s Security and Compliance Cloud Solutions Grows in Healthcare" highlights three healthcare industry customers who use Proofpoint's SaaS security and compliance solutions to secure inbound email, detect and protect (or encrypt) private healthcare information in outbound email and archive email to meet compliance and eDiscovery requirements.

Proofpoint is (not coincidentally) also exhibiting this week at the HIMSS 2011 conference (the leading healthcare IT conference and exhibition) in Orlando, Florida. If you're attending that event, do visit the friendly and knowledgeable staff at Proofpoint's booth (#4001) to learn more about how Proofpoint can help your organization with HIPAA/HITECH compliance and data security.

For example, our announcement today explains how Scottsdale Healthcare, a not-for-profit healthcare system based in Arizona, uses Proofpoint's SaaS solutions for anti-spam as well as for email encryption, ensuring that HIPAA-regulated healthcare information is protected in outgoing email. Scottsdale Healthcare is also the subject of a new case study (PDF format), which you can download via this link: "Case Study: Scottsdale Healthcare Relies on Proofpoint to Cure Spam and Email Encryption Challenges."

Mike Gleason, director of information services at Scottsdale Healthcare, explains, “For our organization, if any information in the body of an email or an attachment contains a social security number, a credit card number, patient identifier, or other sensitive data, it will be captured and secured. These types of data are automatically encrypted, and then forwarded on, which helps us avoid sending out emails that contain sensitive information or patient privacy data to domains outside our organization.”

Another organization, Kelsey Seybold Clinic of Houston, Texas, is moving its deployment of the Proofpoint Enterprise Protection email security solution from an on-premises deployment to Proofpoint's cloud-based (SaaS) offering.

Martin Littmann, director IT systems for Kelsey Seybold Clinic, says, “After comparing costs between different deployment types, we were convinced that moving Proofpoint’s protection solution to the cloud would save us time and money, and that our resources would no longer be stretched.”

And at Community Memorial Health System (Ventura County, California), Proofpoint's entire suite of SaaS security and compliance solutions guards against inbound threats, ensures patient privacy and  archives email for 2000 mailboxes.

Explaining his organization chose Proofpoint, Thomas Kniss, CMHS's director of clinical information systems, noted that, “Proofpoint has a very impressive list of current healthcare customers, and it was important that our vendor have experience and a successful track record of providing security solutions to healthcare organizations. Proofpoint’s knowledge and capabilities of smart identifiers and HIPAA dictionaries was a key deciding factor as well.”

Another good resource for healthcare organizations is the Proofpoint whitepaper, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email (click the link to register).

Financial services firm National Financial Partners has been a long-time user of Proofpoint's SaaS email archiving solution and, more recently, also deployed Proofpoint's SaaS solutions for inbound and outbound email security. 

Dán Salomon, NFP's Senior Vice President of Technology, kindly took the time to speak with me about how his organization uses Proofpoint's SaaS solutions and why he feels that performing email archiving and email security functions "in the cloud" is more secure than taking an on-premesis approach. Beyond the cost advantages of SaaS, Dán explains the other business drivers for adopting Software-as-a-Service in this video (recorded on location at Proofpoint's 2010 "Inner Circle" customer event in New York).

My thanks to Dán and NFP for his willingness to discuss his approach and for allowing us to share this interview here!

Earlier this month, we held our annual customer "Inner Circle" events in New York and San Francisco, which was a great opportunity to sit down with Proofpoint customers and talk about how they use the product. Assistant vice president and IT manager John Vander Velde of Lake Michigan Financial Corporation graciously agreed to chat with me about how his organization uses Proofpoint to secure both inbound and outbound email.

Lake Michigan Financial Corporation has been a Proofpoint customer for several years now and have, over time, adopted more and more of Proofpoint's email security product suite (see our 2007 press release about Proofpoint and Lake Michigan Financial Corp).

In this video, John talks about how his organization uses Proofpoint for inbound email protection (anti-spam, anti-virus) as well as outbound data loss prevention and email encryption, to ensure the safety of account holder data as well as compliance with data protection regulations such as Gramm-Leach-Bliley (GLBA).

John talks with me about how LMFC selected Proofpoint, some of the policy issues involved in outbound email compliance, consolidating email security functionality onto a single platform and how the rise in spear phishing activity is once again making end-user education an important part of his overall approach to IT security.

Today's Proofpoint press release presents information about Proofpoint customer easyJet, who have been using Proofpoint's SaaS email security solution for several years now.

In case you're not familiar with easyJet, the company is the leading low-fare airline in Europe, serving more than 27 countries on more than 500 routes. And with 7000 employees across the globe, easyJet's IT team of just 59 is always looking for ways to streamline its operations while improving service.

When easyJet first evaluated Proofpoint's email security solutions, the company was looking to improve performance against inbound spam and viruses, but also to simplify their IT infrastructure, simplify ongoing maintenance and reduce costs.

IT services manager Mark Beard told us that moving email security functions including anti-spam and anti-virus to a SaaS model was the right way to go.

"It means one less thing for our IT team to worry about while greatly reducing our overall costs of providing email security. Proofpoint’s solution has reduced the administrative strains placed on the team while still retaining complete control over our email environment. Anti-spam and anti-virus performance has been excellent, resulting in a greatly improved experience for our email users."

By using Proofpoint ENTERPRISE Protection, easyJet has been able to get all those benefits without giving up the level of control and customization that large enterprises require. Features such as LDAP integration, so they can apply different sets of email filtering rules to different groups of end users, and multi-lingual end-user interfaces (to support easyJet's international staff) were important.

You can read the full press release here:

Press release: easyJet Looks to Proofpoint's Cloud for Email Security