MimeCast Chief Scientist & Chief Security Officer Discuss Cloud Security

MimeCast Chief Scientist & Chief Security Officer Discuss Cloud Security

In your own words, please describe Mimecast and the company’s service to readers.

Nathaniel: Mimecast is a cloud-based email management company. We provide our customers with a unified solution for their company’s email that incorporates security, business continuity, storage, and eDiscovery solutions. With Mimecast, companies’ email systems are more secure, less costly and easier to maintain as several different products can be replaced with one holistic cloud-based solution. In the future, we expect to provide similar services for additional types of information management.

What are the key questions most of your customers ask related to security and back-up concerns?

James: The most common security and backup questions/concerns in the industry are typically related to data access and continuity—who can access data and how do you ensure that there are no service interruptions.

Specifically, we’ve seen questions around:

Confidentiality of Data: How is data encrypted and how much access does staff have to that data? It is important for vendors to create an impenetrable wall between its customer’s data, its employees, and other customers’ data.
Protective Controls Around the Data: Customers want to know details about how data is protected, including encryption, perimeter security (firewalls), physical security (at the data center) and operational security (change control, incident management, log auditing, staff vetting, etc.);
Jurisdiction of the Data: Will the customer breach local regulations or legislation by having data leave the country of origin? And if this is the case, how can my service provider or vendor help me prevent this from happening? Are there multiple locations or ways that data can be stored locally to mitigate this problem?
Judicial Access to Data: What happens when law enforcement requests access to customer data held on a vendor’s system under laws such as the US PATRIOT Act or UK Regulation of Investigatory Powers Act?
– Continuity of Service: How does my vendor guarantee that my business does not have any service interruptions? It is important to many companies that their service provider has several geographically dispersed data centers and layers of redundancy to protect against an outage.

How do you internally insure that client data can be restored if you yourself are subject to a major threat to your datacenter(s)?

James: The entire Mimecast service platform is engineered with high availability in mind – from the multiple data centers to the design of the internal proprietary protocols.

Mimecast utilizes a grid computing model which is comprised of multiple geographically dispersed data centers, each containing multiple grid nodes (servers) which themselves contain multiple disks. Each customer’s processing and data storage is balanced across a number of nodes to increase performance and redundancy, which itself is duplicated across multiple data centers. This architecture allows Mimecast to lose a disk, a server, a cluster or an entire data center without impacting customer data or service availability.

How do you address internal security issues on your platform? What safeguards are in place to guarantee cutting edge processes for a security policy that addresses customer needs?

James: Managing security for a service provider is not vastly different than managing information security for any other type of company. In fact, the steps are essentially the same:

-Define scope;
-Define acceptable risk;
-Assess risks;
-Treat risks that are beyond the acceptable tolerance;
-Monitor and ensure risks are maintained below an acceptable level;
-Rinse, repeat (as risks change over time, this is a continual process).

The only difference is in that in the first step, you need to ensure that you include the service delivery platform in your risk treatment strategy (it is surprising the amount of service providers who do not include their service platform in the scope of their information security management systems).

You also need to ensure that your level of acceptable risk (as defined in the second step) correlates with the risks your customers are willing to accept. It is important for customers to make sure that their service provider has a compatible scope or level of acceptable risk before choosing them. While the economies of scale that a service provider offers in terms of proactive information security management is often way beyond that which could be achieved by individual companies themselves, this has to be balanced with the fact that service providers represent a much more attractive target to attackers.

Professional associations such as the Cloud Security Alliance and Cloud Audit are establishing a set of best practice controls and audit mechanisms for cloud service providers that should help customers feel safe with their choice. Mimecast is a member of these associations and aligns with other best practice standards such as ISO/IEC 27001:2005 and ISO/IEC 20000:2005, ensuring that the company takes a risk-based approach to treating the threats to both customer data and Mimecast data.

When major players jump into the market with enormous resources both in development and marketing how does a small start-up protect a market share or niche today?

Nathaniel: Being smaller is both an advantage and a disadvantage. Big companies can massively outspend little ones, but little ones can work much faster and can afford to focus – at least initially – on smaller niches (success in only one niche is failure for the big company, but a beachhead for the small).

So the key is to direct your relatively meager resources to take advantage of your strengths and avoid the kind of head-to-head conflict you’re bound to lose. A good first strategy is to exploit your advantage in speed to make sure your product stays ahead on features. That can carry you a good long way, but eventually the product category will mature enough to allow the big competitor to catch up on features. That’s why you need a second strategy, executed at the same time as the first, that allows you to move into adjacent markets as well.

