Proofpoint: Security, Compliance and the Cloud

29 posts categorized "Whitepapers"

February 22, 2011

Email Security & Compliance for Healthcare: Customer Case Studies, HIMSS 2011 Conference

Regular Proofpoint followers and readers of this blog are familiar with the many email security and compliance concerns around private healthcare information ("PHI").

Ensuring compliance with the data security and privacy rules of HIPAA (and the more recent "HITECH" updates to the HIPAA regulation) is obviously critical for healthcare organizations, but these rules also apply to many other organizations that handle healthcare information.

Today's Proofpoint press release, "Demand for Proofpoint’s Security and Compliance Cloud Solutions Grows in Healthcare" highlights three healthcare industry customers who use Proofpoint's SaaS security and compliance solutions to secure inbound email, detect and protect (or encrypt) private healthcare information in outbound email and archive email to meet compliance and eDiscovery requirements.

Proofpoint is (not coincidentally) also exhibiting this week at the HIMSS 2011 conference (the leading healthcare IT conference and exhibition) in Orlando, Florida. If you're attending that event, do visit the friendly and knowledgeable staff at Proofpoint's booth (#4001) to learn more about how Proofpoint can help your organization with HIPAA/HITECH compliance and data security.

For example, our announcement today explains how Scottsdale Healthcare, a not-for-profit healthcare system based in Arizona, uses Proofpoint's SaaS solutions for anti-spam as well as for email encryption, ensuring that HIPAA-regulated healthcare information is protected in outgoing email. Scottsdale Healthcare is also the subject of a new case study (PDF format), which you can download via this link: "Case Study: Scottsdale Healthcare Relies on Proofpoint to Cure Spam and Email Encryption Challenges."

Mike Gleason, director of information services at Scottsdale Healthcare, explains, “For our organization, if any information in the body of an email or an attachment contains a social security number, a credit card number, patient identifier, or other sensitive data, it will be captured and secured. These types of data are automatically encrypted, and then forwarded on, which helps us avoid sending out emails that contain sensitive information or patient privacy data to domains outside our organization.”

Another organization, Kelsey Seybold Clinic of Houston, Texas, is moving its deployment of the Proofpoint Enterprise Protection email security solution from an on-premises deployment to Proofpoint's cloud-based (SaaS) offering.

Martin Littmann, director IT systems for Kelsey Seybold Clinic, says, “After comparing costs between different deployment types, we were convinced that moving Proofpoint’s protection solution to the cloud would save us time and money, and that our resources would no longer be stretched.”

And at Community Memorial Health System (Ventura County, California), Proofpoint's entire suite of SaaS security and compliance solutions guards against inbound threats, ensures patient privacy and archives email for 2000 mailboxes.

Explaining why his organization chose Proofpoint, Thomas Kniss, CMHS's director of clinical information systems, noted that, “Proofpoint has a very impressive list of current healthcare customers, and it was important that our vendor have experience and a successful track record of providing security solutions to healthcare organizations. Proofpoint’s knowledge and capabilities of smart identifiers and HIPAA dictionaries was a key deciding factor as well.”

Another good resource for healthcare organizations is the Proofpoint whitepaper, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email (click the link to register).



February 02, 2011

eDiscovery and Cloud Computing: New Partnership with Clearwell, New Whitepaper

Three new things to share with you today: First, Proofpoint announced a new partnership with Clearwell Systems, a leading provider of eDiscovery solutions, to deliver integrated, cloud-based litigation-readiness services for email.

The companies will work together to better integrate the Proofpoint Enterprise Archive SaaS email archiving solution with Clearwell's eDiscovery Platform, delivering a solution that will reduce the time, costs and risks associated with electronic discovery.

You can read more about that partnership in our full press release.

In conjunction with that announcement, we also published a new whitepaper that explains how the adoption of cloud computing applications can complicate electronic discovery if not handled correctly. In What Every Enterprise Should Know about Cloud Computing and eDiscovery we explain these risks and offer practical advice on how to evaluate cloud service providers and the features and service level agreements you should look for in cloud-based solutions, so that eDiscovery risks are minimized while meeting your organization's business, legal and IT goals.

As usual, you can get a copy of this whitepaper by clicking the link above... But (and here's the third new thing), you can also get a copy right now, simply by filling out the form below. How's that for efficiency?

January 27, 2011

Proofpoint en Español: Email Security, DLP, Archiving, Encryption Datasheets Now Available in Spanish

Hola, amigos! Did you know that information on Proofpoint's SaaS email security and compliance suites is available in a variety of languages, including French, German, Japanese, Portuguese... and now Spanish?

 You can always find the latest product datasheets in our Email Security Learning Center. Items that have been localized for multiple languages have a note in the description portion with a link to PDFs of all the available language versions.

