Proofpoint: Security, Compliance and the Cloud

8 posts categorized "GLBA"

December 08, 2011

New Customer Videos: Leaders in Healthcare, Financial Services, Retail and More Describe Why they Use Proofpoint

At our recent "Proofpoint Inner Circle" customer events, we had a great opportunity to interview several of our enterprise customers about how and why they use Proofpoint Enterprise solutions for email security, data loss prevention, email encryption, regulatory compliance, archiving and electronic discovery.

I've collected several of them in this YouTube playlist. In these videos, representatives from Amalgamated, Liberty Health, PETCO, Graubard Miller, MED3000, Zions Bank and Scottsdale Healthcare share some of the reasons they rely on Proofpoint.

Thanks again to all of our terrific customers who took the time to share their stories with us... And you can find a lot more Proofpoint video content in our YouTube channel at http://www.proofpoint.com/youtube.

September 06, 2011

Email Encryption: New Osterman Research Whitepaper Says Encryption Investments "Pay for Themselves"

Download this Email Encryption White Paper from Osterman Research

Our friends at Osterman Research recently published a new white paper, How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization, about email encryption and similar topics. You can get a free copy, compliments of Proofpoint, by following the link or by filling out the form at the bottom of this post.

In this new report, Osterman Research notes that investments in encryption "pay for themselves" through a number of different avenues. As regular readers of this blog are aware, encryption technologies can play a crucial role in regulatory compliance and regulatory fine avoidance. But email encryption and other types of encryption can also enable secure business and deliver other forms of business value, as described in this new paper.

If you're looking for help in creating a business case for deploying an encryption solution (such as the Proofpoint Encryption email encryption solution), this 15-page report can be extremely helpful. It includes a good summary of the various US state laws that govern security breach notification (or that may require or imply encryption) as well as the many US and international regulatory obligations (such as GLBA, PCI-DSS, FINRA, HIPAA, the UK DPA, Canada's PIPEDA) that imply similar requirements.

To read a copy of the complete Osterman Research report, register at the following link — How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization — or simply complete the form below:

 

June 28, 2011

Microsoft Office 365: Enhancements for Enterprise Compliance - Meet Proofpoint's Newest Solution

On the heels of Microsoft's official global launch of Microsoft Office 365, the company's newest cloud-based offering that combines productivity apps with hosted Microsoft Exchange email, Proofpoint has introduced a new solution, Proofpoint Compliance for Office 365.

Proofpoint Compliance for Office 365 (Proofpoint's press release here) adds advanced, enterprise-class email privacy, data loss prevention, encryption and archiving/eDiscovery features to any Office 365 deployment.

While much of the coverage of Microsoft's introduction today has focused on the potential for Office 365 in the small- and medium-sized business market, Microsoft is also targeting the enterprise market with, "an array of choices, from simple email to comprehensive suites to meet the needs of midsize and large businesses, as well as government organizations."

Proofpoint specializes in meeting the advanced security and compliance needs of medium and large enterprises and understands that even in a well-specified product like Office 365, there are gaps between actual product functionality and the needs of large enterprises — especially those in regulated industries.

So, to that end, Compliance for Office 365 combines the features of Proofpoint Enterprise Privacy (data loss prevention, email encryption), Proofpoint Enterprise Archive (archiving and eDiscovery) and Proofpoint Enterprise Protection (inbound/outbound email security) to greatly extend the core security and compliance features of Office 365's messaging environment.

In short, it helps ensure compliance for a wide variety of data protection and privacy mandates including the "alphabet soup" of HIPAA/HITECH, SOX, GLBA, PCI, FERPA, FINRA and SEC regulations.

Proofpoint followers won't really be surprised by this, as the concept is very similar to the work we already do with many large Microsoft BPOS customers such as the USDA.

To learn more about the features of Compliance for Office 365, check out our new product page or register for our July 20th live web seminar, Microsoft Office 365: Meeting Encryption, Privacy and Compliance Requirements, where we'll detail the compliance and security features that come built into Office 365, and how those match to enterprise requirements for data protection and privacy.

For the PDF-minded, we also have a new datasheet on Compliance for Office 365.

April 19, 2011

Video: Proofpoint Customer Case Study - Redwood Credit Union

Following up on my previous video post featuring some great anti-phishing and password tips from Proofpoint customer Tony Hidlesheim of Redwood Credit Union, here are two more videos where Tony talks about how his organization uses Proofpoint to secure inbound email while preventing data loss via outbound email and HTTP traffic.

Redwood Credit Union is the 10th largest credit union in the state of California. In part one of our video interview, Tony explains how the credit union uses Proofpoint for email security while also applying those same security policies to HTTP (web or "port 80") traffic. Tony also shares some security insights about social media and the security.

 

In part two of our customer case study interview, Tony talks more about the specific inbound email security and outbound data loss prevention policies that his organization enforces. Tony discusses some of the features he most likes about Proofpoint.

He also comments on the impact of data privacy rules and regulations such as PCI and GLBA, noting that while compliance with regulations is important, his number one concern is keeping credit union members' private financial information secure because his business is all about member service.

  



Thanks again to Tony and the rest of our friends at Redwood Credit Union for taking the time to share these perspectives with me!

(And as a reminder: If you're a customer and would like to share your Proofpoint story with us, do send us an email to pr@proofpoint.com!)

December 08, 2010

CEO Series Video: Why Privacy Matters Today

In this first of a series of videos about security and compliance issues in today's enterprise, Proofpoint CEO Gary Steele talks about why consumer privacy is such a hot-button issue, some of the implications for enterprises and gives several tips for how companies can better protect confidential and private information.

As Gary notes, "Today's consumer expects, when they give their information to you, that you'll properly control and manage that."

 

Viewers concerned about protecting private data may also find the following Proofpoint resources useful:

Gartner 2010 Content-Aware Data Loss Prevention FAQs: This complimentary Gartner report shares best practices for preventing data loss.

Outbound Email and Data Loss Prevention in Today's Enterprise: Proofpoint's 2010 statistics on enterprise data loss events, policies and much more.

Protecting Enterprise Data with Proofpoint Encryption: This whitepaper provides information on how enterprises can better protect confidential data using email encryption and how Proofpoint's SaaS-powered email encryption technology works. 

November 08, 2010

GSA Workers' Social Security Numbers Emailed to Private Email Address, SSNs Critical in Identity Theft

The New York Times reported yesterday that the names and Social Security Numbers of the entire staff at the General Services Administration (GSA), more than 12,000 people, were apparently emailed by an agency employee to a private email address. (See, "GSA workers' Social Security numbers e-mailed.")

The Times reports that technicians discovered the email containing the names and SSNs while reviewing logs on September 22, 2010, one week after the message was sent. The GSA explained to employees that a worker had sent the file containing the personal data by accident.

While this is a potentially massive exposure of private information, these sorts of email exposures are far from rare. Proofpoint's latest research in this area found that nearly one third (32%) of large US enterprises had investigated a suspected violation of privacy or data protection regulations involving email in the preceding 12 months. (For this data and many other statistics about similar data loss events see our report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010.)

Given the frequency of this type of exposure, organizations (especially those in regulated sectors such as healthcare, financial services, retail and government) should ideally have technology in place to detect private information. This sort of massive, inadvertent exposure of personal information via email is easily stopped using modern email security solutions.

For example, users of the Proofpoint Enterprise Privacy email data loss prevention and email encryption solution will often have a rule configured to block any outbound email found to contain multiple Social Security Numbers.

Typically, messages with Social Security Numbers should always be sent in encrypted form. Handling personal data in this way is not just a best practice, but is mandated by data protection standards and regulations including HIPAA, GLBA, PCI-DSS and various US state data privacy laws.
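The kind of outbound rule described above, sketched as an added example (not Proofpoint's code or rule syntax): it counts distinct, plausibly valid SSNs in a message and maps the count to an action. The threshold, the action names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; names and numbers are made up for the example.
SAMPLE = """\
From: hr@example.org
To: someone@example.net
Subject: staff list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Alice Example 123-45-6789
Bob Example 321 54 9876
Order ref 000-12-3456 (area 000 is never issued)
Help desk 555-123-4567
"""

# Delimited forms only (dash or space, used consistently) to limit false
# positives on bare nine-digit numbers such as order or account ids.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")

def plausible_ssn(area, group, serial):
    """Area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_ssns(text):
    """Return the set of distinct plausible SSNs (digits only) found in text."""
    found = set()
    for m in SSN_RE.finditer(text):
        area, _, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            found.add(area + group + serial)
    return found

def message_text(raw):
    """Collect the subject and every text/* part of an RFC 5322 message."""
    msg = message_from_string(raw)
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)

def outbound_action(raw, block_threshold=2):
    """Assumed policy: several SSNs -> block, exactly one -> encrypt."""
    count = len(find_ssns(message_text(raw)))
    if count >= block_threshold:
        return "block"
    return "encrypt" if count == 1 else "deliver"

if __name__ == "__main__":
    print(outbound_action(SAMPLE))
```

Binary attachments (spreadsheets, PDFs, archives) are not inspected here; a production rule would need text extraction for those formats before the same check applies.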

For more on why it's so important to protect Social Security Numbers, see this new BankInfoSecurity article, "Incidents Prove Link Between Social Security Numbers, ID Theft." In that article, information privacy expert Mari Frank says that SSNs are, "the key to medical-benefit theft, government-benefit theft, you name it."

 

June 18, 2010

Supreme Court Rules in Text Messaging Privacy Case (City of Ontario, CA vs. Quon): Implications for Enterprise Email and Text Monitoring Policies

Regular readers of this blog know that I've been following the legal proceedings around a text messaging privacy case involving City of Ontario, California police officer Jeff Quon and his employer, the Ontario (California) Police Department. Last year, the 9th Circuit Court sided with several police officers (including Quon) who had sued the department for reading hundreds of personal text messages (many of which were of a sexually explicit nature) that officers had sent and received on department-issued pagers.

The City appealed that ruling to the Supreme Court, which has issued its ruling today in City of Ontario v. Quon, U.S. Supreme Court case No. 08-1332. In its ruling, the high court reversed the 9th Circuit Court's finding, ruling that the City's search and audit of Quon's text messages was reasonable. (You can read the full text of the court's decision here: City of Ontario, California, v. Quon (PDF format).)

Business and Legal Reports has a good summary of this case in the article, "Supreme Court Rules on Text Message Privacy Case." And, of course, the court's findings have been reported widely today in other media (for example, this LA Times article). 

Though this particular case involved the privacy of text messages and the privacy of government employees that send them, the outcome of this case will have an impact on workplace monitoring policies in all types of industries – not just government – and for all types of electronic communication mediums.

One of the main take-aways from the Supreme Court’s ruling today is that the employer’s policies, and the clarity with which those policies are communicated, are crucial to establishing what sort of “reasonable expectation of privacy” employees should have.

In this particular case, the court found that the City of Ontario’s search and audit of text transcripts was reasonable, not excessively intrusive and had a clearly work-related purpose (the City was trying to determine if employees’ text messaging limits were too low and should be increased; during this audit, the content of Quon’s personal messages came to light).

The court also found that Quon did not have a reasonable expectation of privacy, in part because Quon had signed the city’s Computer Usage, Internet and Email Policy, which stated that the City “reserves the right to monitor and log all network activity… with or without notice.”

My advice to employers and employees is as follows:

  1. Companies that monitor employees' outbound email and other electronic communications should clearly communicate to them what is being monitored and how. If that includes transmissions to "personal" email accounts via company networks or devices, this should be explicitly stated. If the company feels that employees should not have a reasonable expectation of privacy, this should be clearly communicated in a formal, written policy.
  2. Additionally, as part of their electronic communications policies, companies should discourage employees from using personal accounts to conduct company business.
  3. Employees should be aware that, even in the absence of a formal policy, their employer may be monitoring or auditing their electronic communications. For example, Proofpoint’s own research (http://www.proofpoint.com/outbound) finds that 46% of large US companies perform regular audits of outbound email content.

Of course, employers have many legitimate reasons for monitoring the content of email, web messages and text messages sent from their organizations, not the least of which are concerns about compliance with data protection regulations including HIPAA and GLBA.

In our 2009 research on this topic, Proofpoint found that 43% of US companies had investigated a suspected email leak of confidential or proprietary information in the past 12 months and 34% had investigated an email-based violation of privacy or data protection regulations in the past 12 months.

With respect to text messaging, Proofpoint found that 13% of large US companies had investigated the exposure of confidential, sensitive or private information via an SMS text or Web-based short message service (e.g., Twitter). And 41% of those companies said that they are highly concerned about the risk of information leakage via Web-based short messaging.

More such statistics are available in Proofpoint’s 2009 Outbound Email and Data Loss Prevention in Today’s Enterprise report, which is available from http://www.proofpoint.com/outbound. (The 2010 edition of this report will be available in the coming weeks.)

April 27, 2010

Infosecurity Europe: New Products, New Partnership... Win an iPad at Stand L90!

If that darn volcano hasn't interfered with your travel plans and you're in London for this week's Infosecurity Europe 2010 show, do make sure you visit Proofpoint at stand L90 to learn about our latest SaaS solutions for email security, data loss prevention, email encryption and email archiving.

In an announcement we issued yesterday, Proofpoint introduced its Proofpoint 6.1 platform (which powers our flagship Proofpoint ENTERPRISE email security solution) to the European market. New features include multi-protocol (email and Web) DLP capabilities, a new data loss prevention dashboard, an Outlook plug-in for easier access to on-demand email encryption (via Proofpoint Encryption) and other security and performance enhancements. You can read all about it (in English) at the following URL:

http://www.proofpoint.com/InfoSecurity2010News

That release is also available in French and German, as well.

Now today, we've announced a new partnership with Titus Labs, a company that provides email classification and document classification solutions. I have to admit that, before we started working with Titus Labs, I didn't know much about issues such as email classification, protective markings and such, but it turns out that there are a wide variety of regulations that government organizations and other types of enterprises need to comply with that involve the proper classification and marking of both communications (such as email) and documents themselves.

Titus makes some really great solutions in this area and, as you might imagine, there are some terrific synergies between solutions like this and data loss prevention, email encryption and archiving. For example, our press release today describes a couple of use cases:

Titus Labs Message Classification and Document Classification products are widely used by government, military and commercial organizations to classify and protectively mark Microsoft Outlook messages and Office documents. Explicit visual labels and corresponding metadata properties that are applied to email messages and their attachments by Titus Labs solutions can automatically trigger a wide variety of policy enforcement, data loss prevention, encryption and archiving policies applied by Proofpoint solutions.

For example, using Proofpoint ENTERPRISE™ Privacy, protectively marked emails and documents can be automatically encrypted, blocked or quarantined for further review before transmission via email, depending upon what labels have been applied. Similarly, different data retention periods can be enforced based on the classification of a message or its attachments (using Proofpoint ARCHIVE™).

Applications include compliance with a wide variety of regulations including the UK’s GPMS (Government Protective Marking Scheme) and Data Protection Act, the Australian E-Protective Marking standard, ITAR (International Traffic in Arms Regulations), HIPAA and other healthcare privacy rules and GLBA, PCI-DSS and other financial data privacy regulations. 

You can learn more about this partnership by reading our full press release, Titus Labs and Proofpoint Partner to Deliver Interoperable Email Classification, Email Security and DLP Solutions to Enterprise and Government Customers Worldwide. Or, better yet, visit our stands at the Infosecurity Europe exhibition, in London’s Earls Court stand L90 (for Proofpoint) or stand J30 (for Titus Labs).

This is a really interesting new area and Titus Labs will be joining us for an upcoming webinar to explain how their solution works and the benefits of using email classification and email security technology together to better protect data.

When you visit Proofpoint's booth, you can also be entered to win an Apple iPad, just by taking our Infosecurity Europe email security trends survey. We have a couple of the new tablet computers on hand that you can use to take our short survey about email security trends in Europe and one lucky respondent will get to take one home! 


©2012 Proofpoint, Inc.