Proofpoint: Security, Compliance and the Cloud

6 posts categorized "DoubleBlind Encryption"

January 25, 2013

Some Customer Insights on Improving eDiscovery Process Efficiency in the Cloud

In light of next week’s Legal Tech 2013 event in New York (stop by and see Proofpoint at booth 2607), we wanted to recap some of the really terrific insights from our recent web seminar on eDiscovery process efficiency.

In that webinar (see, "Improving eDiscovery Efficiency in a Cloud-based World"), our special guest speaker,  Jonathan Rudolph, attorney for medical device manufacturer C. R. Bard,  raised some very interesting points that might be useful for those heading to Legal Tech next week.

Jonathan was a key part of the team that selected and deployed Proofpoint Enterprise Archive at C. R. Bard and has a unique role in that he serves as both the eDiscovery manager within the IT organization, as well as an attorney within the legal department for this global manufacturer and marketer of medical products, based in New Jersey.

His role as IT-legal liaison makes him uniquely qualified to discuss the challenges faced by organizations attempting to improve discovery processes, as well as offer best practices to get past common obstacles. Some of the key points he highlighted:

  • eDiscovery remains a matter of perspective, with organizations struggling without a common vocabulary and shared priorities. This gap is made more challenging by the fact that it limits the ability to create a shared view of the problem, which then contributes to a set of common priorities across IT and legal teams. Judges, however, remain above the internal fray and bring unpredictable knowledge (and comfort) of how, when, and where technology and eDiscovery processes intersect.
  • For some, today’s processes for identifying and collecting email for discovery can be like a rat maze. He notes that some archiving solutions even return different sets of search results for the same query at different times, leading to completely unpredictable (and clearly incomplete) discovery results. This type of problem not only consumes IT resources, but entails significant organizational risk and can result in multi-million dollar costs to have outside counsel filter through "junk" results. There is no shortage of recent court rulings that highlight the potential impact (e.g., Samsung v. Apple, Hynix v. Rambus) and costs of "discovery gone wrong."
  • Many organizations cannot “break the monkey machine”. In his remarks, Jonathan refers to unbending organizational processes as "the monkey machine." The monkey machine has always done things a specific way, and has embedded that into the company's organizational culture and fabric. To "break the monkey machine," Jonathan argues that it's imperative to involve both the legal and IT departments from the outset, and that it's helpful to have an individual who can “speak both languages.” Further, it's critical to be able to quantify savings delivered by any technology-enabled eDiscovery process improvement.
  • The goal of defensibility is a myth:  Defensibility as a goal often leads to reactivity – which provides a poor starting point and places the burden of persuasion with you, not your adversary. Companies are better served in moving toward a position of justifiability in order to better dictate the rules of the game.
  • Security in the cloud is an internal obstacle – that can be overcome. It is inevitable that IT will continue to look for opportunities to cut costs by moving to the cloud. Legal teams - who are often reluctant to embrace cloud-based approaches to eDiscovery - can be persuaded by showing them the advantages of strong service level agreements (SLAs) and security features (such as Proofpoint’s DoubleBlind Key Architecture) which leave data access and control decisions in the hands of legal decision makers – not cloud service administrators.

Using Proofpoint Enterprise Archive, Jonathan and the team at C. R. Bard have already realized the benefits of automating critical, early-stage discovery tasks. After using the system for 4 large matters, he is happy to report that the solution delivers as advertised and has already proven its ability to provide cost reduction and enable greater process efficiency.

To hear all of Jonathan's insights, watch the replay of "Improving eDiscovery Efficiency in a Cloud-based World."

And if you're in NY for Legal Tech next week, please stop by and meet us at booth 2607!

December 18, 2012

Gartner 2012 Magic Quadrant for Enterprise Information Archiving: Proofpoint One of Three Leaders

New for December 2012, industry analyst firm Gartner has published its Magic Quadrant for Enterprise Information Archiving. This report provides a detailed overview of the Enterprise Information Archiving (EIA) market and evaluates the key vendors based on their completeness of vision and ability to execute.

In the new report, Proofpoint is one of only three vendors positioned as Leaders.

As usual, Proofpoint has licensed a reprint of the new EIA magic quadrant and you can read the full report, compliments of Proofpoint, at the following URL:

http://www.proofpoint.com/email-archiving-magic-quadrant

Writing in the 2012 Magic Quadrant for Enterprise Information Archiving, Gartner analysts Sheila Childs, Kenneth Chin, Debra Logan and Alan Dayley note that, "The EIA market is healthy and growing rapidly. EIA has emerged as a commonly used technology underpinning for higher-level use cases supporting information governance, e-discovery, historical preservation of data and application retirement."

In addition to a comparison of the various archiving vendors and their solutions, the report also highlights several key trends in the enterprise information archiving market, including:

Increasing adoption of cloud-based archiving: The analysts write, "Archiving as a service (aka cloud archiving) has rapidly surpassed on-premises archiving as the preferred deployment model for most organizations."

Growing importance of information governance as an important business driver: Gartner says, "Broader information governance concerns (regulatory compliance, business-focused retention and deletion of data, and managing aging data based on a clear understanding of its value) are beginning to surpass e-discovery as the primary driver for deploying EIA."

In-place management of legal holds is also highlighted as an important feature: Gartner says, "Another trend that is emerging as an offshoot of an organization's desire to better manage its archiving and e-discovery processes is in-place legal hold. This functionality offers the ability to identify data wherever it resides and either apply legal holds to the data without moving it to an archive or to move it to a temporary archive at that point."

There's a lot more terrific information about today's enterprise archiving market in this report. To read it now, follow the link above, or simply complete the mini form, below:

About the Magic Quadrant graphic:

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Proofpoint, Inc. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

December 12, 2012

Aon Corporation Video Case Study: Simplifying Archiving and eDiscovery in the Cloud with Proofpoint

We had the chance recently to speak with Rob Franch, Senior Director for Unified Collaboration & Communications at Aon Corporation about his company's use of the Proofpoint Enterprise Archive cloud-based archiving solution. Aon Corporation is a Fortune 500 provider of risk, reinsurance and human resources services.

In this video case study, Rob discusses the business issues that led Aon to standardize on Proofpoint Enterprise Archive to archive email and other information produced by more than 60,000 employees across 120 countries worldwide. The deployment of Proofpoint was part of Aon's transition from Lotus Notes to hosted Microsoft Exchange and, in the process, Rob and his team greatly streamlined Aon's archiving infrastructure — replacing a variety of legacy systems including IBM Common Store and Symantec Enterprise Vault.

In addition to describing how Aon solved its archiving and eDiscovery challenges, Rob also discusses regulatory compliance, supervision, the partnership between Proofpoint and Microsoft, and his enterprise's ongoing relationship with Proofpoint.

My thanks, once again, to Rob for taking the time to share his story with us and to Aon Corporation for allowing us to share it with you!

 

August 06, 2012

Live this Week! Security Best Practices for Financial Services Organizations

In the financial services industry, maintaining control over private data is crucial to both your customers and your organization's reputation. As the security landscape continues to change, companies need to be prepared to protect their most sensitive business data with the most advanced approaches available today.

To ensure financial industry enterprises are aware of these leading technologies, our next live web seminar, this Wednesday, will focus on best practices for creating the right policies for data privacy and encryption. As new technologies are created that help make encryption efforts easier — and as widely publicized breaches of private data continue to come to light — more financial enterprises are considering these features.  

Our resident data privacy expert, Ken Liao, will discuss how Proofpoint’s financial industry customers use Proofpoint solutions to comply with existing and emerging regulations and ensure the highest standards of security for their companies. Please join us on August 8th 11 AM PST (2 PM EST).

To register, visit the link above or simply complete the form below. As always, a link to a replay of the webinar will be sent to all registered attendees shortly after the live event.

 

June 18, 2007

Breaking down the SaaS security barrier - the key to breaking into the enterprise?

Posted by Chris Tebo, CTO

So in my last post I took the time to explain how we addressed the issue of data security in a SaaS model. Basically, we found a way to apply a rich feature set – including advanced, real-time search – to encrypted data. By doing this, we can store and manage all the data in encrypted format, so even our own staff can’t access the content. At the same time, we can offer the same (or better) feature set as an on-premise, internally managed solution.

By removing the data security issue – which in the past was a major barrier to adoption – we’re finding that customers (yes, even large enterprise customers) are suddenly open to considering using a SaaS solution for their most sensitive data (i.e. email). In fact, the argument has been made that with the safeguards Fortiva offers, the SaaS solution is more secure than in-house.

This is because Fortiva tracks and audits all activity in an unalterable format, so even if an internal resource (i.e. your disgruntled IT guy) decides to read or steal a bunch of emails, you’ll know exactly when it happened and by whom. And since that same disgruntled IT guy won't be able to delete the record of what happened, he's going to think twice about stealing that data in the first place. At the same time, Fortiva applies a level of data redundancy and integrity that goes well beyond what any individual organization could reasonably achieve, guaranteeing multiple copies of all data and applying continuous data validation to prevent corruption.

So why is this relevant to anyone outside Fortiva and our customers? Well, typically, barriers to SaaS adoption have revolved around data security. Corporations generally don't want their highly-sensitive data to be transmitted over any network but their own. And while you can argue that Salesforce.com, the most successful SaaS application on the market, stores fairly sensitive data (i.e. customer and prospect info), it has still only penetrated a small percentage of the larger CRM market.

So while the analysts and the industry pundits are all projecting major growth for SaaS, the question I would ask is – if you have a choice between three solutions: in-house; SaaS with your data exposed on a vendor's network; and SaaS with your data fully encrypted on a vendor's network, which would you choose?

IMO, until SaaS vendors take a more serious look at securing the data they’re dealing with, the larger market – i.e. the enterprise – will remain untapped. In fact, I believe the vendors that will achieve real success in SaaS won’t win because they offer the same level of security as an in-house offering – they’ll win because they offer better security and integrity than what you could ever hope to achieve in-house.

June 07, 2007

How We Solved the SaaS Security Challenge

Posted by Chris Tebo, CTO

When you start talking to IT people about SaaS, one of the most commonly mentioned concerns that comes up is security. I mentioned in an earlier post that I spent a lot of time developing technology to address those security concerns for a SaaS email archive. Since the problem of security and SaaS is something I’d like to explore further through this blog, I figure I should first explain how we dealt with the issue at Fortiva.

The challenge for us came up when we originally started looking at email archiving as a business opportunity. It seemed to us that it was an obvious application to outsource, since so many things about email archiving lend themselves to managed services. Dealing with large volumes of data and dealing with data that is idle for long periods of time are perfect examples. In fact, they’re some of the same reasons why businesses have for years used third parties to store their documents and backup tapes (think Iron Mountain or Recall).

The problem was that when we started thinking about what we’d be storing, we realized that in many cases it would be a company’s most critical business data – everything from details on mergers and acquisitions to intellectual property. Even more importantly, we’d be storing it in a format that is easy to search through in seconds, unlike the boxes of data or backup tapes at traditional third-party data storage companies. So to gain the trust of customers, we knew the onus was on us to prove that we could offer the highest levels of data security.

We came to the conclusion that a pure outsourcing approach just wouldn’t work - this required more than simply asking customers to trust that we have put appropriate security measures in place. We needed to have a technology that could be put to task, a technology that was built from the ground up to prevent us, as the vendor, from having visibility into the customer’s data.

So we started by looking at other solutions where this problem comes up. The closest example we could find was remote offsite backups. The security problem there has been addressed by encrypting data before it leaves the customer site, and leaving it encrypted during storage. This works well for third-party backup providers because they don’t do anything with the data other than store it and send it back to you when necessary. 

The problem is, when you’re talking about email archiving, you need to provide rich functionality and workflow around the data that’s in the archive. A great example is search – we needed to provide a way for our customers to search through messages in the archive. We also needed to provide a way to apply policy and workflow to the archived data based on the content of the messages. So somehow we needed to find a way to “see” the data, without being able to access the content of the data. 

All of this led to us developing DoubleBlind Encryption™ technology. What this allows us to do is to encrypt the data on an appliance before it leaves the customer site, and then store it in encrypted form, much like the traditional third-party backup provider does. Since the customer has the encryption key (Fortiva doesn’t have a copy), we have no way to decrypt the data stored on our network.

The appliance that encrypts the data is also used to prepare an index of the data before it leaves the customer site. When a customer types in a search request, the request goes through the appliance and is encrypted. The encrypted search terms are then cross-referenced against the encrypted archive, and the results are returned to the appliance, which decrypts them before returning them to the end user. All this happens in seconds, because we built the system on a scalable grid architecture.

To put it more simply, imagine that we were using pig latin as the encryption key (of course, we don’t use pig latin, because that’s not particularly safe or secure). In this example, if we wanted to archive a message with the phrase “the quick brown fox,” it would be encrypted to “ethay ickquay ownbray oxfay”. We then build an index that maps back to the same encryption. When a user types in a query for “brown fox”, the request is encrypted at the customer site to “ownbray oxfay” and that query is sent to the system. Any matches are found and returned to the customer network, decrypted by the appliance and returned to the end user.

If our staff or any other outside party were to try to access the data, or even the search terms that a company uses, all they could access would be meaningless data that’s encrypted using the highest standards in encryption technology. All of that together gives our customers the confidence that they don’t have to “trust us”, but rather, they can feel confident that the technology is in place to keep their data just as secure – if not more secure – than it is on their own corporate network.
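The index-and-query flow described in this post can be sketched as a keyed "blind index". This is an added example, not Fortiva's or Proofpoint's code: it assumes HMAC-SHA256 as the term transformation in place of the pig latin analogy, the `Appliance` and `ArchiveServer` names are hypothetical, and encryption of the message bodies themselves is left out.

```python
import hashlib
import hmac
import re
import secrets


def tokenize(text):
    """Lowercase and split into word terms (simplified normalisation)."""
    return re.findall(r"[a-z0-9]+", text.lower())


class Appliance:
    """Customer-site component: the only place the key and plaintext exist."""

    def __init__(self, key):
        self._key = key

    def blind(self, term):
        # Keyed, deterministic token: same term + same key -> same token.
        return hmac.new(self._key, term.encode(), hashlib.sha256).hexdigest()

    def index_tokens(self, body):
        return {self.blind(t) for t in tokenize(body)}

    def query_tokens(self, query):
        return [self.blind(t) for t in tokenize(query)]


class ArchiveServer:
    """Vendor-side store: sees only blinded tokens and message ids."""

    def __init__(self):
        self.index = {}  # token -> set of message ids

    def store(self, msg_id, tokens):
        for tok in tokens:
            self.index.setdefault(tok, set()).add(msg_id)

    def search(self, tokens):
        # AND semantics: a message must contain every queried token.
        hits = [self.index.get(tok, set()) for tok in tokens]
        return set.intersection(*hits) if hits else set()


def demo():
    key = secrets.token_bytes(32)  # stays at the customer site
    appliance, server = Appliance(key), ArchiveServer()
    # Constructed sample messages.
    messages = {1: "The quick brown fox", 2: "A brown bear", 3: "Merger details"}
    for msg_id, body in messages.items():
        server.store(msg_id, appliance.index_tokens(body))
    return appliance, server


if __name__ == "__main__":
    appliance, server = demo()
    print(server.search(appliance.query_tokens("brown fox")))
```

Because the tokens are deterministic, the server can still observe which terms repeat and which messages share a term, so a design of this kind hides content and query words but not their frequency patterns.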


©2012 Proofpoint, Inc.