The newest additions to our international collateral set are Spanish versions of the latest Protection, Privacy, Archive and Encryption datasheets along with our corporate overview brochure.

Direct links to these new documents (in Adobe Acrobat PDF format) can be found below:

Proofpoint Enterprise Protection: "Seguridad de correo electrónico SaaS: protección total contra amenazas de correo electrónico"

Proofpoint Enterprise Privacy: "Cumplimiento de normas de correo electrónico SaaS, prevención de pérdida de datos y Solución de codificación"

Proofpoint Encryption: "Codificación de correo electrónico con tecnología SaaS basado en políticas"

Proofpoint Enterprise Archive: "Solución de almacenamiento de correo electrónico SaaS"

Proofpoint corporate overview brochure: "Controle hoy los riesgos del correo electrónico del mañana"

 

January 13, 2011

Top Ten Privacy Predictions 2011: Follow-up and Links from Yesterday's Live Web Seminar

Thanks to the hundreds of you that tuned in for our first live web seminar of the new year, "2011 Predictions: Top 10 Privacy Issues," where co-presenter Ken Liao and I looked into the crystal ball to expose the cultural, policy, technology and regulatory trends that will dominate privacy discussions this year! My thanks especially for all of the great questions and feedback on the seminar.

If you missed it, or if you'd like to refer back to the web seminar, it's now available as a replay. For those of you who registered for the live event, a direct link to the replay file has been sent to you via email, as usual.

In our presentation, Ken and I shared quite a few links to various privacy-related resources that I promised to share with you here as clickable links, so here they are, by prediction:

Intro: Why Privacy Matters Today

Privacyrights.org's running list of data breaches can be found here:
http://www.privacyrights.org/data-breach

Proofpoint's 2010 research on data loss events was referenced multiple times during the presentation. You can download a copy of our full report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 here:
http://www.proofpoint.com/outbound

Prediction 1: Mobility & Location-based Info Becomes a Major Concern

We had a little extra comedy in yesterday's webinar as our slide on this first prediction had mysteriously disappeared. Click the image at left to see the slide we had intended to display!

Predictions 2-4: At Least One Major Social Media Site Will Experience a Serious Breach, Evolution of Social Media Policies, More Organizations will Formalize Acceptable Use Policies

The data/charts in these slides on social media data loss events, social media/web services that large organizations prohibit access to, and acceptable use policy adoption are all from the aforementioned Proofpoint research at http://www.proofpoint.com/outbound.

Prediction 5: Blended Threats Will Continue to Increase

For more on the VBMania outbreak and other recent blended threats, see my blog post about "Blended Threats Old and New." On the topic of spam's holiday vacation and subsequent return, see "Spam Volume Makes a Comeback After Holiday Hiatus."

Prediction 6: New, Stricter Privacy Regulations Will be Adopted Worldwide

Not mentioned in the slide, but here's a good article explaining the European reactions to privacy implications of Google Street View.

Prediction 7: Expect a US National Data Breach Notification Law

Here's the link to the Federal Trade Commission's report on Protecting Consumer Privacy. And here's information on the new White House "Enhancing Online Trust and Privacy" initiative.

Prediction 8: At Least One Enforcement Action Under Massachusetts 201 CMR 17

Links for the State of Massachusetts FAQ on 201 CMR 17, and an interesting ThreatPost article about a possible 201 CMR 17 test case in 2011.

Prediction 9: More Organizations Will Encrypt More Data

Find more product information about Proofpoint Encryption here. Also, http://www.proofpoint.com/outbound is referenced again (data on adoption of data loss prevention technologies).

Prediction 10: Increased Adoption of Secure/Managed File Transfer

The statistic about the level of concern around FTP as a source of data loss risk is, once again, from http://www.proofpoint.com/outbound. And visit this link for information on the Proofpoint Secure File Transfer solution.

Q&A Session

In my comments, I mentioned the recent email breach of personal information of all GSA personnel.

Thanks again to everyone who joined us for this web seminar. If you missed it and would like to see the replay, please visit:

 http://www.proofpoint.com/id/top10privacy/index.php?id=6



January 12, 2011

New eDiscovery Case Study and Video: Wedbush Securities Uses Proofpoint to Streamline Archiving and eDiscovery

Keeping with our eDiscovery and archiving theme this week, Proofpoint published a new press release and case study about customer Wedbush Securities, a leading financial services firm. Wedbush uses Proofpoint solutions for email security (Proofpoint Enterprise Protection) as well as email archiving and eDiscovery (Proofpoint Enterprise Archive).

