Email Policy: Self-Governance or Central Enforcement?</h1> <article> <h1>Email Policy: Self-Governance or Central Enforcement?</h1> <p>Stephanie Jordan — Thu, 19 Jan 2012 02:30:52 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/email-policy-self-governance-or-central-enforcement" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/email-policy-self-governance-or-central-enforcement" data-url="http://www.messagingnews.com/story/email-policy-self-governance-or-central-enforcement" data-lang="en">Tweet</a></div><p>We all know email is the backbone of business communication. When the corporate email system goes down, productivity of the workforce plummets and there is a greater outcry than when any other “utility” function provided by the enterprise IT department is out of service. In the enterprise, email has arguably become more reliable and trusted than the telephone or any other human collaboration tool. However, if not properly secured, email can also pose a great risk for corporations because confidential and sensitive communications can end up quite costly in legal fees, compliance fines, and erosion of brand.</p> <p>So why is it that so many large organizations have not implemented reliable email use and enforcement policies to govern security and compliance risks, data leak protection, messages accidentally sent by mistake, or even best practices for communication and systems efficiency? Is it the lack of available and trusted technology, human apathy, or a little of both that prevents most organizations from doing more about it?</p> <p>On the technology front, we know there are many Data Leak Protection (DLP) solutions that have been purchased and implemented by enterprise security departments, which is required for most regulated industries. These DLP systems help security, compliance, and legal departments determine corporate email policies. The systems are also useful tools in analyzing email traffic and for discovering when there has been a leak of sensitive or confidential information, accidental or on purpose, to warn employees of their company email use policies, legal risks, and liabilities.</p> <p>In many of these organizations using DLP systems, it cannot be apathy which causes the lack of enforcement because policies are written down, employees are informed, understand the consequences, and even sign their names saying they will abide by the policies, even being totally aware that their emails may be inspected without their involvement. Despite this, confidential information such as social security numbers or embarrassing personal comments are still found in messages, and compliance violations continue to occur even in encrypted messages, and the email policies intended to prevent these risks are not enforced.</p> <p>Most often, the reason for these violations is that humans make unintentional mistakes and such accidents will continue if left to self-governance. DLP systems are wonderful systems for discovering and analyzing what has already happened, but they lack the ‘in-stream’ email policy enforcement capabilities needed to get in front of a potential issue and prevent unwanted actions from occurring before messages are sent.</p> <p><a href="http://www.sendmail.com">Sendmail Inc</a>., which provides message processing appliances and applications for enterprise messaging infrastructures for large enterprises of 10,000 employees or more, believes it is critical for enterprise IT to formulate email policies and not to leave enforcement to self-governance. To mitigate the human element, an intelligent centralized policy management system should be put in place by the corporate IT department for all email systems (enterprise, Web mail, and public email networks such as AOL, Yahoo, Gmail).</p> <p>The requirements of an intelligent “policy management engine” must include:</p> <ol> <li>Full message content scanning (message body, header, footer, and attachments) performed “in-stream” (i.e., before it is delivered to the recipient) for which any email policy can be intelligently applied based upon any content attribute (i.e., key words, phrases, destination, sender, attachment type, data field, etc.).<br /><br />While scanning the message in-stream the email policies should be automatically applied, which can result in the message being stopped, delivered, archived, forwarded to another party, copied, an alert notification sent, etc. There are unlimited policy-based routing and enforcement actions that can be applied centrally, or by each department, location, authority based upon user requirements. And email policy should be able to dynamically change and be implemented “on the fly” at any time.</li> <li>Directory synchronization. With an intelligent policy engine that is also tied to the internal employee directory, unlimited actions such as authorization rights can be applied seamlessly on any record including employee name, department, position, rank, or title within groups, locations, or through various “Ethical walls.”</li> <li>Scaleable and extendable to social media networks. An intelligent centralized policy engine should also be scaleable to support any size organization and extended to support all email enabled applications and social media networks such as Twitter, Facebook, LinkedIn, et al.</li> </ol> <p>Fortunately, such technology exists today. Large organizations utilizing a message processing platform and powerful policy engine, have found the technology to be integral to central policy enforcement, whether their email systems remain on-premises (most commonly with Microsoft Exchange) or even more valuable when moving their human collaboration email systems to the cloud (such as to Microsoft Exchange BPOS/365 or Google Gmail Apps). With a message processing platform in place, unlimited email policies can be implemented for both incoming and outgoing messages.</p> <p>In this scenario, the same intelligent policy manager can also integrate policy-based applications such as true in-stream enforcement of DLP, encryption, malware filtering, and even policies that enable end-users to recall messages that were sent by mistake, before they reach their destination. For example, every email user has suffered the panic when realizing they hit the SEND button too soon on a message and want to recall it for modification of the sender list, the attachment, or even the content in the message body.</p> <p>Bottom line? The first step for an enterprise should be to develop and adopt email policy based on its own unique requirements, risks, and best practices. The second step to ensure email policy is adopted by the organization is to ensure a high performance email backbone is in place, one with an intelligent central policy management engine to ensure enforcement. Just as critical as it is to adopt email policy, is having a system to remove the human-only enforcement element and administer it. And once email policies and the systems for enforcement are in use, the same policy engine can be extended to the growing use of social media networks.</p> <p>Until these critical steps are taken, email, one of the world’s most critical business communication tools, can leave an organization at risk for violation of various legal, compliance, and security policies as well as embarrassment and brand erosion.</p> <p><strong>About Glen D. Vondrick</strong><br />With more than 30 years of high-tech industry experience, including executive leadership roles from the last 10 years in the messaging security space, Glen Vondrick heads Sendmail customer-facing, global operations including sales, professional services, customer technical support, business development, marketing, and sales operations.</p> </article> <article> <h1>Unified Communications: Is the Public Cloud Your Enemy?</h1> <p>Stephanie Jordan — Tue, 08 Nov 2011 21:08:31 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/unified-communications-is-public-cloud-your-enemy" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/unified-communications-is-public-cloud-your-enemy" data-url="http://www.messagingnews.com/story/unified-communications-is-public-cloud-your-enemy" data-lang="en">Tweet</a></div><p>The hype surrounding the public cloud has reached a fever pitch in the past year. Amazon is making big news with EC2. Meanwhile, in the unified communications (UC) arena, Microsoft’s recent introduction of the Office365 service is really making IT departments sit up and take notice. This combined email, IM/Presence, conferencing, collaboration and voice behemoth — largely because it is delivered as a public cloud service — was billed as a panacea for the ills of the communications and collaboration world. Despite the fact that the public cloud has achieved “darling” status in the computer industry, is it really the friend of IT? Perhaps hype is getting ahead of reality. </p> <p>Let’s take a look at the evidence.</p> <p>The obvious starting point is the myriad of service outages that have occurred over the course of the past year. From August 23rd, 2010 through Sept 8th, 2011 there have been at least three major Gmail outages and eight major Microsoft outages of either Office 365 or its predecessor BPOS. Together, these have totaled over 50 hours of downtime for end users….and those are just the outages that have been publicized!</p> <p>What about security?<strong> </strong>Just because the public cloud is generally considered more secure than enterprise datacenters, that doesn’t mean it specifically meets corporate security standards and policies. For example, multi-tenant servers, unsecured access to server logs, non-granular administration rights and spotty TLS enforcement can introduce security risks in public cloud UC services that are unacceptable in on-premise systems.<strong></strong></p> <p>As for reliability and availability, the public cloud doesn’t really care if multiple servers die each day. This explains why downtime penalties for missed SLAs are built into cloud service provider business models.<strong></strong></p> <p>When it comes to recovery times, these are not always satisfactory. Most public cloud providers offer downtime recovery, which does not meet expected enterprise requirements, e.g. recovery point objectives (RPO) can range from 15 minutes to 24 hours. <strong></strong></p> <p>Do you need customization? This is not an option in the public cloud. Today’s UC deployments have become quite sophisticated and intensely customized, but yet the public cloud has rules and procedures that only allow for generic deployments.<strong></strong></p> <p>Compliance is also an afterthought. Many public cloud providers don’t allow enterprises to customize long-term storage policies, which is often a requirement for meeting regulatory compliance requirements. <strong></strong></p> <p>Support is quite often frustrating and slow. In many cases public cloud providers outsource support calls overseas to teams who are either not well versed in the complexities of the system, or don’t have access to the servers to make immediate changes.<strong></strong></p> <p>You must be able to give up control, because the public cloud decides when upgrades take place and when downtime occurs. It doesn’t adapt to your business; you must adapt your business to the public cloud.<strong></strong></p> <p>Finally, what about hidden costs? Public cloud UC systems, with add-on options like archiving, migration, mobile device support, increased network bandwidth, etc. can often be just as costly as on-premise systems. Furthermore, the ongoing costs of the public cloud are theoretically never-ending, will never decrease, and will only go up. In addition, these costs cannot be counted as an asset or depreciated as a facilities investment.</p> <p>Nevertheless, the public cloud is here to stay. The question is: will it shed the cloak of immaturity and inflexibility that today makes it more of a foe than friend of IT? Clearly the answer is yes — both Google and Microsoft have already made significant forward progress with their cloud platforms. However, ultimate success in the public cloud UC space will take time.</p> <p>In the interim, there is a work around that doesn’t involve overzealous server-hugging by IT. A close relative of the public cloud is available now, and offers many of the same benefits without the downsides. It’s called the Private Cloud. For many organizations that have bought into cloud computing, the main driver is not lower costs. Rather, it’s about adopting the operational advantages provided by the cloud – shared resources, hardware usage optimization, and elasticity – and applying them in datacenters using a private cloud model. The cloud can be your friend, but only if you make yourself its master.</p> <p>About Scott Gode<br />Scott Gode is vice president of product management and marketing for <a href="http://www.azaleos.com">Azaleos</a>, a provider of managed unified communications services. </p> </article> <article> <h1>Trust Takes Time and Dedication to Build, But Only A Second to Collapse</h1> <p>Stephanie Jordan — Fri, 30 Sep 2011 23:49:15 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/trust-takes-time-and-dedication-build-only-second-collapse" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/trust-takes-time-and-dedication-build-only-second-collapse" data-url="http://www.messagingnews.com/story/trust-takes-time-and-dedication-build-only-second-collapse" data-lang="en">Tweet</a></div><p>2011 is being heralded as the “year of the breach”. Combined with the rise of fraudulent business activities and uncertainty of the U.S. economy, recent studies indicate trust in email, advertising and businesses is heading towards an all-time low. The convergence of these events and data collection abuses has us heading towards a trust tsunami.