Proofpoint: Security, Compliance and the Cloud

30 posts categorized "Security"

March 17, 2014

Office365 and eDiscovery? The confusion continues…



Speaking to many customers considering Microsoft Office365 and its new features for eDiscovery leads me to one and only one conclusion: the confusion continues.

Articles published by Microsoft and others that have seen preview of the technology reinforce this point. (See here, referencing a Microsoft webinar where “no specifics were provided”). Hmmm.

Those looking for a simple, straight forward answer as to whether Office365 alone is sufficient to address one’s eDiscovery burdens will be greatly disappointed. No one likes to see a response of “it depends” to a simple RFP question. But, it depends. So, here are 5 simple questions to ask yourselves to determine whether Office365 could be sufficient to address your specific demands.

First, a simple question – do you work for a financial services provider? If yes, stop here. Office 365 and Exchange 2013 do not address requirements outlined by SEC 17a3-4 that outline how data must be stored immutably, or supervisory review requirements under FINRA. You should be engaging with archiving or data storage providers to address these requirements.

1. Do you need to conduct real-time, iterative search against multiple matters concurrently? Office 365 relies upon a batch-based searching process that is not designed for  large scale search – nor unlimited search against concurrent matters. IT must break up requests into multiple smaller searches, introducing multiple points of failure and unknown performance. Limits of 2 concurrent searches is difficult if you have (hmmm) 3 time sensitive matters.

2. Do you need to conduct keyword search against an entire enterprise or large department? Again, the number of mailboxes that can be searched is limited (and continues to be changed by Microsoft – is it 50 mailboxes? 500?). Not ideal for investigative purposes where a set of keywords are known, but the custodian scope/scale is not yet defined.

3. Do you need to search against non-Microsoft office content types? On average, organizations deal with 400+ different attachment types within email alone, and must be able to capture and extract text of these file types prior to sending to a storage environment in order to search and retrieve later. Office 365 cannot help you here.

4. Do you have strict retention and enforcement mandates? Within Office365, email is archived only after a configured time period (default is 2 years). Users can delete or otherwise do as they chose beforehand. In fact, per Microsoft’s own documentation: “Important   MRM doesn’t guarantee retention of every message. For example, a user can delete or remove a message from their mailbox before the message reaches its retention age; MRM isn't designed to prevent users from deleting their own messages.”

5. Do you need it now? Short term, inflexible discovery demands are challenged when all content sources must be within Exchange 2013 to be useable. And, when Microsoft lacks tools to migrate data from earlier versions of Exchange and third party archives that leverage the accepted industry standard approach of journaling. And, when IT command line tools must be used when tasks exceed the existing features – such as creating and managing multiple retention policies through Microsoft’s rolling hold features. And, when archived data needs to be manually segregated for ethical wall or local data privacy adherence. And, when non-Microsoft content must be manually collected, searched, and processed through other systems.

Like with any other early stage software, it is easy for technologists to give the “yes, it can be done” or “yes, on our roadmap” response question to address functional requirements that today do not exist in the product. But, is this adequate to address the immediate, real-time, and unpredictable nature of eDiscovery that your company faces?

“It depends”, as they say.

January 23, 2014

Top 5 reasons Why Your eDiscovery Tool May Not be Sufficient for Information Governance

With LegalTech New York (#LTNY14) fast approaching, I find it a bit odd that to see some of same vendors at LegalTech as at ARMA and MER. With technology that, hmmm, looks pretty much the same at both. This raises some interesting questions about how eDiscovery tools may or may not address information governance (IG) objectives. Some use cases appear more plausible than others – for example, applying advanced analytics to the task of migrating a legacy information repository to enhance visibility into the contents of those repositories (e.g. what is duplicative, what is aged, transitory, etc.).  But, attempting to point predictive eDiscovery tools at raw content sources in order to implement policies for information tracking and control is a bit more daunting – especially for those experiencing unrelenting data growth and explosion of content in unmanaged locations (as would be the case for most corporations today).

