Proofpoint: Security, Compliance and the Cloud

12 posts categorized "Encryption"

July 13, 2012

Healthcare Security: Webinar on Best Practices and Critical Steps to Protect Sensitive Data

Our live web seminar series continues on Wednesday, July 25th at 11 a.m. PT, 2 p.m. ET with a case study presentation about how one of our BlueCross BlueShield customers has tackled their email security, encryption and healthcare privacy issues. Resident data loss prevention and email encryption expert, Ken Liao, presents.

There are numerous solutions that can be used to encrypt email messages and other important data, however, without a robust policy-based encryption strategy, organizations are highly vulnerable to the leakage of sensitive data.

In BlueCross BlueShield Case Study: Best Practices and Critical Steps to Protect and Secure Sensitive Data, you will learn firsthand how and why a leading BlueCross BlueShield organization uses Proofpoint solutions, including our next-generation, policy-based encryption solution, to protect private healthcare information in email.

Ken will also explain how Proofpoint technology ensures message privacy, enforces internal policies, and helps healthcare organizations comply with HIPAA/HITECH and other data protection and privacy regulations.

To register, visit the link above or simply complete the form below. As always, a link to a replay of the webinar will be sent to all registered attendees shortly after the live event.


July 10, 2012

Mobile Privacy Standards to be Discussed this Week

In this digital age, our smartphones tend to know more information about us than, say, our great Aunt Suzie. From your name and location to the interests of you and your closest friends, all of this information is readily available to advertisers and marketers the moment you accept the terms and agreements of certain mobile applications.

The accessibility of such data has sparked a continued dispute between consumer groups and online marketing firms over the access of user information via mobile applications.

On July 12, the National Telecommunications and Information Administration (NTIA) will host the first of several meetings in an effort to develop new codes of conduct for handling private consumer data on the internet and on mobile networks. The meeting will focus primarily on mobile application security and provide a chance for industry stakeholders to voice their concerns regarding access to private consumer data.

The upcoming meetings stem from a Consumer Privacy Bill of Rights released by the Obama Administration in February of this year. Instead of calling for new privacy standards, Obama’s Bill of Rights calls for a multi-stakeholder process to develop general rules and regulations. The process has generated skepticism about whether this system will incorporate the desires of all publics fairly, most importantly the consumers.

The start of the NTIA meetings could not come soon enough. Recent episodes of mobile applications illegally downloading user information have heightened the need for defined mobile privacy standards. The issue of mobile security now goes beyond the applications themselves to include the advertisements shown within them.

As we watch to see if an outcome can be achieved at the NTIA meetings, it will be interesting to see how these standards will reflect on the corporate side of the equation. Right now, companies must decide for themselves which security features to implement for their employees. Increasingly, this means that mobile security applications that encrypt, archive and protect company data on an employee's smartphone will become a corporate necessity.

September 06, 2011

Email Encryption: New Osterman Research Whitepaper Says Encryption Investments "Pay for Themselves"

Download this Email Encryption White Paper from Osterman Research

Our friends at Osterman Research recently published a new white paper - How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization - about email encryption and similar topics. You can get a free copy, compliments of Proofpoint, by following the link or by filling out the form at the bottom of this post.

In this new report, Osterman Research notes that investments in encryption "pay for themselves" through a number of different avenues. As regular readers of this blog are aware, encryption technologies can play a crucial role in regulatory compliance and regulatory fine avoidance. But email encryption and other types of encryption can also enable secure business and deliver other forms of business value, as described in this new paper.

If you're looking for help in creating a business case for deploying an encryption solution (such as the Proofpoint Encryption email encryption solution), this 15-page report can be extremely helpful. It includes a good summary of the various US state laws that govern security breach notification (or that may require or imply encryption) as well as the many US and international regulatory obligations (such as GLBA, PCI-DSS, FINRA, HIPAA, the UK DPA, Canada's PIPEDA) that imply similar requirements.

To read a copy of the complete Osterman Research report, register at the following link — How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization — or simply complete the form below:


August 22, 2011

Cloud Computing and the Law: Gary Steele Discusses Cloud Privacy and Security on NBC's Press Here

There are two kinds of people: Those who get up early enough on Sunday to watch the news and policy wonk shows and, well, those of us who don't. If, like me, you find yourself in the second camp, you might have missed Proofpoint's CEO, Gary Steele, discussing "Cloud Computing and the Law" with reporters from NBC, Forbes and Bloomberg on yesterday's edition of NBC's "press:here" interview show.