</p> <p>Cybercriminals are working 24/7, with increased precision and relevancy. They are no longer content to reach consumers via email phishing. They are moving upstream through the supply chain, targeting business and government leaders. Gleaning data from public sites including LinkedIn, Facebook and businesses’ own sites, they are crafting personalized and compelling emails trolling for access to data, customer lists and confidential information.</p> <p>Cybercriminals have realized that if they can infiltrate trusted systems and hijack a business’s infrastructure, their ability to compromise a user increases significantly. For example, breaches at leading email marketers provided the capability to mail to millions of unsuspecting users, leveraging their trusted status with ISPs and mailbox providers. By targeting ad networks with malicious advertising, (malvertising), a single ad can be served to hundreds of thousands of users every daily, from the very sites consumers trust and frequent. By compromising the ad supply chain the cybercriminal has effectively bypassed multiple levels of security. The sites may be safe, but the third party ads being served through them and the code being executed are not.</p> <p>A recent example was with the certificate authority DigiNotar. They experienced a total failure in preventing; detecting; and perhaps most importantly, adequately notifying the browser community that over 500 certificates were fraudulently issued. The reaction by the community was swift and decisive, invalidating all of their certificates. Trust has been lost and likely will never be regained. Mozilla will no longer recognize DigiNotar SSL certificates and has stated their decision is permanent.</p> <p>Reviewing all of these incidents there is a pattern; a lack of proactive security focus by the company and the failure of adhering to security and privacy stewardship fundamentals. Unfortunately, cybercrime will continue to grow and business leaders need to accept the fact they will likely have an incident. To succeed we can no longer work in isolation, or think we are immune. Our best defense is collaborating, sharing data and best practices. We need to learn from our mistakes and the successes of others.</p> <p>We must act proactively and be willing to make meaningful changes in our approach to security and privacy. The failure to do so risks significant consequences. One scenario is a tsunami will bring on a trust meltdown. Consumer confidence will continue to decline, negatively impacting the vitality and growth of commerce and fraud losses will wash profits out to sea. The second wave will be the rising tide of regulatory scrutiny, adding costs, and complexity, while stifling innovation.</p> <p>Fortunately, progress is being made on many fronts. Support of initiatives such as email authentication continues to build momentum and other practices including “always on SSL” and promotion of Why Your Browser Matters are making a difference. The work of the OTA infrastructure and anti-malvertising committees continues to move forward, publishing practical advice and guidelines to aid all sites.</p> <p>To learn more, I am personally inviting business and policy leaders to join the <a href="https://otalliance.org">Online Trust Alliance</a> at the Online Trust Forum in Washington DC, October 17—19. The Forum provides a platform for Learning, Innovation and Collaboration. With over 60 speakers who are thought leaders in security, branding, interactive marketing and public policy, the OTA Forum uniquely provides a 360-degree view of the issues, challenges and remedies. More information is posted at <a href="file://localhost/dc.html">https://otalliance.org/dc.html</a></p> <p><em>Messaging News is a supporter of the Online Trust Forum, and has been for over six years. Join us at the Forum and save $200 off of registration using the discount code OTAMF.</em></p> <p> </p> <p><em>About Craig Spiezle</em></p> <p><em>Craig is a widely recognized expert on consumer trust and the convergence/importance of online policy, privacy, security, governance and stewardship. Recognized as a voice of reason and a trusted advisor, Craig is on the board of the Identity Theft Council, on the editorial advisory board of SC Magazine and was recently appointed to the Federal Communications Commission’s Communication Security, Reliability and Interoperability Council. In addition, Craig is an active member of the Email Service & Providers Coalition, the London Action Plan, InfraGard, the International Association of Privacy Professionals and the Anti-Phishing Working Group. Prior to OTA, Craig spent over a decade at Microsoft, as Director of Security & Privacy Product Management for Internet Explorer, driving the development of anti-spam, anti-phishing, anti-malware and privacy enabling technologies.</em></p> </article> <article> <h1>Smartphones? There’s Malware for That, Too.</h1> <p>Stephanie Jordan — Thu, 16 Jun 2011 10:04:11 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/smartphones-there-s-malware-too" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/smartphones-there-s-malware-too" data-url="http://www.messagingnews.com/story/smartphones-there-s-malware-too" data-lang="en">Tweet</a></div><p>Malware is finding a new place to wreck havoc: the smartphone. In fact, a recent study conducted by McAfee shows a 46 percent surge in malware and malicious software targeting mobile devices compared to one year ago. </p> <p>Cyber crooks are infecting popular mobile platforms through malicious applications and, unfortunately, no mobile platform is immune from the destruction it can cause. According to McAfee’s report, Symbian remains the most targeted mobile platform, though vulnerabilities in both the Android and Apple IOS should not be overlooked.</p> <p>Android’s open source software is something that gives the platform great appeal, but it is also the basis of its vulnerability. Users may enjoy the freedom to acquire apps both inside and outside the Android Market, but it doesn’t come without risk. The Android Market allows developers to upload apps without first running through an established screening process like one that you might find at Apple’s App Store or when using RIM’s application for BlackBerry. As a result, Google detected more than 50 malicious apps within the Android Market, downloaded to approximately 260,000 Android mobile devices. (Google later remedied the infections remotely via an auto installed software update.)</p> <p>While Google’s remote “kill switch” might have been effective at removing the rogue apps, it was reactionary in nature and not a permanent solution to the underlying security problem. What’s more, human nature is typically the weakest link in security. Many of the dangers surrounding malicious apps could be avoided with more scrutiny on apps from the start. In the most recent Android Apps infection, for instance, many apps were cleverly disguised, using titles such as “Hilton Sex Sound” or “Hot Sexy Videos.” Those erring on the side of caution would most likely have been kept safe from falling prey to these malicious downloads.</p> <p>Though the most recent malware outbreak was found on the Android platform, it is important to remember that there is malware readily available for every platform. To combat this, however, there are anti-virus solutions for every mobile platform, as well. </p> <p>Despite this, malware screening for app markets may not be perfect—evidenced by the increasing number of infections—but there are a few things smartphone users can do to increase mobile security. </p> <ul> <li><strong>Safe Browsing Habits</strong>—Remember, the same dangers that exist on the Web (i.e. black hat SEO poisoning, social media, email and SMS) can also exploit your mobile device. Remain vigilant about all Web surfing habits.</li> <li><strong>High Risk Apps</strong>—There is an alarmingly number of apps available for various smartphone platforms that pose significant security threats. Such apps can potentially allow other programs access to your valuable personal information. Although the distribution platforms attempt to inspect the apps for security holes, the process, as of now, is feeble at best. </li> <li><strong>SMS or VM Phishing</strong>—SMS and voicemail are common vectors of attack for phishing scams. Always call the institution directly and verify the information whenever responding to a questionable voicemail or text. </li> <li><strong>Password Protection</strong>—Lost or stolen phones likely contain personal information, such as stored logins to banking or social media sites, and could provide someone with access to sensitive company email. This threat can be minimized by password protecting your mobile device. </li> <li><strong>VPN Access</strong>—When accessing corporate network resources via smartphone, utilize a SSL VPN connection to secure the session. <strong></strong></li> <li><strong>WiFi Hotspot Security</strong><strong>—Nearly all smartphones are now equipped with WiFi functionality, making them highly vulnerable to attacks</strong>. There are various tools available that allow even the least talented hacker to exploit WiFi hotspots and intercept Web traffic. Avoid accessing any password protected site (i.e. Facebook, Banking, Paypal) when connected to an unsecured WiFi hotspot, such as those in a coffee shop or at the airport. </li> <li><strong>Remote Wipe & Encryption</strong>—Utilize encryption software on your smartphone to protect data in the event the device is lost or stolen. Consider using a remote wipe to brick the device remotely. </li> </ul> <p>Smartphones have placed the power of personal computers in the palms of our hands. But it takes smart usage and strong security practices to keep our personal data out of the wrong hands. </p> <p>–</p> <p>About Troy Gill<br />Troy Gill is a security analyst at <a href="http://www.appriver.com/">AppRiver</a> and is responsible for analyzing data regarding cyber threat tactics, methodologies and vulnerabilities that present threat to IT operations.</p> </article> <article> <h1>Who Is Responsible for Email Messaging Security—Law Firm or Client?</h1> <p>Stephanie Jordan — Wed, 25 May 2011 21:07:40 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/who-is-responsible-email-messaging-security-law-firm-or-client" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/who-is-responsible-email-messaging-security-law-firm-or-client" data-url="http://www.messagingnews.com/story/who-is-responsible-email-messaging-security-law-firm-or-client" data-lang="en">Tweet</a></div><p>With severe consequences for non-compliance, email messaging security can no longer be ignored; more and more organizations and people contend, it is now a “must have.”</p> <p>But the challenge is that email was not designed to support the gamut of today’s business requirements. Until recently the only way to achieve messaging security was to send a decryption key to the recipient and then send an encrypted message that could be opened with the key. This has proven so cumbersome that in most cases even if the protocol has been adopted by the company, it is seldom, if ever, used.</p> <p>Currently, over 40 states have data breach legislation in place, including Federal initiatives like HIPAA and Sarbanes Oxley, that covers the Healthcare and Finance industry respectively.</p> <p>In 2010, we witnessed one of the first HIPAA lawsuits involving the Connecticut Attorney General and Health Net Inc., which settled at a cost of $250,000 to the company. It is likely that there will be many more data security breach cases, as smaller sized businesses are finding it difficult to address the problem on a low budget.</p> <p>Law firms in particular are taking a closer look at securing their communication, especially when dealing with clients that are covered by the new data breach laws. The importance of email security becomes more significant for external legal representation. In particular, the security implications associated with the exchange of legal confidential information is often the most sensitive in nature.</p> <p>Cloud computing has surged in recent years in the corporate IT space and emerged in the legal industry. It lends itself nicely to open and quick-to-deploy applications without the need to invest in new infrastructure. Given the security needs, the growing legal risks, and a preponderance of small- to mid-sized firms, legal firms are certainly in the forefront of companies needing a quick solution at a low-cost and minimal interruption to their operations.</p> <p>There are also additional advantages of using cloud-based solutions:</p> <p>Considering the growing number of employees working remotely, including those who work away from the office, periodically, on client sites, exposure increases materially and email messaging security on laptops becomes even more imperative. Consistent, rules-based monitoring of the content and ensuring that any exchange of confidential information complies with data breach laws are fundamental. A cloud-based solution makes this possible.</p> <p>It is easy to include an audit trail clearly identifying who has sent or received such confidential information. This is a lawful requirement for many industries, and can often be used as evidence in data breach court cases.</p> <p>The International Legal Technology Standards Organization, a new nonprofit organization, is dedicated to helping lawyers better understand the practical and ethical implications of technology for their law practice environments. The ILTSO has recently released a set of standards that law firms can use to evaluate their internal security standards and assist them in the process of choosing a reliable “cloud-based” secure messaging vendor.