Palisade Blog

Welcome to Palisade Systems' Blog

Speaking at 2010 Social Media in Des Moines Business

by christian 1. February 2010 09:05

Palisade Systems CEO Christian Renaud will be speaking on a panel in West Des Moines, Iowa for the Des Moines Business Record/Hanser and Associates 2010 survey of business use of social media.  If you are reading this, then you already know that Palisade Systems leverages social media extensively in communicating with our customers, vendors, and press/analysts.  If you plan to be in the area, this should be a worthwhile use of your time.

You can register here.

Housewarming Party!

by christian 25. January 2010 16:29

Please come and join us for the housewarming party to commemorate the opening of our new headquarters!  We want to thank all of our customers, investors, and the vendors that made the HQ move possible!

We'll be gathering at Palisade's corporate headquarters this Thursday the 28th from 3pm to 7pm, at:

400 Locust Street

Suite 700

Des Moines, IA 50309

Food and beverages will be provided, including choice selections from my personal wine cellar. Please RSVP to carole@palisadesystems.com if you are able to make it so we can reserve you a wine glass and a name tag!

We look forward to seeing you!

Palisade speaking at Smarter Technology Virtual Jan 21st

by christian 20. January 2010 15:18

One of the tenets of Palisade Systems' corporate culture is to be environmentally conscious in how we sell and support our products.  In the spirit of being green, we are going to be speaking tomorrow, Thursday January 21st, about the real uses of DLP with John Jainschigg, the Executive Director of the Internet & Technology lab for ZiffDavis Enterprise as part of the Smarter Technology Virtual program, sponsored by IBM.  Instead of a flat conference bridge, or Webex, we'll be socializing as avatars virtually in the Smarter Technology Conference Center within Second Life, a virtual world communication and social networking platform.

No plane/train/auto trips will be harmed in order to interact with the large, erudite group they typically host for these gatherings. 

For those of you who have never experienced a virtual conference or briefing, please join us tomorrow at 1PM Pacific/4PM Eastern!

Response to "Are Data Breaches Declining, and Why?"

by christian 13. January 2010 11:06
One of our favorite sites to watch around here is DataLoss db, which does an excellent job documenting data loss incidents.  This isn't simply human nature to gawk at the roadside accident, rather an excellent source of watching macro trends of where and how data loss events are happening. 

On January 7th, they wrote a blog post that looked at the sudden marked decrease in declared data breaches and correlated those against press mentions.  There is a strong correlation between data breaches declared and press mentions, as they are obviously causal; however, it doesn't explain why there has been a sudden drop-off in declared breaches.

We all know there is no sudden panacea that has miraculously cured breaches, so that can only lead the reader to the same conclusions that the blogpost intimates but never comes out and says (no, not solar flares), namely that organizations are not disclosing breaches that are occurring, or they have applied their blindfold and are hoping for the best.

We've personally seen instances where companies adopt the 'stuff your head in the sand' approach to data loss, which means that they are advised (sometimes by counsel!) to not do a free security assessment of their current environment, because they would then be aware of said breach and would have to disclose it.  Ignorance is bliss, it seems.

This approach only works until the breach becomes public, and the damage is greater and harder to repair.

Feel free to comment anonymously on this one, but does this sound like your organization's approach? Are you being pressured to deliberately not look for potential exposure?

HIPAA and HITECH for HUMANS

by christian 11. January 2010 16:14

A friend sent me a copy of the Interim Final Rule for Health Information Technology: Initial Set of Standards, Specifications, and Certification Criteria for Electronic Health Record Technology.  This 136 page document spells out the who/what/when/where/why/how on HITECH as it applies to electronic health records (EHR) and Health Information Technology (HIT).  If you think the title was lengthy and dry, you should have read the entire 136 pages.

