Proofpoint: Security, Compliance and the Cloud

Proofpoint's live web seminar series continues on Wednesday, May 18th with "Healthcare Privacy 2011: Top 5 Messaging and Collaboration Risks." Proofpoint data loss prevention expert Rami Habal will discuss:

• How hospitals, HMOs and other medical providers can manage email and social media content in compliance with privacy regulations

• How advances in policy-based email encryption can greatly simplify administration, reduce costs and improve usability for both desktop and mobile email recipients

• The impact of regulations—including HIPAA/HITECH—on data privacy and retention policies in the healthcare industry

• Recommendations for taking a proactive approach to archiving email and other communications in the event of litigation or regulatory investigation

• Trends in inbound threats that could compromise your email and messaging infrastructure, and expose private data

• How other leading healthcare organizations have tackled today’s critical messaging and collaboration challenges, while improving patient care.

To register, follow the link above, or simply fill out the form in this blog post.

Exciting news to share with you this afternoon about Proofpoint's progress in the Federal space.

In an announcement issued just this afternoon (see, "Proofpoint Receives FISMA Certification from USDA"), Proofpoint announced that its its Proofpoint Enterprise Archive solution has been granted an Authority to Operate (ATO) by the United States Department of Agriculture (USDA).

Proofpoint was granted the ATO on April 19, 2011, based on its ability to meet the stringent requirements of the Federal Information Security Management Act (FISMA) certification and accreditation (C&A) process. FISMA certification and accreditation indicates that a federal agency has approved a particular solution for its use in line with the level of security established by that agency.

As noted in the announcement, Proofpoint Enterprise Archive is the first cloud-based archiving solution to be granted an ATO by a Cabinet-level agency.

The USDA is using Proofpoint’s email archiving solution in conjunction with that department's deployment of  Microsoft's cloud-based Enterprise Messaging Services. This deployment will provide compliant email archiving for 120,000 Microsoft Exchange users spread throughout 21 departments, making it the largest US Federal government implementation of cloud-based enterprise email archiving technology.

Proofpoint Enterprise Archive will allow the USDA to easily access archived email for regulatory requests, retention policy adherence and legal discovery.

Susie Adams, the chief technology officer for Microsoft Federal said, "The U.S. Department of Agriculture has certified and accredited Microsoft’s cloud-based suite for government customers in accordance with FISMA, allowing Microsoft to provide these services to government customers. This milestone is further validation of the high standards of compliance and security within Microsoft’s cloud-based solutions."

You can find more comments from Susie Adams in her blog post in Microsoft's FutureFed blog. See, "USDA Awards FISMA Certification for Microsoft’s Business Productivity Online Suite (BPOS) - Federal."

Andres Kohn, Proofpoint's vice president or archiving and eDiscovery solutions, commented, "Many federal agencies are looking to cloud-based services to help them meet the dual challenges of tightening budgets and more severe and frequent security breaches. By achieving FISMA certification for our e-mail archiving solution in conjunction with Microsoft BPOS-Federal, Proofpoint is opening the door for more rapid adoption of cloud-based e-mail solutions throughout the US Federal community."

As you might imagine, achieving FISMA certification is a complex task, involving third-party assessments of a wide variety of security features and policies. In this case, SecureInfo Corporation assisted with the assessment of Proofpoint's solutions.

SecureInfo CEO Christopher Fountain said, "As a third-party assessor, SecureInfo has conducted thousands of information security assessments and has specific expertise in all aspects of FISMA compliance. As part of our assessment of Proofpoint’s enterprise email archiving solution, Proofpoint successfully demonstrated the effective implementation of the management, operational and technical controls , which was required to realize an ATO at the USDA and is a critical element of FISMA compliance."

Additional comments from SecureInfo's CTO,  Yong-Gon Chon, about the complexity and rigor of these evaluations can be found in his guest post in the Microsoft Online Services Team Blog. See, "What Goes Into a FISMA Certification?" 

We're looking forward to bringing the benefits of Proofpoint's SaaS email archiving solution to the USDA and other US Federal agencies.

Our Director of Channel & International Marketing, Dave Crilley sent me this shot of Proofpoint's InfoSecurity Europe stand under construction. I trust that by now Dave and his team have things completely put together and are ready for the first day of the InfoSec show!

If you're in London for the InfoSecurity Europe 2011 event this week, do make a point of stopping by the Proofpoint stand, #F50, at Earls Court, London.

Our international team will be on hand to demonstrate our latest SaaS email security, email encryption, data loss prevention, email archiving & eDiscovery solutions... And while you're there, take our survey for a chance to win a new Apple iPad 2!

In addition to presentations and demos at our booth, Proofpoint will also be represented in the Technical Theater where Andres Kohn, our VP of Technology, will be presenting his talk, "Can Data Be More Secure in the Cloud?" on April 19th at Noon.