</p> <p>As it specifically relates to CLOUD transmissions, the ILTSO states that whenever client data is transmitted across the Internet, it must be encrypted at every point. By default, Internet-based transmissions are typically sent unencrypted (in plain text). It is imperative that client data is only communicated online through encrypted channels. Since encryption is only as strong as the weakest link in the chain, end-to-end encryption should be required. ILTSO concludes by stating that unencrypted movement of data “packets” across the Internet presents an unacceptable risk to client data.</p> <p><strong><em>So now the question:</em></strong><em> Does the responsibility for a secure communication channel lie with the Law firm or the client that ‘owns’ the confidential information?</em><strong></strong></p> <p><strong>My answer:</strong> The responsibility should lie with the law firm, offering proper messaging security to all its clients to reduce possible punitive damages to their clients. Especially today, when there are low cost solutions that can be quickly implemented and that work securely.</p> <p>—<br />About <strong>Thierry LeVasseur <br /> </strong>Thierry started his entrepreneurial career when he founded Marqui Inc., a SaaS Marketing Automation offering that raised over $12M in venture capital financing. Prior to founding Marqui, Thierry spent a few years at Moet & Chandon as a financial Analyst, located in the beautiful Champagne region in France. Thierry hold a BA in Economics and an MBA, and is the inventor of 5 US Patents. Thierry is regularly invited to speak on the topics of security, entrepreneurship, software development and intellectual property protection. Thierry LeVasseur is founder & CEO of <a href="http://www.email2.com">email2 SCP Solutions Inc.</a> Contact him at <span class="spamspan"><span class="u">thierry</span> [at] <span class="d">email2 [dot] com</span></span>.</p> </article> <article> <h1>Feedback Loops in the Fight Against Spam</h1> <p>Stephanie Jordan — Thu, 05 May 2011 17:40:12 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/feedback-loops-fight-against-spam" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/feedback-loops-fight-against-spam" data-url="http://www.messagingnews.com/story/feedback-loops-fight-against-spam" data-lang="en">Tweet</a></div><p>Nearly everybody gets spam. But do you ever wonder what happens when you click that “Report Spam” button on your mail reader? Does it do anything useful, or is it really the same as just clicking “Delete”?</p> <p>The Internet is plagued by messaging abuse, such as spam and viruses. In the context of messaging, defenses such as anti-spam and anti-virus filters are typically deployed; however the simplest of these defense filters are easily circumvented by mutating the spam attack, either in form or in origin, just enough to avoid detection. In order to be effective, these filters must adapt to threats as they mutate to prolong their success.</p> <p>Filters can only adapt when they have new details about what it is they need to filter. In the simplest case, a user issues a complaint to a customer service center about an undesirable or dangerous piece of spam, and the representative then acts on the complaint by disabling the source, retraining the filter based on the details of the complaint, or both. But in a world of automation and enormous volumes of data, such a manual system simply cannot survive; it doesn’t scale.</p> <p>Learning is defined as a change in behavior based on experience. What consumers and service providers need, then, is a system that is capable of learning, with maximum accuracy, what constitutes a threat that must be kept out and what constitutes legitimate traffic that should be allowed in. To be effective in the face of mutating attacks, the defenses must themselves mutate, as quickly and accurately as possible. The filter needs more “experience” in order to learn.</p> <p>Much effort has been expended to try to define what spam is in order to classify and filter it. However, not only do spam campaigns mutate to avoid detection, but we have also learned that spam is in the eye of the beholder: What one person says is junk might be of some value to someone else, with great consequences if a filter gets it wrong. A career spam fighter once opined, when tasked to define the problem: “Spam is what our users say it is.” So how do we embrace that idea in software?</p> <p>We have found over time that the most effective systems are those that learn to classify undesirable content based on feedback from users. The user is truly the best judge of what is and isn’t spam. The faster consistent feedback becomes available, the sooner a filter can be re-trained to detect and respond to new attacks. This is known as a feedback loop. Cloudmark’s system, for example, takes user feedback and then identifies spam as that content which attracts mostly negative user attention, and moreover values feedback from users that typically both concur with the majority and respond quickly. A system collects and evaluates this information, yielding new data from which the system can learn about new spam campaigns in a matter of seconds.</p> <p>Open solutions to the need for feedback loops have been attracting attention for several years. In particular, a mechanism called the Abuse Reporting Format (ARF) was created by participants in the Messaging Anti-Abuse Working Group (MAAWG) some years ago. ARF allows exchange of feedback information between peer Internet Service Providers (ISPs) when spam or other abuse originating at one is received at another; a user clicks a “Spam” button in the mail reader and an ARF message is generated and sent to the originating service, where automated software quickly processes the complaint, and the systems at both ends have more data from which to learn.</p> <p>Once proven, the ARF work was taken up by the Internet Engineering Task Force (IETF), which has now posted it as a proposed standard. ARF continues to evolve as new categories of email threats emerge.</p> <p>With the enormous growth of messaging from email into the mobile world, the same problems exist and similar solutions are beginning to appear. Trial systems now exist wherein a mobile subscriber can forward a piece of mobile SMS spam to a mobile operator for filtering and investigation, while others are working to construct learning systems using user-based feedback loops. A standardization effort has already reached prototype phase within the Open Mobile Alliance (OMA), a collaborative standards body in the mobile world that creates specifications for mobile handset software. This will define the very language used to communicate among systems when you click a “Report Spam” button on your handset when mobile spam begins to rear its ugly head in the Americas as it already has overseas. In addition, Cloudmark has collaborated with the GSM Association (GSMA) to launch the GSMA Spam Reporting Service that aggregates mobile SMS spam feedback with participating operators globally, in an effort to secure mobile networks and users around the world.</p> <p>Feedback loops are a proven tool in the fight against abuse. They are key features in a highly responsive, accurate filtering system. So, yes, do click “Report Spam” instead of “Delete”. We’ll all be glad you did.</p> <p><strong>About Murray S. Kucherawy</strong></p> <p>Murray S. Kucherawy is the Director of Internet Standards & Governance at <a href="http://www.cloudmark.com">Cloudmark</a>. His research interests include message authentication, data analysis, and reputation systems. Kucherawy received a Bachelor of Mathematics from the University of Waterloo in Ontario, Canada. He is a regular presenter and participant at MAAWG and the IETF’s applications and security areas. Contact him at <span class="spamspan"><span class="u">msk</span> [at] <span class="d">cloudmark [dot] com</span></span>. </p> </article> <article> <h1>Network Forensics—Beyond Evidence to a New Platform that Empowers all Security Tools</h1> <p>Stephanie Jordan — Thu, 21 Apr 2011 09:17:53 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/network-forensics-beyond-evidence-new-platform-empowers-all-security-tools" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/network-forensics-beyond-evidence-new-platform-empowers-all-security-tools" data-url="http://www.messagingnews.com/story/network-forensics-beyond-evidence-new-platform-empowers-all-security-tools" data-lang="en">Tweet</a></div><p>Network Forensics (NF) has matured in recent years to play a critical role in defending against the increasing number of advanced threats. Previously, NF focused on basic network packet capture to gather evidence to prove a security event—useful to lawyers prosecuting or pursuing recompense for corporate or individual damages. Today’s NF is something altogether different, quickly becoming an invaluable asset that any organization can use. It goes beyond raw packet capture to now deliver critical insight to any and every type of network security incident and enable Next Generation Threat Prevention.</p> <p>Much like a 24/7 surveillance camera, NF records and stores every packet of network traffic, providing a record of any network activity. NF has been a critical tool for skilled analysts at government agencies to capture historical views of their networks in order to determine the scope of damages from cyber threats and network breaches. With a complete record of network traffic, they can see exactly what happened before, during, and after a security incident or attack.</p> <p>Today’s high-profile network breaches and cyber threats make it clear that many attacks are unpreventable and that the frequency of attacks are growing at a phenomenal rate.</p> <p>NF may have had limited use in the past, but advancements in capture speed, indexing, classification and reconstruction have made it an easy-to-use solution for anyone charged with securing the network and information assets. The new NF exposes what’s happening on the network in clear visuals we all can recognize and understand, helping security professionals significantly reduce incident response time. Response teams now have real-time views of security incidents and full reconstruction of network artifacts. Raw packet data is instantly transformed into real evidence like a Word document that was delivered as an email attachment complete with a payload of identified malware; or an IM conversation revealed as an exchange that has enabled the propagation of a botnet within the organization. These are invaluable views into the network that security professionals can’t afford to be without. The new NF now means real-time and immediate threat awareness, accelerated time to remediation, prevention of future threats, and keeping persistent threats off the network. As email, IM and social media continue to be the most frequently used vectors for network threats and malware, NF helps to maintain an edge against outside attacks.</p> <p>NF also provides immediate visibility into insider threats. With complete real-time and historical network capture of everything that happens on the network, detailed evidence is now clearly revealed as the exact documents, applications and data involved if someone consciously or inadvertently compromises network security. This level of situational awareness is important not only to network managers and email and messaging administrators, but also to Human Resources and individual department managers. Evidence now is delivered quickly and in an easily understood form that enables immediate and complete remediation.</p> <p>Most organizations have invested heavily in security using DLP, IPS/IDS, SIM/SIEM, and other tools. Today’s NF has become a technology that can serve any security tool, making them more intelligent and thus more effective. By providing real-time and historical visibility into any security incident, NF today is a platform for next generation threat prevention.</p> <hr /> <p>About Peter Schlampp, Vice President, Marketing and Product Management, <a href="http://www.soleranetworks.com">Solera Networks</a></p> <p>Schlampp brings a keen understanding of the network security and infrastructure industries with more than a decade of product development and marketing expertise in the enterprise, government and education markets.</p> </article> <article> <h1>What Facebook's Social Inbox Means to the Future of Digital Messaging</h1> <p>Stephanie Jordan — Mon, 21 Mar 2011 05:51:45 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/what-facebooks-social-inbox-means-future-digital-messaging" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/what-facebooks-social-inbox-means-future-digital-messaging" data-url="http://www.messagingnews.com/story/what-facebooks-social-inbox-means-future-digital-messaging" data-lang="en">Tweet</a></div><p>For years, the email marketing industry has railed against imperfect spam filtering and advocated reputation measures as an alternative. We’ve acknowledged that filters play a vital role in protecting customers from those who seek to harm or exploit them through unscrupulous practices and malicious tactics. But we also argued (rightly) that filters are poor proxies for customers’ true intentions about messages from the companies they do business with—of what they really do or don’t want to receive. And by attempting to make these determinations and intercepting legitimate messages in the process, spam filters impede communication and commerce, potentially damaging both brands and the customers they share with ISPs. We’ve further argued (again rightly) that reputation rating systems are better proxies of customer intent than filters, and should at least be used in determining which brands deserve to be exempted from filters, and perhaps awarded special privileges (maybe at a fee) for their good behavior.