So, here are the top 5 reasons why eDiscovery tools may not be sufficient to address your short term information governance objectives (noting that capabilities evolve over time. M&A happens, product portfolios expand, OEM deals are forged, etc.):

  1. Volume: Most analytically driven eDiscovery tools have been well designed to plow through, analyze and accelerate review of clean, contextually specific data sets – let’s say a matter involving 20 custodians and 100 GB.  But attempting to apply that same technology to plow through a billion items (as many corporations can easily accumulate) is more complex than just adding more processing power or spending additional time to train the system to produce a sufficient indexing rate. Data repositories tend to contain information that is highly duplicative, poorly indexed – and growing at a rate of 44x over the next several years per IDC. Analytically driven eDiscovery tools can enhance visibility (after being properly resourced with processing power and $$), but do little to address the high priority of gaining control over unchecked data growth

  2. Context: eDiscovery tools operate best with a defined context of a matter or investigation, but there is no easily discernible context around the word ‘windows’ when pointing at an information repository. In fact, defining and separating the ‘high value’ from the ‘digital ROT’ within a typical IG initiative is often the product of input from legal, regulatory, IT, and business unit representatives melding their own definitions of information value and risk. IG is more than just improving eDiscovery efficiency and reducing expense by looking at upstream data patterns. And using analytics when context has been separated from content makes the technological challenge exponentially more challenging to produce measurable results.

  3. Wild Data: Organizations today are struggling not only with the absolute growth of information, but also the fact that material information is increasingly being created (and is uniquely maintained) in unmanaged locations (e.g. social media, IM, networked fileshares, mobile, nomadic SharePoint sites, etc.).  While it is true that eDiscovery today continues to be dominated by email, patterns of everyday business communications are changing dramatically as can be noted by actions from various regulatory entities including the SEC, FINRA, and FFIEC.  eDiscovery tools work well in processing centrally stored data, but collecting and moving information from unmanaged locations is rarely practical or without risk. Technologies to enable management in-place are emerging, but few have yet achieved significant market presence.

  4. Control: Many effective IG initiatives have focused not just on producing critical content when required, but understanding how information moves throughout its life cycle so that organizations can be proactive in managing information risks.  Enhanced visibility from analytics tools is helpful to understand where the eDiscovery needles exist in the data haystack – but do little to understand how the pins, needles, and other sharp objects move within and across haystacks in order to determine how to best define policies and procedures to manage information risk and enhance control.

  5. Cloud: It appears that much of the interest in the application of eDiscovery analytics to IG is due to failed enterprise content management implementations. Information life cycle management was a good idea, but ultimately failed because of poor user acceptance and on-premise technology design that became too expensive and complex to manage as data grew. Hence, the appeal of cloud-based information repositories that take advantage of shared resources and scale-on-demand benefits that are not attainable behind the firewall. To date, it does not appear that any leading eDiscovery analytics tool has been designed for the cloud (which is significantly different from simply offering a hosted version of the same on-premise technology through a service provider). Consequently, companies must deploy more servers requiring more storage and IT overhead – which appears to be a repeat of same failures of the 1990s. This will no doubt change – but evidence of leadership on this front is still scant.


eDiscovery and Information Governance will continue to become more tightly intertwined over time as more companies realize that the ‘keep everything forever’ strategy is not sustainable. Focus is beginning to shift from optimizing review efficiency to enhancing insight into data repositories so that value can be separated from junk earlier. But you should take care in ensuring that your short-term IG risk reduction goals can be delivered with the capabilities offered today by the eDiscovery tool providers.


December 16, 2013

FFIEC Raises the Bar on Social Media and Regulatory Compliance

On Wednesday, the Federal Financial Institutions Examination Council (FFIEC) issued its long awaited guidance "Social Media:  Consumer Compliance Risk Management Guidance", covering the use of social media within financial services. The guidance applies to banks and nearly every other financial entity that fall under the regulatory umbrellas of the Office of the Comptroller of the Currency (OCC), FDIC, NCUA, and Consumer Financial Protection Bureau (CFPB).