This is where I’ve seen many small tech companies break down. They may be doing a great business in their niche, but if they aren’t able to enter a second market, it’s more or less a matter of time before a competitor or acquirer takes them out. The great entrepreneurial frenzy at the base of the tech pyramid reflects the fact that each new technology is, initially, a new niche, and therefore suitable for an innovator. Over time, however, the more mature the market, the larger a company seems to have to be to compete.

For the little company, this means that “protecting market share” can be equivalent to “die more slowly.” If its sole market niche is consolidating, the small company nearly always has to grow, get acquired, or die. Is there room in the “cloud” for small start-ups and how do they position themselves against the competition?

Nathaniel: I think there is, but not if they define themselves in terms of competing directly with the big cloud companies. That’s like a start-up deciding it’s going to take on Visa or Walmart. The good news is that the nature of large companies pushes them towards the most general, big-market services, so the little guys can find opportunities in more specialized markets. A few of the little guys find that their specialized market is connected to a much larger emerging market, which gives them the rare shot at becoming big companies themselves.

To pick a fanciful example, imagine a company that wants to compete head to head with gmail – same demographics, similar features, etc. They’d have a tough, uphill battle. However, what if they thought they had a clever idea that would make them irresistible to gmail-using dentists? Being small, they could quickly implement their idea and could better afford marketing to dentists than marketing to everyone. If they’re right, the dentists would flock to them, and they could then begin to ask, “what other groups might find this feature useful?” If they can out-invent Google for long enough – an unlikely possibility, to be sure – but they might eventually come to rival gmail, without ever having attacked them head-on.

Moreover, for the somewhat less ambitious very small company the opportunities are unprecedented. Using Amazon’s cloud, for example, a single programmer could build a specialized cloud service and get it up and running for an incredibly small amount of money. Lots of other big cloud services will eventually create similar ecosystems for small innovators. It would not surprise me if there were thousands of very small companies offering highly specialized services a few years from now, some of them virtual one-man shows operating highly reliable services on a global basis.

In terms of current market issues how does your firm determine pricing to attract new customers and retain existing one?

Nathaniel: Pricing truly depends upon the variables of each customer’s particular situation, the services they want and what amount of information or processes are being moved to the cloud.

What issues determine how you address platform reliability and performance from the perspective of your application offering?

Nathaniel: I’ve always felt that if you aimed for 99.9% reliability, you were more or less promising to fail one time out of a thousand. These sorts of numbers are necessary and good for SLAs (Service Level Agreements) and the like, but not for the people tasked with making the system actually work. If you find a bug, you don’t ask if it will occur less than 0.001% of the time; you fix it if you can. I don’t care how Quixotic it sounds, your fundamental posture has to be a zero defect policy. The system should always work well enough to provide the necessary services, period. I think that’s the application-level perspective.

From inside the service delivery team, of course, things look rather different. You have to be proactive in anticipating the effects of growth and the need for additional servers, disks, and other resources. You have to be constantly evaluating your build/test/deploy process, which is ideally a never-ending story of continuous improvement. Basically every issue you can imagine matters, and which one to address next is a tough, one-of-a-kind decision each time.

Having said that, however, no matter how good you are, there are always things outside your control. Perhaps an ISP between you and the customer is behaving erratically, or is down entirely; it will not be obvious to most customers that this isn’t your fault. Recently we had a case in which a major vendor released a new version of its software with a bug that caused it to send out email with gross violations of the email standards, causing our system to handle it poorly. Only an acknowledgement from the offending vendor would convince our customers that we weren’t the ones being unreliable (and of course, we hacked around it to ameliorate the problem far faster than the vendor’s release cycle). In this case, little old Mimecast behaved much more “reliably” than the big old trusted vendor, but probably got more complaints from its customers. It’s just not uncommon for upstream errors to cause downstream problems.

With new announcements daily, we see the major players continue to validate cloud applications. How do you protect or at least anticipate a market share niche with the incredible speed of change in today’s market?

Nathaniel: We can move faster than the big players, but not in more than 2 directions at once, so the key is deciding which direction to move. There is always another niche, or an adjacent product that you can move into fairly seamlessly, but it’s really hard to tell which of those niches will pay off. Basically, I think you have to aim at growth, not niche preservation, acknowledging that your current niches may shrink over time, and using them as a jumping off point.