</p> <p>While giving lip service to the notion of customers being the final arbiters of what they want, neither the email industry nor ISP community have invested much in making that a reality—outside of a few user preference options and spam buttons—or given much thought to the consequences should it occur. Instead, since reputation systems haven’t really taken hold, many brands have blithely continued to treat digital messaging (especially email) as a broadcast medium, despite all the indicators that it was becoming more personalized and one-to-one. And ISPs have continued to take a paternalistic stance on end-user protection without full regard for protecting the user’s right to express their own preferences, despite mounting evidence that this was a next step toward customer empowerment.</p> <p>For marketers, deliverability has become a game of finessing the rules, testing the margins of best practices and negotiating acceptance of their messages with the ISPs, sometimes with the aid of reputation services but often without them.</p> <p>Enter Facebook’s Social Inbox. In one fell move, Facebook has changed the rules of the game.</p> <p>With its November announcement, Facebook did more than signal its entry into the inbox business. It’s offering cross-channel inbox convergence—a true unified inbox—and enabling members to make their own decisions about how to manage it. Soon 550 million Facebook members will be able to directly determine what messages they want and don’t want, but more importantly, what <em>messengers</em> they do or don’t want to hear from—and to apply those determinations across channels.</p> <p>The combination of a unified inbox and user control is strong differentiator relative to other inbox providers, and will likely prompt a wave of similar offerings. Some are already moving in that direction. So while the email industry ponders the likelihood of Facebook of displacing Gmail, Yahoo or Hotmail, it’s missed the fundamental issue about what it means to have the customer as the final arbiter of message and messenger acceptance, especially in the context of a unified inbox.</p> <p>As an industry, we should welcome the Facebook move. Ultimately, it should mean that ISPs can stop worrying about unwanted mail so much and rely on filters to do what they do best—protecting end-users from truly egregious and criminal activity—and leave the rest to their users to sort out. After all, the ISP doesn’t know the nature of the relationship between users and the companies they choose to do business anyway. Why should they be in the middle of the communication flow in making acceptance decisions? It’s a no win position. Why not put the power in the hands of the end-users? But for marketers, this is definitely a case of being careful what you wish for, as we’ll discuss in a moment.</p> <p>None of this is to suggest that the authentication has become passé. To the contrary, sender identity remains core to creating a safe and secure environment for online communication and commerce. And if anything, it should gain greater importance as we contemplate persistent identity across channels and how to authenticate it as messages morph from one channel to another.</p> <p>What this <em>does</em> suggest is that the role reputation systems play in determining which messages should reach end-users has changed. Like spam filters, their value as proxies have been diminished. With the combination of message authentication, properly applied filters and users being the final arbiters of acceptability, a good reputation rating would simply provide an enhanced opportunity for a brand to present its message based on its past behavior and whatever privileges the receiving ISP may extend to that brand at its domain. But ultimately, it will be up to ISP users to determine whether that rating means anything and warrants a brand’s continued access to their inbox.</p> <p>So now we come to the true rub for marketers.</p> <p>Whether Facebook becomes a serious rival to other inbox providers misses the point. It’s only a matter of time before the Facebook notion of user empowerment in managing a unified inbox finds its way into other provider’s solutions. What does this portend for the future of digital messaging?</p> <p>With customers being the final arbiters of message acceptance, there won’t be any appeal to the ISP. And it would be folly to assume that they’ll be more forgiving than the ISPs. In fact, the risk to marketers is even greater since customer non-acceptance decisions may apply to the messenger across ALL digital channels, essentially locking the brand out of their customers’ unified inboxes. And we don’t need to enumerate the consequences of companies losing their vital connections to customers for communication and commerce.</p> <p>So while empowerment may be liberating for customers, it could be lethal to those brands who ignore what’s happening, are stuck in their silos and don’t engage in customer-centric practices in all that they do. In the new reality that’s emerging, customers will expect the companies they do business with to know who they are and act on what they know in delivering meaningful content through the most contextually relevant channel. And their inboxes will be reserved for those brands who meet those expectations and earn the right to be there. So best practices are no longer optional; they’re mandatory. But companies need to go a step further in embracing message convergence as their core strategy for staying connected with customers in this new reality of changing customer communication behaviors, heightened expectations and, importantly, control. As David Daniels (CEO, The Relevancy Group) and I suggest in our new whitepaper, ‘<a href="http://www.messagesystems.com/landing_pages/eec2011.html">Preparing for Message Convergence</a>’, companies have only a small window of opportunity to respond and delight their customers.</p> <p>Yes, empowerment can be both liberating and lethal. Yet, the future of digital messaging is bright for those companies that empower themselves by putting their customers at the center of their business model, liberate themselves from their silos, and adopt message convergence as their mantra. For the companies who do those things, the upside business opportunities will be as enormous as the downside risks for those who don’t. </p> <p>It’s time to take a hard look at customer empowerment and what it means for the future of digital messaging and the companies who engage in it. It’s time to get on the right side of the issue. </p> <p><strong>About Dave Lewis</strong></p> <p>Dave Lewis is the chief marketing officer for <a href="http://www.messagesystems.com/">Message Systems</a>, and is a 26-year direct marketing veteran and a recognized industry thought leader. He writes and speaks frequently on digital messaging opportunities, challenges and best practices.</p> </article> <article> <h1>Snowstorms and Baseball Games: It's All about Remote Productivity and Data Governance</h1> <p>Stephanie Jordan — Wed, 23 Feb 2011 04:25:59 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/snowstorms-and-baseball-games-its-all-about-remote-productivity-and-data-governance" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/snowstorms-and-baseball-games-its-all-about-remote-productivity-and-data-governance" data-url="http://www.messagingnews.com/story/snowstorms-and-baseball-games-its-all-about-remote-productivity-and-data-governance" data-lang="en">Tweet</a></div><p>Recent storms in the northeastern United States serve as a reminder and sometimes cautionary tale: If you’ve waited until the eve of “the storm” to plan and enact a business continuity strategy, you’ve likely waited a day too long. And it’s not just snowstorms; hurricanes and other natural disasters and events, can slow or shut down corporate offices and force employees to work remotely. As anyone in New England will tell you, just like a storm, a midday baseball game between MLB nemeses can empty out an entire office, placing a major burden on the systems that manage remote connectivity; including virtual private networking, secure socket servers and the multiple layers of identity management and authentication.</p> <p>While today’s technology enables mobile workers to remain productive anytime and anywhere, it’s essential that organizations also provide employees with the tools and policies needed to be secure and compliant in their remote information exchanges. </p> <p>When employees work remotely and use prosumer devices and services like personal computers, smartphones and the cloud, the governance of the information moving in and out of the corporate environment becomes more of a priority. Technology that provides governance capabilities, such as managed file transfer and integration suites, can help companies address their governance needs and mitigate the risk of data breaches, access and authentication breaches and damage to the corporate brand. </p> <p>Along with technology, a robust set of policies that ensure the control, security, management, monitoring, provisioning and validation of data and its usage will result in better business continuity, and will minimize the after effects of a “massive remote working incident”. </p> <p>Factors IT should consider include:</p> <p>1. <strong>Increased demand for access control and authentication systems.</strong> An on-premise employee may be able to keep network credentials alive for a longer period of time than a remote employee, forcing repeated access and authentication attempts.</p> <p>2. <strong>The increased usage of personal devices on the corporate network. </strong>Even if the company provisions a corporate PC or laptop, access to corporate resources may ultimately end up coming via an unsecured smartphone or tablet.</p> <p>3. <strong>Disregard for IT policies. </strong>In some cases, employees that work remotely or use personal devices become lax with respect to corporate governance and IT policies. In an office setting, an employee may always “log off” or lock a machine, but how often does that happen at home or in a hotel room? While all data breaches are not malicious - if an employee accidentally mishandles sensitive information - it remains a data breach nonetheless.</p> <p>4. <strong>Increased demand for system performance and availability.</strong> Networks are becoming increasingly more complex and distributed. Start with encrypted data streams, the encryption and decryption of the payload, and “mix in” multiple hops via the Internet through subnets with a lowered quality of service (QoS) and voila! IT better start tuning their applications and systems to get the same level of performance they would have had if the employee were working on premise.</p> <p>5. <strong>Increased demand for help desk and service desk personnel and applications.</strong> Password reset services can quickly become inundated when many remote workers come in to play.</p> <p>Every event - including the multiple blizzards of 2011 - should be a learning experience for IT. As soon as possible, representatives from IT should interview remote employees, surveying them on expectations, both explicit and implicit service levels, and the availability and quality of IT resources. And it isn’t just a learning opportunity for the IT department. It’s a learning opportunity for the remote employee, who in the absence of technologies, processes, and services, will look for and obtain their own mechanisms to be productive and retain access to corporate resources.<strong></strong></p> <p>The bottom line? Regardless of where or how an employee works, the onus is on the organization to ensure that employees have the tools and assistance needed to remain productive and secure in their data interactions. In return, employees must keep data security, compliance and management top of mind.</p> <p>—</p> <p><em>Frank Kenney is a former Gartner analyst and current VP of Global Strategy at </em><a href="http://www.ipswitchft.com"><em>Ipswitch File Transfer.</em></a><em> Ipswitch, the managed file transfer company, builds software that helps companies and people securely move sensitive data. </em></p> </article> <article> <h1>Can Data Be More Secure in the Cloud?</h1> <p>Stephanie Jordan — Fri, 04 Feb 2011 23:31:09 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/can-data-be-more-secure-cloud" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/can-data-be-more-secure-cloud" data-url="http://www.messagingnews.com/story/can-data-be-more-secure-cloud" data-lang="en">Tweet</a></div><p>There’s no reason data stored in the cloud can’t be more secure and reliable than data stored on-premises. To make this happen, consider four key factors: operational expertise, controlled environments, encryption architectures and redundant infrastructure.</p> <p>All key factors can be done on-premises, but that can be expensive and difficult, especially for processes that are not core to a business. By core, I’m referring to something that differentiates a company in the eyes of customers, such as the type of products a company provides. Everything else is context, which is important, but doesn’t impact business in the same way.