Lots of great news from nuBridges

Congratulations to the nuBridges team on a series of announcements this week that coincide with the big RSA security conference in San Francisco.

Among the announcements are the release of a new data security product and two awards from Info Security Products Guide (one for compliance and one for innovation).

I was fortunate to be part of the team that started nuBridges back in 2001 and the company has grown successfully since.  If you are looking for a solution to secure your data or help share it with your customers or suppliers, give them a call.  Also, be sure to check out their blog and follow them on Twitter.

Thoughts on the Symantec acquisition of Vontu

I’m a bit late to the party on something very few could say they are surprised about.  Congrats to the Vontu team (and Benchmark Capital) on the $350MM acquisition by Symantec.  With revenues generously estimated at $30MM that’s a nice 10x+ multiple. Funny thing is that Gartner estimated the DLP (Data Loss Prevention) market to be pretty small (around $170MM in 2007, I believe).  Hope it works out for the Symantec folks who have their work cut out for them after a downgrade and questions regarding overpaying for Vontu. As for the other players out there, definitely a continuing sign of consolidation although one must wonder where Orchestria’s proclamation of "next generation" DLP factored into their partner Symantec’s decision process.  Hopefully Rich will chime in on that.  Also, interestingly, while I was at MessageGate we were called upon to handle the workflow around an email once the Vontu system detected it on more than one occasion.  Hope that was on the due dili check list…

Updated:  Thoughts on the DLP market and M&A from Rich Mogull.  Thanks Rich.

Orchestria makes their bet on data loss prevention

Orchestria issued this press release yesterday about their "next generation" approach to the DLP market.  I’ll save the biting criticism for always charming former Gartner analyst Rich Mogull, but do see this as an interesting development.  Data loss prevention was about the only place Orchestria could go after making good inroads to the NASD 3010 surveillance market on Wall Street.  That said, DLP is an infantile market estimated to be $100MM or so this year with dozens of vendors buzzing around for a piece of the pie.  For those that don’t know, I am no longer in this market (details on my next gig coming) so am coming at this without competitive bias.  There is lots of activity in e-discovery, archiving, and security and today’s announcement by Orchestria shows where they are placing their bet. 

Security challenges from new technologies

MessageGate CEO Shaun Wolfe was featured in today’s Wall Street Journal Business Technology blog on the topic of how new technologies can create security challenges in the enterprise.  Ben Worthen wrote an earlier piece on the generational aspects of electronic communications which is something I previously posted on here.  It will be interesting to watch how "old school" technologies like email collide with "new school" ones like text messaging and social media in the workplace.  My view is that both sides have a lot of learning to do.

A real world example of the insider threat (and the complexity of addressing it)

This story on a former Boeing employee drives home the challenges and complexities related to properly safeguarding information.  I am not going to get into the merits of the case, but think the story here is indicative of the complexities of trying to solve the problem of a determined insider.

What strikes me about this is that Mr. Eastman obtained over the course of two years more than 320k pages of documents with many labeled as sensitive or confidential.  How’d he do it?  Email, FTP, web site upload?  Nope – thumb drive.  How’d he get access?  In his role, he had wide ranging access or "unfettered access" as the charges describe.  How’d this come to light?  Via an email (of course) received by Boeing entitled "Leaks to the Seattle Times."

Drives home the points on my post about access to information and how that must be part of a broader information security plan.  Even if in his quality control position he needed broad system access, the sheer volume of file access and subsequent download activity pointed to an anomaly in need of further examination.

Getting a grip on who can access information

I recently had a really great conversation with the CTO of a large money center bank about information access and control.  During our meeting, we discussed his priorities and the things that keep him up at night which were mostly centered on personally identifiable information (PII) and ensuring the proper safeguards were in place to protect it.  My agenda was mostly around messaging and he agreed that it is important to have proper safeguards and controls in place to take appropriate action (log, encrypt, intercept, etc.) once information takes flight either in or as an attachment to an email.  That said, his approach was more inclusive starting with where the information resides and who can access it. 

He explained their approach as follows:

  • Only the right people have access to this type of information – Access Control
  • If those people or access rights change, there is a process in place to manage it – Change Control
  • Create transparency when one of these authorized users breaches a rule (i.e., alert them that their message has been flagged for further review due to the possible inclusion of PII) – Information Control

Policy-based controls for messaging work well in this situation because they build on the policy-based controls limiting who can access what information.  This makes the problem much easier to solve and ensures that the bank’s most valuable asset to protect – your information – remains safe.