The document is a white paper that discusses the need for organizations to consider cloud-based security solutions in 2012. It notes that threats from email, web, and other vectors are growing more sophisticated and severe. On-premise security alone is often not enough to adequately protect organizations. Cloud-based security offers advantages like reducing the workload on IT staff and resources, providing protection for mobile users, and allowing for rapid deployment of new services. The white paper recommends a layered approach using both on-premise and cloud-based security for maximum protection.

1. WHITE PAPER
Why You Need to Consider
Cloud-Based Security in 2012
ON An Osterman Research White Paper
Published January 2012
SPONSORED BY
!
!
!
SPON
!
!
!
sponsored by
sponsored by
Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • info@ostermanresearch.com
www.ostermanresearch.com • twitter.com/mosterman

2. Why You Need to Consider Cloud-Based Security in 2012
Executive Summary
Protecting endpoints from various threats is perhaps the single most critical function for any IT
department. Given the still voluminous quantity of spam that hits corporate email servers, the
growing threat from malware and advanced persistent threats, and the increasing number of
physical platforms and Web-based applications that have access to corporate data resources,
protecting critical these resources and platforms should be at the top of virtually IT decision-
maker’s “must-do” list.
However, the sheer volume of these threats and their sophistication in using social engineering
and other methods to penetrate corporate defenses, coupled with an increasingly dispersed
workforce, mean that on-premise security solutions alone will not provide adequate protection
in most cases. Consequently, many organizations have opted for cloud-based security
solutions, either as complete replacements for their existing on-premise solutions or – more
commonly – as supplements to it.
KEY TAKEAWAYS
There are four key takeaways presented in this white paper:
• The number, sophistication and consequences of email, Web and other threats is increasing
and will require more advanced, faster and more efficient ways of dealing with them.
• Security is a priority that has not been lost on IT and business decision makers. Most
continue to view security as a top-of-mind issue, resulting in security spending and analysis
of new security models as a leading priority in most organizations.
• The use of cloud-based security capabilities is increasing at a faster pace than use of on-
premise security servers and appliances. While we do not believe that on-premise solutions
are by any means going away, their use is being displaced and/or supplemented by cloud
services.
• Cloud-based services are generally seen as a complement to existing on-premises email
security and Web security solutions, rather than an outright replacement, particularly in
larger organizations. To an extent this is because some organizations are taking a cautious
approach to cloud-based services for email and Web security and will run these in addition
to in-house systems. For others – and we believe a growing proportion – the goal is to
create a layered security model that performs pre-filtering in the cloud and uses on-premise
solutions for the “heavy lifting” tasks associated with data loss prevention (DLP) and other
CPU-intensive tasks.
ABOUT THIS WHITE PAPER
This white paper discusses key security issues focused on email, Web and other communication
and collaboration systems. It also provides information on the sponsors of this white paper –
AppRiver, Proofpoint and SpamTitan – and their relevant offerings. Information on each vendor
is provided at the end of this document.
©2012 Osterman Research, Inc. 1

3. Why You Need to Consider Cloud-Based Security in 2012
The Growing Challenges of Email and Web Security
THREATS ARE GROWING IN SOPHISTICATION AND SEVERITY
During the past several years, we have observed growing numbers of organizations reporting
security violations experienced through the Web and email – albeit with a slight drop in 2011 –
as shown in the following figure from an Osterman Research study published in late 2011i.
Proportion of Organizations Reporting a Successful Security Violation by Mode
2007 through 2011
The data in the figure above suggest that security violations – namely malware, phishing and
related types of attacks – are growing steadily over time. The drop in these issues in our 2011
research suggests that defenses against these incursions are becoming somewhat more
successful as they become more widely deployed and as organizations are deploying cloud-
based defenses as a supplement to traditional on-premise systems. That said, the proportion of
organizations reporting security violations is at a very high level and is creating an enormous
number of risks for organizations of all sizes and across all industries.
SECURITY IS MORE DIFFICULT BECAUSE THERE ARE MORE INGRESS POINTS
Complicating the problem of security, and at least partially explaining the growth of malware
incursions over the past several years, are two fundamental problems that virtually all
organizations need to manage:
©2012 Osterman Research, Inc. 2