To save you the time and attention cycles, let me summarize this most recent guidance for health organizations and their requirements under HITECH.  For those of you who are not aware, there are provisions under HITECH that apply to EHR technology and three stages that need to be implemented by 2011 by ‘eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs’.  If you are a health care organization, the odds are you fall in this category.

In addition to all of the proposed requirements and standards for EHR formatting, interoperability and the like, there is also the requirement for “Technologies that protect the privacy of health information”.  There are numerous sub-components to this requirement that include terminating sessions after a certain time interval, verifying that the EHR has not been tampered with in transit (man in the middle), and audit tracking.

Another key sub-component is policy based encryption, depending on if there is transmission (“Use” in HIPAA parlance) to another organization, or “disclosure”.  There is also the requirement for security audits and assessments to ensure that the entire EHR solution is adhering to the prior strictures.

Palisade is not an EHR provider, but what we do provide are the tools to prevent unauthorized EHR information from leaking from health care networks. We can also identify EHR records in motion, and redirect them to industry-leading encryption technology providers, depending on the platform adopted by the receiving party.  This provides the very-important safety net for health care professionals as they begin to implement these EHR solutions, so that the ease-of-use and ease-of-transmission benefits of EHR don’t also come burdened with the penalties for unauthorized EHR loss/leakage.

Let us know if we can help your organization in your EHR deployment.  As they say on late-night cable television, ‘Our operators are standing by.’

Christian

Twitter and Facebook

by christian 22. December 2009 10:41

Confession: I am a social media junkie.

I have been blogging, tweeting, and FaceBooking, not to mention heavily leveraging synchronous social mediums like Virtual Worlds, since forever.  During this time, I've seen all manner of public tweets that were intended to be direct messages. Inadvertent FaceBook postings that caused arguments, breakups, and worse.  Drunken blogposts late at night that were syndicated to the world via RSS before the (now sober) author tried to delete their tracks.

All of these are the small downside for the powerful productivity and social benefit that society has gained as a result of social media tools.  We are connected in ways we wouldn't have considered possible even a decade ago, and are continually in contact with all of our friends and family through vacations, travel delays (often related hashtags), childbirth, weddings, political uprisings, and even bad-boss behavior.

Every useful tool also has, unfortunately, the potential for unintended consequences.  Just as the aforementioned mistaken status updates were damaging to friendships, the 'wrong window' problem can be a potential data-loss point for organizations as well.  Being heavy users of these technologies at Palisade (see our Twitter feed), we recognize that organizations need to ensure that their sensitive information isn't inadvertently being posted or tweeted.  This was the motivation behind today's announcement of the successful conclusion to our internal certification efforts for Data Loss Prevention for social media tools.  We extensively tested both web-based applications as well as popular third-party applications that leverage different network ports and protocols to make sure our customers were protected from data loss over Twitter and Facebook.  Just as email, instant messaging, and web-applications can be unwitting accomplices in accidental data loss, so can these emerging communications platforms.

You're covered.  You can relax.  Get back to focusing on the upside of these powerful tools, and leave the worrying to us.

Christian

2009 CSI Computer Crime and Security Survey

by christian 7. December 2009 08:48

Each year, the excellent team at the Computer Security Institute surveys large and small organizations across a broad spectrum of industries about their security incidents in the prior year, and the tools and techniques they are deploying to ameliorate their security woes.  They publish these in their Security Survey, and just recently they hosted a webcast to walk through the 14th annual survey's release.

Among the findings were a number of relevant statistics for those of us in the data protection industry.  As LaGuardia's law states, "Statistics are like expert witnesses – they testify for either side", so we'll constrain ourselves to the most relevant findings that apply to data loss, and balance the good news with the bad.

Financial Losses:

Good News: Average company financial losses due to security incidents dropped this year from $289,000 per respondent to the study in 2008 to $234,244 per respondent. 

Bad News: Theft of PII/PHI through all causes other than mobile device theft averaged a cost per incident of $710,000, and Financial fraud was $450,000.  This is further compounded when you consider that although only 7.7% of the respondents were categorized as 'health services', 57.1% of them said their organization had to comply with HIPAA.  