</p> <p>By moving context functions to the cloud, organizations can reduce costs and redirect those savings to core functions. </p> <p><strong>Operational Expertise</strong></p> <p>Security features must be planned for and built into every part of the solution, even for components that aren’t core to a customer’s needs. For example, by owning most components of the SaaS technology stack, an organization can leverage secure software development lifecycles to ensure that security best practices are accounted for in core software, tools, processes and monitoring systems.</p> <p>A cloud solution also needs dedicated staff for monitoring, security, architecture, platform development, compliance and engineering. Having a dedicated and specialized staff both ensure expertise, and also increase security, because vulnerabilities often happen when technology is implemented without the right level of proficiency.</p> <p>A cloud solution should also ensure, through continuous validation and auditing, that the right things are being done through a variety of mechanisms, whether those are SAS 70 Type II audits, internal audits, or security probes. </p> <p>Additionally, cloud services need to operate at scale for specific applications not found in a typical enterprise, which in turn creates a need for automation, ensuring that all the right tasks are happening at the right times. </p> <p><strong>Controlled Environments</strong></p> <p>A SaaS solution needs a scalable environment made for performing one task (or set of tasks) in an automated, repeatable, and dependable way. Therefore, cloud providers need a homogenous environment from an OS monitoring tool and even hardware point-of-view in order to increase visibility and decrease risk exposure.</p> <p>In this environment, there’s not one key person who has access to everything. Instead, there are strict controls regarding when and who can do what, which should be automated to provide an additional level of security.</p> <p><strong>Data Encryption Architecture</strong></p> <p>Enterprise-class cloud vendors must ensure that data is encrypted both in transit and at rest, no matter where it resides. Crucial to this are encryption keys, which should be separated from the data or application. One way is to have data in the cloud and keys onsite. Alternatively there could be one cloud where keys are maintained and stored and a separate cloud for data encryption and decryption. Those clouds should communicate through controlled protocols so unauthorized users can’t access both.</p> <p><strong>Redundant Infrastructure</strong></p> <p>To deliver services reliably, across multiple datacenters and at scale, cloud solutions need redundant infrastructure. To ensure reliability and disaster recovery, it should be at the core of all architecture.</p> <p>Redundancy is often overlooked because it is complex, not always cost-effective, and many times it’s an afterthought. But it provides additional security. If attackers target one datacenter, other datacenters are still running.</p> <p> If an organization looks for SaaS solutions that hit on all of these four factors, they can rest assured that their data will be secure and reliable, even in the cloud. </p> <p>—</p> <p><strong>About <em>Andrés Kohn</em></strong><strong></strong></p> <p>Andrés Kohn is currently responsible for <a href="http://www.proofpoint.com">Proofpoint</a>’s email archiving business unit and has been responsible for setting Proofpoint’s product direction since the inception of the company. In addition, Andrés is responsible for developing strategic technology partnerships that complement Proofpoint’s solution offerings. He joined Proofpoint from Critical Path, where he was director of product management and responsible for the global direction of their messaging products and services. Before joining Critical Path, Andrés held several product marketing positions at PeopleSoft, and various management roles at International Paper as well as Procter and Gamble. Andrés holds a B.S. degree with distinction and an M.S. degree in engineering from Cornell University. He also holds an M.B.A. degree from Stanford University.<em></em></p> </article> <article> <h1>A Short History of Email's Future</h1> <p>Stephanie Jordan — Thu, 30 Dec 2010 03:45:08 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/short-history-emails-future" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/short-history-emails-future" data-url="http://www.messagingnews.com/story/short-history-emails-future" data-lang="en">Tweet</a></div><p>Scarcely a year out of the past 30 have gone by without someone making radical predictions about the future of email. A few have even been right. Facebook has reopened the topic with predictions of how the new Facebook Messages product will shape email’s future—a scant five months after their COO predicted the death of email. Both predictions echoed similar musings from decades past.</p> <p>Predictions of the death of email go back to email’s beginnings as an extension to the FTP program. This ugly hack, which allowed researchers on perhaps dozens of machines to send each other messages, was widely seen as a scandalous waste of expensive resources, and more than a few system managers expected to stamp it out. They were wrong. And although I’ve devoted nearly my entire career to email, I blush to admit that my first assessment of it, in 1978, was that it was a useless toy. I was wrong. (In my defense I will point out that our campus’ single computer wasn’t on a network, and all the terminals were in a single room, so email was no more useful than another new high-tech product, the post-it note.) In the following years, I’ve probably heard dozens of “death of email” predictions before Facebook’s. They were all wrong.</p> <p>Spam, everyone’s favorite email villain, made its debut in the 1970′s as well, and although it didn’t become a major problem until much later, some technologists immediately went to work to “fix the problem.” Most of them expected quick success. They were wrong. A few, like Bill Gates 20 years later, were bold enough to predict the complete eradication of spam by a date certain. They were very wrong.</p> <p>In a related topic, hundreds of technologists and privacy advocates have predicted that the widespread use of encryption would soon make email more private and secure. But people seem to want privacy at any price, as long as it’s free. If it requires a single extra step, they tend to reject it. The encryption-boosters were wrong.</p> <p>Another recurring prediction has been the unification of email with other kinds of tools. In 1982 I built a system known as BAGS, which integrated email, bulletin boards, and calendaring software. The bulletin boards fit in very nicely, while the calendaring software did not. I was wrong. Years later, with RSS, voice mail, and fax seamlessly integrated into my mail reader, I still haven’t seen good integration of calendars or instant messaging. This bodes well for some of Facebook’s plans, as the heart of Facebook is multiple RSS-like message streams. But if they expect to be able to integrate too many other things into their mail interface, they’re wrong.</p> <p>I spent roughly 9 years working on my greatest success, multimedia mail. But I got a lot of it wrong. In the late 1980′s I built an open source multimedia mail reader—coincidentally also named Messages—and expected the world to beat a path to my door. I was wrong, but at least it was a mistake that led to MIME. And although MIME seemed like the biggest revolution in the history of email, it only succeeded because it was designed to be evolutionary.</p> <p>I also expected to transform email with what I called “active messages”—messages containing programs in a restricted, safe language, to be executed when viewed. I developed two such languages, and demonstrated some remarkable applications, but I completely missed what the emerging Web was doing to the idea. Email that contains a web link can do almost anything an active message can do, so there’s little appetite for developing an active messaging infrastructure. I was wrong.</p> <p>Predicting the future is hard. Even successful predictions tend to be partial. When people asked why I was working so hard to create multimedia email, I used to say, “Some day I’ll have grandchildren, and I want to get cute pictures by email.” Most people laughed, and they were wrong. But I expected my daughters to scan printed photos, never anticipating cheap digital cameras. And I certainly didn’t expect that magic first emailed picture to be a sonogram of a pair of zygotes, just a few days after in vitro fertilization and implantation. (Cute pictures were still 8 months away.) I wasn’t exactly wrong, but it wasn’t what I expected, either.</p> <p>So, I trust you’ll pardon my cynicism when I hear about the next revolution in email. What I’ve seen, for over 30 years now, is the gradual evolution and expansion of email’s capabilities, its reach, and yes, its flaws. Facebook may well contribute to the next steps in that evolution, and I look forward to their innovations, but I don’t expect any revolutions.</p> <p>Of course, I may be wrong.</p> <p>—</p> <p>About Dr. Borenstein</p> <p><em>Dr. Nathaniel S. Borenstein is <a href="http://www.mimecast.com/">Mimecast’</a></em><em>s Chief Scientist and is responsible for driving the company’s product development and technological innovation. Dr. Borenstein is the co-creator of the Multipurpose Internet Mail Extensions (MIME) email standard and developer of the Andrew Mail System, metamail software and the Safe-Tcl programming language.</em></p> </article> <article> <h1>Business Continuity and the Cloud</h1> <p>Stephanie Jordan — Thu, 04 Nov 2010 02:25:06 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/business-continuity-and-cloud" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/business-continuity-and-cloud" data-url="http://www.messagingnews.com/story/business-continuity-and-cloud" data-lang="en">Tweet</a></div><p>Implementing sound business continuity practices within the workplace allows organizations to avoid disruptive events and continue operation without stoppage. Today, email is a mission critical application that must be accessible with minimal outage since even momentary downtime can have serious consequences for an organization’s bottom line. It’s for this reason that businesses of all sizes should have a plan to maintain the continuity of email during planned and unplanned downtimes.</p> <h2>Benefits of the Cloud</h2> <p>Building a highly available network and server environment can be a costly undertaking. Fortunately, cloud-based services can lower the financial burden of performing in-house IT maintenance by outsourcing the responsibilities to a service provider who oversees a company’s network and information system. </p> <p>Moving email to the cloud has a number of business critical benefits. First, customers may add layers of protection and eliminate the need for deploying and supporting applications internally. Protection is provided in real-time to thwart off threats before they enter the network. Second, there is no hardware or software to maintain, upgrade or support. Third, the financial cost for cloud-based services is minimal when compared to traditional in-house IT costs. The ability to adopt on-demand services on a pay-as-you-go basis give many customers greater cost controls and flexibility.</p> <h2>Potential Challenge</h2> <p>Once a business elects to use a cloud-based provider, they could be moving their business critical email hundreds, to even thousands, of miles away from their location. So what happens if there is an outage on the Internet? Most of the time, the Internet is very stable and able to handle issues with minimal impact to users. However, as with all things in the computer/technical world, problems can and do happen.</p> <p>Performance issues can occur outside the service providers’ control, including Internet bottlenecks and other latency issues. To combat such problems, look for cloud-based service providers who use technologies that optimize the route between customer location, mobile device or desktop computer, to where customer data is stored. Such technology achieves LAN-like network consistency, performance and reliability over the Internet.</p> <h2>Business Continuity and the Cloud</h2> <p>While most businesses think of catastrophic events, such as a hurricane or an earthquake, when devising a business continuity plan, something as simple as a power failure can create the need for a call to action.</p> <p>Whether a company chooses to partner with an outside vendor or not, a good business continuity plan can keep a company up and running through interruptions of any kind. In order to create a plan, there are a number of policies to take into consideration: a solid business continuity plan can take months of planning and each aspect of the business should be involved in the process. Business leaders and IT leaders should work together to determine what type of plan is necessary and which systems and business units are most crucial to the company. Sound planning from the start will pay off large dividends later.</p> <h2>About James Dean</h2> <p><em>James Dean joined <a href="http://www.appriver.com">AppRiver</a> in 2008 as the Senior Exchange Engineer. Dean is primarily responsible for managing AppRiver’s Secure Hosted Exchange and SecureTide environments, which supports a customer base of 45,000 (and 6 million users) worldwide.</em></p> </article> <article> <h1>Web Monitoring: Can Businesses Afford Not To?