4. Why You Need to Consider Cloud-Based Security in 2012
• As discussed later in this white paper, spammers, malware authors and other criminals are
becoming more adept at their craft, they are better financed than in years past, and thus
they are better able to penetrate corporate security defenses.
• As companies provide users with more mobile platforms, as shown in the following figure,
and as employees “consumerize” IT by using their personal devices alongside those supplied
by their employer, as shown in the next figure, the number of ingress points for malware
continues to increase.
Please note that the data in these figures totals to more than 100% because many employees
use multiple devices.
Penetration of Company-Supplied Mobile Devices
2009 through 2012
©2012 Osterman Research, Inc. 3

5. Why You Need to Consider Cloud-Based Security in 2012
Penetration of Company-Supplied and Personal Mobile Devices
2011 and 2013
SPAM IS STILL A SERIOUS ISSUE
The good news about spam is that volumes of this unwanted content were substantially lower
in 2011 than in 2010 due to the takedown of various botnets. The bad news is that spam
continues to represent roughly 75% of all email traversing the Internet.
Spam, while not “dangerous” from a security perspective per se, wastes bandwidth, storage,
and employee time, not to mention the cost of deploying systems to deal with identifying and
eradicating spam from corporate networks. Spam wastes IT’s time, users’ time and drives up
the overall cost of email and other IT-managed systems.
MALWARE IS BECOMING A MORE SERIOUS THREAT
Much more sinister than the spam problem is malicious email – messages, such as phishing or
spearphishing attempts, that are sent with the specific intent of carrying a damaging payload or
directing a victim to a malware site so that information or funds can be stolen. The growing
number of keystroke loggers, password-stealing Trojans and other types of malware means
that corporate data and finances are increasingly at risk. Data theft can include sensitive
content like usernames and passwords, but it can also include login data for banking systems,
customer data, trade secrets and other types of confidential information. The increasing end
goals of stealing information (both personal and corporate), hijacking systems for a wide range
of purposes and launching additional malicious attacks all have serious business implications, in
©2012 Osterman Research, Inc. 4

6. Why You Need to Consider Cloud-Based Security in 2012
addition to the more traditional impacts to storage, bandwidth, infrastructure and other costs.
For example, there have been a number of serious malware incursions during the recent past:
• A number of children’s game sites have recently been spreading malware. For example, a
Czech security firm found that as of January 10, 2012, the children’s site CuteArcade.com
had attempted 12,600 Trojan infections. This is a particularly dangerous threat, since many
employees work from home on the “family” computer, potentially leading to infections in
corporate networks.
• In December 2011, the Web site of Amnesty International UK was compromised and was
delivering malware to visitors in a “drive-by” attackii.
• Also in December 2011, Microsoft discovered malware that infects users’ PCs with a
message supposedly from the national police force of various nationsiii. This particular
malware variant is unique in that it is delivered primarily in the local language of the victim,
affecting users thus far in Germany, Switzerland, the United Kingdom, Spain and the
Netherlands.
• In September 2011, Mitsubishi Heavy Industries experienced a spearphishing attack that
compromised 83 different systems in 10 locations across the companyiv.
• In June 2011, the International Monetary Fund (IMF) experienced a spearphishing attack
that may have been perpetrated by a rogue state. Although employees were warned not to
open unexpected attachments, to open email from unknown senders or to click on video
links, malware in an email successfully penetrated IMF defenses and information was stolen
from compromised computersv.
• In April 2011, hackers sent phishing emails to many lower level employees at security firm
RSA. These emails contained the subject line “2011 Recruitment Plan” and included an
Excel spreadsheet attachment that contained a zero-day flaw aimed at vulnerability in
Adobe Flash. Although the emails were successfully sent to these users’ spam quarantines,
the emails were opened and a Trojan was installed that was able to harvest credentials from
many employee accounts, compromising RSA’s SecurID tagsvi. As of late 2011, 760
organizations have been attacked using the same command and control, including IBM,
Google, Microsoft and about one-fifth of the Fortune 500vii.
• On April 7, 2011, a spearphishing attack sent to the Oak Ridge National Laboratory was able
to steal a few megabytes of data before IT administrators cut off Internet access. The
email sent to employees was supposedly from the lab’s HR department and was received by
530 employees, 57 of whom clicked on a malicious link contained in the emailviii.
• In November 2010, a 26-year-old Hungarian citizen, in a strange attempt to be hired by
Marriott International, sent an infected email attachment to several Marriott employees that
allowed him to steal sensitive information from the company. Marriott estimates that the
cost of analyzing the extent of the compromise of its network cost it somewhere between
$400,000 and $1 millionix.
©2012 Osterman Research, Inc. 5