Insider abuse:

Good News: The annually-tracked 'Insider Abuse of Net access or e-mail' metric declined year over year from 44% in 2008 to 30% in 2009.  This may be attributable to the fact that 40% of respondents reported having deployed Data Loss Prevention (DLP) solutions within their organizations.

Bad News: The study also breaks down the percentage of losses due to insiders, and the findings were not consoling.  Malicious insiders were instigators 43% of the time; however, the percentages of the total losses due to malicious abuse were typically low.  One of the summary statistics quoted in the key findings is that "Twenty-five percent of the respondents felt that over 60% of their financial losses were due to non-malicious actions by insiders."

What this last statistic tells us is that the root cause of expensive data breaches is less frequently a 'bad actor' than poor training, 'fat fingering' or other error.

The key takeaway from this data, also articulated as a wishlist solution from respondents to the CSI study, is that organizations need improved visibility into their networks, be it log management, security information (like protocol usage and content analysis results), and so on.  It comes down to 'optics', and having all of the tools you need to see what is really happening in your network. With the right tools, you get the right information, and can make educated decisions in your security posture and policies.

Christian

"We've Moved"

by christian 12. November 2009 10:01

Palisade is happy to announce that we've moved our corporate headquarters!

After Herculean efforts on the part of the entire team, we are now moved to our new location in bustling downtown Des Moines, Iowa. This move gives us considerably more space for our expanding organization, and access to a top notch local infrastructure and labor pool.

There may be some hiccups in our telephones and email while the kinks get worked out of the move, so please email us if you experience any issues whatsoever. Our new mailing address and telephone numbers are as follows:

Old                              New
Palisade Systems Inc.            Palisade Systems, Inc.
2625 North Loop Drive            400 Locust Street
Suite 2120                       Suite 700
Ames, Iowa 50010                 Des Moines, Iowa 50309
515.296.6500                     515.727.0800

Our 888 telephone numbers remain the same. 888-824-0720 is our main telephone number, and you can also still reach technical support directly at 888-325-6500.

We'll be having our new office 'housewarming' party soon, so keep an eye out for the announcement, and feel free to stop by if you are in the neighborhood!

Christian

An Industry First: Managed DLP

by christian 20. October 2009 04:01

Today is another exciting day at Palisade. 

What we really enjoy is solving customer needs in new and better ways each day, and today we added PacketSure Managed DLP to the Palisade product family.  This new solution is targeted at Managed Service Providers (MSPs), allowing them to add Palisade’s award-winning PacketSure DLP technology to their list of security product offerings for their customers.  

We are pleased to be the first data loss prevention vendor in the security market to recognize this market trend, and release a DLP offering specifically for MSPs and their SMB/SME customers.

This solution has been a long time in the making, as we have been gradually hearing of greater and greater interest in managed security services by small and medium enterprises as they seek to contain costs and outsource common security functions such as hosted Exchange, anti-spam and anti-virus, firewalls, and other services.  Recent developments in virtualization technology have enabled us to deploy our easy-to-install PacketSure DLP for multiple customers on a single, cost-effective, MSP-hosted platform.

We were doubly pleased to be working with our good friends at LightEdge Solutions, a full-service Managed Service Provider, in offering Data Loss Prevention to their customers.  You’ll see additional announcements following this one as we continue to add functionality, partners and customers.

Now customers have multiple choices of how they protect their sensitive and confidential data, either on-premise using our PacketSure DLP appliance, or via an MSP as a managed DLP service.  Either way, your information is protected, which is what we are all about.