There are many legal and regulatory guidelines dealing with domain names and management. Are there sufficient legal and regulatory processes in place to protect customers who have made the decision to move all or part of the company data to a cloud platform?

James: Regulations and legislation can differ based on the geographic location and even vertical market segment of the customer – for instance some of our customers are subject to national legislation such as the UK Data Protection Act that embodies EU Privacy Directive 95/26/EC, which relates to securities investment information; while others based in the state of Massachusetts may be subject to local state legislation such as 201 CMR 17.00 that governs the protection of personal information by those that store it.

With regards the compliance requirements of customers, Mimecast simply operates as a service provider providing a platform for customers to conduct their business in accordance with their own compliance requirements. Mimecast designs its service delivery platform and conducts its business with consideration for its customers’ compliance requirements, but, like most cloud platforms, does not have a direct effect on whether a company is compliant or not—that still remains in the hands of the companies themselves.

What is the new paradigm of cloud business models if any? Put your “futurist hat” on and describe how you see the “cloud” evolving over the next ten years?

Nathaniel: I think there are two directions we could go, and the key issue is one you hinted at with your earlier questions: how much, and how quickly, will the industry come to be dominated by a small number of big companies?

In one vision of the future, there will be 1 to 3 cloud companies. Each of them will do more or less the same things, and will create powerful incentives for their customers to do everything with the single vendor. They will have some incentive to innovate to differentiate themselves, but they’ll do so slowly and painfully. Mostly they’ll imitate each other while crushing smaller innovators.

In another version, there will be hundreds or thousands of cloud vendors, accessed via marketplaces similar to the Android or iPhone Markets today. Those markets will access reputation information about the vendors of services from reputation brokers, so that you’ll be able to know a lot about a service provider before you ever sign up. Even though it may just be a guy in his apartment in Topeka, you’ll be able to see that his customers all adore him. And you’ll know that his actual services are running on a third-party service like Amazon’s cloud, so it’s professionally administered and reliable.

It’s no doubt obvious that I prefer the second scenario. The question is, what will make one or the other of these prevail? The answer, I think, is a combination of technical, market, and political factors. Technically, the development of open reputation systems and some related infrastructure is an absolute prerequisite for the happier scenario, and there are others. From a market perspective, is there really room in the market for all those different little services? And politically, how quickly and how completely will governments allow cloud vendors to consolidate markets before they intervene in the name of antitrust?

Whatever happens, I have little doubt that most applications will move into the cloud. I hope that turns out to promote diversity in applications and vendors, but I can just as easily imagine it going either way.

In what way does your internal new product development interface with the need to keep a dedicated cloud security team involved and engaged in anticipating vulnerabilities in security?

James: Security can’t simply be bolted-on, or else it becomes expensive, intrusive, and often, ineffectual. Security is a culture, a mindset and a continual process that needs to be integrated into the operational functions of the business, whether that function is product management, development, testing or operations.

Mimecast ensures that the potential risks (in terms of opening new potential vulnerabilities or exposing new threats) are considered early on in the functional specification and design stages of new features. This helps to ensure that controls can be architecturally baked into the final solution early on in the process and that instead of being expensive, intrusive and ineffectual, security solutions are proportionate, integrated and effective.

One the key issues related to cloud SaaS applications is the complexity and management of the platform. How has your firm addressed user training and support?

Nathaniel: I was a bit surprised, when I joined Mimecast, at the resources we’ve put into these areas, but I’ve quickly come to see how sensible it is. Being proactive is key – teaching people up front can save dozens of support calls down the road, with higher user satisfaction.

Because a cloud service doesn’t have release cycles and support issues like those of traditional software vendors, it’s fundamentally easier for a cloud service to evolve in positive ways. Key to that, I think, is for the user-facing staff (training and support) to have a clear line of communication with the technical team. This leads to quicker improvements which obviate common support situations, and you can get into a virtuous cycle of quick improvements and quick feedback. I’m not saying we’re completely there yet, but you can at least see the outline of that virtuous cycle in what we do today.

Complexity is a hard, hard issue. We’re lucky in that most of what we do is well-understood, but we still have a disturbingly large number of configuration options. I think that for the foreseeable future, companies that move to cloud services will see IT savings, but won’t be able to get their IT staff down near zero, precisely because of the complexity of configuring all of these services.