The new case study (click the image at left to view the actual PDF version) focuses on how Wedbush replaced its outdated email archiving solution with Proofpoint's SaaS solution, with the goals of making archiving and eDiscovery more user friendly and more efficient, and of better satisfying SEC/FINRA supervision requirements.

Wedbush's director of IT, Mattias Tornyi, says, "I think the performance around eDiscovery is really a big benefit, and something that we wouldn’t get with an in-house solution. I can do any type of search through the system, and know I am getting a response time within 30 seconds. It’s so easy to use and very efficient for IT, Compliance and Legal to perform discovery searches now."

Regular blog readers will recall that I recently posted a video interview with Jeff Bell, the executive VP of clearing and technology for Wedbush Securities talking about how his organization uses Proofpoint. I've included that video again, below, as well as a new "part 2" of that interview where Jeff discusses some of the other security and IT issues (including phishing, mobility and training) that are most on his mind today. Here's part one:

   

And here's part two:

 



Note that you can find more customer case studies in our online learning center and more Proofpoint videos in our YouTube channel.

December 31, 2010

Wishing You a Happy, Safe and Secure New Year... and a Quick Look Back at 2010

On this eve of the new year, I wanted to take a moment to thank all of our customers, partners, friends and fans -- on behalf of everyone here at Proofpoint -- for yet another terrific year! We couldn't have done it without your support.

It was a year of great milestones for Proofpoint, including being named once again to the "Leaders" quadrant in Gartner's 2010 Magic Quadrant for Secure Email Gateways, reaching our seventh consecutive year of record revenue, launching new versions of our SaaS email security, data loss prevention and email archiving solutions, publishing our seventh-annual survey on email/social media data loss prevention risks, a new look and feel for our brand and much more.

We're looking forward to another great year in 2011 and wish you a happy, successful and safe new year!

A couple of good 2010 IT security year in review articles caught my eye this week that are worth checking out:

eSecurity Planet has a roundup of key security events for the year in "IT Security 2010: The Year in Review," and on the other side of the pond, the UK's IT Pro has an extensive overview in "Security: Year in review 2010".

See you in 2011!

December 10, 2010

Hosted, SaaS, Cloud-based Services: What's the Difference?

First, "Good question!" And second, "Why did I ask this in the first place?"

Ran across two things recently that inspired me to write on this topic...

One: In doing a little research into how web surfers find Proofpoint and the Proofpoint Email Security blog, I discovered some interesting statistics (and regular readers know how I love statistics).

Proofpoint generally describes its solutions as being "Software-as-a-Service (SaaS)" — because that really is the best description for our "on-demand" type offerings — or, in the case of things that are deployed on-premises (like email security appliances) as "cloud-enabled" (because they leverage various cloud services that we've built).

But it turns out that a lot of individuals, when looking for "not on-premises" solutions, use the term "hosted" in their searches. 

For example, Google's search engine reports 85% more searches for "hosted email encryption" than for "SaaS email encryption." In the case of "email archiving" almost 5 times as many users search for "hosted email archiving" over "SaaS email archiving". And for "email security" we see 6 times as many searches for "hosted email security" as for "SaaS email security."

I have to say that I was surprised by these differences. Much higher than I had expected! So, should we just call these things "hosted" and get on with it?

I don't think so... And here's why...

Two: I recently became aware of a cool blog called Enterprise Features that touches on a lot of the same topics we cover here (see for example, this very interesting interview about Wikileaks and corporate privacy) where I read a really nice summary of the differences between the "hosted" and "SaaS" concepts.

In, "The Difference Between Hosted, SaaS (Software-as-a-Service) and the Cloud," technology blogger Paul Rudo writes, "the most obvious difference between 'SaaS applications' and 'hosted applications' is that one is a 'service' that you use, and the other is a 'product' that you own."

He notes also that there's "some overlap between SaaS applications and hosted applications. You can reasonably say that all SaaS services are hosted, but it would not be accurate to say that all hosted applications are SaaS."

He goes on to give a very easy to understand example around hosting a Wordpress blog versus subscribing to the SaaS version of Wordpress. (Rather than cribbing his entire article, I encourage you to read it here.) In the hosted case, he notes that there might be more control and flexibility, but there's also more maintenance effort. In the SaaS case, one is taking advantage of the service that Wordpress offers, possibly losing some flexibility but gaining much in the way of convenience, security and lowered total cost of ownership.

It's a great description, but I'd also point out that SaaS solutions also have an element of shared services to them (and this is one of the primary ways that SaaS reduces TCO).

As an example, in the Proofpoint Enterprise Archive SaaS email archiving solution, we leverage a huge grid of servers to enable very rapid searches across an organization's entire mail archive and we guarantee that — no matter how large one's archive grows or how complex the search query — search results will be returned in 20 seconds or less. While each organization's data is held in strict isolation, all customers have access to this elastic pool of computing resources to perform discovery. 