</h1> <p>Stephanie Jordan — Thu, 26 Aug 2010 01:50:35 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/web-monitoring-can-businesses-afford-not" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/web-monitoring-can-businesses-afford-not" data-url="http://www.messagingnews.com/story/web-monitoring-can-businesses-afford-not" data-lang="en">Tweet</a></div><p>Cyber-slacking—wasting time online instead of working—is only one of the many problems faced by today’s businesses from unlimited and uncontrolled access to the Internet. The sites that eat up productivity at work include auction sites, travel sites, E-commerce sites over the holidays, social networking sites, car-shopping and price-comparison sites, pornography, fantasy sports, horoscopes, banking, investment and stock-watch sites, cyber-dating services, and, to rub salt in the employer’s wound, job-hunting sites. And where downloading video clips and lots of music files is concerned, storage capacity on the network’s servers!</p> <p>Every minute spent cyber-slacking increases costs and reduces profits and in addition to lost productivity, SMEs, like large businesses have to be concerned with a host of other Internet related threats, including:</p> <ul> <li>Introduction of malware; social engineering risk</li> <li>Leakage, intentional or not, of confidential information</li> <li>Bandwidth usage</li> </ul> <h3>What To Do?</h3> <p>There are two options. The first, and most extreme, is to cut off access to the Internet entirely. This may work effectively for some employees who do not need it; however, it is unlikely that you will be able to apply it to every single employee. Using the Internet at the workplace has become an integral part of doing business. More and more businesses now opt for a second option: deploy software that prevents access to inappropriate sites, filters keywords and monitors against malware, thus allowing continued Internet access by employees who need it, while at the same time protecting the company’s assets.</p> <p>For a business, the principal advantage to web monitoring is how it can be used to protect a company’s assets; including equipment, networks and data. Other key advantages include:</p> <p><strong>Identifying Internet Abuse</strong></p> <p>Monitoring allows for identifying the culprits and dealing with them individually, rather than being forced to take a global action, such as cutting off all access or introducing draconian measures that may be necessitated by the actions of a few.</p> <p><strong>Boost Security, Reduce Risk</strong></p> <p>Any kind of infection that attacks computers on the employer’s network can pose serious consequences for the organization. Depending on the kind of infection, data could be compromised or stolen, which could lead to legal repercussions. Monitoring employees’ Internet use also means it is less likely they are going to be involved in activities that can expose the company to litigation.</p> <p><strong>Maximize Productivity</strong></p> <p>Employees who are aware they are being monitored are likely to spend more time working and considerably less time on personal matters, thereby leading to an increase in productivity.<strong></strong></p> <p><strong>Accountability</strong></p> <p>Without a monitoring system in place, some employees may feel like they can do whatever they want. On the other hand, if an employee feels like they are being monitored they may not go to certain sites in the first place.</p> <p>Internet misuse is a problem in every company that has an Internet connection. Misuse borders on the occasional transgression to serious impact of a company’s productivity. Cyber criminals have and will continue to exploit vulnerabilities wherever they are found. Being without a basic protection methodology such as web monitoring is a shortcut to financial losses and serious security risks.</p> <p><strong>About David Kelleher</strong></p> <p>David Kelleher is a Communications and Research Analyst at <a href="http://www.gfi.com/">GFI Software</a>, an infrastructure provider for small and medium-sized businesses. A journalist by profession, David has over 20 years’ experience writing for newspapers and publications across most verticals. A former editor, he has a deep interest in information technology and its impact on end-users, end-user education, writing about security for non-technical people, security awareness in SMBs and all research related to market perceptions and security.</p> </article> <article> <h1>WARNING: Sending Sensitive Information via Mail, FedEx Is a Security Risk</h1> <p>Stephanie Jordan — Thu, 05 Aug 2010 04:09:42 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/warning-sending-sensitive-information-mail-fedex-is-security-risk" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/warning-sending-sensitive-information-mail-fedex-is-security-risk" data-url="http://www.messagingnews.com/story/warning-sending-sensitive-information-mail-fedex-is-security-risk" data-lang="en">Tweet</a></div><p>Last month Lincoln Medical and Mental Health Center of NY suffered an <a href="http://www.nyc.gov/html/hhc/lincoln/html/news/public_notice_20100604.shtml">embarrassing data breach</a> after a weekly shipment of compact disks (CDs) went missing while in the custody of FedEx. The CDs were being transported to the hospital from its billing and claims partner, Siemens.<a href="http://www.nyc.gov/html/hhc/lincoln/html/news/public_notice_20100604.shtml"> </a>More than 130,000 medical records were exposed. </p> <p>A similar incident occurred at Lampeter Medical Practice in Wales after a USB stick containing 8,000 patients’ medical details was <a href="http://www.publicservice.co.uk/news_story.asp?id=13139">lost in the mail</a>. Two DVDs containing personal information on two Lorillard Tobacco staffers also became <a href="http://datalossdb.org/primary_sources/2553">lost in transit</a>. The package went missing after being picked up by a major transportation carrier from the offices of the company’s benefits consultant, Towers Watson.</p> <p>These recent examples can be added to a <a href="http://datalossdb.org/search?breach_type%5b%5d=SnailMail&direction=desc&order=reported_date">list of more than 134 data breaches</a> resulting from information being shared through mail services. The list was compiled by the Open Security Foundation, DataLossDB.</p> <p>Despite the known risks, it is startling to see that a vast number of organizations large and small, and across a broad variety of industries, still believe it is okay to ship, via mail or overnight courier, portable media such as CDs and thumb drives containing confidential information as part of a standard business process. It is not okay.</p> <p>Simple to use and relatively inexpensive, USB sticks/thumb drives and DVDs/CDs have become frighteningly common vehicles for transferring data in many organizations. However, as seen over and over again in the headlines, these highly portable devices can quickly turn into a security nightmare. While advances have been made to allow encryption of thumb drives, the inability to monitor what information is copied onto devices, and track where the devices go after leaving an enterprise, makes achieving compliance nearly impossible.</p> <p>Fortunately, significant advances have been made in digital file transfer technology that make sharing information quick and easy, and most importantly, secure. The availability of secure file transfer solutions removes the need to use portable media such as thumb drives, CDs and DVDs for transferring data. At Accellion, we work with corporations around the globe, helping them implement systems to prevent data leakage at the file-transfer source. To avoid exposing an organization to security and compliance risks at the file transfer source, here are some important tips that we recommend companies consider when selecting a digital, enterprise-level secure file transfer solution.</p> <ol> <li><strong>Pick a business level solution.</strong> There is a difference between corporate and consumer file transfer offerings. If you are an enterprise customer, look for an enterprise file transfer solution. There are distinct differences in the level of security needed for enterprise vs. consumer file transfer and the different offerings reflect this.</li> <li><strong>Outlaw individual personal file transfer accounts.</strong> They are non-compliant and put enterprise information at risk for a security breach. For example, individual accounts on solutions such as YouSendIt do not allow corporate visibility into information that is being sent. Information cannot be tracked and there are no audit trails, making it impossible to document conformance with compliance mandates.</li> <li><strong>Secure your data.</strong> Accept no less than business-level security. Automatic encryption and authentication check points that validate recipients provide an added level of security to show that confidential information has not been shared and exposed.</li> <li><strong>Avoid IT overload.</strong> Pick a solution that easily integrates into your existing IT environment and requires minimal IT administration. Look for an “install and forget it” application solution with no file size limitations; one that doesn’t require constant IT support for account creation, administration, and doesn’t create IT support headaches such as decryption software or security keys required for every recipient—a perfect example of why FTP and SFTP are not the answer.</li> <li><strong>Make it easy.</strong> It is best if secure file transfer is integrated directly into email applications, online chat, web conferencing software and/or standard Web interfaces. If a solution is not easy to use, users will find alternative means for sending files, often inadvertently creating data security loopholes.</li> </ol> <p>Given the increase in data breaches associated with sending information via mail and FedEx, it is important that organizations understand the benefits associated with deploying an enterprise-level managed file transfer solution.</p> <p>—</p> <p><strong>About Yorgen Edholm</strong></p> <p>Yorgen Edholm is a Silicon Valley veteran with 25 years of Enterprise Software expertise. Edholm co-founded Brio Technology and during 12 years as CEO, took the company public and grew it to $150 million in revenues with over 700 employees and a customer base of over 5,000 organizations. In addition Edholm was President and CEO of DecisionPoint Applications, an Analytical Applications company. Edholm has served on several public and private company boards including most recently Hyperion (sold to Oracle), I-many, Resilience, Verix and Saama.</p> </article> <article> <h1>Could Social Networking at Work Leave SMBs Playing Russian Roulette with the Law?</h1> <p>Stephanie Jordan — Thu, 01 Jul 2010 04:26:35 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/could-social-networking-work-leave-smbs-playing-russian-roulette-law" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/could-social-networking-work-leave-smbs-playing-russian-roulette-law" data-url="http://www.messagingnews.com/story/could-social-networking-work-leave-smbs-playing-russian-roulette-law" data-lang="en">Tweet</a></div><p>Research by <a href="http://www.idc.com/getdoc.jsp?containerId=prUS22179110">IDC</a> published in January this year found that 57 percent of U.S. workers use social media for business purposes at least once per week. As social networking and collaboration tools that started out in the home become increasingly absorbed into the workplace it appears that the business environment is inexorably changing forever.</p> <p>As ever, major change in business culture brings new risks. Social networking at work presents unseen challenges for both individuals and companies. This month <a href="http://www.purdyfitzgerald.com/">Purdy FitzGerald Solicitors</a>, a prominent law firm, was among the first to sound a warning. They note that the more business embraces social networking techniques to spread their messages and build their brands the more the dividing lines between personal and company data are becoming blurred. For firms there is a real danger this could lead to ownership issues being contested in the courts.</p> <p>At <a href="http://www.spamtitan.com/">SpamTitan</a> we believe that Internet filtering software such as our own WebTitan product can help. In Q1 of this year we conducted our own audit of 200 SMBs worldwide to find out attitudes to filtering. In almost every case Internet access and some social networking applications were permitted in the workplace. But while 76.4 percent said Web filtering was important around half (49 percent) of all respondents admitted not using one. At least 50 percent of those without filtering said they were taking positive steps to secure themselves against the possibility of either attack or employee misunderstanding in respect of social networking applications. A further 16 percent who had not yet done anything were intending to do something about it in the next 12 months. This still leaves a significant proportion doing nothing at all.</p> <p>To date legal cases involving disputes between employees and employers over who owns that data have tended to favor the employer. In a recent <a href="http://www.computerweekly.com/Articles/2008/06/19/231085/Former-Hays-employee-forced-to-disclose-LinkedIn-business.htm">UK case</a> a recruitment consultant moved confidential contact information to his LinkedIn account. The court reported that the consultant had planned to set up his own company in direct competition using the contact database concerned. He had thought that once the contacts had been invited to <em>connect</em> to him and they had accepted on LinkedIn, their contact information ceased to be confidential because it had been seen by all his other contacts. This decision was one of the first to highlight the tension between businesses encouraging employees to use social networking websites for work but then claiming that the contacts and content remain confidential information at the end of their employment. It is a sign of things to come.