In this segment, Gary discusses some of the legal issues around cloud computing, including whether an electronic document stored in the cloud is entitled to the same protection as that same file stored in a physical safe. While this conversation is focused on data privacy and legislative issues, a discussion of some of the security concerns around cloud computing and storage also comes up.

The conversation ranges from basics about "the cloud" to the concerns around data locality, search and seizure of data and the evolving state of privacy legislation. You can watch a video replay below:


April 12, 2011

State of Texas Exposes Personal Information on 3.5 Million Residents - More Serious than Epsilon Breach?

Regular readers of this blog realize that inadvertent exposures of personal and/or confidential data and violations of regulations (and best practices) for data protection are far from rare (see our annual statistics about data loss, for example), but lately we've seen some huge ones.

In the wake of the recent Epsilon data breach — which exposed only email addresses — comes news of a potential data exposure at the State of Texas involving the email addresses, physical mailing addresses, Social Security Numbers and possibly dates of birth and driver's license numbers of 3.5 million residents.

Kevin Fogarty over at ITworld has a great summary in a blog post from late yesterday (see, "Texas Security Gaffe Dwarfs Epsilon Data Breach"). In short, the Texas state comptroller's office discovered that the records in question had been inadvertently placed on a publicly-accessible server — completely unencrypted — and had been there for as long as a year before being discovered.

As Fogarty notes in his post, this exposure is potentially much more serious than the Epsilon breach, since so much more personally identifiable information was exposed — potentially making those residents prime targets for identity theft, phishing attacks or other forms of fraud. He writes:

"Lost data is often, as with Epsilon, only partial - emails, street addresses or whatever.

Putting full employment and retirement records on a public server, with all the relevant data an identity thief would need to clone and reuse you, and leaving them there for a year?

Texas wins this one hands down over Epsilon. (Although, serendipitously, Epsilon is based in Irving, Texas.)"

As reported by Reuters (see "Private Records of 3.5 Million People Exposed by Texas"), Texas State Comptroller Susan Combs said that there was no indication that any of the information had yet been misused. However, all affected people are being sent letters this week, notifying them of the potential breach.

"I deeply regret the exposure of the personal information that occurred and am angry that it happened," said Combs. "I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered, and was then moved to a secure location."

See my previous post on the Epsilon breach for a recap of Proofpoint's "Seven Simple Rules for Staying Safe Online."

February 17, 2011

The Advantages of Cloud Computing for IT Security and Compliance, Proofpoint CEO Gary Steele

In our newest Proofpoint CEO Series video, Gary Steele shares his thoughts on some of the cost, scalability, reliability and security advantages offered by cloud computing, especially as it relates to enterprise solutions for IT security and compliance.

More videos in our ongoing CEO series can be found in the blog here:

http://blog.proofpoint.com/ceo-series/

November 29, 2010

IT Predictions for 2011: Proofpoint's Top 10 Privacy Issues for 2011

As is traditional during the fourth quarter, IT vendors begin putting out predictions for the coming year, and Proofpoint issued a press release today predicting the top 10 privacy issues for 2011 and how enterprises will respond.

Both consumer privacy concerns and an increasing number of regulations will encourage many organizations to review the way that they handle private information in 2011. As a result, many will deploy new data protection policies, procedures and technology solutions to better protect private and confidential information.

Here are Proofpoint's predictions for the top 10 privacy issues in 2011:

1. The privacy and confidentiality of location-based information will become a major concern for both consumers and corporations. With the rise in mobile GPS information, companies will have to protect both personally identifiable information (PII) of employees, customers and partners, and also create new policies for handling location-based information. Not only will real-time information about location be a vulnerability, but companies will have access to information about where people (or their devices) spend much of their time.

2. At least one major social media site will experience a major breach. According to Nielsen, nearly a quarter (22.7%) of all online time is spent social networking. With more people on social networks and more personal information available via those networks, exposure of that data becomes increasingly likely.

