Proofpoint: Security, Compliance and the Cloud

On the heels of Microsoft's official global launch of Microsoft Office 365, the company's newest cloud-based offering that combines productivity apps with hosted Microsoft Exchange email, Proofpoint has introduced a new solution, Proofpoint Compliance for Office 365.

Proofpoint Compliance for Office 365 (Proofpoint's press release here) adds advanced, enterprise-class email privacy, data loss prevention, encryption and archiving/eDiscovery features to any Office 365 deployment.

While much of the coverage of Microsoft's introduction today has focused on the potential for Office 365 in the small- and medium-sized business market, Microsoft is also targeting the enterprise market with, "an array of choices, from simple email to comprehensive suites to meet the needs of midsize and large businesses, as well as government organizations."

Proofpoint specializes in meeting the advanced security and compliance needs of medium and large enterprises and understands that even in a well-specified product like Office 365, there are gaps between actual product functionality and the needs of large enterprises — especially those in regulated industries.

So, to that end, Compliance for Office 365 combines the features of Proofpoint Enterprise Privacy (data loss prevention, email encryption), Proofpoint Enterprise Archive (archiving and eDiscovery) and Proofpoint Enterprise Protection (inbound/outbound email security) to greatly extend the core security and compliance features of Office 365's messaging environment.

In short, it helps ensure compliance for a wide variety of data protection and privacy mandates including the "alphabet soup" of HIPAA/HITECH, SOX, GLBA, PCI, FERPA, FINRA and SEC regulations.

Proofpoint followers won't really be surprised by this, as the concept is very similar to the work we already do with many large Microsoft BPOS customers such as the USDA.

To learn more about the features of Compliance for Office 365, check out our new product page or register for our July 20th live web seminar, Microsoft Office 365: Meeting Encryption, Privacy and Compliance Requirements, where we'll detail the compliance and security features that come built into Office 365, and  how those match to enterprise requirements for data protection and privacy.

For the PDF-minded, we also have a new datasheet on Compliance for Office 365.

Proofpoint's live web seminar series continues on Wednesday, April 13th with a brand new email security topic, "Enhancing Security & Compliance for Microsoft Email Environments."

Businesses large and small have moved – or are considering moving – their email infrastructure to a hosted Exchange environment such as Microsoft’s own Business Productivity Online Suite (BPOS) or Office 365 to lower costs and minimize burdens on internal IT staff. However, some are concerned about the security of their data in the cloud, and how to best about enhance their current Microsoft offerings.

In this live webinar, we'll explain how Proofpoint’s SaaS email security and compliance solutions complement and extend all types of hosted Exchange deployments, including Microsoft BPOS and the forthcoming Office 365 suite. As always, webinar registrants will receive a link to a replay of the live event as soon as it's available. And Proofpoint product experts will answer your questions live during a Q&A period at the end of the webinar.

To register, please visit the following link — Enhancing Security & Compliance for Microsoft Email Environments — or simply fill out the form below:

First, "Good question!" And second, "Why did I ask this in the first place?"

Ran across two things recently that inspired me to write on this topic...

One:In doing a little research into how web surfers find Proofpoint and the Proofpoint Email Security blog, I discovered some interesting statistics (and regular readers know how I love statistics).

Proofpoint generally describes its solutions as being "Software-as-a-Service (SaaS)" — because that really is the best description for our "on-demand" type offerings — or, in the case of things that are deployed on-premises (like email security appliances) as "cloud-enabled" (because they leverage various cloud services that we've built).

But it turns out that a lot of individuals, when looking for "not on-premises" solutions, use the term "hosted" in their searches. 

For example, Google's search engine reports 85% more searches for "hosted email encryption" than for "SaaS email encryption." In the case of "email archiving" almost 5 times as many users search for "hosted email archiving" over "SaaS email archiving". And for "email security" we see 6 times as many searches for "hosted email security" as for "SaaS email security."

I have to say that I was surprised by these differences. Much higher than I had expected! So, should we just call these things "hosted" and get on with it?

I don't think so...  And here's why...

Two: I recently became aware of a cool blog called Enterprise Features that touches on a lot of the same topics we cover here (see for example, this very interesting interview about Wikileaks and corporate privacy) where I read a really nice summary of the differences between the "hosted" and "SaaS" concepts.

In, "The Difference Between Hosted, SaaS (Software-as-a-Service) and the Cloud," technology blogger Paul Rudo writes, "the most obvious difference between 'SaaS applications' and 'hosted applications' is that one is a 'service' that you use, and the other is a 'product' that you own."

He notes also that there's "some overlap between SaaS applications and hosted applications. You can reasonably say that all SaaS services are hosted, but it would not be accurate to say that all hosted applications are SaaS."

He goes on to give a very easy to understand example around hosting a Wordpress blog versus subscribing to the SaaS version of Wordpress. (Rather than cribbing his entire article, I encourage you to read it here.) In the hosted case, he notes that there might be more control and flexibility, but there's also more maintenance effort. In the SaaS case,  one is taking advantage of the service that Wordpress offers, possibly losing some flexibility but gaining much in the way of convenience, security and lowered total cost of ownership.

It's a great description, but I'd also point out that SaaS solutions also have an element of shared services to them (and this is one of the primary ways that SaaS reduces TCO).

As an example, in the Proofpoint Enterprise Archive SaaS email archiving solution, we leverage a huge grid of servers to enable very rapid searches across an organization's entire mail archive and we guarantee that — no matter how large one's archive grows or how complex the search query — search results will be returned in 20 seconds or less. While each organization's data is held in strict isolation, all customers have access to this elastic pool of computing resources to perform discovery. 

This would be very hard and costly to replicate in a purely "hosted" model. Sure, you could "rack and stack" some archiving appliances in a remote datacenter, but you'd have to buy much more hardware than you would need on a day-to-day basis to ensure that same level of performance. 

I could go on, but I think you can see that the difference between "SaaS" and "hosted" solutions isn't purely a semantic one.

Readers, what do you think? We're always interested in your comments!

Back to my first point, I think it's going to take some time before this difference is fully understood. And, until that time, I guess I have to occasionally call what we do "hosted" simply to expose more people to the concept.

So, how about some resources about "hosted security and compliance" topics? Here are three great whitepapers that address the advantages of various SaaS hosted security versus an on-premises approach:

• Hosted Email Security whitepaper »
• Hosted Email Archiving whitepaper »
• Hosted Email Encryption whitepaper »