7. Why You Need to Consider Cloud-Based Security in 2012
• Also in November 2010, employees at the Ministry of Economics, Finances, and Industry in
France received spearphishing emails that contained a Trojan. A minimum of 150
computers were compromised and sensitive G-20-related documents were stolenx.
The threat of malware rarely ends with the initial victim, since the data stolen is often used to
generate new attacks. For example, data hijacked in the very well publicized Epsilon breach in
2011 is now being used to target customers of Chase Bank.
BREACHES CARRY MORE RISK
Threat that come from the Web – such as those that can infect users who are simply surfing
the Web or using Web 2.0 applications like Facebook or Twitter – are becoming much more
serious as criminals increasingly exploit holes in corporate security defenses, and as users
employ more Web-based tools. These threats are becoming so costly that many organizations
are at risk of being put out of business through direct financial losses or the loss of data that
carries with it very high direct and indirect costs.
For example, many organizations have been targeted with keystroke loggers, such as Zeus, that
allow criminals to transfer funds out of corporate financial accounts. There have been many
cases of this type of theft – many targeted to small and mid-sized organizations that often do
not have full-time IT staff – resulting in major financial losses:
• Hillary Machinery: $800,000 (its bank was able to recover only $600,000xi)
• The Catholic Diocese of Des Moines: $600,000xii
• Patco: $588,000xiii
• Western Beaver County School District: $700,000xiv
• Experi-Metal, Inc.: $560,000xv
• Village View Escrow: $465,000xvi
• An unidentified construction company in California: $447,000xvii
• Choice Escrow: $440,000xviii
• The Government of Bullitt County, Kentucky: $415,000xix
• The Town of Poughkeepsie, New York: $378,000xx
• An unidentified solid waste management company in New York: $150,000xxi
• An unidentified law firm in South Carolina: $78,421xxii
• Slack Auto Parts: $75,000xxiii
As bad as these losses are – particularly in light of the fact that most of these organizations are
relatively small and can ill afford to lose amounts this large – the direct loss of funds is not the
only consequence of malware. For example, the 2011 Data Breach Investigations Report found
that malware was responsible for nearly 80% of lost data in 2010 and was a factor in roughly
one-half of the cases in which data was lostxxiv. Compromised data can include a wide variety
of valuable content, including trade secrets, financial data, marketing plans, server passwords
and other sensitive and confidential information.
IMPROVING SECURITY IS A HIGH PRIORITY
The good news on the security front is that the seriousness of problems involving security risks
have not been lost on IT and other decision makers. For example, Web security, anti-virus,
anti-spam, and corporate smartphone security capabilities are all fairly strong priorities for
spending, as shown in the following figure.
©2012 Osterman Research, Inc. 6