</p> <p>As social data is shared between increasing numbers of sites the question of ownership becomes almost impossible to track. A piece of information may pass through various social networking sites becoming retouched as it does so. At what point are the rights to that data transferred? The issue is a moot point with important implications for business as it appears technology is once again outpacing the legal system.</p> <p>Developments taking place in the U.S. and the EU could soon provide a greater legal imperative for companies adopt formal social media policies or risk playing Russian roulette with the law.</p> <p>One such initiative is <a href="http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A7-2010-0066+0+DOC+XML+V0//EN">2015.eu</a> which calls for a charter of individuals’ Internet rights and aims to entitle Internet users to demand their information is removed from company systems even if it was collected with their consent. Elsewhere the <a href="http://www.ftc.gov/">Federal Trade Commission</a> (FTC) recently warned that even positive statements by employees in social media postings may constitute endorsements or testimonials and create liability for companies. With so much information being posted online and shared the boundaries will continue to become increasingly blurred.</p> <p>Companies need to introduce policies and procedures and deploy technology to help them manage every employee’s Internet usage at the individual level. We are in a new era and it is incumbent on every company to include a corporate social media policy alongside their social networking strategy. Without such clear social media policies many employees will be unaware of their rights and employers risk being drawn into costly legal wrangles with their employees over data ownership disputes.</p> <p>About Ronan Kavanagh<br />Ronan Kavanagh is responsible for Global Sales and Marketing for the SpamTitan suite of products. Educated in NUI Galway, Ireland, he joined Copperfasten Technologies in June 2004. Prior to joining Copperfasten Ronan worked with Eurokom, an Internet Security Services provider, delivering a wide range of solutions to both Government and large blue chip companies in Ireland.</p> </article> <article> <h1>The Future of Enterprise Messaging</h1> <p>Stephanie Jordan — Thu, 03 Jun 2010 01:34:47 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/future-enterprise-messaging" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/future-enterprise-messaging" data-url="http://www.messagingnews.com/story/future-enterprise-messaging" data-lang="en">Tweet</a></div><p>Today more than ever, enterprises rely on email for business-critical operations. To the dismay of many IT executives, current generations of email security appliances were designed as point solutions to solve the one-off problems that affected email from the past decade-like spam filtering, virus protection or routing email. They’re finding most solutions weren’t designed with the forward-thinking necessary to process today’s large volumes of messages for business and service applications, which now include everything from automatic statement delivery to having smart household appliances automatically send messages to customer support centers when problems arise.</p> <p>As a result, many cost-conscious IT organizations are gravitating away from costly point solutions toward a single messaging infrastructure platform capable of addressing the new complexities of today’s messaging application needs.</p> <p>With this in mind, IT executives should take the time to consider what else lies ahead for the future of enterprise messaging to make informed decisions about how to modernize their messaging infrastructures, and reduce IT costs down the road.</p> <p>Some of the key trends to consider when evaluating their enterprise messaging include customizable email architectures, cloud computing, virtualization and encryption. Here’s why:</p> <p><strong>Customizable Email Architectures:</strong> When it comes to a messaging infrastructure platform, IT professionals need a simple solution to reduce costs by easily adding functionality without deploying separate, and costly, point products from multiple vendors. With a customizable email architecture, enterprises can select messaging applications of their choice as add-on options to the messaging infrastructure. This new approach frees enterprises from having to implement specialized stand-alone email products, while enabling them to seamlessly implement all corporate policies for both inbound and outbound messages.</p> <p><strong>Cloud Computing:</strong> With IT cost-cutting initiatives continuing to drive increased demand for cloud services, many IT professionals will consider moving their messaging infrastructure to the cloud. However, migrating an entire messaging infrastructure has proven difficult for most enterprises to date. Despite the many cost-saving benefits cloud computing promises, numbers of underlying security issues exist that need to be considered before outsourcing this area of IT infrastructure to the cloud. </p> <p>To realize the potential benefits of cloud computing while avoiding the pitfalls, enterprises should adopt a hybrid approach—migrating only certain components of the messaging infrastructure, such as mail filtering, to the cloud and continuing to control the internal layer. </p> <p><strong>Virtualization:</strong> As IT virtualization continues to grow over the next several years as a cost-savings measure, IT professionals should consider modernizing their messaging infrastructures with a virtual message processing platform to further reduce capital and operating expenses associated with enterprise messaging.</p> <p><strong>Encryption:</strong> With greater regulatory requirements and stronger corporate security policies in place, the need to provide confidentiality of sensitive information is increasing, and driving demand for secure messaging solutions. As a result, IT professionals should implement an automated, policy-driven messaging architecture to enforce encryption-based security policies and reduce dependence on end-users for determining what should or shouldn’t be encrypted.</p> <p>In closing, it’s important to note that as enterprise messaging needs continue to evolve and the trends toward customizable email architectures, cloud computing, virtualization and encryption continue to shape the market, IT professionals can benefit the most by deploying a modernized messaging infrastructure platform that allows them to add applications that solve the one-off issues, such as Anti-spam, Anti-Virus, DKM, etc., based on their specific messaging needs. In doing so, not only will they have a lot more control over the applications that make the most sense for their messaging needs but they’ll have the ability to easily add applications as their messaging requirements change now and into the future in order to reduce operating expenses, increase efficiencies and save money down the road.</p> <p>—</p> <p>About <strong>Donald J. Massaro</strong> <br />Donald Massaro brings more than 30 years of success building and managing both public and privately-held technology companies. He is responsible for strategic planning and execution, and corporate leadership to establish Sendmail as a market leader in the emerging content security market.<br /> Most recently, he held the position of CEO and co-founder at Reconnex Corporation, a provider of content-monitoring security appliances.</p> </article> <article> <h1>Is Yesterday’s Messaging Solution Today’s Problem?</h1> <p>Stephanie Jordan — Thu, 13 May 2010 20:07:58 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/is-yesterday-s-messaging-solution-today-s-problem" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/is-yesterday-s-messaging-solution-today-s-problem" data-url="http://www.messagingnews.com/story/is-yesterday-s-messaging-solution-today-s-problem" data-lang="en">Tweet</a></div><p>To get underway, many companies chose quick fix, low cost email marketing solutions based on open source or early generation technology. While they may have sufficed in their day, changes in consumer communication behavior, advances in messaging technology and the requirements of a dynamic environment have rendered these solutions obsolete. Yet, many companies continue to rely on them. To keep marginally abreast of today’s requirements, they’ve thrown more and more scarce IT resources at them (custom coding, manual operations, etc.). The bottom line: cost of ownership has gone through the roof while business results have taken a nose dive, leaving companies with inflexible solutions that can’t scale and certainly aren’t extensible to the multi-channel, interactive digital messaging environment that lies just around the corner.</p> <p>It’s time for marketers to ‘look under the hood’ at the messaging infrastructure within their companies and lead initiatives to adopt next generation platforms that will ensure their future success. Failure to do so will leave them at a significant disadvantage relative to competitors who do.</p> <p>In building the business case, it’s important to understand the ‘true costs’ of your current solution. Cheap technology could be draining your budget and eroding your bottom line in ways you don’t even imagine. Consider:</p> <ul> <li><strong>Hard Costs:</strong> What are the costs of your servers, power consumption and other operational requirements? </li> <li><strong>Soft Costs:</strong> What are the costs of your IT/ops or engineering staff needed to maintain the operation, trouble shoot problems, make manual fixes or continually write/maintain custom code? </li> <li><strong>Opportunity Costs:</strong> What are the costs to your business of downtime, poor throughput, poor deliverability or a bad reputation? </li> <li><strong>Personal Costs:</strong> What are the costs of middle of night calls, inability to satisfy internal clients, no time or resource for other business-critical projects?</li> </ul> <p>It’s not unusual to see 50-75 percent reductions (or more) in all of these costs when switching from yesterday’s point solution to a next generation message management platform and to see them within months of deployment. After all, such a platform is by definition a fully integrated, multi-faceted solution—controlling gateway, intelligence router and advanced message transfer agent—for handling messages across the enterprise. It’s designed to serve as the central integration and processing hub for all forms of digital messaging within your infrastructure, connecting it with internal and external data sources, applications and systems. And that’s a far cry from the MTAs of yesterday.</p> <p>Points to evaluate are:</p> <ul> <li><strong>Performance:</strong> The capacity to efficiently manage all your messages—millions per hour on each server—with reduced infrastructure and costs.</li> <li><strong>Reliability:</strong> One hundred percent availability, automatic failover and full (3rd tier) to support your business-critical messaging needs. </li> <li><strong>Extensibility:</strong> A rules-based, modular framework with open APIs tailored to your unique business needs and easily modified as those needs change (future-proof). </li> <li><strong>Scalability:</strong> Limitless horizontal growth with efficient app integration and centralized management across geographies to keep pace with your business success. </li> <li><strong>Visibility:</strong> The clear, unobstructed real-time view into your messaging processes, interactions and results for informed decision making and business agility. </li> <li><strong>Usability:</strong> The tools and support to use the solution according to your exact specifications in business processes across your organization.</li> </ul> <br /> <p>These next generation messaging solutions already exist. Adopting them will not only pay significant dividends today, but also enable companies to take advantage of tomorrow’s trends in multi-channel digital communication and commerce. The time to graduate to next gen technology is now. </p> <p>—</p> <p><strong>About Dave Lewis</strong></p> <p><em>Dave Lewis is the chief marketing officer for <a href="http://www.messagesystems.com/">Message Systems</a></em><em>, and is a 26-year direct marketing veteran and a recognized industry thought leader. He writes and speaks frequently on digital messaging opportunities, challenges and best >practices.</em></p> </article> <article> <h1>2010 Trend Watch</h1> <p>Stephanie Jordan — Thu, 01 Apr 2010 22:46:40 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/2010-trend-watch" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/2010-trend-watch" data-url="http://www.messagingnews.com/story/2010-trend-watch" data-lang="en">Tweet</a></div><p>Security is an ever-evolving game and enterprises must strive to stay one step ahead of those that seek to attack them. Evolving mobile technologies, adapting malware and a new breed of attackers are all trends that enterprises should be paying attention to.