If you're in London and would like to attend the Infosecurity Europe 2011 for free, you can get a free pass courtesy of Proofpoint by visiting the following link:

Free Infosecurity Europe 2011 registration, courtesy of Proofpoint »

Hope to have more reports from the show floor for you as the week progresses!

 We recently launched a new newsfeed called "Proofpoint Security, Compliance and the Cloud News."

Each weekday our editors publish new, original articles about topics that readers of this blog will appreciate. Subjects include cloud computing, SaaS, IT security, compliance, archiving, eDiscovery, email security and data loss prevention issues.

There are several ways to stay up to date with this newsfeed:

You can read the articles online in your web browser by visiting:

http://www.proofpoint.com/news-and-events/security-compliance-and-cloud-news/index.php

Or you can subscribe to our Security Compliance and the Cloud RSS feed and read the articles in your favorite RSS reader.

If you're more social media oriented, follow our @ProofpointNews Twitter account, which automatically tweets headlines and links whenever new articles are published. (Unlike our main  Twitter account, @ProofpointNews only tweets headlines from the  Security, Compliance and the Cloud newsfeed... Follow @Proofpoint_Inc for those and a whole lot more...)

Tuesdays often bring new music and movie releases, Microsoft patches and, here at Proofpoint this particular Tuesday brings some new mobile apps and video demonstrations of the same.

In my previous blog post, I mentioned we'd be drilling down on some of these new features. In these short videos, Proofpoint product marketing manager Namson Tran walks us through the highlights of our mobile archiving, mobile dashboard and mobile encryption capabilities. Check it out!

This is the Proofpoint Mobile Archive app, which extends Proofpoint Enterprise Archive to iPhone users, allowing for search anytime, anywhere...

Proofpoint administrators can use the Proofpoint Mobile Dashboard app to keep up with Proofpoint news and global spam detection effectiveness, status of their support tickets and view information on their Proofpoint Enterprise deployments:

Making on-the-go access to encrypted email easy for mobile users is another goal of Proofpoint Mobile and here, Namson demonstrates the Proofpoint Decrypt Assist features of Proofpoint Encryption. Decrypt Assist works with any mobile smartphone with a web browser (including Android, BlackBerry, iPhone and Windows 7 Phone)...

To learn more about the capabilities of Proofpoint Mobile, see our new information page here.

And Android users, we've heard your requests for 'droid versions of Proofpoint apps... but it never hurts to share your requests once again. Let us know what platforms and capabilities you'd like to see Proofpoint support in future apps by commenting here in the blog!

Those of you who are litigators or legal IT professionals based on the east coast (and I know there are a few of you out there) may be interested in this Thompson Reuters event - Litigation Project Management for In-House Counsel-being held tomorrow (March 3, 2011) at the Westin Times Square in New York City. 

Our director of eDiscovery solutions, Robert Cruz, and Proofpoint customer Steven Heller, head of IT for legal firm Graubard-Miller will be participating, presenting a workshop on "Controlling the Costs of Data Identification and Collection."

More details and registration info on this event here -- http://westlegaledcenter.com/program_guide/course_detail.jsf?courseId=33705658 -- including the day's agenda.

For those of you who can't attend the NY event, but are interested in legal IT issues and eDiscovery in particular might want to register for our live web seminar next week:

Robert Cruz and Rami Habal (our director of product management and expert on all things DLP) will be on hand to talk about the many dimensions of social media risk and how you can apply today's security technologies (including cloud-based security solutions) to address these issues.

To register, visit this link—Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers—or simply fill out the form below:

Tip 'o' the blog to our resident eDiscovery expert, Robert Cruz, who pointed out an interesting Gartner press release from last week — see "Gartner Says by Year-End 2013, Half of All Companies Will Have Been Asked to Produce Material from Social Media Websites for E-Discovery" — that had slipped by me.

Gartner's announcement references a recent piece of Gartner research, authored by analyst Debra Logan, and published during December of 2010.

Not sure why they're just getting around to promoting that report now, but it's an interesting piece (Gartner subscribers can access a full copy of Social Media Governance: An Ounce of Prevention at http://www.gartner.com/resId=1498916). Many of the most interesting points in the full document are actually made in the press release. These include:

1. Social media content isn't special when it comes to eDiscovery: Says analyst Debra Logan, "Social media content is like all other content that is created by companies and individuals and is subject to the same rules, laws and customs." So, just as with email, companies will need to be able to quickly discover and produce social media content in response to legal or regulatory discovery requests.
   
   "In e-discovery, there is no difference between social media and electronic or even paper artifacts. The phrase to remember is 'if it exists, it is discoverable'," says Logan.
   
   
2. Keep social media policies simple and consistent: On the topic of policies, Logan suggests that, "Policymakers need to keep policies simple when it comes to what should and should not be done online. A good rule of thumb is that  whatever the company code of conduct is for in-person encounters, and whatever the rules are for general good behavior and common sense, apply in the online world as well."
   