8. Why You Need to Consider Cloud-Based Security in 2012
Priorities for Security-Related Spending
% Responding a Priority or High Priority
Why Consider Cloud-Based Security?
While on-premises security solutions can provide robust defenses against spam, malware and
other security threats, cloud-based security – used either as a standalone solution or in
conjunction with on-premise defenses – offers a number of inherent advantages:
• Most threats never hit the on-premises network
The use of a cloud service for spam processing, for example, eliminates the majority of
content processing, storage and bandwidth associated with spam before it ever reaches the
customer’s network, making the on-premise infrastructure more efficient. More critically,
the bulk of malware can be eradicated before it ever reaches the corporate network, leaving
on-premise solutions – if they are in place – to act as another layer of protection against
these threats.
• More efficient use of IT resources
One of the key issues that should be considered by any organization – but one that often is
not – is the opportunity cost of IT staff members. Most CIOs and IT managers would agree
that finding and retaining highly qualified IT staff is not an easy task. As a result, in-house
IT staff should be used so that they can provide maximum efficiency to their employer,
while also giving them a satisfying work experience that will motivate them not to move
elsewhere.
©2012 Osterman Research, Inc. 7

9. Why You Need to Consider Cloud-Based Security in 2012
A cloud security solution – whether used for messaging security, Web security or other
capabilities – allows IT staff members to move on from managing security servers and
appliances and to work on projects that provide more differential value to the organization
and that can result in greater job satisfaction.
More broadly, the use of cloud services allows an organization to focus more on its core
business rather than devote resources to managing its security infrastructure. Just like the
vast majority of organizations do not generate their own electricity or drill their own water
wells, organizations should consider security to be a service that should at least partially be
in the cloud.
• Reduced total cost of ownership
Many decision makers believe that internally managed security systems are less expensive
to deploy, configure and manage than cloud services. While in some cases that perception
may be true, very often it is not largely because many decision makers do not factor in the
total cost of providing robust security capabilities. Many underestimate the cost of labor to
manage their security infrastructure and they do not consider the highly disruptive impact of
outages and other unforeseen events. A cloud security capability can be significantly less
expensive than its on-premise counterpart when all of the costs of security are included.
• Easier support for mobile and remote users
Given that a growing proportion of the working population is mobile – either because of
corporate telework initiatives or employees who travel as part of their work – security for
these employees can be difficult to manage using on-premise systems. Cloud security
capabilities can provide a high level of protection for these employees, many of whom use
Wi-Fi hotspots and other resources that are much less secure than their in-office
counterparts.
• Rapid deployment of services
One of the fundamental benefits of a cloud security service is the speed with which services
can be deployed. For example, using a cloud service make it easy to add or subtract small
numbers of users, or even entire business units, from a particular service, which is
particularly advantageous when integrating merged or acquired companies into an IT
infrastructure.
• Better prevention of zero-hour threats
Cloud service providers typically update their capabilities on a near real-time basis and often
have access to new malware signatures sooner than they are made available for user of on-
premise systems. Moreover, many cloud security providers run multiple threat detection
systems, making their solutions less likely to allow malicious content through to customer
endpoints, particularly when used in conjunction with on-premise security solutions.
• Extending the life of on-premises solutions
Related to the point above is that cloud services allow an organization to extend the useful
life of an in-house security solution. For example, if a company has reached the maximum
capacity of its email filtering appliances, it could implement a cloud-based spam filtering
service that would dramatically reduce the amount of incoming traffic and thereby allow
new investments in internal hardware to be postponed or avoided altogether.
©2012 Osterman Research, Inc. 8