Christian

Trustwave <hearts> Vericept, and the closing of Chapter 1 of the DLP story

by christian 30. September 2009 08:30

As CEO, I have been receiving a number of questions recently regarding the acquisition of Vericept by Trustwave (and previously, Orchestria by CA) and what that market consolidation means to the DLP business in general.  Being a veteran of numerous market consolidations, we can look back on recent technology examples to help us place where in the maturity curve DLP technologies are today.  The short answer is that there are typically two or more phases of any new technology emergence, with consolidation within each phase, and that Vericept is the punctuation mark on the end of Phase One.  For more detail, read on.

Data Loss Prevention as a space is relatively new, with the first startups appearing within the last decade or so, and real value remaining elusive until the last 5 years.  As is typical in many emerging technologies, the initial adoption was from large-enterprise early-adopter customers, such as Wall Street and key Fortune 500 enterprises.  These early deployments helped debug the technology on forgiving customers, and helped distill 'nice to have' from 'must have' features for the early startups.  During these early stages, there is always a considerable amount of volatility while the definitions and product offerings vary wildly as the market matures.

When the startups begin closing Fortune 500 deals, the larger technology players that had adopted a 'sit back and wait' posture smell the blood in the water and the first stage of market consolidation occurs.  The large companies see the early successes as leading indicators of a broader market validation, and whip out their proverbial checkbooks.  This consolidation happens in fits and starts as large technology companies respond to product and competitive pressures.

After three or four years, when a number of startups have tried nearly every product and technology permutation on the market, and the first wave of consolidations have occurred, a semblance of technology-equilibrium emerges.  This is where the DLP market is now, which is nearing a common definition of what constitutes DLP (and more importantly, what doesn't fall in the overused term), and the beginning of the second phase of market development.  This phase is when the value of the technology becomes evident to not only the large enterprise market, but also Small and Medium Enterprises as well (SME/SMBs). Think about what happened with Anti-Virus, Anti-Spam, IDS/IPS.....the technologies reached initial traction in the large enterprises, and gradually percolated their way down to the small/medium enterprises.

That's where we are today, with the SMB/SMEs looking at DLP with a fresh perspective, and trying to map large enterprise focused products to their small/medium enterprise needs.  How does that work out, in practice?

  • Large enterprises have IT staffs that specialize on applications, network, security, and so on.  SMB/SME customers often have one or two IT support people who do it all.
  • Large enterprises have dedicated budget and headcount on a per project basis.  Small and Medium businesses need to focus on their core business, and not get immersed in multi-month projects.
  • Large enterprises typically have very complex environments that require extensive configuration.  SMEs need the right products that fit their needs, and not over-instrumented/engineered solutions at a 'Cadillac price point'.

That's where Palisade lives.  We focus exclusively on SME/SMBs, with the features and price points needed for our customers, and not trying to shoe-horn a square peg into a round hole.  We install in 45 minutes or less, have multiple adjacent functions (protocol filtering, web filtering, and data loss prevention) in the same appliance so busy IT staff do not need to maintain three similar and overlapping devices, have pre-packaged templates for PCI/PHI/HIPAA and other regulations, and work with our customers to help them install and deploy the solution quickly and then get on with their core business.  This is what we do, and have been doing so in the DLP space for SMB/SMEs for over five years.

Vericept was one of the first companies to offer products in the DLP market, and focused on large enterprises.  This is where Trustwave focuses as well, so this is a key adjacent-technology acquisition for them.  I respectfully but wholeheartedly disagree with Brenon Daly's analysis in Seeking Alpha that this is indicative of the last of the consolidation in the entire DLP market, as this is only the first quarter of the game.  Brenon's analysis also disregards the macro-economic impact of M&A activity in general, which has caused a chill on all technology area consolidations. We instead view this as the last of the large-enterprise-focused DLP companies being acquired as part of 'Phase One' of the DLP market development.

Meanwhile, we will continue to secure the proprietary information and sensitive data of our hundreds of SMB/SME customers, and look forward to the second phase of the overall DLP market.

The views and opinions expressed and/or implied here are those of the individual contributors and do not necessarily reflect the views of Palisade Systems, Inc.