3. Stricter data privacy regulations will be passed worldwide. Privacy regulations in the healthcare, financial services and critical infrastructure industries like energy and telecommunications will likely see new regulations dictating what needs to be protected and what to do when data loss occurs.

4. Expect a US national data breach notification law. Notification laws like California’s SB 1386 exist in 46 of 50 states today. A federal law is imminent.

5. Blended threats will increase. While email is still the number one threat vector for personal information loss, threats from newer communications channels are increasing, especially in the form of blended threats where the target is first attacked through email, then directed to the Web or social media.

6. At least one company will be prosecuted under the broad-reaching Massachusetts Privacy Law (201 CMR 17.00). In March of this year, the Massachusetts Privacy Law went into effect, mandating that any company that “owns or licenses” personal information—whether stored in electronic or paper form—about Massachusetts residents must comply with its privacy requirements, including notification of breaches and encryption of stored or transmitted personal data. Although the state has yet to enforce the law, 2011 will likely be the year that companies begin seeing penalties. In addition, we may see more laws of this type passed in 2011. Nevada also has a similar law.

To deal with these threats, the following additional trends will emerge among businesses:

7. Companies will move away from outright bans on social networks, IM or web mail to allowing those services, but applying stricter corporate policies on these new services as well as investing in secure web gateways to monitor use. New innovations such as Facebook mail give enterprises yet another good reason to put better policy and technology controls around the corporate email system.

8. More companies will create policy around acceptable use. Email leaks such as the recent Google corporate memo exposure are heightening awareness in companies that policies need to be created about what content is considered sensitive, and enforced both through technology and through training.

9. More companies will encrypt more data. Three factors are converging to make 2011 the year of encryption adoption: (1) More regulations today require encryption. (2) It’s become a best practice in many industries. (3) It’s easier to implement and less confusing for users. With processing power increasing and companies like Proofpoint innovating, encryption has become faster and easier to implement and use.

10. More interest in secure managed file transfer. Driven by privacy considerations and security flaws in FTP, more companies will be implementing reliable ways to send files securely. With data breach notification laws in place in nearly every state, companies cannot risk losing data through FTP security issues.

Related Resource

For some actionable advice about improving privacy protection and guarding against data loss, see Gartner's 2010 Content-Aware Data Loss Prevention FAQs report, which you can download compliments of Proofpoint at the following URL:

http://www.proofpoint.com/id/gartner-data-loss-prevention-dlp-faq-report/index.php?id=6

This 8-page report describes Gartner's advice about the best approaches and benefits of deploying data loss prevention (DLP) solutions. It lists many of the typical questions asked by Gartner clients and provides answers that are applicable to the most common DLP scenarios.

July 22, 2010

Ministry of Defense and Other UK Government Agencies Lost Hundreds of Laptops and Mobile Devices, Few Protected by Encryption

[Update July 23, 2010: The Ministry of Defense responds to these disclosures of mobile device losses in eWeek Europe's coverage of the story. Interesting reading. Find the entire story, including the MoD's response here: MoD Loses 340 Laptops in Two Years. Among other comments, an MoD spokesperson told eWeek:

“Yes the figures are high, but it should be remembered that the figures come from a two year period between June 2008 and May 2010. A lot of encryption technologies was brought in later in this period, and procedures such as how laptops are booked in and out, have they been encrypted, have been tightened up.”]

Proofpoint's public relations and research partner in the UK, LEWIS PR, issued an announcement today reporting findings from a UK Freedom of Information request about the frequency of equipment and data losses from lost or stolen equipment.

One of the most shocking findings? Britain's Ministry of Defense lost - or had stolen - 340 laptops in the past two years and less than half of those devices used encryption to protect the data they stored. The cost of the equipment is estimated at more than half a million UK pounds.

And it's not just laptops that went missing: Hundreds of CDs, DVDs, memory sticks, hard drives and mobile phones also were lost.

The full release has info on many more UK government agencies that were hit by extensive mobile device losses or thefts. As I've mentioned here repeatedly, these types of losses are quite frequent. For example, Proofpoint's 2009 annual research on data loss risks showed that more than 20% of large US enterprises investigated the exposure of confidential, sensitive or private information via a lost or stolen mobile device or storage media in the previous 12 months. And while I'm still analyzing the data, the 2010 statistics show an increase over previous years.

