Proofpoint: Security, Compliance and the Cloud

10 posts categorized "Encryption"

September 06, 2011

Email Encryption: New Osterman Research Whitepaper Says Encryption Investments "Pay for Themselves"

Download this Email Encryption White Paper from Osterman Research

Our friends at Osterman Research recently published a new white paper - How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization- about email encryption and similar topics. You can get a free copy, compliments of Proofpoint, by following the link or by filling out the form at the bottom of this post.

In this new report, Osterman Research notes that investments in encryption "pay for themselves" through a number of different avenues. As regular readers of this blog are aware, encryption technologies can play a crucial role in regulatory compliance and regulatory fine avoidance. But email encryption and other types of encryption can also enable secure business and deliver other forms of business value, as described in this new paper.

If you're looking for help in creating a business case for deploying an encryption solution (such as the Proofpoint Encryption email encryption solution), this 15-page report can be extremely helpful. It includes a good summary of the various US state laws that govern security breach notification (or that may require or imply encryption) as well as the many US and international regulatory obligations (such as GLBA, PCI-DSS, FINRA, HIPAA, the UK DPA, Canada's PIPEDA) that imply similar requirements.

To read a copy of the complete Osterman Research report, register at the following link — How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization — or simply complete the form below:


August 22, 2011

Cloud Computing and the Law: Gary Steele Discusses Cloud Privacy and Security on NBC's Press Here



There are two kinds of people: Those who get up early enough on Sunday to watch the news and policy wonk shows and, well, those of us who don't. If, like me, you find yourself in the second camp, you might have missed Proofpoint's CEO, Gary Steele, discussing "Cloud Computing and the Law" with reporters from NBC, Forbes and Bloomberg on yesterday's edition of NBC's "press:here" interview show.

In this segment, Gary discusses some of the legal issues around cloud computing, including whether an electronic document stored in the cloud is entitled to the same protection as that same file stored in a physical safe. While this conversation is focused on data privacy and legislative issues, a discussion of some of the security concerns around cloud computing and storage also comes up.

The conversation ranges from basics about "the cloud" to the concerns around data locality, search and seizure of data and the evolving state of privacy legislation. You can watch a video replay below:


April 12, 2011

State of Texas Exposes Personal Information on 3.5 Million Residents - More Serious than Epsilon Breach?

Regular readers of this blog realize that inadvertent exposures of personal and/or confidential data and violations of regulations (and best practices) for data protection are far from rare (see our annual statistics about data loss, for example), but lately we've seen some huge ones.

In the wake of the recent Epsilon data breach — which exposed only email addresses — comes news of a potential data exposure at the State of Texas involving the email addresses, physical mailing addresses, Social Security Numbers and possibly dates of birth and driver's license numbers of 3.5 million residents.

Kevin Fogarty over at ITworld has a great summary in a blog post from late yesterday (see, "Texas Security Gaffe Dwarfs Epsilon Data Breach"). In short, the Texas state comptroller's office discovered that the records in question had been inadvertently placed on a publicly-accessible server — completely unencrypted — and had been there for as long as a year before being discovered.

As Fogarty notes in his post, this exposure is potentially much more serious than the Epsilon breach, since so much more personally identifiable information was exposed — potentially making those residents prime targets for identity theft, phishing attacks or other forms of fraud. He writes:

"Lost data is often, as with Epsilon, only partial - emails, street addresses or whatever.

Putting full employment and retirement records on a public server, with all the relevant data an identity thief would need to clone and reuse you, and leaving them there for a year?

Texas wins this one hands down over Epsilon. (Although, serendipitously, Epsilon is based in Irving, Texas.)"

As reported by Reuters (see "Private Records of 3.5 Million People Exposed by Texas"), Texas State Comptroller Susan Combs said that there was no indication that any of the information had yet been misused. However, all affected people are being sent letters this week, notifying them of the potential breach.

"I deeply regret the exposure of the personal information that occurred and am angry that it happened," said Combs. "I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered, and was then moved to a secure location."

See my previous post on the Epsilon breach for a recap of Proofpoint's "Seven Simple Rules for Staying Safe Online."

February 17, 2011

The Advantages of Cloud Computing for IT Security and Compliance, Proofpoint CEO Gary Steele

In our newest Proofpoint CEO Series video, Gary Steele shares his thoughts on some of the cost, scalability, reliability and security advantages offered by cloud computing, especially as it relates to enterprise solutions for IT security and compliance.

More videos in our ongoing CEO series can be found in the blog here:

http://blog.proofpoint.com/ceo-series/

November 29, 2010

IT Predictions for 2011: Proofpoint's Top 10 Privacy Issues for 2011

As is traditional during the fourth quarter, IT vendors begin putting out predictions for the coming year, and Proofpoint issued a press release today predicting the top 10 privacy issues for 2011 and how enterprises will respond.

Both consumer privacy concerns and an increasing number of regulations will encourage many organizations to review the way that they handle private information in 2011. As a result, many will deploy new data protection policies, procedures and technology solutions to better protect private and confidential information.

Here are Proofpoint's predictions for the top 10 privacy issues in 2011:

1. The privacy and confidentiality of location-based information will become a major concern for both consumers and corporations. With the rise in mobile GPS information, companies will have to protect both personally identifiable information (PII) of employees, customers and partners, and also create new policies for handling location-based information. Not only will real-time information about location be a vulnerability, but companies will have access to information about where people (or their devices) spend much of their time.

2. At least one major social media site will experience a major breach. According to Nielsen, nearly a quarter (22.7%) of all online time is spent social networking. With more people on social networks and more personal information available via those networks, exposure of that data is increasingly likely.

3. Stricter data privacy regulations will be passed worldwide. The healthcare, financial services and critical infrastructure industries (such as energy and telecommunications) will likely see new regulations dictating what needs to be protected and what to do when data loss occurs.

4. Expect a US national data breach notification law. Notification laws like California’s SB 1386 exist in 46 of 50 states today. A federal law is imminent.

5. Blended threats will increase. While email is still the number one threat vector for personal information loss, threats from newer communications channels are increasing, especially in the form of blended threats where the target is first attacked through email, then directed to the Web or social media.

6. At least one company will be prosecuted under the broad-reaching Massachusetts Privacy Law (201 CMR 17.00). In March of this year, the Massachusetts Privacy Law went into effect, mandating that any company that “owns or licenses” personal information—whether stored in electronic or paper form—about Massachusetts residents must comply with its privacy requirements, including notification of breaches and encryption of stored or transmitted personal data. Although the state has yet to enforce the law, 2011 will likely be the year that companies begin seeing penalties. In addition, we may see more laws of this type passed in 2011. Nevada also has a similar law.

To deal with these threats, the following additional trends will emerge among businesses:

7. Companies will move away from outright bans on social networks, IM or web mail to allowing those services, but applying stricter corporate policies on these new services as well as investing in secure web gateways to monitor use. New innovations such as Facebook mail give enterprises yet another good reason to put better policy and technology controls around the corporate email system.

8. More companies will create policy around acceptable use. Email leaks such as the recent Google corporate memo exposure are heightening awareness in companies that policies need to be created about what content is considered sensitive, and that those policies need to be enforced both through technology and through training.

9. More companies will encrypt more data. Three factors are converging to make 2011 the year of encryption adoption: (1) More regulations today require encryption. (2) It’s become a best practice in many industries. (3) It’s easier to implement and less confusing for users. With processing power increasing and companies like Proofpoint innovating, encryption has become faster and easier to implement and use.

10. More interest in secure managed file transfer. Driven by privacy considerations and security flaws in FTP, more companies will be implementing reliable ways to send files securely. With data breach notification laws in place in nearly every state, companies cannot risk losing data through FTP security issues.

Related Resource

For some actionable advice about improving privacy protection and guarding against data loss, see Gartner's 2010 Content-Aware Data Loss Prevention FAQs report, which you can download compliments of Proofpoint at the following URL:

http://www.proofpoint.com/id/gartner-data-loss-prevention-dlp-faq-report/index.php?id=6

This 8-page report describes Gartner's advice about the best approaches and benefits of deploying data loss prevention (DLP) solutions. It lists many of the typical questions asked by Gartner clients and provides answers that are applicable to the most common DLP scenarios.

July 22, 2010

Ministry of Defense and Other UK Government Agencies Lost Hundreds of Laptops and Mobile Devices, Few Protected by Encryption

[Update July 23, 2010: The Ministry of Defense responds to these disclosures of mobile device losses in eWeek Europe's coverage of the story. Interesting reading. Find the entire story, including the MoD's response here: MoD Loses 340 Laptops in Two Years. Among other comments, an MoD spokesperson told eWeek:

“Yes the figures are high, but it should be remembered that the figures come from a two year period between June 2008 and May 2010. A lot of encryption technologies was brought in later in this period, and procedures such as how laptops are booked in and out, have they been encrypted, have been tightened up.”]

Proofpoint's public relations and research partner in the UK, LEWIS PR, issued an announcement today reporting findings from a UK Freedom of Information request about the frequency of equipment and data losses from lost or stolen equipment.

One of the most shocking findings? Britain's Ministry of Defense lost - or had stolen - 340 laptops in the past two years and less than half of those devices used encryption to protect the data they stored. The cost of the equipment is estimated at more than half a million UK pounds.

And it's not just laptops that went missing: Hundreds of CDs, DVDs, memory sticks, hard drives and mobile phones also were lost.

The full release has info on many more UK government agencies that were hit by extensive mobile device losses or thefts. As I've mentioned here repeatedly, these types of losses are quite frequent. For example, Proofpoint's 2009 annual research on data loss risks showed that more than 20% of large US enterprises investigated the exposure of confidential, sensitive or private information via a lost or stolen mobile device or storage media in the previous 12 months. And while I'm still analyzing the data, the 2010 statistics show an increase over previous years.

This news has been widely reported in the UK IT press today, including SC Magazine, where I'm quoted as saying of these losses:

"While the value of the lost and stolen equipment is staggering, the potential losses of private information about and belonging to UK citizens, classified government information and other non-public information could easily be several times greater. That only 20 per cent of the devices lost from the MoD were protected by encryption is shocking. Organisations of all types need to be aware that, after leaks via email, lost and stolen mobile devices are one of the top sources of data breaches."

June 23, 2010

Gartner Analyst Eric Ouellet: Many Organizations "Buying More DLP than They Need in the Real World Case"

[Update, November 9, 2010: For more on this topic, read Gartner's 2010 Content-Aware Data Loss Prevention FAQs report, compliments of Proofpoint.]

NetworkWorld's Ellen Messmer has a really interesting article posted yesterday at NetworkWorld, reporting from Gartner's Security & Risk Management Summit (where Proofpoint is exhibiting, booth #27, BTW). In "Too many data-loss prevention tools become shelfware, says analyst", Messmer relates highlights of a presentation by Gartner DLP, security and encryption analyst Eric Ouellet, in which he talks about the challenges that many organizations face when deploying enterprise DLP solutions.

Of particular note, Ouellet discusses how many DLP deployments go awry because there's not enough involvement from the business units who actually own responsibility for setting up and enforcing policies. "Organizations underestimate the need for the involvement of non-IT business units," Ouellet says.

The whole article is worth a read, and it provides an interesting "proof point" for something that we've been noting for quite a while: multi-channel, enterprise DLP deployments (which involve deploying endpoint, network and discovery tools) are often more difficult and costly than organizations can really manage.

As an alternative, Proofpoint has long argued for a more pragmatic approach to DLP whereby the biggest risk vectors are addressed first (and, as I've noted many times, email continues to be one of the most significant channels for data loss, and one of the least controlled).

Rather than belabor that point here, I'd refer interested readers to this replay of an April 2010 web seminar featuring Proofpoint's Ken Liao, where Ken presents on precisely this topic:

Register for Brighttalk webinar replay: A Pragmatic Approach to Compliance with Policy-Based Encryption

Back to the NetworkWorld article, analyst Eric Ouellet is also quoted on the issue of "enterprise DLP" versus "channel DLP" (that is, addressing the DLP concerns in a specific protocol/channel, such as email):

... the market has evolved over the last year to include a second track for DLP that Gartner is calling "Single Channel DLP," which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used. "It provides you with enough to get you by," he said. Costs in this "Single Channel DLP" area can be in the $5 range for e-mail monitoring per employee.

The distinction between enterprise and channel DLP is discussed briefly in Gartner's 2010 Magic Quadrant for Secure E-mail Gateways, which also gives some detail on the DLP capabilities of each vendor in the email security market, including Proofpoint. You can view a copy of that magic quadrant, compliments of Proofpoint, by visiting:

http://www.proofpoint.com/magicquadrant

April 21, 2010

Email Encryption: Register for Our Live Webinar on Pragmatic Approaches to Regulatory Compliance - April 29th, 2010

Proofpoint email encryption specialist Ken Liao will be presenting a live web seminar on Thursday, April 29th 2010 on the topic of "A Pragmatic Approach to Compliance with Policy-based Encryption" at 9 a.m. PT / Noon ET.

Ken's a great presenter and if you're at all concerned about email as it relates to compliance with data privacy regulations, you won't want to miss this online event. Here's the brief overview of what Ken will cover:

Email continues to be the number one source of data loss risk. If your organization handles data governed by regulations such as PCI, HIPAA or GLBA, you need to ensure that your email system can protect sensitive information from improper exposure, while also enabling secure communication with your customers, clients and business partners. Join this discussion to learn more about requirements for protecting sensitive data in email. You'll learn how automatic, policy-based email encryption can provide effective protection for sensitive information in email and why it should be a central part of your approach to compliance.

To attend, please register by visiting the following URL and clicking the "Register for this event" link:

http://mediazone.brighttalk.com/event/Proofpoint/f87e955fd6-3782-intro

February 25, 2010

HIPAA Breach Notifications Begin: US Department of Health and Human Services, Office for Civil Rights, Publicly Posts Breach Info Online

Earlier this week, the US Department of Health and Human Services (HHS), which is now charged with enforcing the US healthcare privacy laws known as HIPAA and HITECH, began posting a list of organizations that have notified the HHS about breaches of unsecured health information that affected more than 500 individuals (as required by section 13402(e)(4) of the HITECH Act, which requires the Secretary of the HHS to "post a list of breaches of unsecured protected health information affecting 500 or more individuals.")

The editors of HealthcareInfoSecurity.com (which is an awesome resource, BTW) have a good summary in their article, "Breach Reports: We've Only Just Begun."

You can find the HHS's list of reported breaches here:

HHS: Healthcare Information Breaches Affecting 500 or More Individuals

Causes for these breaches run the gamut from thefts of paper printouts, hacks and misdirected email messages to losses or thefts of laptops and mobile devices (which would seem to be the most common problem from my cursory scan of the list).

If you're interested in HIPAA/HITECH compliance issues and how they impact email security, you should check out the replay of Proofpoint's recent web seminar, "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email" at:

http://www.proofpoint.com/id/beyondhipaa/index.php.

Some of that same information is covered in whitepaper form in our paper of the same name. You can download that whitepaper here:

Whitepaper: HIPAA and Beyond - An Update on Healthcare Security Regulations for Email, 2009

October 21, 2009

Windows 7 Security: A Roundup of Security Features and Commentary from Around the Web

So the big IT news this week is, of course, the launch of Microsoft's Windows 7 operating system tomorrow (Thursday, October 22, 2009). While the jury's still out on whether widespread Windows 7 adoption will improve security in a global sense, it does look like there are some solid new security features that could definitely help decrease malware propagation and prevent data breaches from lost or stolen devices (with the inclusion of BitLocker drive encryption that can now support USB removable devices, i.e., "BitLocker to Go").

PC World has a nice overview of some of the core Windows 7 security features including a short primer on how to protect drives with BitLocker. This seems like one of the most dramatic improvements to me (as our own research found that more than 20% of large enterprises investigated a data breach due to lost or stolen devices and media in just the past 12 months). Find that overview here:

PC World: A Guide to Windows 7 Security

CNET's download.com site has a slideshow tour of some of the security-related interfaces in Windows 7 including shots of the security Action Center and User Account Control panel with some easy-to-digest commentary:

CNET: Security in Windows 7 Slideshow

Of course, some things haven't changed over previous versions of Windows. Our friends at F-Secure have previously pointed out that the Windows Explorer default of hiding file extensions for known file types represents a security problem because that makes it more likely for users to inadvertently run malware executables that are masquerading as document or media files (e.g., GIFs, JPEGs or WMVs).

This default continues in Windows 7. Personally, I don't know how folks can even deal with Windows when you can't see file extensions and this is one of the first things I change on a new system or fresh Windows install.

Find F-Secure's commentary on this issue here:

F-Secure Blog: Windows 7 Fail
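As an added example (not from the original post or from F-Secure), here is a PowerShell check an administrator can run to audit the "hide extensions for known file types" setting and to flag files whose visible name would look like a document or media file while the real extension is executable. It assumes the standard HideFileExt value under the current user's Explorer\Advanced key and, by default, scans the Downloads folder; the extension lists are my own choices.

```powershell
# Added example: audit Explorer's hidden-extension default and find files that
# would masquerade as documents when the real extension is hidden.
# Assumes Windows PowerShell 5+ and the standard HideFileExt registry value.

$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt

if ($hidden -ne 0) {
    Write-Warning "Explorer is hiding known file extensions (HideFileExt=$hidden)."
    # Uncomment to show extensions for the current user (Explorer restart or
    # logoff/logon required for the change to take effect):
    # Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0
} else {
    Write-Host "Known file extensions are shown (HideFileExt=0)."
}

# Types Windows runs on double-click. With extensions hidden, 'holiday.jpg.exe'
# is displayed as 'holiday.jpg'; these lists are constructed for the example.
$execExt  = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.wsf')
$decoyExt = @('.jpg', '.jpeg', '.gif', '.png', '.wmv', '.avi', '.mp3', '.pdf', '.doc', '.docx', '.txt')

function Find-DisguisedExecutable {
    param([string]$Path = "$env:USERPROFILE\Downloads")

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $realExt = $_.Extension.ToLower()
            # Extension that would remain visible once Explorer hides the real one
            $shownExt = [System.IO.Path]::GetExtension($_.BaseName).ToLower()
            ($execExt -contains $realExt) -and ($decoyExt -contains $shownExt)
        } |
        Select-Object FullName, Length, LastWriteTime
}

Find-DisguisedExecutable | Format-Table -AutoSize
```

Any file listed deserves a look before anyone opens it; an empty result only means no double-extension names were found, not that the folder is clean.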

I haven't had much time to mess about with Windows 7 yet, though I've been pretty impressed with it based on my experience installing the 64-bit version of the Win 7 beta on a new drive. It definitely offers snappier performance over XP on the same hardware and the ability to address huge amounts of memory is a huge win for folks like me who do a lot of multimedia work.

That being said, as with any new install of Windows, your first stop after installing Win 7 should be to install a good desktop anti-virus solution. I was pleased to find that F-Secure's Internet Security 2010 already supports Windows 7 (both 64-bit and 32-bit versions) and installed with no hassles. I'm sure that many of the other major anti-virus solutions offer the same support, but I continue to be a big fan of F-Secure because it's very effective, doesn't hog system resources and has a slick user interface.

©2012 Proofpoint, Inc.