This would be very hard and costly to replicate in a purely "hosted" model. Sure, you could "rack and stack" some archiving appliances in a remote datacenter, but you'd have to buy much more hardware than you would need on a day-to-day basis to ensure that same level of performance. 

I could go on, but I think you can see that the difference between "SaaS" and "hosted" solutions isn't purely a semantic one.

Readers, what do you think? We're always interested in your comments!

Back to my first point, I think it's going to take some time before this difference is fully understood. And, until that time, I guess I have to occasionally call what we do "hosted" simply to expose more people to the concept.

So, how about some resources about "hosted security and compliance" topics? Here are three great whitepapers that address the advantages of various SaaS hosted security versus an on-premises approach:

 

November 09, 2010

Gartner DLP Advice and Research: Read Gartner's 2010 Content-Aware Data Loss Prevention FAQs Report

Proofpoint has made available some cool new Gartner research on data loss prevention in the form of a reprint of Gartner's 2010 Content-Aware Data Loss Prevention FAQs report.

This 8-page report describes Gartner's advice about the best approaches and benefits of deploying data loss prevention (DLP) solutions. It lists many of the typical questions asked by Gartner clients and provides answers that are applicable to the most common DLP scenarios.

This document has some especially interesting information about the differences between "enterprise" and "channel" DLP and when the channel DLP approach (for example, deploying data loss prevention and encryption features for email). This is a topic that I touched on in a previous blog post (see, "Gartner Analyst: Many Organizations Buying More DLP than They Need").

As the report notes, "Gartner has found that many DLP implementations only use a small subset of the total capabilities. Many times, what has been implemented is often the functionality subset that can be achieved with a C-DLP [channel DLP] solution from an incumbent provider at substantially less cost and complexity."

There are many more interesting insights in this report and it's well worth a read for anyone looking for information on the business cases for adopting DLP technology, deployment tips, evaluation criteria and much more. Follow the link below to read the full report:

Gartner Report: 2010 Content-Aware Data Loss Prevention FAQs

Related Research

Note that Proofpoint currently makes a number of other Gartner reports available, including:



October 26, 2010

A Bumper Crop of New Email Security, Email Archiving & Data Loss Prevention Resources

Ah, it must be harvest season because there's a whole bunch of new collateral cropping up on the Proofpoint website. Visit the products and solutions section (look for the orange "DATASHEET >" button on individual product pages) or our learning center where you'll find that links to datasheets pop up with new content hot off the virtual presses.

These join the new and revised datasheets for Proofpoint Enterprise Protection, Proofpoint Enterprise Privacy and Proofpoint Enterprise Archive that have been available for a while now.

Now, there are new datasheets for:

If you explore further into the "TECHNOLOGIES" section of our products pages, you'll find new technology briefs (again, click the "DATASHEET >" link on each page) about the various anti-spam, anti-virus and data loss prevention technologies for regulatory compliance and digital asset security that Proofpoint employs.

And, "just one more thing..." As I mentioned in my previous post, we published a new whitepaper entitled, "Why Email Archiving and eDiscovery are More Important than Ever."

While it's aimed at financial services organizations, this short paper is useful for any organization that wants to learn more about both regulations and best practices that relate to electronic discovery and email archiving.

 



October 26, 2010

Video: Wedbush Securities on Using Proofpoint Email Security and Email Archiving Solutions

Proofpoint customer Jeff Bell, executive vice president of clearing and technology for financial services firm Wedbush Securities, was kind enough to host me at his San Francisco office recently and allowed me to interview him about his use of Proofpoint's email security and compliance solutions.

Wedbush has been using Proofpoint for email security since 2004 (protecting more than 1000 employees) and recently added our SaaS email archiving solution, Proofpoint Enterprise Archive. Wedbush Securities is a leading financial services and investment firm that provides private and institutional brokerage, correspondent clearing, investment banking, equities research, public finance, fixed income sales and trading, and asset management to individual, institutional and issuing clients.

As such, there are a host of email retention regulations with which they have to comply. While we don't get into that in the video, Proofpoint has just published a new email archiving whitepaper that gives a good overview of the regulatory and best practices drivers for using email archiving technology in financial services firms (see, "Why Email Archiving and eDiscovery are More Important than Ever" to download a copy).

  

 Jeff and I also discussed his views on other IT threats that are on his radar and I'll share that video in a future post.

And by the way, if you're a Proofpoint customer and would like to share your Proofpoint story, we're always happy to hear from you! Drop us a line at pr@proofpoint.com.

©2012 Proofpoint, Inc.