   Additionally, Logan notes that the "legal landscape" around social media remains in flux due to "overlapping, conflicting and contradictory laws and regulations." Because there is no clear guidance, "the safest option is to have a consistent policy and apply it consistently."
   
   
3.  In the absence of technology controls, banning access might be appropriate: Says Logan, "If... a technology creates content that cannot be captured for archival purposes and that archive is required by law, then the organization must tell employees... not to use the technology, even unofficially." Gartner's press release also notes that Gartner estimates that, by the end of 2012, 50% of companies will attempt to block access to some or all social networking sites.
   
   Proofpoint's own research on this subject (see page 13 of our Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 report) shows that roughly half of large enterprises already have policies that prohibit the use of popular social networking sites such as Facebook (53% ban by policy), YouTube (53% ban by policy) and Twitter (49% ban by policy) — whether they actually attempt to block access to such sites.

Of course, the problem with banning or blocking employee access to social media sites is that one is sacrificing the many benefits of social media in favor of security and compliance. As a result, many employees will attempt to "work around" such blocks and restrictions.  Over time, such situations won't be sustainable.

But the good news is that the technology to monitor, enforce compliance rules and retain/archive social media content actually exists today and is getting easier and less costly to deploy.

We'll be discussing this topic in detail in our upcoming (March 9, 2011) live web seminar, "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers." To register, click the preceding link, or simply fill out the form below:

Our live web seminar series continues on Wednesday, March 9th at 11 AM Pacific Time, 2 PM Eastern Time, with "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers."

We post here about social media risks, policies and trends fairly regularly here (see the social media category), and our annual research on data loss issues shows that social media channels (including Facebook, LinkedIn, Twitter and other sites) are increasingly the source of data breaches (see this post for a video overview of our 2010 findings).

In response, about half of organizations simply prohibit access to popular social media sites. But over the long term, that approach will be less effective as social media becomes more and more ingrained into how companies do business. So our feeling is that companies need to address social media risks in the same way that most of them address email security risks—via a combination of policy and technology.

In addition to data loss and compliance issues, one very new area of concern is the archiving, retention and discovery of social media content. In many cases, social media communications such as corporate tweets, Facebook posts/messages, etc. can be considered business records and could be subject to the same sorts of discovery rules as corporate emails.  (See this recent CIO article for an interesting overview and introduction to this topic, "Why Your Records Retention Policy Should Include Social Media").

Our upcoming webinar will have both Robert Cruz, our director of eDiscovery solutions, and Rami Habal, our director of product management and expert on all things DLP, on hand to talk about the many dimensions of social media risk and how you can apply today's security technologies (including cloud-based security solutions) to address these issues.

To register, visit this link—Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers—or simply fill out the form below:

Three new things to share with you today: First, Proofpoint announced a new partnership with  Clearwell Systems, a leading provider of eDiscovery solutions, to deliver integrated, cloud-based litigation-readiness services for email.

The companies will work together to better integrate the Proofpoint Enterprise Archive SaaS email archiving solution with Clearwell's eDiscovery Platform, delivering a solution that will reduce the time, costs and risks associated with electronic discovery.

You can read more about that partnership in our full press release.

In conjunction with that announcement, we also published a new whitepaper that explains how the adoption of cloud computing applications can complicate electronic discovery if not handled correctly. In What Every Enterprise Should Know about Cloud Computing and eDiscovery we explain these risks and offer practical advice on how to evaluate cloud service providers and the features and service level agreements you should look in cloud-based solutions, so that eDiscovery risks are minimized while meeting your organizations business, legal and IT goals.

As usual, you can get a copy of this whitepaper by clicking the link above... But (and here's the third new thing), you can also get a copy right now, simply by filling out the form below. How's that for efficiency?

Complete this form and click "Submit" to read our new cloud computing and eDiscovery whitepaper:

Proofpoint's senior director of eDiscovery solutions, Robert Cruz, recently presented a web seminar with legal publication InsideCounsel.

In "What are Your Obligations to Retain Email and Other Forms of Electronic Content?", Robert discusses the content retention challenges faced by organizations in the midst of stringent litigation and regulatory compliance demands, and offers practical advice for how to address those challenges.

Topic covered included:

• Key legal, business and regulatory drivers for archiving email and other electronic content
• The impact of regulations—including FINRA, HIPAA and newer or less well known regulations—on your organization’s retention policies
• Recommendations for taking a proactive approach to content retention and litigation hold procedures
• Given the sweeping impact of the Dodd Frank Wall Street Reform Act and introduction of "preventative compliance," what steps can you take to prepare your organization for greater regulatory information access and transparency?
• How organizations in both regulated and previously non-regulated industries are tackling retention challenges

To watch this replay now (no registration required!) visit the following link:

http://webcast.streamlogics.com/audience/index.asp?eventid=52552431