This news has been widely reported in the UK IT press today, including SC Magazine, where I'm quoted as saying of these losses:

"While the value of the lost and stolen equipment is staggering, the potential losses of private information about and belonging to UK citizens, classified government information and other non-public information could easily be several times greater. That only 20 per cent of the devices lost from the MoD were protected by encryption is shocking. Organisations of all types need to be aware that, after leaks via email, lost and stolen mobile devices are one of the top sources of data breaches.”

June 23, 2010

Gartner Analyst Eric Ouellet: Many Organizations "Buying More DLP than They Need in the Real World Case"

[Update, November 9, 2010: For more on this topic, read Gartner's 2010 Content-Aware Data Loss Prevention FAQs report, compliments of Proofpoint.]

NetworkWorld's Ellen Messmer has a really interesting article posted yesterday at NetworkWorld, reporting from Gartner's Security & Risk Management Summit (where Proofpoint is exhibiting, booth #27, BTW). In "Too many data-loss prevention tools become shelfware, says analyst", Messmer relates highlights of a presentation by Gartner DLP, security and encryption analyst Eric Ouellet, in which he talks about the challenges that many organizations face when deploying enterprise DLP solutions.

Of particular note, Ouellet discusses how many DLP deployments go awry because there's not enough involvement from the business units who actually own responsibility for setting up and enforcing policies. "Organizations underestimate the need for the involvement of non-IT business units," Ouellet says.

The whole article is worth a read, and it provides an interesting "proof point" for something that we've been noting for quite a while: that multi-channel, enterprise DLP deployments (which involve deploying endpoint, network and discovery tools) are often more difficult and costly than organizations can really manage.

As an alternative, Proofpoint has long argued for a more pragmatic approach to DLP whereby the biggest risk vectors are addressed first (and, as I've noted many times, email continues to be one of the most significant channels for data loss - and one of the least controlled).

Rather than belabor that point here, I'd refer interested readers to this replay of an April 2010 web seminar featuring Proofpoint's Ken Liao, where Ken presents on precisely this topic:

Register for Brighttalk webinar replay: A Pragmatic Approach to Compliance with Policy-Based Encryption

Back to the NetworkWorld article, analyst Eric Ouellet is also quoted on the issue of "enterprise DLP" versus "channel DLP" (that is, addressing the DLP concerns in a specific protocol/channel, such as email):

... the market has evolved over the last year to include a second track for DLP that Gartner is calling "Single Channel DLP," which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used. "It provides you with enough to get you by," he said. Costs in this "Single Channel DLP" area can be in the $5 range for e-mail monitoring per employee.

The distinction between enterprise and channel DLP is discussed briefly in Gartner's 2010 Magic Quadrant for Secure E-mail Gateways, which also gives some detail on the DLP capabilities of each vendor in the email security market, including Proofpoint. You can view a copy of that magic quadrant, compliments of Proofpoint, by visiting:

http://www.proofpoint.com/magicquadrant

April 21, 2010

Email Encryption: Register for Our Live Webinar on Pragmatic Approaches to Regulatory Compliance - April 29th, 2010

Proofpoint email encryption specialist Ken Liao will be presenting a live web seminar on Thursday, April 29th 2010 on the topic of "A Pragmatic Approach to Compliance with Policy-based Encryption" at 9 a.m. PT / Noon ET.

Ken's a great presenter and if you're at all concerned about email as it relates to compliance with data privacy regulations, you won't want to miss this online event. Here's the brief overview of what Ken will cover:

Email continues to be the number one source of data loss risk. If your organization handles data governed by regulations such as PCI, HIPAA or GLBA, you need to ensure that your email system can protect sensitive information from improper exposure, while also enabling secure communication with your customers, clients and business partners. Join this discussion to learn more about requirements for protecting sensitive data in email. You'll learn how automatic, policy-based email encryption can provide effective protection for sensitive information in email and why it should be a central part of your approach to compliance.

To attend, please register by visiting the following URL and clicking the "Register for this event" link:

http://mediazone.brighttalk.com/event/Proofpoint/f87e955fd6-3782-intro


©2012 Proofpoint, Inc.