Proofpoint: Security, Compliance and the Cloud

14 posts categorized "PCI-DSS"

December 08, 2011

New Customer Videos: Leaders in Healthcare, Financial Services, Retail and More Describe Why they Use Proofpoint

At our recent "Proofpoint Inner Circle" customer events, we had a great opportunity to interview several of our enterprise customers about how and why they use Proofpoint Enterprise solutions for email security, data loss prevention, email encryption, regulatory compliance, archiving and electronic discovery.

I've collected several of them in this YouTube playlist. In these videos, representatives from Amalgamated, Liberty Health, PETCO, Graubard Miller, MED3000, Zions Bank and Scottsdale Healthcare share some of the reasons they rely on Proofpoint.

Thanks again to all of our terrific customers who took the time to share their stories with us... And you can find a lot more Proofpoint video content in our YouTube channel at http://www.proofpoint.com/youtube.

September 06, 2011

Email Encryption: New Osterman Research Whitepaper Says Encryption Investments "Pay for Themselves"

Download this Email Encryption White Paper from Osterman Research

Our friends at Osterman Research recently published a new white paper, How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization, about email encryption and similar topics. You can get a free copy, compliments of Proofpoint, by following the link or by filling out the form at the bottom of this post.

In this new report, Osterman Research notes that investments in encryption "pay for themselves" through a number of different avenues. As regular readers of this blog are aware, encryption technologies can play a crucial role in regulatory compliance and regulatory fine avoidance. But email encryption and other types of encryption can also enable secure business and deliver other forms of business value, as described in this new paper.

If you're looking for help in creating a business case for deploying an encryption solution (such as the Proofpoint Encryption email encryption solution), this 15-page report can be extremely helpful. It includes a good summary of the various US state laws that govern security breach notification (or that may require or imply encryption) as well as the many US and international regulatory obligations (such as GLBA, PCI-DSS, FINRA, HIPAA, the UK DPA, Canada's PIPEDA) that imply similar requirements.

To read a copy of the complete Osterman Research report, register at the following link — How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization — or simply complete the form below:

 

July 22, 2011

Webcast Replay: Hyatt Hotels Corporation Meets Email Security and Compliance Challenges with Proofpoint and Microsoft

We had a great webinar this week on "Microsoft Office 365: Meeting Encryption, Privacy and Compliance Requirements" (click the link to register to watch the replay). Hyatt Hotels Corporation CIO, Mike Blake, kindly joined us to relate some of his experience with moving Hyatt's 30,000 email inboxes to Microsoft's next-generation hosted email solution and using Proofpoint to help comply with PCI data security standards and protect customer credit card information.

It's really interesting stuff, so I've extracted Mike's portion of the webinar, which you can watch here:

 

Mike and his team needed an integrated solution that easily fits with Microsoft Office 365 and found that Proofpoint met all of their criteria in terms of ease-of-use, ability to support large global organizations and cost-effectiveness.

"Proofpoint works with a seamless integration to that solution," says Mike. "It also has a proven track record. I was able to talk to some of my friends in the insurance industry and they, too, highly recommended Proofpoint, which helped us get comfortable with... their ability to support large installations."

To get the rest of this web seminar replay, which includes a lot more information and a good live Q&A session, register here.

June 28, 2011

Microsoft Office 365: Enhancements for Enterprise Compliance - Meet Proofpoint's Newest Solution

On the heels of Microsoft's official global launch of Microsoft Office 365, the company's newest cloud-based offering that combines productivity apps with hosted Microsoft Exchange email, Proofpoint has introduced a new solution, Proofpoint Compliance for Office 365.

Proofpoint Compliance for Office 365 (Proofpoint's press release here) adds advanced, enterprise-class email privacy, data loss prevention, encryption and archiving/eDiscovery features to any Office 365 deployment.

While much of the coverage of Microsoft's introduction today has focused on the potential for Office 365 in the small- and medium-sized business market, Microsoft is also targeting the enterprise market with, "an array of choices, from simple email to comprehensive suites to meet the needs of midsize and large businesses, as well as government organizations."

Proofpoint specializes in meeting the advanced security and compliance needs of medium and large enterprises and understands that even in a well-specified product like Office 365, there are gaps between actual product functionality and the needs of large enterprises — especially those in regulated industries.

So, to that end, Compliance for Office 365 combines the features of Proofpoint Enterprise Privacy (data loss prevention, email encryption), Proofpoint Enterprise Archive (archiving and eDiscovery) and Proofpoint Enterprise Protection (inbound/outbound email security) to greatly extend the core security and compliance features of Office 365's messaging environment.

In short, it helps ensure compliance for a wide variety of data protection and privacy mandates including the "alphabet soup" of HIPAA/HITECH, SOX, GLBA, PCI, FERPA, FINRA and SEC regulations.

Proofpoint followers won't really be surprised by this, as the concept is very similar to the work we already do with many large Microsoft BPOS customers such as the USDA.

To learn more about the features of Compliance for Office 365, check out our new product page or register for our July 20th live web seminar, Microsoft Office 365: Meeting Encryption, Privacy and Compliance Requirements, where we'll detail the compliance and security features that come built into Office 365, and how those match to enterprise requirements for data protection and privacy.

For the PDF-minded, we also have a new datasheet on Compliance for Office 365.

April 19, 2011

Video: Proofpoint Customer Case Study - Redwood Credit Union

Following up on my previous video post featuring some great anti-phishing and password tips from Proofpoint customer Tony Hidlesheim of Redwood Credit Union, here are two more videos where Tony talks about how his organization uses Proofpoint to secure inbound email while preventing data loss via outbound email and HTTP traffic.

Redwood Credit Union is the 10th largest credit union in the state of California. In part one of our video interview, Tony explains how the credit union uses Proofpoint for email security while also applying those same security policies to HTTP (web or "port 80") traffic. Tony also shares some security insights about social media and the security.

 

In part two of our customer case study interview, Tony talks more about the specific inbound email security and outbound data loss prevention policies that his organization enforces. Tony discusses some of the features he most likes about Proofpoint.

He also comments on the impact of data privacy rules and regulations such as PCI and GLBA, noting that while compliance with regulations is important, his number one concern is keeping credit union members' private financial information secure because his business is all about member service.

  



Thanks again to Tony and the rest of our friends at Redwood Credit Union for taking the time to share these perspectives with me!

(And as a reminder: If you're a customer and would like to share your Proofpoint story with us, do send us an email to pr@proofpoint.com!)

March 28, 2011

Massachusetts Shows It's Serious About Enforcing Data Security Regulations: $110,000 Fine for Restaurant Group that Failed to Secure Personal Data

Earlier this year, Ken Liao and I presented a webinar on our "Top Ten Privacy Predictions for 2011" and one of those predictions was that we'd see at least one enforcement action under the Massachusetts data protection law (201 CMR 17).

While that prediction has not exactly come to pass, today's announcement from the attorney general of Massachusetts shows that the state is extremely serious about enforcing its data privacy laws.

A press release from the Mass AG's office today, "Major Boston Restaurant Group That Failed to Secure Personal Data to Pay $110,000 Under Settlement with AG Coakley," announces that the restaurant group Briar Group, LLC will pay a $110,000 fine, ensure compliance with Massachusetts data security regulations, ensure compliance with PCI-DSS and will upgrade their computer security systems.

“When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected,” said Massachusetts attorney general Martha Coakley in the statement. “In this instance, the Briar Group did not take proper protections to protect customers’ personal information. In addition to the payment, this agreement also works to ensure that steps have been taken to protect consumer information moving forward. Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.”

As the Mass AG's press release points out, the data breach at Briar Group happened prior to the effective date of the Massachusetts data security regulations (and, hence, my prediction has not quite come true yet), but the data security standards set forth in those regulations were used in the settlement.

For more info on 201 CMR 17 and other privacy and data protection resources, see the privacy predictions link I mentioned earlier in this post.

January 13, 2011

Top Ten Privacy Predictions 2011: Follow-up and Links from Yesterday's Live Web Seminar

Thanks to the hundreds of you that tuned in for our first live web seminar of the new year, "2011 Predictions: Top 10 Privacy Issues" where co-presenter Ken Liao and I looked into the crystal ball to expose the cultural, policy, technology and regulatory trends that will dominate privacy discussions this year! My thanks especially for all of the great questions and feedback on the seminar.

If you missed it, or if you'd like to refer back to the web seminar, it's now available as a replay. For those of you who registered for the live event, a direct link to the replay file has been sent to you via email, as usual.

In our presentation, Ken and I shared quite a few links to various privacy-related resources that I promised to share with you here as clickable links, so here they are, by prediction:

Intro: Why Privacy Matters Today

Privacyrights.org's running list of data breaches can be found here:
http://www.privacyrights.org/data-breach

Proofpoint's 2010 research on data loss events was referenced multiple times during the presentation. You can download a copy of our full report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 here:
http://www.proofpoint.com/outbound

Prediction 1: Mobility & Location-based Info Becomes a Major Concern

We had a little extra comedy in yesterday's webinar as our slide on this first prediction had mysteriously disappeared. Click the image at left to see the slide we had intended to display!

Predictions 2-4: At Least One Major Social Media Site Will Experience a Serious Breach, Evolution of Social Media Policies, More Organizations will Formalize Acceptable Use Policies

The data/charts in these slides on social media data loss events, social media/web services that large organizations prohibit access to, and acceptable use policy adoption are all from the aforementioned Proofpoint research at http://www.proofpoint.com/outbound.

Prediction 5: Blended Threats Will Continue to Increase

For more on the VBMania outbreak and other recent blended threats, see my blog post about "Blended Threats Old and New." On the topic of spam's holiday vacation and subsequent return, see "Spam Volume Makes a Comeback After Holiday Hiatus."

Prediction 6: New, Stricter Privacy Regulations Will be Adopted Worldwide

Not mentioned in the slide, but here's a good article explaining the European reactions to privacy implications of Google Street View.

Prediction 7: Expect a US National Data Breach Notification Law

Here's the link to the Federal Trade Commission's report on Protecting Consumer Privacy. And here's information on the new White House "Enhancing Online Trust and Privacy" initiative.

Prediction 8: At Least One Enforcement Action Under Massachusetts 201 CMR 17

Links for the State of Massachusetts FAQ on 201 CMR 17, and an interesting ThreatPost article about a possible 201 CMR 17 test case in 2011.

Prediction 9: More Organizations Will Encrypt More Data

Find more product information about Proofpoint Encryption here. Also, http://www.proofpoint.com/outbound is referenced again (data on adoption of data loss prevention technologies).

Prediction 10: Increased Adoption of Secure/Managed File Transfer

The statistic about the level of concern around FTP as a source of data loss risk is, once again, from http://www.proofpoint.com/outbound. And visit this link for information on the Proofpoint Secure File Transfer solution.

Q&A Session

In my comments, I mentioned the recent email breach of personal information of all GSA personnel.

Thanks again to everyone who joined us for this web seminar. If you missed it and would like to see the replay, please visit:

 http://www.proofpoint.com/id/top10privacy/index.php?id=6



December 08, 2010

CEO Series Video: Why Privacy Matters Today

In this first of a series of videos about security and compliance issues in today's enterprise, Proofpoint CEO Gary Steele talks about why consumer privacy is such a hot-button issue, some of the implications for enterprises and gives several tips for how companies can better protect confidential and private information.

As Gary notes, "Today's consumer expects, when they give their information to you, that you'll properly control and manage that."

 

Viewers concerned about protecting private data may also find the following Proofpoint resources useful:

Gartner 2010 Content-Aware Data Loss Prevention FAQs: This complimentary Gartner report shares best practices for preventing data loss.

Outbound Email and Data Loss Prevention in Today's Enterprise: Proofpoint's 2010 statistics on enterprise data loss events, policies and much more.

Protecting Enterprise Data with Proofpoint Encryption: This whitepaper provides information on how enterprises can better protect confidential data using email encryption and how Proofpoint's SaaS-powered email encryption technology works. 

November 15, 2010

PETCO Moves Email Security and Email Encryption to the Cloud

Leading pet specialty retailer PETCO has been using Proofpoint's email security solution for several years to protect several thousand inboxes from spam, viruses and other email threats. Today's Proofpoint press release, "PETCO Keeps Email Security Needs on a Leash with Proofpoint Enterprise Protection," describes several exciting changes to that deployment.

First, PETCO (like many other longtime Proofpoint customers) has moved its deployment from an on-premises deployment using appliances to Proofpoint's SaaS (Software-as-a-Service) version. In doing so, PETCO has simplified its IT environment and will reduce costs.

Lyndon Brown, PETCO's senior IT manager, says, “Like most enterprises today, PETCO has been looking for ways to simplify its IT infrastructure and reduce costs using SaaS and cloud computing technologies, and Proofpoint helped us achieve both goals.”

In addition to moving inbound email security features to the cloud, PETCO has also adopted Proofpoint's SaaS-powered email encryption solution, Proofpoint Encryption. Proofpoint's outbound email scanning and email encryption features will help PETCO protect confidential information and personally identifiable information (PII) in email, helping the company comply with data protection regulations such as PCI-DSS, Sarbanes-Oxley and FTC rules.

“By moving both inbound email security and outbound email encryption to the cloud, our IT department is better able to focus on the core needs of our business while also reaping immediate benefits, such as decreased datacenter cooling, power and IT administration costs.”

Read more about PETCO's use of Proofpoint in the full press release.

And, as the illustration accompanying this post reminds us (courtesy of PETCO's holiday shop), the holiday season is upon us and email security threats are escalating as usual. To learn more about the latest spam, phishing and blended threat attacks, attend our live web seminar this Wednesday, November 17th. Register at the following link:

Register for Proofpoint webinar: Holiday Threats - Why Fruitcake is the Least of Your Worries

November 08, 2010

GSA Workers' Social Security Numbers Emailed to Private Email Address, SSNs Critical in Identity Theft

The New York Times reported yesterday that the names and Social Security Numbers of the entire staff at the General Services Administration (GSA)—more than 12,000 people—were apparently emailed by an agency employee to a private email address. (See, "GSA workers' Social Security numbers e-mailed.")

The Times reports that technicians discovered the email containing the names and SSNs while reviewing logs on September 22, 2010, one week after the message was sent. The GSA explained to employees that a worker had sent the file containing the personal data by accident.

While this is a potentially massive exposure of private information, these sorts of email exposures are far from rare. Proofpoint's latest research in this area found that nearly one third (32%) of large US enterprises had investigated a suspected violation of privacy or data protection regulations involving email in the preceding 12 months. (For this data and many other statistics about similar data loss events see our report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010.)

Given the frequency of this type of exposure, organizations (especially those in regulated sectors such as healthcare, financial services, retail and government) should ideally have technology in place to detect private information. This sort of massive, inadvertent exposure of personal information via email is easily stopped using modern email security solutions.

For example, users of the Proofpoint Enterprise Privacy email data loss prevention and email encryption solution will often have a rule configured to block any outbound email found to contain multiple Social Security Numbers.

Typically, messages with Social Security Numbers should always be sent in encrypted form. Handling personal data in this way is not just a best practice, but is mandated by data protection standards and regulations including HIPAA, GLBA, PCI-DSS and various US state data privacy laws.
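The policy described in the last two paragraphs (block outbound mail carrying multiple SSNs, encrypt mail carrying one) can be sketched as follows. This is an added example, not Proofpoint's rule or code; the function names, the threshold of two, the `agency.example` domain and every sample number are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# Dashed or space-separated SSNs only; bare 9-digit runs are skipped to limit false positives.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")

def plausible_ssn(area, group, serial):
    """Reject ranges the SSA never issues (area 000, 666, 9xx; group 00; serial 0000)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return the set of distinct plausible SSNs found in text."""
    return {"-".join(m.groups()) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())}

def message_text(msg):
    """Concatenate the subject plus every text/* part, including text attachments such as CSV."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            chunks.append(body.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)

def evaluate(raw, internal_domains, block_threshold=2):
    """Return 'allow', 'encrypt' or 'block' for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in rcpts if a.rpartition("@")[2].lower() not in internal_domains]
    if not external:
        return "allow"  # internal-only mail is out of scope for this outbound rule
    count = len(find_ssns(message_text(msg)))
    if count >= block_threshold:
        return "block"
    return "encrypt" if count == 1 else "allow"

def sample_message(to, body, attachment=None):
    """Build a constructed test message; all names and numbers are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "hr@agency.example", to, "Staff roster"
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, subtype="csv", filename="staff.csv")
    return m.as_string()

# Constructed roster: two plausible SSNs and one in a never-issued range.
ROSTER = "name,ssn\nJane Roe,123-45-6789\nJohn Doe,234-56-7890\nInvalid,000-12-3456\n"

if __name__ == "__main__":
    internal = {"agency.example"}
    print(evaluate(sample_message("me@webmail.example", "See attached.", ROSTER), internal))
    print(evaluate(sample_message("payroll@vendor.example", "SSN 345-67-8901"), internal))
    print(evaluate(sample_message("boss@agency.example", "See attached.", ROSTER), internal))
```

Counting distinct, range-validated numbers rather than raw pattern hits keeps order numbers and phone numbers from tripping the threshold.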

For more on why it's so important to protect Social Security Numbers, see this new BankInfoSecurity article, "Incidents Prove Link Between Social Security Numbers, ID Theft." In that article, information privacy expert Mari Frank says that SSNs are, "the key to medical-benefit theft, government-benefit theft, you name it."

 


©2012 Proofpoint, Inc.