10. Why You Need to Consider Cloud-Based Security in 2012
• Distribution of security tasks
As a corollary to the point above is the inherent advantage of cloud security services to
offload the majority of content scanning and filtering from the on-premise infrastructure,
leaving on-premise systems free to do the “heavy lifting” of deep content inspection.
Because DLP solutions, for example, typically require more CPU horsepower than scanning
for spam or known malware, the on-premise infrastructure can be focused more on these
CPU-intensive activities.
• Very high reliability and ability to better satisfy SLA commitments
Cloud service providers can typically invest more resources into their infrastructure than
individual organizations can afford and so provide extremely high levels of reliability.
Because most cloud service providers maintain very capable data centers, they can typically
offer higher levels of reliability and better Service Level Agreements (SLAs) that would be
difficult for internally managed systems to match. This allows customers to focus on
providing services that offer greater value to their enterprise with the assurance that
functionality will be available virtually 100% of the time.
It is also important to consider that cloud providers’ data centers are staffed on a 24x7 basis
and that capabilities are monitored around the clock – something that would be cost-
prohibitive for smaller companies. This means that problems can be dealt with more rapidly
than is feasible in many on-premise deployments.
• Improved disaster recovery and business continuity
Another important advantage of cloud solutions is that they can provide a very useful
backup messaging solution in the event of an outage of the primary messaging system. For
example, most cloud security providers will spool incoming email for at least several days
(much longer in some cases) if it cannot be delivered to a customer’s server. This prevents
an email server outage from causing bouncebacks to senders and ensures that incoming
email is still being processed.
Considering Different Cloud Deployment Models
Cloud services are increasing in popularity and offer a robust option for organizations to
implement a variety of threat-protection capabilities. As shown in the following figure,
deployment of security in the cloud is rapidly outpacing growth in both on-premise server and
appliance-based solutions.
©2012 Osterman Research, Inc. 9

11. Why You Need to Consider Cloud-Based Security in 2012
Installed Base of Security Solutions by Delivery Model
2011 and 2012
The primary advantages of the cloud model, as discussed above, are that no investments in
infrastructure are required, up-front costs are minimal, ongoing costs are predictable, and all
management and upgrades of the system are managed by the cloud provider.
A newer approach that is increasingly offered by vendors is to combine on-premise
infrastructure with cloud services. For example, a vendor may provide a spam-filtering
appliance on-site, but couple this with a cloud spam-filtering service that acts as a sort of pre-
filter; or they may rely on a cloud-based anti-malware service and desktop anti-virus tools.
Many organizations are deploying their own hybrid solutions, mixing and matching various
vendors’ cloud and on-premise offerings into a customized hybrid solution.
The fundamental advantage of this layered, hybrid approach is that the on-premise
infrastructure is protected from unanticipated events like spikes in spam traffic or overall
increases in the volume of malicious traffic over time. This helps to preserve the on-premise
investment and maintain stable performance of the IT infrastructure as measured by metrics
like email message delivery time or latency in delivering Web pages.
Osterman Research believes that in the future cloud-based services will more often be used a
complement to existing on-premises email security and Web security solutions, rather than as
©2012 Osterman Research, Inc. 10

12. Why You Need to Consider Cloud-Based Security in 2012
an outright replacement. While many small organizations may opt for a cloud-only security
model, most mid-sized and large firms will adopt a hybrid approach.
A new deployment offering is that of private cloud based security solutions, a combination of
cloud and virtualization technologies, delivering immediate private cloud based virtual
appliances to the customer. This new and interesting option offers all the benefits of the cloud,
but with the additional security of a private cloud.
What Should You Ask a Cloud-Based Security Provider?
There are a number of questions that should be asked of any prospective cloud security
provider, among which are the following:
• What capabilities do you offer and what is on your roadmap?
This is perhaps the most critical single question to ask of a cloud security vendor because of
the increasing number of communication and collaboration channels for which security will
need to be provided. These include social media, file-sharing capabilities, file-
synchronization services, various types of Web 2.0 applications and Web services, etc. A
cloud vendor that does not keep pace with the long-term requirements of its market, while
a solid choice today, might need to be reconsidered at a later date.
• How integrated are your services?
Giving customers a single pane of glass from which to manage cloud security capabilities –
spam quarantines and filters, messaging policies and the like – will make management of
these services easier and more efficient.
• What is your financial viability?
It goes almost without saying that any vendor – but particularly one focused on such a
critical offering like messaging, Web and collaboration security – must remain solvent and
generate the operating funds needed to continually improve their security solutions.
• How secure is your infrastructure?
Just how physically secure is the provider’s infrastructure in the context of physical security
like video monitoring of the data center(s) and access to servers, backups and other
resources that house customer data? While this is more important for cloud services at
which customer data is stored for long periods, like archiving services, it is also an important
consideration for security vendors, as well.
• What certifications have you met?
Another important question is the level of certification that cloud providers have met or are
planning to meet in the future. Among the certifications that might be considered for
review are Statement for Attestation Engagements (SSAE) 16, Statement of Auditing
Standards (SAS) 70 Type II, Federal Information Security Management Act of 2002 (FISMA)
and International Organization for Standardization (ISO) 27001.
©2012 Osterman Research, Inc. 11