Can you describe for me your role at Mimecast and how your past background helps the company succeed today?

Nathaniel: Well, I’m new enough to Mimecast that I have to say the jury is out on how much I’m helping. Our CTO, Neil Murray, is a super programmer, and prefers to focus on the development and deployment of our technology as its user base continues to grow rapidly. So that leaves me responsible for more or less everything else on the technical side. I’m worrying about long term strategy, research and prototyping, intellectual property, standards, and technical outreach and evangelism. I hope to help in all of these areas, but what I think is most important is helping the company move into adjacent markets, to make sure we grow in breadth of offering as well as number of customers. Choosing which directions to move, and when, is probably the most important decision we face, and it’s a major focus for me.

This is more or less a perfect job for me. I’ve played a pretty wide range of roles in the Internet industry in the past, which I hope gives me a broad enough perspective for this role. I think I still have a lot of the idealism of a researcher/inventor, but it’s tempered by my experience in multiple startup companies, not to mention IBM. Mimecast is at a very interesting stage – it’s grown large enough that you can’t really call it a startup, and it needs to pick up some aspects of a big company while preserving its fast-moving, innovative traditions. Between that and the strategic decisions we need to make, Mimecast seems to me to be a fascinating place where I have a chance to make a big difference in the long term.

About Nathaniel Borenstein

Nathaniel Borenstein is chief scientist for cloud-based email management company Mimecast. At Mimecast, he is responsible for driving the company’s product evolution and technological innovation. Dr. Borenstein is the co-creator of the Multipurpose Internet Mail Extensions (MIME) email standard and developer of the Andrew Mail System, metamail software and the Safe-Tcl programming language. Previously, Dr. Borenstein worked as an IBM Distinguished Engineer, responsible for research and standards strategy for the Lotus brand, and as a faculty member at the University of Michigan and Carnegie-Mellon University. He also founded two successful Internet cloud service start-ups; First Virtual Holdings, the first Internet payment system; and NetPOS, the first Internet-centric point-of-sale system.

About James Blake

James Blake is the chief security officer for Mimecast and has overall responsibility for strategic messaging, customer advocacy and community relations. James has over two-decades worth of experience in Information Security and has overall responsibility for risk management for the Mimecast’s internal IT and service delivery infrastructure spread across four continents.

By Anthony Park

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

Sorry, comments are closed for this post.

Cukes and the Cloud

Cukes and the Cloud

The Cloud, through bringing vast processing power to bear inexpensively, is enabling artificial intelligence. But, don’t think Skynet and the Terminator. Think cucumbers! Artificial Intelligence (A.I.) conjures up the images of vast cool intellects bent on our destruction or at best ignoring us the way we ignore ants. Reality is a lot different and much…

Ransomware’s Great Lessons

Ransomware’s Great Lessons

Ransomware The vision is chilling. It’s another busy day. An employee arrives and logs on to the network only to be confronted by a locked screen displaying a simple message: “Your files have been captured and encrypted. To release them, you must pay.” Ransomware has grown recently to become one of the primary threats to…

InformationWeek Reveals Top 125 Vendors Taking the Technology Industry by Storm

InformationWeek Reveals Top 125 Vendors Taking the Technology Industry by Storm

InformationWeek Reveals Top 125 Vendors Five-part series details companies to watch across five essential technology sectors SAN FRANCISCO, Sept. 27, 2016 /PRNewswire/ — InformationWeek released its list of “125 Vendors to Watch” in 2017. Selected by InformationWeek’s expert editorial team, the companies listed fall into one of five key themes: infrastructure, security, cloud, data management and…

Part 1 – Connected Vehicles: Paving The Way For IoT On Wheels

Part 1 – Connected Vehicles: Paving The Way For IoT On Wheels

Connected Vehicles From cars to combines, the IoT market potential of connected vehicles is so expansive that it will even eclipse that of the mobile phone. Connected personal vehicles will be the final link in a fully connected IoT ecosystem. This is an incredibly important moment to capitalize on given how much time people spend…

Embedded Sensors and the Wearable Personal Cloud

Embedded Sensors and the Wearable Personal Cloud

The Wearable Personal Cloud Wearable tech is one avenue of technology that’s encouraging cloud connections and getting us all onto interconnected networks, and with the continued miniaturization and advancement of computing the types of wearable tech are always expanding and providing us with new opportunities. A few years ago, smartwatches were rather clunky devices with…

Digital Twin And The End Of The Dreaded Product Recall

Digital Twin And The End Of The Dreaded Product Recall

The Digital Twin  How smart factories and connected assets in the emerging Industrial IoT era along with the automation of machine learning and advancement of artificial intelligence can dramatically change the manufacturing process and put an end to the dreaded product recalls in the future. In recent news, Samsung Electronics Co. has initiated a global…

Choosing IaaS or a Cloud-Enabled Managed Hosting Provider?

