NetworkWorld's Ellen Messmer posted an interesting article yesterday, reporting from Gartner's Security & Risk Management Summit (where Proofpoint is exhibiting, booth #27, BTW). In "Too many data-loss prevention tools become shelfware, says analyst", Messmer relates highlights of a presentation by Gartner DLP, security and encryption analyst Eric Ouellet, in which he discusses the challenges that many organizations face when deploying enterprise DLP solutions.
Of particular note, Ouellet discusses how many DLP deployments go awry because there is not enough involvement from the business units that actually own responsibility for defining and enforcing policies. "Organizations underestimate the need for the involvement of non-IT business units," Ouellet says.
The whole article is worth a read, and it provides an interesting "proof point" for something we've been noting for quite a while: multi-channel, enterprise DLP deployments (which involve deploying endpoint, network and discovery tools) are often more difficult and costly than organizations can really manage.
As an alternative, Proofpoint has long argued for a more pragmatic approach to DLP in which the biggest risk vectors are addressed first (and, as I've noted many times, email continues to be one of the most significant channels for data loss, and one of the least controlled).
Rather than belabor that point here, I'd refer interested readers to this replay of an April 2010 web seminar featuring Proofpoint's Ken Liao, where Ken presents on precisely this topic:
Register for Brighttalk webinar replay: A Pragmatic Approach to Compliance with Policy-Based Encryption
Back to the NetworkWorld article, analyst Eric Ouellet is also quoted on the issue of "enterprise DLP" versus "channel DLP" (that is, addressing the DLP concerns in a specific protocol/channel, such as email):
... the market has evolved over the last year to include a second track for DLP that Gartner is calling "Single Channel DLP," which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used. "It provides you with enough to get you by," he said. Costs in this "Single Channel DLP" area can be in the $5 range for e-mail monitoring per employee.
The distinction between enterprise and channel DLP is discussed briefly in Gartner's 2010 Magic Quadrant for Secure E-mail Gateways, which also gives some detail on the DLP capabilities of each vendor in the email security market, including Proofpoint. You can view a copy of that magic quadrant, compliments of Proofpoint, by visiting:
http://www.proofpoint.com/magicquadrant
Our live web seminar series continues on Wednesday, May 26th. Join Proofpoint and our new partner Titus Labs to learn how email classification, email security and email archiving intersect. Find out how these technologies can help your organization better protect sensitive data and comply with an increasingly complex global regulatory environment.
To register for "End-to-end Email Security: Ensuring Data Privacy and Compliance," please visit the following link:
http://www.proofpoint.com/id/end2end/index.php?id=6
As with all of our web seminars, a replay will be made available to all registrants shortly after the live event.
Proofpoint email encryption specialist Ken Liao will be presenting a live web seminar on Thursday, April 29th 2010 on the topic of "A Pragmatic Approach to Compliance with Policy-based Encryption" at 9 a.m. PT / Noon ET.
Ken's a great presenter and if you're at all concerned about email as it relates to compliance with data privacy regulations, you won't want to miss this online event. Here's the brief overview of what Ken will cover:
Email continues to be the number one source of data loss risk. If your organization handles data governed by regulations such as PCI, HIPAA or GLBA, you need to ensure that your email system can protect sensitive information from improper exposure while still enabling secure communication with your customers, clients and business partners. Join this discussion to learn more about the requirements for protecting sensitive data in email. You'll learn how automatic, policy-based email encryption can provide effective protection for sensitive information in email and why it should be a central part of your approach to compliance.
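To make the "policy-based" part concrete, here is a small added example (my own illustration, not Proofpoint code and not part of the original post or Ken's presentation) of the decision an outbound email gateway makes in the single-channel DLP model described above: scan the outbound message, look for regulated content, and return the policy action (encrypt or pass). The card-number check uses a Luhn mod-10 test so that ordinary digit runs such as order numbers do not trigger encryption; the sample messages, the pattern names and the action labels are all constructed for this example.

```python
"""Toy policy-based outbound email check (added example, not Proofpoint code).

Scans an outbound RFC 2822 message for regulated data patterns and returns the
action a policy-based encryption gateway would take: ENCRYPT when card numbers
(PCI) or SSN-style identifiers (PII) are found, PASS otherwise.
"""
import re
from email import message_from_string

# Candidate primary account number: 13-19 digits, optionally separated by
# spaces or dashes. Luhn filtering below removes most false positives.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the impossible area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Luhn mod-10 check; rejects random digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def message_text(msg):
    """Concatenate every text/* part (body and text attachments) for scanning."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def classify(raw_message):
    """Apply the (hypothetical) outbound policy and return the action taken."""
    msg = message_from_string(raw_message)
    text = message_text(msg)
    findings = {}
    pans = find_pans(text)
    if pans:
        findings["PCI"] = len(pans)
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["PII"] = len(ssns)
    action = "ENCRYPT" if findings else "PASS"
    return {"action": action, "findings": findings}


# Constructed sample messages. 4111 1111 1111 1111 is a well-known test PAN.
SENSITIVE_MSG = """From: billing@example.com
To: customer@example.org
Subject: Card on file

Please charge card 4111 1111 1111 1111 for the balance.
Account holder SSN for verification: 123-45-6789
"""

CLEAN_MSG = """From: shipping@example.com
To: customer@example.org
Subject: Your order

Order 1234567890123 has shipped and should arrive Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("sensitive", SENSITIVE_MSG), ("clean", CLEAN_MSG)):
        print(name, classify(raw))
```

Run stand-alone, the sensitive message is classified ENCRYPT with one PCI and one PII finding, while the order-confirmation message passes because its 13-digit order number fails the Luhn check. A real gateway would also decode non-text attachments (PDF, Office documents) before scanning, which this example omits.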
To attend, please register by visiting the following URL and clicking the "Register for this event" link:
http://mediazone.brighttalk.com/event/Proofpoint/f87e955fd6-3782-intro
Proofpoint's live email security web seminar series continues in April with "Control Tomorrow's Spam Risks Today."
Join Proofpoint spam expert Nithin Rao and Proofpoint machine learning scientist Vipul Sharma (see also my previous post with a video featuring Vipul) for a look at the latest spam techniques, targeted attacks, threats from social media and the growing need for outbound spam protection.
Vipul will explain the basics of machine learning and will discuss how Proofpoint applies these advanced statistical techniques to the problem of fighting spam.
As always, your questions will be answered during the live Q&A session. And, if you can't make it to the live event, remember that registered attendees will receive a link to the replay as soon as it's available.
Register now for this web seminar, being held at 11:00 a.m. PT / 2:00 p.m. ET on Wednesday, April 21, 2010. Click the link below for the registration page:
Register for Proofpoint's webinar: Control Tomorrow's Spam Risks Today - Using Machine Learning to Beat Spam
Our live web seminar series continues on March 24th, 2010 with an important topic that we haven't covered in a while: compliance with the PCI (Payment Card Industry) data security standard. If your company handles credit cards and cardholder data, you should be aware of these requirements.
We'll discuss the critical role that email security plays in PCI-DSS compliance. You'll also hear real-world examples of how Proofpoint customers use integrated email encryption and data loss prevention technologies to tackle a wide variety of compliance challenges, securely transmit sensitive data via email and improve the levels of service and convenience they deliver to their customers.
Find more details and register by visiting the link below:
Register for Proofpoint's PCI-DSS and Email Security Webinar

As 2009 winds down, it's a good time to take a look at your organization's IT plans for 2010 and, in the world of email, one of the biggest considerations (at least, for those enterprises that use Microsoft Exchange) is when and how to migrate to Exchange 2010. Exchange 2010 offers a wide variety of improvements over previous versions and among the most anticipated features are the addition of more sophisticated email retention and improved storage management.
Because email archiving has become a "must have" feature for so many organizations today, email administrators and other IT professionals are wondering whether Exchange 2010 will provide all of the email archiving features that they need to meet their eDiscovery, email retention and storage management needs. Many others wonder if they should hold off on the purchase of a third-party email archiving solution or if they'll be able to migrate off of an existing email archiving solution in 2010.
In our first live web seminar of 2010 (Wednesday, January 13th) we'll be discussing these issues. If email archiving is on your "to do" list for 2010, you won't want to miss it. Register here:
Email Archiving in Exchange 2010: Are Third-party Solutions Still Necessary?
Attend this webinar to learn:
- Top 10 reasons you’ll still need third-party email archiving—even with Exchange 2010.
- How you can get all the archiving-related benefits of Exchange 2010 and more, without having to migrate.
- What critical factors and features you need to consider when evaluating any email archiving solution for your organization.
- How choosing the right email archiving solution can reduce business risk, increase Exchange performance and reduce costs associated with storage and eDiscovery.
- Which types of email archiving solutions deliver the lowest total cost of ownership.
I've been following the rather long and confusing story of millions of "missing" emails from the George W. Bush White House off and on in the blog for some time. This week, the White House settled lawsuits relating to these missing emails that had been brought by two groups, the National Security Archive and Citizens for Responsibility and Ethics in Washington.
The loss of these email messages and eventual recovery of 22 million "newly found" messages seems to have been extremely costly and serves as a reminder to all organizations that, if they haven't thought about and planned for electronic discovery of email, it's probably time to do so. As I've noted repeatedly here and in the press, at least 25% of enterprises are faced with a subpoena each year that requires them to produce employee email. (You can find this and other related statistics in our annual Outbound Email and Data Loss Prevention report.)
Media coverage of the White House's settlement of these lawsuits has exposed some interesting information about the White House's IT and email security practices that are worth sharing here.
Computerworld has a good article ("'Lost' Bush e-mail settlement requires that White House reveal IT practices") that notes that the emails in question went missing due to "what may have been one of the messiest e-mail platform migrations ever," saying:
The e-mail problem began in 2002 and 2003 after the White House moved from Lotus Notes to Microsoft Exchange. As it moved to the new platform, the President's IT staff also discontinued use of a legacy, circa 1994, electronic management and archiving system, called Automated Records Management Systems (ARMS). Development began on a new archiving system that ran into its own issues and wasn't implemented.
Without an automated archiving system, the White House relied on manual processes to archive e-mails, and that's when the problems evidently began. Files were mislabeled and commingled on back-up tapes containing all types of information.
If that sort of manual email retention and recovery process sounds familiar, maybe it's time for your organization to consider a more robust technology solution for email archiving. (Email archiving is the topic of our next live webinar, being held January 13, 2010 - you can register for that free web seminar here.)
For a good summary of the entire saga of the missing White House emails, see this Atlantic Wire story which includes links to a number of external articles that reflect on a number of different legal, technological and political dimensions of this story. See, "The Strange Story of 22 Million Misplaced White House Emails."
One more related media item that I thought was interesting is this audio interview that played on NPR this morning wherein Meredith Fuchs, general counsel of the National Security Archive, talks to NPR's Ari Shapiro about the missing Bush emails and about whether the current (Obama) administration is meeting its own promises to be more transparent.
You can find a player for that interview on this page - Group: Administration Making an Effort at Openness - or jump directly to an MP3 version of that replay.
We held a web seminar yesterday titled "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email" (you can view the replay of this HIPAA email webinar by following this link), in which Rami Habal presented some great information on the new requirements enterprises face when protecting protected health information (PHI) in email. This was our most highly attended web seminar ever, with more than 1,200 registered attendees.
During the question and answer session at the end of presentation, I mentioned briefly that HIPAA may require some types of emails to be retained and that this argued for adopting email archiving solutions as well as email encryption/data loss prevention.
At the end of all our webinars, we conduct a survey that allows attendees to provide feedback. One of the webinar attendees chastised me gently in their survey response saying that my assertion was wrong and that HIPAA does not require organizations to retain email.
Was I wrong? Well, it's true that HIPAA does not specifically mandate that covered entities archive email. (It does not mention email by name at all; even encryption of electronic PHI in transit appears in the Security Rule as an "addressable" implementation specification rather than a flat mandate.) However, HIPAA does require that covered entities retain certain types of documentation related to their compliance with the regulations. It's my contention that, in some cases, this means certain emails must be retained.
This is a fairly subtle point but one that I think healthcare organizations and other HIPAA covered entities should consider. I wrote about this briefly in our whitepaper, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email. Here's an excerpt of what I had to say:
While this paper has focused primarily on the requirements for protecting private healthcare information during email transmission, HIPAA covered entities are also required to retain a wide range of documentation regarding their compliance with the regulation. In general, documentation must be retained for six years from the date of its creation, or the date of last effect, whichever is later (though some states mandate longer retention periods).
Documentation that must be retained includes:
- Policy or procedural documentation: Including notices of privacy practices, consents, authorizations and other standard forms
- Patient requests: Such as requests for access, amendment or accountings of PHI disclosures
- Complaints: Documentation related to the handling of patient and/or HCO employee complaints
- Training: Including processes for and content of workforce training
An increasing number of email messages sent or received by HCOs could fall into these categories, and in some cases, may only exist in email (for example, patient requests sent via email). In a recent Proofpoint survey of large healthcare organizations, 68% of respondents cited “ensuring the confidentiality and protection of private healthcare information” as a top concern driving the need to archive email in their organizations. HCOs should look for email security solutions that also include an email archiving component.
Email archiving technology can ensure both the preservation and easy discovery of email messages that could be considered medical records or HIPAA-regulated documentation. Such systems should store email in an encrypted form, to ensure the security of any PHI contained in archived email messages and their attachments.
The point is, some email communications clearly do qualify as documentation that must be retained under the HIPAA regulations. Modern email archiving solutions can enforce retention of such messages and make them more easily discoverable. The full whitepaper has a bit more detail and, as always, I appreciate your comments as to whether I'm off base on this topic!
Update 4/29/2010: The 2010 edition of the Magic Quadrant for Secure E-mail Gateways is now available. You can view a copy at the following URL:
http://www.proofpoint.com/magicquadrant
A couple of "last chance" reminders today: First, Gartner's most recent "Magic Quadrant for E-mail Security Boundaries" published in 2008 is about to be retired as an updated quadrant will debut in the first half of 2010.
You can still get a complimentary copy of that document from Proofpoint (until December 11th, 2009) at the following URL:
http://www.proofpoint.com/id/gartner-email-security-magic-quadrant/index.php
After 12/11/09, you'll have to wait until Gartner publishes an updated Magic Quadrant on email security, probably not available until Q2 of 2010.
Gartner, Inc. positions Proofpoint in the Leaders quadrant in its 2008 Magic Quadrant for E-mail Security Boundaries (the anti-spam, anti-virus, outbound content filtering, email encryption and intrusion prevention market). While consolidation in the email security market means that the landscape is rather different today than when this report was first published, it still provides some great insight into what enterprises should look for when buying email security solutions, and its comparison of the various vendor solutions is still quite useful.
Second, our next live Proofpoint webinar, "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email" is just a week away (Wednesday, December 9th at 2:00 PM ET, 11:00 AM PT).
This is an extremely popular topic right now and there are already more than 750 attendees signed up. As usual, if you can't make it to the live webinar, just register and we'll send you a replay as soon as it's available.
Proofpoint's 2009 live web seminar series continues on Wednesday, December 9th, 2009 with a webinar titled "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email." Join us to learn about the recent changes and expansions to the HIPAA healthcare privacy regulations and how they affect your organization's approach to email security.
Email continues to be the number one source of exposures of protected health information (PHI) and, with the new HITECH provisions of HIPAA now applying to more companies than ever, it's a great time to learn about these regulatory changes and how data loss prevention and policy-based encryption technologies can help you meet the latest requirements.
Register here: HIPAA and Email Security Webinar, Dec 9, 2009
If you'd like a preview of the types of information we'll be presenting, check out our new whitepaper on the same topic. Read our HIPAA and Beyond whitepaper to get a quick overview of what you need to know about the latest security, privacy and data breach regulations for companies that handle private healthcare information.
It also outlines what to look for in a secure email solution for HIPAA compliance.
Download it here: Proofpoint's HIPAA and Beyond whitepaper.