13. Why You Need to Consider Cloud-Based Security in 2012
• What architectural capabilities ensure that there is neither delay in message
delivery nor any additional, unnecessary risk incurred by storing a copy of the
message?
This is another important question because it can determine the level of latency introduced
by the cloud-screening process. While delays of just a few seconds are unlikely to be
noticeable in the vast majority of situations, processing delays of a minute or more might
impact message throughput and productivity. Moreover, if a provider must store customers’
content – such as when spooling messages when the primary message system is suffering
an outage – how content is stored should be well understood.
• Are you using your technology or another vendor’s?
It is important to understand which vendors’ technologies are used for malware scanning by
each prospective cloud provider, since the efficacy of each provider’s services can be
significantly impacted by the technologies they employ. Moreover, it is important to
understand how these vendors’ solutions will interact with current on-premise systems in a
hybrid deployment.
• What provisioning tools are available?
The availability of provisioning tools, such as a Web-based interface for adding users,
modifying services, monitoring content, etc., can vary from one provider to another.
• Where is the data stored?
This is another important question, particularly for cloud security providers that spool their
customers’ data during outages. For example, non-US companies might opt for a cloud
provider with data centers outside of the United States in order to avoid potential access of
their content under the PATRIOT Act. Countries in which data protection laws prevent the
storage of sensitive or confidential data outside of a particular geography must also be
cognizant of exactly where cloud providers store their data.
• Do you operate multiple data centers?
This is an important question because it impacts message latency, as well as the ability of a
cloud provider to meet or exceed its SLAs.
• How often are upgrades provided?
One of the fundamental advantages of cloud security is that it can be updated on an almost
continual basis. Leading cloud providers will update their malware signatures and other
elements of their infrastructure frequently.
• What are the termination conditions?
This is by no means a “show-stopper”, but an important question nonetheless because of its
impact on the ability of a customer to migrate to a new cloud security provider easily and
rapidly.
• What reporting capabilities are available?
Robust reporting on spam levels, false positives, malware filtering and other parameters of
the cloud security service are important to provide IT administrators with the ability to fine-
tune corporate security policies, as well as to determine the overall effectiveness of the
security offering. However, while the effectiveness of blocking malicious content is
©2012 Osterman Research, Inc. 12