While the guidance imposes no new obligations upon firms, it does a very thorough job of highlighting the plethora of existing regulations whose rules should be considered in assessing the risks of using social media for firm business. Amongst these include:

Applying to Deposit and Lending:

  • Truth in Savings Act/Regulation DD
  • Fair Lending Laws: Equal Credit Opportunity
  • Fair Housing Act
  • Truth in Lending Act/Regulation Z
  • Real Estate Settlement Procedures Act
  • Fair Debt Collection Practices Act
  • FTC Section 5 on Unfair, Deceptive, or Abusive Acts
  • FDIC requirements on Deposit Insurance

Applying to Payment Systems:

  • Electronic Fund Transfer Act
  • Check Transactions rules

Applying to Data Privacy:

  • Children's Online Privacy Protection Act
  • CAN-SPAM Act
  • Gramm-Leach Bliley Act (GLBA)

On the GLBA point, the FFIEC noted specific relevance when social media has been integrated into the over-all customer experience. In this case, firms should clearly disclose the use of social media within its privacy policies as required under GLBA.

Most importantly, the ruling outlines the compliance, operational, and reputational risks associated within social media, and encourages the use of risk management programs to assess the potential exposure to the firm. Components of this program should include:

  • Design with participation from stakeholders from compliance, technology, information security, legal, human resources, and marketing,
  • A governance structure with clear roles and responsibilities
  • Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations
  • A risk management process for selecting and managing third-party relationships in connection with social media
  • An employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party
  • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate
  • Periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

The net effect of the FFIEC should be to encourage firms to think holistically about social media as an integrated component of its information risk management strategy. As a component of this strategy, firms should also evaluate available technologies that allow for the proactive capture and secure storage of social media content - as is provided today for email, instant messages and other mature communication technologies.

The business use of social media is undeniable - and the FFIEC guidelines clearly demonstrate that regulated firms should take proactive steps now to ensure issues with existing regulations are avoided.

November 25, 2013

Social Media and Compliance: Salesforce Chatter

We just returned from the Financial Services track at Dreamforce, where many speakers  touched on the topic of Archiving for Chatter – and its potential regulatory implications.  This led to many interesting discussions at our booth, with some of the common themes and conclusions summarized here.

