Proofpoint: Email Security Blog

February 04, 2010

USA Today says Cybersecurity Stocks Look Hot in 2010: Proofpoint and Other Privately Held Security Vendors to Benefit

Byron Acohido at USA Today has an interesting article out today (see "Cybersecurity Stocks Look Hot in 2010") positing that tech security companies are "poised to become Wall Street darlings this year, thanks in part to Google's tiff with China."

Quoting an analyst at FBR Capital Markets, he says the Google-China row has underscored the already positive outlook for stock price performance of diversified security vendors such as McAfee, Symantec and Check Point and that the security sector is underinvested. As we point out at Proofpoint quite often, IT security (including email security and data loss prevention) solutions simply aren't optional and large enterprises and government organizations can't delay purchases of such solutions.

Statistics from IDC are also quoted, noting that worldwide spending on IT security rose 6% in 2009 and is expected to grow another 9% in 2010.

The article notes that prospects for privately-held security companies are also looking very positive:

"Meanwhile, the rising incidence — and visibility — of cyberattacks also is boosting prospects for privately held tech-security firms, says Asheem Chandna, a partner at Greylock Partners, a leading Silicon Valley venture capital firm.

Private firms with strong balance sheets and good growth prospects that might be viewed as viable candidates to float an initial public stock offering include Sophos, Barracuda Networks, Qualys, Proofpoint and Tripwire, Chandna says. He estimates 30 to 50 tech firms could go public this year, including three to five tech-security companies."

Proofpoint's growth has been extremely strong over the past few years, as Proofpoint watchers already know. We recently closed our 26th consecutive quarter of record revenue, as I noted in a recent blog post (see "Proofpoint News this Week: Another Quarter of Record Proofpoint Revenue, Updated Channel Partner Program").

You can read the full USA Today story here: Cybersecurity Stocks Look Hot in 2010

November 05, 2009

Video: What to Look for when Buying SaaS/Cloud-based Solutions for the Enterprise


I sat down recently with Dave Champine, Proofpoint's product manager for our SaaS email security solutions, for an extensive interview about the security of cloud computing-based solutions and the issues enterprises should consider when moving security functions "to the cloud." I'll be posting excerpts from that discussion over the next few days.

First up, Dave had some really interesting things to say about specific features that enterprises need to look for when buying "in the cloud" security solutions (or any other type of SaaS solution, for that matter). As Dave notes in this video, large enterprises have different concerns than, say, small businesses or consumers when they are looking at deploying a cloud computing-based (or SaaS) solution.

To summarize the main points that Dave discusses in the video, there are four interrelated characteristics of an enterprise-quality cloud. He describes them as:

Isolation: Look for solutions that offer both physical and logical separation of your data and the application itself from other customers. This helps ensure that your enterprise's capacity and performance needs are met, regardless of what's going on with other customers of the same solution.

Flexibility: Look for solutions that can support the high level of complexity found in the large enterprise. For example, in the email world, large enterprises can have very complex policy environments due to regulatory requirements, best practices for data protection and corporate governance concerns. So that means being able to do things like set and enforce different email disposition policies for different business units, support secure transmission to business partners, support policy-based encryption, etc. Flexibility also means having flexibility in terms of how things are deployed (e.g., could I deploy some things "in the cloud" but leave other features on-premises).

Control: Large enterprises need SaaS solutions that let them maintain the same level of control as they would get with an on-premises solution. That includes having what Dave calls "transparency of operations," including visibility into logging, auditing and alerts so administrators can verify that systems are operating as expected.

Distribution: Enterprises should look for cloud-based solutions that use distributed components. For example, make sure that the architecture includes geographically distributed datacenters, redundant components, etc. The goal is to go beyond the usual "five nines" availability goal and get as close to 100% availability as possible. Dave suggests that enterprises should think not just about disaster recovery, but about disaster avoidance as well.

If you're interested in this topic, you'll also be interested in the next Proofpoint live web seminar, happening on Wednesday, November 18th. We'll be discussing the pros and cons of Security-as-a-Service and how next-generation SaaS solutions can actually deliver superior security, better performance and lower costs compared to on-premises approaches. To register, please visit the link below:

  • Register for "Cloud Computing Confusion: Is SaaS Email Security Right for Your Enterprise?"

October 21, 2009

Windows 7 Security: A Roundup of Security Features and Commentary from Around the Web

So the big IT news this week is, of course, the launch of Microsoft's Windows 7 operating system tomorrow (Thursday, October 22, 2009). While the jury's still out on whether widespread Windows 7 adoption will improve security in a global sense, it does look like there are some solid new security features that could help decrease malware propagation as well as prevent data breaches from lost or stolen devices (with the inclusion of BitLocker drive encryption that can now protect USB removable devices, i.e., "BitLocker To Go").

PC World has a nice overview of some of the core Windows 7 security features including a short primer on how to protect drives with BitLocker. This seems like one of the most dramatic improvements to me (as our own research found that more than 20% of large enterprises investigated a data breach due to lost or stolen devices and media in just the past 12 months). Find that overview here:

PC World: A Guide to Windows 7 Security

CNET's download.com site has a slideshow tour of some of the security-related interfaces in Windows 7 including shots of the security Action Center and User Account Control panel with some easy-to-digest commentary:

CNET: Security in Windows 7 Slideshow

Of course, some things haven't changed from previous versions of Windows. Our friends at F-Secure have previously pointed out that the Windows Explorer default of hiding file extensions for known file types represents a security problem: a file named "party.jpg.exe" is displayed simply as "party.jpg", which makes it more likely that users will inadvertently run malware executables that are masquerading as document or media files (e.g., GIFs, JPEGs or WMVs).

This default continues in Windows 7. Personally, I don't know how folks can even deal with Windows when you can't see file extensions, and this is one of the first things I change on a new system or fresh Windows install.

Find F-Secure's commentary on this issue here:

F-Secure Blog: Windows 7 Fail
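As an added example (not part of this post or of F-Secure's commentary), the following Python shows why the hidden-extension default matters from an email gateway's point of view: it approximates the name Explorer displays when "Hide extensions for known file types" is on, and flags attachments whose displayed name ends in a document or media extension while the real extension is executable. The two extension lists are illustrative assumptions rather than complete sets, and the sample attachment names are constructed.

```python
import os

# Extensions Windows executes on double-click. Illustrative assumption, not a
# complete list; a real gateway would use a maintained one.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".wsf", ".msi"}

# Extensions a user reads as "just a document or picture" (also an assumption).
BENIGN_LOOKING_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".txt",
                       ".gif", ".jpg", ".jpeg", ".png", ".wmv", ".avi", ".mp3"}


def explorer_display_name(filename: str) -> str:
    """Approximate what Explorer shows with extension hiding on: the final
    extension is dropped, so 'party.jpg.exe' reads as 'party.jpg'. Trailing
    spaces are stripped because attackers pad names ('party.jpg      .exe')
    so the real extension scrolls out of view in a narrow column."""
    stem, ext = os.path.splitext(filename)
    return stem.rstrip() if ext else filename


def is_masquerading_executable(filename: str) -> bool:
    """True when the real extension is executable but the name the user sees
    ends in a document or media extension."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(explorer_display_name(filename))
    return shown_ext.lower() in BENIGN_LOOKING_EXTS


def flag_attachments(filenames) -> list:
    """Reduce a list of attachment names to the suspicious ones, in order."""
    return [name for name in filenames if is_masquerading_executable(name)]


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["notes.txt", "holiday.jpg.scr", "budget.xlsx", "song.mp3.com", "setup.exe"]
    for name in flag_attachments(sample):
        print(f"{name!r} would be shown to the user as {explorer_display_name(name)!r}")
```

Note that a plain "setup.exe" is not flagged: the point is the mismatch between what the file is and what the user is led to believe, not the presence of an executable as such. A gateway policy would normally block or quarantine executables outright regardless.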

I haven't had much time to mess about with Windows 7 yet, though I've been pretty impressed with it based on my experience installing the 64-bit version of the Win 7 beta on a new drive. It definitely offers snappier performance over XP on the same hardware and the ability to address huge amounts of memory is a huge win for folks like me who do a lot of multimedia work.

That being said, as with any new install of Windows, your first stop after installing Win 7 should be to install a good desktop anti-virus solution. I was pleased to find that F-Secure's Internet Security 2010 already supports Windows 7 (both 64-bit and 32-bit versions) and installed with no hassles. I'm sure that many of the other major anti-virus solutions offer the same support, but I continue to be a big fan of F-Secure because it's very effective, doesn't hog system resources and has a slick user interface.

March 25, 2009

Get Your Hack On: BlackHat 2008 Presentation Videos Online

Tip 'o' the black hat to biztech writer George Hulme who pointed out on Twitter today that videos of presentations from the 2008 Black Hat security conference are now online here:

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-archive.html

Lots of really interesting stuff in this list and it's not just for hardcore security types (though it helps).

March 12, 2009

Lots of Interesting Tweets Coming Out of SOURCEBoston Conference Today

For the truly hardcore security types out there: I'm seeing a lot of interesting tweets today coming out of the sessions being held at the SOURCEBoston security conference. This looks like one to watch.

If you want to spy, see: http://search.twitter.com/search?q=%23SOURCEBoston

Of course, you can always follow us on Twitter as @Proofpoint_Inc.

March 02, 2009

Tech Crime Blotter: February's top 15 stories from Network World

NWW notes a really dangerous new practice dubbed "swatting" (making phony 911 calls about hostage or similar situations) as well as recapping the Microsoft bounty on the creators of the Conficker worm... which has apparently also spawned a new version. NWW also recaps their top 2008 tech crime stories. Interesting stuff!

Tech crime blotter: February's top 15 stories - Network World.

January 13, 2009

Phone Phishing: Coming Soon to a Hotel Near You

We regularly warn consumers and enterprises about the dangers of email-based phishing attacks and provide tips for staying safe online, but it's easy to forget that phishing emails are really just an evolution of the classic confidence scam. The social engineering techniques that are behind every sort of phishing scam (whether it's a Nigerian "419" scam or a more sophisticated spoof aimed at online banking users) have analogs in the real world.

A friend in the travel and tourism industry told me about an identity theft scam that hit one of their hotels—and a hotel guest—in the last couple of days:

During the night shift, the hotel received a phone call asking for "Mr. Jones." The night auditor working the front desk transferred the call to a room where one "Mr. Jones" was, in fact, staying.

When the guest answered the call, the caller identified himself as the night auditor and explained that the hotel was having trouble with the guest's credit card... and could he please verify the card number, expiration date, etc.

The next day, Mr. Jones was contacted by his credit card company because they had seen suspicious use of the card -- to the tune of several thousand dollars.

Now, if you received an email like this, you wouldn't answer it, of course. But I wonder how many of us—awakened in the middle of the night—might not bat an eye at providing that info over the phone.

The hotel has since adopted stricter phone screening measures to avoid this type of thing in the future, but it's always good, as a consumer, to be reminded of how scams work... and that, really, you can't be too careful when it comes to protecting personal information. Security begins with education.

March 11, 2008

SAS 70 Type II Certification – A Key Metric for SaaS Providers

Posted by Jeremy Hope, VP Operations

Security remains one of the biggest concerns that IT professionals have when considering a Software-as-a-Service solution. As a result, one of the most significant challenges that a SaaS provider must overcome is establishing a high degree of trust that customer data is safe in the vendor’s hands. There are a number of ways to do this, but one of the most important metrics that customers look for is the Statement on Auditing Standards No. 70, Service Organizations ("SAS 70") Type II report.

At Fortiva, we formally announced today that we achieved the SAS 70 Type II certification. SAS 70 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants. A SAS 70 report shows that a service organization has been through an in-depth audit of its control activities and demonstrates that it has adequate controls and safeguards when it hosts or processes data belonging to its customers. A Type II report goes further than a Type I: the auditor tests that the controls actually operated effectively over a review period (typically at least six months) rather than only confirming that they were suitably designed at a point in time.

As anyone who has gone through this knows, it’s a long, drawn-out process that takes a serious commitment on the part of the service provider. However, it is one of the only independent/third-party metrics a customer can look for in order to establish a level of confidence. As a result, it’s an invaluable tool for SaaS providers and one that is worth every bit of the time and effort required to achieve it.

At Fortiva, we always say that maintaining the integrity, privacy and security of our clients’ data is our most important goal. To achieve this, we are constantly reviewing our processes and improving them – but most of this happens “behind the scenes”. Achieving the SAS 70 Type II certification is an important way for us to demonstrate the care and attention we place in this area.

November 19, 2007

Better SaaS Security Through User Authentication & Permissioning

Posted by Chris Tebo, CTO

Security and SaaS solutions have been getting a fair bit of attention of late, especially with the recent admission that data stored on Salesforce.com was breached through a series of phishing attacks targeting Automatic Data Processing Inc. (ADP) and SunTrust Banks Inc.

This attention is well-deserved; there's much to be said about security in general.  There’s no question that securing infrastructure and the processes that surround it requires diligence on the part of both those who administer systems as well as those who use them.  However, more importantly, it requires technology vendors to continue to take steps to move the state of the art forward to address these threats.

Our mailboxes are a testament to this: on a daily basis we all receive some amount of Viagra spam, stock scams and phishing attacks that the tech-savvy know how to avoid and ignore. It is clear, though, from their sustained volume that there must still be a large number of users who fall prey to these attacks.

For the average end-user dealing with this deluge, we've seen technology move forward to address the issue. It started with simple junk mail filters, then Bayesian filters, and now the current advanced suite of content analysis tools that seems to be keeping my inbox fairly palatable.

So what does this have to do with SaaS security? I think that there are huge opportunities for SaaS providers to deliver technology innovations that move the security of SaaS solutions forward to overcome some of the kinds of attacks described in the article above.

I've written here several times about DoubleBlind Encryption™ technology as we've implemented it at Fortiva. It allows us to provide a SaaS-based email archive where we store and provide access to the data for our customers. At the same time, DoubleBlind Encryption makes it impossible for us to view the content of any of the data we host. It also means that if someone actually managed to breach our infrastructure, they would only see encrypted information. Accessing unencrypted archived information requires a user to have access to their company network and to authenticate with their network user name and password (through Active Directory) before viewing the archive. Assuming the customer has appropriate security in place to protect their network, the SaaS archive is protected too.

We've taken one approach here, and there are others. The point is that SaaS providers need to move their technology towards ensuring that they have less access to, and less visibility into, their customers' data. At Fortiva, we go so far as to provide our customers with a Data Privacy Guarantee.

A clear opportunity for improvement lies in managing user authentication and permissioning, especially since phishing scams are usually focused at weaknesses in this area. For SaaS solutions targeting the enterprise, it just doesn't make sense to introduce another layer of user administration and authentication that lives outside the corporation. 

Most corporations today manage all of this user information in Active Directory. Savvy SaaS consumers are starting to see the value of having their SaaS providers integrate with this permissioning data in the corporation. It allows them to unify their security policies and manage permissioning in a cohesive way. As a simple example, consider what happens when an employee leaves a company. As they are removed or disabled in the corporate infrastructure, their account is locked out of email, VPN and other internally managed solutions. How likely is it that their corresponding accounts in corporate SaaS solutions will be locked out at the same time?
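The following Python is an added example, not Fortiva's code, showing the authorization decision a SaaS service can make against the customer's Active Directory so that a disable or expiry in AD takes effect on the hosted side at the next login. It assumes the provider has already authenticated the user (for example by binding to AD with the user's credentials) and has fetched three standard attributes: userAccountControl, whose 0x0002 bit is UF_ACCOUNTDISABLE; accountExpires, a Windows FILETIME where both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires"; and memberOf. The directory entries, the group name and the clock value are constructed for the example, and attributes are shown as plain values rather than the lists of byte strings an LDAP library returns.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits.
ACCOUNTDISABLE = 0x0002   # UF_ACCOUNTDISABLE
NORMAL_ACCOUNT = 0x0200   # UF_NORMAL_ACCOUNT, set on ordinary user objects

# accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
# AD uses both 0 and 0x7FFFFFFFFFFFFFFF to mean "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic: float seconds would lose precision at 1e17 ticks.
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def authorize(entry: dict, required_group: str, now: datetime) -> tuple:
    """Return (allowed, reason) for one AD entry. Re-run this on every login,
    not once at provisioning time, so AD remains the single source of truth."""
    uac = int(entry.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        return False, "account disabled in AD"
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return False, "account expired in AD"
    groups = {g.lower() for g in entry.get("memberOf", [])}
    if required_group.lower() not in groups:
        return False, "not a member of " + required_group
    return True, "ok"


# Hypothetical group that grants archive access, and a fixed clock for the demo.
ARCHIVE_GROUP = "CN=Archive Users,OU=Groups,DC=example,DC=com"
NOW = datetime(2007, 11, 19, 12, 0, tzinfo=timezone.utc)

# Constructed sample entries.
SAMPLE_USERS = {
    "alice": {"userAccountControl": NORMAL_ACCOUNT, "accountExpires": 0,
              "memberOf": [ARCHIVE_GROUP]},
    # Left the company; the helpdesk disabled the account in AD.
    "bob": {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "accountExpires": 0,
            "memberOf": [ARCHIVE_GROUP]},
    # Contractor whose account expired on 2007-11-01.
    "carol": {"userAccountControl": NORMAL_ACCOUNT,
              "accountExpires": datetime_to_filetime(datetime(2007, 11, 1, tzinfo=timezone.utc)),
              "memberOf": [ARCHIVE_GROUP]},
    # Active, but never granted archive access.
    "dave": {"userAccountControl": NORMAL_ACCOUNT, "accountExpires": 0x7FFFFFFFFFFFFFFF,
             "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"]},
}


def audit(users=SAMPLE_USERS, group=ARCHIVE_GROUP, now=NOW) -> dict:
    """Evaluate every sample user; only alice should come back allowed."""
    return {name: authorize(entry, group, now) for name, entry in users.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in audit().items():
        print(f"{name:6} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Because the decision reads AD state at login time, disabling bob's account in the corporate directory is enough; nobody has to remember to also deprovision him in the SaaS console, which is the gap the paragraph above describes.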

Paying attention to SaaS and the security implications that come with it is critical. There's certainly room for improvement, but there are clearly innovations to come that will move SaaS forward on this front.

 

June 20, 2007

A new model for SaaS behind the firewall?

Posted by Chris Tebo, CTO

In his posting of June 15, titled, "Can the appliance put SaaS on-premise?", Phil Wainewright makes the point that,

Delivering software as an appliance brings many of the same benefits as delivering software as a service. In fact, in recent weeks and months I’ve spoken to some people who’ve talked as if the two models were interchangeable. I wouldn’t go that far, but I would say that they’re different facets of the same trend towards making software easier to install and use, and I would also add, perhaps controversially, that if you believe in using the Web to deliver software functionality, then like it or not you’re probably going to end up delivering software appliances within your range of offerings.

Wainewright comes to the conclusion that both software as an appliance and software as a service have their place, and they shouldn’t be seen as competing with one another. While I agree with Wainewright on the points he makes in both that and a follow-up posting, I think it’s important to consider the possibilities offered by a third option, one that combines software as an appliance with software as a service. This is the model we use at Fortiva, and it’s one that I believe will continue to gain traction with vendors that want to provide the convenience of SaaS with a level of integration and data security that can only be achieved with an on-premise component.

In his posting, Wainewright makes the point that,

“The appliance model provides many of the benefits of SaaS without forcing customers to store and access their data outside of the firewall.”

This is true – and very useful for applications that involve small amounts of data. However, many SaaS solutions tackle challenges that involve large amounts of data by offering a large, centralized infrastructure. Since IT departments can face considerable challenges managing and maintaining a large data set, these customers get significant benefits from SaaS solutions that address the management of both the software and the data. In fact, a key value proposition for SaaS often involves not having to worry about procuring and managing large amounts of storage, which in turn allows the customer to avoid having to address the full suite of data management tools. So in these cases, the appliance model alone is not an option.

While SaaS allows you to benefit from “worry-free,” fully scalable storage on demand, it also has its issues. The SaaS model can lead to isolated solutions that suffer from administrative challenges and a logical disconnect from the way other corporate information is managed and used. It also presents obvious security challenges. Overcoming these limitations requires an integration point within the corporation. To do this without losing the ease of setup and maintenance benefits of a SaaS solution, some vendors (Fortiva included) have started to introduce in-house appliances (software as an appliance) that act as a gateway to their centralized services (software as a service).

In Fortiva’s case (a SaaS email archiving solution), we ship a “plug-and-play” style appliance that integrates directly with the customer’s Microsoft Exchange and Active Directory. The appliance also encrypts all the data before sending it over a secure channel to Fortiva’s data centers. I’ve explained in my last two posts how this works, and how the combined SaaS/appliance approach allows us to provide rich functionality (including advanced search) on data that remains encrypted at all times outside the firewall.
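The following Python is an added example, not Fortiva's code and not a description of how DoubleBlind Encryption is actually built. It shows one standard construction that delivers the properties claimed here and in the November 2007 post above: the on-premises appliance encrypts each message under keys only it holds and ships a keyed-hash ("blind") index alongside the ciphertext, so the hosted side can answer word searches by matching tokens without ever seeing plaintext or holding a key. HMAC-SHA256 in counter mode stands in for a real cipher such as AES-GCM so the example runs on the standard library alone; the message bodies and the query are constructed.

```python
import hashlib
import hmac
import os
import re

# ---- Appliance side: inside the customer's firewall, holds the master key ----

def derive_keys(master: bytes) -> dict:
    """Domain-separated subkeys for the cipher, the MAC and the search index."""
    return {label: hmac.new(master, label.encode(), hashlib.sha256).digest()
            for label in ("enc", "mac", "index")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode; a stand-in for AES-GCM.
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(keys: dict, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(keys: dict, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(keys["enc"], nonce, len(ct))))


def is_authentic(keys: dict, blob: bytes) -> bool:
    try:
        decrypt(keys, blob)
        return True
    except ValueError:
        return False


def index_tokens(keys: dict, text: str) -> set:
    """Keyed hash of every distinct word. The hosted side can match tokens
    against each other but cannot invert them without the index key."""
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return {hmac.new(keys["index"], w.encode(), hashlib.sha256).hexdigest() for w in words}


# ---- Hosted side: the SaaS datacenter, sees ciphertext and tokens only ----

class HostedArchive:
    def __init__(self):
        self.blobs = {}      # msg_id -> nonce||ciphertext||tag
        self.inverted = {}   # token -> set of msg_ids

    def store(self, msg_id: str, blob: bytes, tokens: set) -> None:
        self.blobs[msg_id] = blob
        for token in tokens:
            self.inverted.setdefault(token, set()).add(msg_id)

    def search(self, tokens: set) -> set:
        """Message ids containing every queried token (AND semantics)."""
        postings = [self.inverted.get(t, set()) for t in tokens]
        return set.intersection(*postings) if postings else set()


# ---- Worked flow on constructed sample messages ----

def demo(query: str = "merger friday") -> tuple:
    keys = derive_keys(os.urandom(32))    # generated on and never leaves the appliance
    archive = HostedArchive()
    messages = {                           # constructed sample data
        "m1": "Board approved the merger terms; keep confidential until Friday.",
        "m2": "Lunch order for Friday: two pizzas.",
        "m3": "Merger due diligence checklist attached.",
    }
    for msg_id, body in messages.items():
        archive.store(msg_id, encrypt(keys, body.encode()), index_tokens(keys, body))
    # The match happens on the hosted side; decryption happens back on the appliance.
    hits = archive.search(index_tokens(keys, query))
    plaintexts = {m: decrypt(keys, archive.blobs[m]).decode() for m in hits}
    return hits, plaintexts, archive
```

Two caveats a practitioner would weigh before adopting a design like this. The hosted side still learns which messages share tokens and how often each token occurs, so it is not zero-knowledge, only blind to content; and because the provider holds no key, the customer must back up the appliance's master key itself or the archive is unrecoverable.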

So maybe it’s not SaaS OR software as an appliance (SaaA?) that companies should be considering…maybe it’s the two together.