14. Why You Need to Consider Cloud-Based Security in 2012
important, even more important is how malicious content is handled if it has entered the
corporate network.
• Are professional services available?
While professional services often will not be necessary in the context of cloud security per
se, organizations operating hybrid environments may need these types of services to
effectively integrate their on-premise capabilities – such as DLP – with cloud services.
Summary
Security is a critical issue that is becoming more complex and more difficult to address. As a
result, organizations of all sizes need to find new and more effective ways of protecting data
and endpoints in their organization, while reducing the cost of doing so to the greatest extent
possible. Cloud security capabilities should seriously be considered as a replacement for, or
supplement to, on-premise security defenses.
Sponsors of This White Paper
AppRiver, a leading provider of email messaging and
Web security solutions, was among the first syndicated
partners to bring the new Microsoft Office 365 suite to
market. With more than 45,000 corporate customers
and 8 million mailboxes worldwide, AppRiver is one of !
the largest hosted security service providers in the
world. It is that record of success, and the company’s AppRiver, LLC
over-the-top commitment to customer care that made 1101 Gulf Breeze Parkway
AppRiver a natural partner during the launch of Office Suite 200
365. Gulf Breeze, FL 32561
USA
With Office 365 from AppRiver, there's no upfront +1 866 223 4645
investment in software, updates are automatic and www.appriver.com
included, and service plans may be tried out for free for
30 days. There are no cancellation penalties and clients are free to leave at any time. That
said, the company maintains an impressive 93% customer retention rate since inception and
backs its services with award-winning Phenomenal Care™. Every AppRiver customer has VIP
access to US-based technicians 24 hours a day, every day. What’s more, a team of trained
sales engineers is available to assist customers with complimentary migration to the cloud.
AppRiver offers a growing suite of cloud-based security solutions that may be managed within a
single, easy-to-use customer portal. Services include spam and virus protection, secure
Exchange hosting, email encryption, email continuity, archiving and Web protection. The
company is led by an Ernst & Young Florida Entrepreneur of the Year award winner, and has
been identified as a Top 20 Cloud Security Vendor in 2011 by Everything Channel’s CRN
magazine. For more information, please visit www.appriver.com.
©2012 Osterman Research, Inc. 13

15. Why You Need to Consider Cloud-Based Security in 2012
Proofpoint, Inc. helps the largest and most successful
companies in the world protect and govern their most !
sensitive data. Proofpoint is a pioneering security-as-a-
service provider that focuses on cloud-based solutions Proofpoint, Inc.
for threat protection, compliance, archiving & 892 Ross Drive
governance and secure communications. Sunnyvale, CA 94089
USA
Organizations around the world depend on Proofpoint’s
+1 408 517 4710
expertise, patented technologies and on-demand
www.proofpoint.com!
delivery system to protect against phishing, malware
and spam, safeguard privacy, encrypt sensitive
information, and archive and govern messages and critical enterprise information. Proofpoint’s
cloud-based data protection solutions include:
• Proofpoint Enterprise Protection delivers the industry’s most comprehensive threat
classification and email security management solution against phish, virus, spam, and other
email-borne threats. Robust outbound email features include outbound spam/virus detection
and email policy enforcement.
• Proofpoint Enterprise Privacy provides powerful data loss prevention, protection and
encryption capabilities—the easiest and most cost-effective way for organizations to prevent
leaks of sensitive data. Powerful policies help organizations protect email data based on the
role of specific users. Advanced, deep content analysis monitors and classifies both
structured and unstructured data, ensuring that all sensitive information is protected. The
policy-based encryption capabilities of the included Proofpoint Encryption solution support
both desktop and mobile users, ensuring an easy, seamless experience from any device.
• Proofpoint Enterprise Archive is an on-demand email archiving solution that addresses
three key challenges—legal discovery, SEC/FINRA compliance and end user email
management—without the headaches of managing email archiving in-house. Proofpoint
Enterprise Archive can be utilized for search anytime-anywhere with sustainably fast,
reliable performance uniquely backed by a Search Performance Guarantee.
• Proofpoint Enterprise Governance is an enterprise information governance solution that
allows organizations to easily track, classify, apply policies and monitor unstructured
information wherever it exists across the enterprise. Using patented Digital Thread®
technology, Proofpoint Enterprise Governance follows every document as it proliferates and
migrates, allowing you to take control of all the unstructured, unmanaged, and de-
centralized documents in your enterprise.
Learn more about Proofpoint solutions at http://www.proofpoint.com/products
Headquartered in Sunnyvale, California, Proofpoint has offices around the globe including
Canada, Japan, the United Kingdom, Asia Pacific, Europe and Mexico.
©2012 Osterman Research, Inc. 14