  1. The most frequently asked question/comment: “We would like to enable Salesforce Chatter, but our compliance team is concerned about the implications. What can we do?” Not surprisingly, many of the Dreamforce attendees we talked to had recognized the business value of leveraging their investment in SFDC to drive collaboration and productivity via Chatter (or, perhaps, are being pressured by SF users to enable this feature). The reasons are clear within financial services: enabling better customer service, improving communication flow with independent agents, and in sharing account information with peers. But, simply turning that feature on led many into conversations about internal policies pertaining to social media, supervisory obligations addressed under FINRA’s 11-39 guidance on social media, and storage requirements within financial services outlined by SEC 17a3-4. Conclusions: 1) Chatter is easy to enable? Yes. 2) Opening a new collaboration channel within financial services raises regulatory compliance questions? UNEQUIVALLY YES.
  2. Compliance teams are becoming more active in decisions regarding use of Chatter. Again, not surprising, as firms have become accustomed to since FINRA 11-39 in 2011, and as more have acknowledged the futility of blocking social channels including LinkedIn and Twitter. Today, this involvement is moving beyond the yes/no of enabling access toward the issues of social media policy refinement, in determining what specific social media channels can be utilized, which features within those channels are usable by investment professionals whose actions are regulated under FINRA and NASD rules, and how firms intend to monitor, supervise and report on those activities. Simply turning on the capability is the starting point – looking at how you may enable selective access to those users whose activities need to be archived and reported is where many companies appear headed.
  3. Salesforce Communities creates additional risk. As firms iron out plans to enable Salesforce Communities, it’s important to consider regulatory compliance as part of the discussion. Salesforce Communities enables firms to expose parts of their Salesforce environment to the outside world; creating a collaboration portal for customers, vendors or partners. The Chatter feed is an integral component of Communities and, without Chatter, the benefits of enabling Communities diminish. Similar to “internal” Chatter communications, it’s important to ensure that your archiving solution supports the capture of Chatter content that is authored within Communities as well. Moreover, if your firm creates multiple Communities, your archiving solution should be able to capture Chatter content only from the Communities that you specify, thereby eliminating unnecessary noise from your archive.
  4. Archiving of social media goes beyond basic storage. For many, envisioned processes  for manual collection and basic store/retrieve Chatter content would be - in most cases – woefully inadequate. SEC Rule 17a3-4 in particular contains a number of specific provisions about information storage locations being “WORM-like” and actively managed to ensure information retains its integrity. Simply moving captured Chatter content to a network storage location – or copying to DVDs and sending to giant records warehouses via couriers in small vehicles – may not be meeting the risk profiles of your compliance executives.
  5. Firms are seeking leverage across other information sources.  Enabling the capture and archival of Chatter content is not unique discussion. Firms have already been through this with email. But, firms are reluctant to deploy yet another single-purpose repository to manage that information. In fact, most of the attendees we talked to are seeking to aggregate Chatter with other captured social media content – and leverage their existing processes and technology in place that is used for email. This leverage brings familiarity and comfort to compliance teams – and higher likelihood that SFDC teams can roll-out Chatter faster  with fewer compliance obstacles.

Proofpoint, with its Archiver for Chatter solution, can help organizations address these challenges, with a proven track record of capturing and managing content for many leading financial institutions that need to adhere to SEC, FINRA, and other emerging regulatory requirements. For more information about our Social Platform for Archiving solution, please visit



October 09, 2013

Free RSA® Security Expo 2014 Passes, Courtesy of Proofpoint: Use Code SC4PROOFB


It might seem like the far future, but RSA Conference 2014 is only a few months away and registration is now open!

Proofpoint will be exhibiting at the RSA Conference 2014, to be held February 24 thru February 28, 2014 at Moscone Center in San Francisco.

If you'd like to attend the RSA Conference 2014 expo (exhibits), you can get a free exhibits-only pass (which RSA calls an "Expo Pass") courtesy of Proofpoint by using code SC4PROOFB or EC4PROOFE when you register.

To register for your free RSA exhibits pass, please visit the following URL and enter code SC4PROOFB during the registration process:

Proofpoint will be at RSA 2014 in a big way, with booths in both the South (booths #1527 and #520) and North halls (booth #3615).  Since you won't be able to miss us, we fully expect you to stop by, meet the friendly Proofpoint staff, and take a moment to learn about our latest cloud-based solutions for threat management (including email security and targeted attack protection), compliance (data loss prevention, email encryption), enterprise information archiving & governance, and secure communications.

I also expect we'll be doing our traditional information security survey and we'd love to have you take a few minutes to participate. (If you're interested in the findings from the 2013 survey, you can find them here:

See you in San Francisco next February!

RSAC 2014 Briefing Center invite - fixed - Proofpoint

July 10, 2012

Mobile Privacy Standards to be Discussed this Week

Increase-in-use-of-smartphones-making-their-security-more-vulnerable_16000464_800778764_0_0_14000264_300In this digital age, our smartphones tend to know more information about us than say, our great Aunt Suzie. From your name and location to the interests of you and your closest friends; all of this information is readily available to advertisers and marketers the moment you accept the terms and agreements of certain mobile applications.

The accessibility of such data has sparked a continued dispute between consumer groups and online marketing firms over the access of user information via mobile applications.

On July 12, the National Telecommunications and Information Administration (NTIA) will host the first of several meetings in an effort to develop new codes of conduct for handling private consumer data on the internet and on mobile networks. The meeting will focus primarily on mobile application security and provide a chance for industry stakeholders to voice their concerns regarding access to private consumer data.