Choosing IaaS or a Cloud-Enabled Managed Hosting Provider?

There is a Difference – So Stop Comparing We are all familiar with the old saying “That’s like comparing apples to oranges” and though we learned this lesson during our early years we somehow seem to discount this idiom when discussing the Cloud. Specifically, IT buyers often feel justified when comparing the cost of a…

Are Cloud Solutions Secure Enough Out-of-the-box?

Are Cloud Solutions Secure Enough Out-of-the-box?

Out-of-the-box Cloud Solutions Although people may argue that data is not safe in the Cloud because using cloud infrastructure requires trusting another party to look after mission critical data, cloud services actually are more secure than legacy systems. In fact, a recent study on the state of cloud security in the enterprise market revealed that…

Which Is Better For Your Company: Cloud-Based or On-Premise ERP Deployment?

Which Is Better For Your Company: Cloud-Based or On-Premise ERP Deployment?

Cloud-Based or On-Premise ERP Deployment? You know how enterprise resource management (ERP) can improve processes within your supply chain, and the things to keep in mind when implementing an ERP system. But do you know if cloud-based or on-premise ERP deployment is better for your company or industry? While cloud computing is becoming more and…

Achieving Network Security In The IoT

Achieving Network Security In The IoT

Security In The IoT The network security market is experiencing a pressing and transformative change, especially around access control and orchestration. Although it has been mature for decades, the network security market had to transform rapidly with the advent of the BYOD trend and emergence of the cloud, which swept enterprises a few years ago.…

Cloud Computing Services Perfect For Your Startup

Cloud Computing Services Perfect For Your Startup

Cloud Computing Services Chances are if you’re working for a startup or smaller company, you don’t have a robust IT department. You’d be lucky to even have a couple IT specialists. It’s not that smaller companies are ignoring the value and importance of IT, but with limited resources, they can’t afford to focus on anything…

4 Industries Being Transformed By The Internet of Things

4 Industries Being Transformed By The Internet of Things

Compelling IoT Industries Every year, more and more media organizations race to predict the trends that will come to shape the online landscape over the next twelve months. Many of these are wild and outlandish and should be consumed with a pinch of salt, yet others stand out for their sober and well-researched judgements. Online…

Driving Success: 6 Key Metrics For Every Recurring Revenue Business

Driving Success: 6 Key Metrics For Every Recurring Revenue Business

Recurring Revenue Business Metrics Recurring revenue is the secret sauce behind the explosive growth of powerhouses like Netflix and Uber. Unsurprisingly, recurring revenue is also quickly gaining ground in more traditional industries like healthcare and the automotive business. In fact, nearly half of U.S. businesses have adopted or are planning to adopt a recurring revenue model,…

New Report Finds 1 Out Of 3 Sites Are Vulnerable To Malware

New Report Finds 1 Out Of 3 Sites Are Vulnerable To Malware

1 Out Of 3 Sites Are Vulnerable To Malware A new report published this morning by Menlo Security has alarmingly suggested that at least a third of the top 1,000,000 websites in the world are at risk of being infected by malware. While it’s worth prefacing the findings with the fact Menlo used Alexa to…

The Cloud Is Not Enough! Why Businesses Need Hybrid Solutions

The Cloud Is Not Enough! Why Businesses Need Hybrid Solutions

Why Businesses Need Hybrid Solutions Running a cloud server is no longer the novel trend it once was. Now, the cloud is a necessary data tier that allows employees to access vital company data and maintain productivity from anywhere in the world. But it isn’t a perfect system — security and performance issues can quickly…

Cost of the Cloud: Is It Really Worth It?

Cost of the Cloud: Is It Really Worth It?

Cost of the Cloud Cloud computing is more than just another storage tier. Imagine if you’re able to scale up 10x just to handle seasonal volumes or rely on a true disaster-recovery solution without upfront capital. Although the pay-as-you-go pricing model of cloud computing makes it a noticeable expense, it’s the only solution for many…