16. Why You Need to Consider Cloud-Based Security in 2012
SpamTitan, a provider of sophisticated enterprise
level email and Internet security solutions, is a global
company with customers utilizing their software in
five continents. Customers range from small
businesses with as few as 10 users to organizations SpamTitan
with 40,000-plus users. IDA Business Park
Galway
SpamTitan on Demand offers businesses an on Ireland
demand private cloud virtual appliance solution
+1 201 984 3271
providing the most comprehensive protection from www.spamtitan.com
email threats, including spam, viruses, Trojans,
Phishing, Malware and other unwanted content. SpamTitan’s unique approach in utilizing next-
generation virtualization software combined with the cloud eliminates the need for unwieldy
hardware and shared resources, giving customers unparalleled flexibility, versatility and
scalability but at an affordable price. Integrating best-of-breed technologies.
SpamTitan is also used by many Internet Service Providers to offer managed email services to
their clients. SpamTitan is one of a select few to have achieved VMware’s Certified Virtual
Appliance status and was one of the first products to be awarded the certification.
WebTitan is a gateway Internet monitoring, filtering and reporting solution. It offers
organizations protection to their data and users from malware and other internet threats such
as viruses, spyware, and phishing as well as providing user policy browsing tools to ensure
corporate internet policy is adhered to in the new world of Web 2.0.
©2012 Osterman Research, Inc. 15

17. Why You Need to Consider Cloud-Based Security in 2012
© 2012 Osterman Research, Inc. All rights reserved.
No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of
Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior
written authorization of Osterman Research, Inc.
Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document
or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws
(including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively,
“Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws
referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the
information contained in this document.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS,
CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.
i
Messaging and Web Security Market Trends, 2011-2014; Osterman Research, Inc.
ii
http://www.zdnet.com/blog/security/amnesty-international-uk-compromised-serving-exploits-and-malware/9861
iii
http://blogs.technet.com/b/mmpc/archive/2011/12/19/disorderly-conduct-localized-malware-impersonates-the-police.aspx
iv
http://www.eweek.com/c/a/Security/Mitsubishi-Heavy-Network-Most-Likey-Compromised-by-SpearPhishing-Attack-335314/
v
http://www.eweek.com/c/a/Security/IMF-Breach-May-Be-StateSponsored-Spear-Phishing-Attack-526401/
vi
http://www.pcmag.com/article2/0,2817,2382970,00.asp#fbid=uW9bd7GksLR
vii
http://money.cnn.com/2011/10/27/technology/rsa_hack_widespread/index.htm
viii
http://www.wired.com/threatlevel/2011/04/oak-ridge-lab-hack/
ix
http://www.courthousenews.com/2011/11/29/41751.htm
x
http://arstechnica.com/security/news/2011/03/hackers-spear-phish-infiltrate-french-ministry-of-finances.ars
xi
http://rixstep.com/1/1/20100126,00.shtml
xii
http://krebsonsecurity.com/tag/catholic-diocese-of-des-moines/
xiii
http://www.networkworld.com/news/2009/092409-construction-firm-sues-after-588000.html
xiv
http://www.post-gazette.com/pg/09195/983738-57.stm
xv
http://www.computerworld.com/s/article/9156558/Michigan_firm_sues_bank_over_theft_of_560_000_
xvi
http://krebsonsecurity.com/2010/06/e-banking-bandits-stole-465000-from-calif-escrow-firm/
xvii
http://www.technologyreview.com/computing/23488/?a=f
xviii
http://www.bankinfosecurity.com/articles.php?art_id=3159&opg=1
xix
http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html
xx
http://www.computerworld.com/s/article/9153598/Poughkeepsie_N.Y._slams_bank_for_378_000_online_theft
xxi
http://www.suite101.com/content/protect-yourself-against-banking-crimeware-a156086
xxii
http://www.abajournal.com/news/article/doj_says_massive_decade-old_botnet_helped_web_thieves_steal_millions/
xxiii
http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html
xxiv
http://gocsi.com/public/dbir
©2012 Osterman Research, Inc. 16