The upcoming meetings stem from a Consumer Privacy Bill of Rights released by the Obama Administration in February of this year. Instead of calling for new privacy standards, Obama’s Bill of Rights calls for a multi-stakeholder process to develop general rules and regulations. The process has generated skepticism about whether this system will incorporate the desires of all publics fairly, most importantly the consumers.

The start of the NTIA meetings could not come soon enough. Recent episodes of mobile applications illegally downloading user information has heightened the need for defined mobile privacy standards. The issue of mobile security now goes beyond simply the applications to also include the advertisements shown within them.

As we watch to see if an outcome can be achieved at the NTIA meetings, it will be interesting to see how these standards will reflect on the corporate side of the equation. Right now, companies must decide for themselves which security features to implement for their employees. This increasingly means creating mobile security applications that encrypt, archive, and protect company data on an employee's smartphone will likely become a corporate necessity.

June 27, 2012

Protecting Your Most Sensitive Data: 5 Hot Password Protection Tips


[Editor's note: Please welcome intern Courtney Klosterman as a new, regular contributor to the blog. Courtney is a recent graduate of Purdue University working with us on public relations and social media. Take it away, Courtney!]

What is your philosophy on passwords? Do you stick to simplicity or maintain a mixture?

Depending on your answer, you may or may not be surprised to learn that the passwords people choose are often easy to figure out. According to a recent story on NPR News regarding password safety, among the grand champions in popularity include patterns on the keyboard—such as 123456—and terms of endearment, with princess topping the charts.

Like a lot of people, I used to be unconcerned about the thought of someone hacking into and manipulating my online information. But today, I'm definitely more mindful of this issue as I've become aware of just how many Internet users have had issues with password security. Whether you've personally had experience with a compromised account or not, you can't ignore the constant stories in the media about passwords being compromised from even the most reputable banks, enterprises and social sites.

The recent password hack attacks on social media sites LinkedIn and eHarmony have prompted social media giant, Facebook, to ramp up its own security features.  Within the next few weeks the company will be asking users to provide a mobile phone number so that in the instance that a person’s account is hacked, the confirmed phone number will allow Facebook to wipe out the user’s password immediately and send them a new one via SMS.

So how do we stay one step ahead of the ever broadening force of hackers? Here are five of the latest and greatest password tips to ensure your accounts are highly protected.

1. Avoid all aspects of the phrase “Reduce-Reuse-Recycle.”

With more personal information available on the internet than ever before, it is crucial to increase the number of passwords used for different accounts. Refrain from reusing and recycling old passwords as it heightens the possibility of re-using a compromised password.

2. Use an open source password manager.

For those of us who are much too wary to keep an aggregated list of usernames and passwords hidden in our desk drawer, there are secure software programs to help keep track. An example of such a program is KeePass, a free program that retains all of your passwords in one database, which is encrypted and only opened with a master password. The program can also generate random, highly-secure passwords for separate accounts with a user specified amount of characters, numbers and symbols.

3. Create strong security questions.

An account is less likely to be hacked if you provide less personal information. Instead of providing the answer to the infamous your mother’s maiden name, think up a question that is less obvious to the public, such as what street did you live on in third grade? Of course, there is nothing wrong - if you can remember it - with using a fictional answer to these questions. Mitt Romney's email was allegedly hacked when someone guessed the correct answer to one of his security questions. The NPR news story makes a similar suggestion worth checking out.

 4. Mix up the characters.

If you have anything less than a photographic memory, i.e. you have difficulty remembering an ambiguous mixture of numbers, letters and symbols then instead try to replace symbols and numbers for letters within a word. For example, if you wanted to use PROOFPOINT as a strong(er) password, it could be written as Pro0fp0!nt.

