Proofpoint: The threat landscape
Paul Fisher: Tell us a little bit about your background and your history.
Andres Kohn: When Eric Hahn, who is our founder, first contacted me and told me he was thinking of starting an email security business, my first thought was, well, there are companies out there that are doing this. This was in 2002. You had Brightmail, Tumbleweed and Clearswift, so why do we need another one? Once we started talking to a lot of customers and companies that we knew, it became obvious that anti-spam was becoming a problem. But it was also obvious that anti-spam was going to be commoditised, so we had to build a platform to do other things. What's actually happened is that anti-spam continues to be really important - nobody predicted the huge growth that there would be. Because of this, customers continue to re-evaluate their decisions because it's not working for them. We always thought that it would get commoditised but it hasn't - that's interesting.
PF: Do you think we've reached the point where spam is just managed, as every company has spam protection?
PF: So there isn't much room for innovation in that space really? It's either on or it's off.
AK: It's on or it's off, but there is room for innovation in doing it better and, most importantly, these days in lowering the cost of ownership, and that's really where SaaS comes into play.
Another area that one customer is showing interest in is what we call hybrid, whereby we deploy filtering for them in the cloud as a first level before we pass on the clean stream to them, which is then distributed to their global offices for more granular checks on the ground.
PF: What's the difference between customer expectations in Europe and the US particularly in relation to data law and data protection?
AK: In continental Europe there's a feeling of: 'I can't inspect outbound email because of data privacy laws, but at the same time I need to be inspecting it because of data privacy laws'. What we've found is every company is interpreting it in a different way; there's no real consistency. I think the UK is a lot more like the US, where the feeling is: 'I can inspect it, it's company property'.
PF: Do you think governments would do better to actually talk to people like yourselves and your customers before they come up with data laws?
AK: It's interesting that the one regulation, which is probably the clearest and most prescriptive, is PCI-DSS but it's not a government regulation. I just had one of our sales guys send around a new State of Massachusetts regulation. It says you should put in place best practices for securing data. What does that really mean?
One of the big issues is these rules are fairly vague. What we see a lot of times, your readers probably see it all the time, is legal or compliance goes to IT and says you must do something about HIPAA (the US Health Insurance Portability and Accountability Act 1996) and as long as the email administrator is trying to interpret the regulation and what they should be doing they are happy, but that's not what they should be doing.
PF: You said the UK is better, it may be, but I don't think most businesses have a clue what their responsibilities are and what their rights are either. Most people use email in a fairly casual way. Is that true of the US as well?
AK: Some of the stuff going on is. People sending out Excel spreadsheets with private customer information on Yahoo mail so they can work over the weekend. Good for you for wanting to work over the weekend but that's kind of scary. Or medical staff sending out stuff to patients with all their data.
PF: I've heard of a case where nursing staff were using Google Docs, cutting and pasting medical records onto that so that they could look at them at another PC station, which is a direct infringement of HIPAA.
AK: People are spending a lot more money on IT to make sure it's secure, yet I was talking to a customer of ours where people were trying to send round large documents and, trying to find an easy way to do that, they were using MySpace as a place to upload these large sensitive documents.
So a lot of this is about security. A lot of the time it is about putting stuff in place to control what users do, and we believe a big part of it also has to be putting in place technology to enable users to do what they want to do, but do so securely. So allow people to send email to their patients - it's great, that's good and you can do it - but make sure it's encrypted.