</p> <h4>Mobile Changes the Game</h4> <p>Everyone is focused on Apple’s battle with Adobe and their refusal to include Flash on the iPad just as it has done so on the iPhone. Whether that battle is technical or political is of little consequence. Of importance from a security perspective is that mobility is now shaping the future of Web technologies and it will also shape the future of Web attacks. For the past decade it has been commonplace for Web sites to require the download of separate technologies in order to be accessible. Whether it was ActiveX controls, Java applets or browser plug-ins such as Flash, we simply accepted that we had to adapt to the Web site, rather than the other way around. That model will no longer be acceptable in a mobile world in which no single operating system rules the industry. Mobile devices are also less open when it comes to installing third-party software, so browser plug-ins are generally not an option. Forcing Web technologies to work cross-platform and across all Internet accessible devices will accelerate the pace of Web-based attacks. Viruses coded as executable binaries are not effective in this realm. Instead, attackers will continue to shift toward Web application attacks such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Clickjacking, which do not discriminate when it comes to the target being exploited. </p> <h4>Web-based Worms </h4> <p>Everything has moved to the Web. Communication mediums such as email, instant messaging and peer-to-peer applications that traversed the Web via alternate protocols now do so leveraging HTTP(S). Desktop applications such as photo editing and document creation have also moved to Web-based platforms thanks to the ease of deployment and enhanced collaboration capabilities that they offer. Malware, likewise has moved to the Web. Increasingly, worms are driven not by executable binaries downloaded to desktops but rather vulnerabilities in Web applications. Worms move not from desktop to desktop, but rather from profile to profile within a Web application, most likely a social network. We’ve seen numerous examples over the years such as the Samy worm that impacted MySpace and the StalkDaily worm that hit Twitter. These worms do not target a particular operating system. They require only a Web accessible device and a vulnerable Web application. Traditional desktop AV products can do little to protect against such attacks and as employees store more and more information online, a successful Web-based worm can have devastating effects, accessing and altering confidential information.</p> <h4>APTs Become a Household Term</h4> <p>The attack on Google and 30+ other companies, which hit the media in January should not be seen as a new threat, but rather one that is finally flying above the radar. The ‘big bang’ worms that we saw five-plus years ago are dead. Attackers are not leveraging vulnerabilities to write worms that spread simply for the sake of spreading. Vulnerabilities are valuable commodities that can be exploited to achieve financial and political gains. The attacks on Google went mainstream because Google chose to put them there. Similar attacks happen on a regular basis but we rarely hear about them as corporations fear the negative repercussions of admitting to a security breach and do their very best to hide the details. More and more, we’re hearing the term Advanced Persistent Threats (APTs) attacks such as those that targeted Google. While there is no universally accepted definition of APTs, they can be defined as prolonged attacks by knowledgeable and organized adversaries to achieve a specific goal. Organized crime syndicates or foreign governments generally back the attackers and as such, access to need resources is not a problem. This understandably raises the bar for enterprise security. If there is a weak link in the security chain of an entity, the attackers will find it and exploit it.</p> <p>Attacks and attackers continue to evolve and enterprises that fail to adapt are sure to become the next victim. The challenges to remain secure are significant, but achievable. Enterprises must look at these and other trends and shift budget dollars toward appropriate technologies and training to ensure that they’re staying one step ahead in this fast-paced game.</p> <p>—</p> Michael Sutton — Vice President, Security Research; Zscaler <p>Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. </p> </article> <article> <h1>Email Security: Cleansing Closer to the Source</h1> <p>Stephanie Jordan — Fri, 26 Feb 2010 18:06:09 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/email-security-cleansing-closer-source" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/email-security-cleansing-closer-source" data-url="http://www.messagingnews.com/story/email-security-cleansing-closer-source" data-lang="en">Tweet</a></div><p>There’s little denying the impact email plays in our daily lives. This valuable tool has helped to revolutionize the way we communicate and do business. Unfortunately, for all of the productivity gains realized as a result of this technology, there are still a number of risks email systems present on a daily basis. A staggering percentage of email — as high as 90 percent according to <a href="http://www.m86security.com/labs/">research</a> — is spam related. Spam, phishing, spyware, malware, and blended threat attacks cost businesses billions of dollars each year as they face an uphill battle combating complex security threats originated from email systems. </p> <p>As the Internet has evolved, so has the level of sophistication of email attacks on the networks we’ve come to rely so heavily upon. The vast majority of spam is now sent from botnets: armies of infected computers being used for these purposes without the unsuspecting owner’s knowledge. This wide distribution of spam senders has caused the technology used to combat spam to also evolve to ensure it remains on top of its game. Other emerging attacks, such as blended email attacks designed to bypass the malware scanning on email servers to infect users through Web browsing, also lead to the development of new innovative technologies. </p> <p>So, apart from selecting an email security vendor to minimize the impact of these attacks, what else should you consider? One area that many customers don’t seem to realize is that blocking or deleting as much of this unwanted email before it enters your network should be a best practice. This can be done through making better use of connection management, simply not accepting any email that is not for a valid internal email address for example, or shifting your detection technology to the cloud.</p> <p>Deploying email and email security in the cloud is now a fast-growing method for addressing the latest cloud-borne email threats. Osterman Research, Inc. estimates that cloud-based messaging services will grow from 12 percent of the email user base today, to 31 percent by 2012. The advantages of cloud-based email security are numerous but the prime benefit is having a ‘clean stream’ of email entering your network and lowering administration. </p> <p>Typically, cloud solutions have been used to provide this clean stream, and some offer more in-depth policy management controls but they still don’t match the capability offered by the leading on-premises solutions of today. This is one of the reasons why many customers hold back from moving to the cloud.</p> <p>So what is the solution? Customers have a choice and can either select an advance cloud security service that can offer all the policy coverage and granularity of an on-premises solution, or they can use the best of both worlds, in a hybrid deployment mode. Use the cloud service to provide that clean feed of email and cut your inbound email feed to just 10 percent of what it was, then rely on your on-premises solution for the more granular policy and management tasks, as well as for scanning outbound email for sensitive information and more.</p> <p>What is nirvana? Well, perhaps it’s a combined solution that uses a single management interface, consolidated reporting and central management, that you as the customer can slide the scale as to how much gets done in the cloud and how much gets done on-premises. This way you make the most of the advantages of both cloud and on-premises, but in a way that makes most sense for you and your organization.</p> <p>—</p> <p>About Luis Curet — Senior Vice President Americas; M86 Security</p> <p>Luis Curet brings over 25 years of experience in sales, channels and marketing to his role as senior vice president Americas. In this position Luis is responsible for all customer touch points and drives new business development as the company expands their growing Secure Internet Gateway. Prior to joining M86 Security, he held the position of vice president for Rainbow Technologies, a $125 million IT security solutions firm that was acquired by SafeNet Inc. </p> </article> <article> <h1>Death of the Hardware Security Appliance</h1> <p>Stephanie Jordan — Tue, 09 Feb 2010 00:12:27 +0000</p> <div class="fb-social-like-widget"><fb:like href="http://www.messagingnews.com/story/death-hardware-security-appliance" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"></fb:like></div><div class="tweetbutton"><a href="http://twitter.com/share" class="twitter-share-button" data-count="vertical" data-via="messagingnews" data-related="messagingnews:News and trends on the latest in business email and messaging technology, including email & web security, virtualization, e-Disc" data-text="" data-counturl="http://www.messagingnews.com/story/death-hardware-security-appliance" data-url="http://www.messagingnews.com/story/death-hardware-security-appliance" data-lang="en">Tweet</a></div><p>The decline of the security hardware appliance is closely linked to the rising popularity of virtualization for business applications of all kinds. Virtualization, the technology that enables multiple heterogeneous operating systems to run simultaneously on the same physical piece of hardware, has been around for some time, but it is really only recently that it has come into its own developing from single server installations to fully global cloud-based infrastructures.</p> <p>According to <a href="http://www.gartner.com/it/page.jsp?id=1211813">Gartner, Inc</a>. just 16 percent of workloads were running in virtual machines by year-end 2009. Given the uncertain economic climate and cost-cutting mandates, it is not surprising that Gartner has forecast that this will rise to 50 percent by 2012. They also expect enterprises with 100-999 employees to have a higher penetration of virtual machines deployed than the Global 500. </p> <p>The reason for this growth in the small- to mid-sized market is that for years the entry point has been simply too high for small enterprises. Only recently has increased competition by server vendors brought prices down to a level that enables smaller firms to embrace virtualization. Moreover, in the IT security market, mounting pressure to cut hardware ownership costs and the ready availability of a growing number of easy-to-use and affordable virtual security appliances have started to change buying habits dramatically.</p> <p>Virtualization now opens the door to a radical overhaul of both people and processes and this appeals to many businesses as they look to make savings that will help them to survive the current market downturn. These savings come in the shape of both dramatically reduced management overheads and significantly lower capital expenditure. In the virtual world, servers can be provisioned and brought online in a matter of minutes - a task that takes several hours in the physical world. Problems, too, that would once have been tied to a specific physical server can be resolved much more speedily in a virtual environment.</p> <p>A perfect example of this sea change can be seen in the security market. Not so very long ago the universal demand was for hardware security appliances. At SpamTitan we have seen the balance shift markedly in favour of virtual appliances. Customers that have already moved to a virtualized environment are looking to increase their return on this investment and integrate a virtual appliance rather than opt for a physical appliance. This dramatic customer shift away from physical appliances is down to the cost advantages and easy management of virtual appliances on the one hand and the comparative high cost and management overheads of physical appliances on the other.</p> <p>This trend towards virtual appliances is a win-win for vendors and customers alike. For vendors, solution delivery and upgrade management is easier and less expensive, allowing savings to be passed to customers. For customers themselves, deploying and managing virtual appliances is simple and fast, and allows them greater economic and administrative flexibility from initial product testing through to purchase and future company growth.;</p> <p>In summary, physical appliances were once fine for the critical security needs of businesses. Customers were prepared to live with the various issues such as appliance overload, upgrade expense and over reliance on vendors that came with them. But the server world is changing fast. Virtual appliances avoid all of these issues while offering the added benefits of fast testing, speedy deployment and minimal management overhead—as well as real scalability and mobility, thus future proofing the initial investment. Our customer activity points emphatically to a future dominated by virtualization and cloud computing. It is difficult to see where and how traditional physical security hardware solutions can survive in this environment.</p> <p>—</p> <p>About Ronan Kavanagh—CEO SpamTitan Technologies</p> <p>Currently Ronan Kavanagh is responsible for Global Sales and Marketing for the <a href="http://www.spamtitan.com/">SpamTitan</a> suite of products. Educated in NUI Galway, Ireland, he joined Copperfasten Technologies in June 2004. Prior to joining Copperfasten Ronan worked with Eurokom, an Internet Security Services provider, delivering a wide range of solutions to both Government and large blue chip companies in Ireland.</p> </article> </main></body></html>