5. Variance is key.

Refrain from setting yourself up for a single point of failure. In many instances, a hacker will steal passwords from sites with weak security and then try the same username and password combos on other more secure sites. By using a program such as KeePass you can make sure to avoid this possibility by having different, strong, automatically-generated passwords for every account.


November 08, 2011

Free RSA® Security Expo 2012 Passes, Courtesy of Proofpoint: Use Code EC12PRF

RSA-Conference-Free-Exhibit-Passes[Update 10/9/2013: Looking for 2014 passes? Use our new code SC4PROOFB.  Find registration link in this post.]

Wow, is it almost the end of 2011? Looking forward to 2012 for a moment, once again Proofpoint will be exhibiting at the RSA Conference 2012, to be held February 27 thru March 2, 2012 at Moscone Center in San Francisco.

If you'd like to attend the RSA Conference 2012 expo (exhibits), you can get a free exhibits-only pass (which RSA calls an "Expo Pass") courtesy of Proofpoint by using code EC12PRF when you register.

To register for your free RSA exhibits pass, please visit the following URL and enter code EC12PRF during the registration process:

We look forward to seeing you there! Proofpoint will be exhibiting at booth #850, demonstrating our latest SaaS-based threat management (email security), compliance (data loss prevention, email encryption), archiving & governance, and secure communication solutions.


August 22, 2011

Cloud Computing and the Law: Gary Steele Discusses Cloud Privacy and Security on NBC's Press Here

There are two kinds of people: Those who get up early enough on Sunday to watch the news and policy wonk shows and, well, those of us who don't. If, like me, you find yourself in the second camp, you might have missed Proofpoint's CEO, Gary Steele, discussing "Cloud Computing and the Law" with reporters from NBC, Forbes and Bloomberg on yesterday's edition of NBC's "press:here" interview show.

In this segment, Gary discusses some of the legal issues around cloud computing, including whether an electronic document stored in the cloud is entitled to the same protection as that same file stored in a physical safe. While this conversation is focused on data privacy and legislative issues, a discussion of some of the security concerns around cloud computing and storage also comes up.

The conversation ranges from basics about "the cloud" to the concerns around data locality, search and seizure of data and the evolving state of privacy legislation. You can watch a video replay below:



June 27, 2011

Microsoft Data on Phone Phishing Scams: No, Security Engineers from Legitimate Companies Won't Call & Request Your Credit Card Number

Our partner Microsoft recently published results of a survey revealing a new kind of internet scam that involves criminals calling people at home to tell them their computers are not fully protected from security threats.  The callers request remote access to users’ computers and credit card information by posing as computer security engineers from legitimate companies.

And, of course, once granted access to that information they "run through a range of deception techniques designed to steal money," according to Microsoft's announcement.

Out of 7,000 users surveyed in the U.K., Ireland, U.S. and Canada, 15 percent received a call from scammers and 3 percent fell for the scam.  The average amount of money stolen was $875 and the average cost of repairing damaged computers was $1,730.

Richard Saunders of Microsoft says, “Criminals have proved once again that their ability to innovate new scams is matched by their ruthless pursuit of our money.” 

The line between legitimate calls and malicious schemes can be blurry at times as we often give out credit card information over the phone to pay for bills and order products.  This is especially true with older generations that may not be technically savvy enough to distinguish the difference. 

Microsoft offers some tips on how to protect yourself:

  • Be suspicious of unsolicited calls related to a security problem, even if they claim to represent a respected company.
  • Never provide personal information, such as credit card or bank details, to an unsolicited caller.
  • Do not go to a website, type anything into a computer, install software or follow any other instruction from someone who calls out of the blue.

You can also protect yourself online by following Proofpoint's “seven simple rules for staying safe online.”



Blog Search

Email Security Gateways, 2012

Magic Quadrant


What people are saying right now about us.

©2012 Proofpoint, Inc.
threat protection: Proofpoint Enterprise Protection compliance: Proofpoint Enterprise Privacy governance: Proofpoint Enterprise Archive secure communication: Proofpoint Encryption