Proofpoint Enterprise Archive: Proofpoint Network

Proofpoint hosts data in isolated units called stores. Each store contains data for a single corporate customer that is encrypted with unique customer keys. Stores are signed with unique customer identifiers. These stores are accessed through redundant directory services that are able to locate your corporate data across the entire storage infrastructure.

All email data maintained within the Proofpoint network remains in encrypted form and can only be decrypted using unique keys maintained by the customer. The isolation of customer data in individual stores, combined with customer-specific security encryption, ensures that your data is never compromised.

The Proofpoint network is designed to provide complete corporate data protection for email messages through multiple levels of physical and network security. Our servers are located in geographically diverse data centers engineered for maximum security protection through such measures as:

• Around-the-clock onsite security guards;
• 24 x 7 video surveillance that blankets the entire facility, monitoring and archiving all visitor movement;
• Multiple layers of security access into individually locked co-location areas via electronically-controlled pass cards with escorted access and/or biometric identification, logging all access and ensuring only authorized personnel can enter the data center.

The network infrastructure is further protected by multiple layers of industry-standard security technology to guard against unauthorized access and sudden security attacks.

Access to the Proofpoint network is restricted to authorized Proofpoint operations personnel who must supply proper identification codes and passwords to enter the data center and/or login to the archive servers. In addition, with Proofpoint's DoubleBlind Encryption™, all archived data is stored in encrypted form, so Proofpoint personnel cannot see the confidential information contained in messages.

The Proofpoint network is designed to ensure access to corporate data on demand. The data centers we employ are engineered for high availability and reliability, including:

• N+1 redundancy for all environmental controls including redundant HVAC systems and dry coolers, as well as highly sensitive leak detection systems;
• Advanced fire detection and suppression systems;
• Dual, high-voltage feeds from the public hydro system, with each feed capable of powering the entire data center at full load on its own;
• Redundant UPS systems, diesel generators and power distribution units to ensure uninterrupted power, backed by 100% power availability guarantee;
• Redundant connectivity to major Internet backbones to ensure network availability 100% of the time.

The Proofpoint network architecture has been designed to reduce single points of failure by employing redundant and/or clustered hardware configurations within each data centre. In addition, the solution was designed to allow horizontal scalability of the entire server infrastructure. Multiple copies of encrypted data are also maintained on spinning disks at multiple data centers.

Proofpoint leverages the data center's Network Operations Center (NOC) for 7x24 monitoring of the physical and network infrastructure, including network connectivity, HVAC, fire control, power and security. All systems, including data security firewalls and servers are monitored 24 hours a day, seven days a week with onsite sparing to ensure rapid replacement and minimize downtime in the event of a hardware failure.

For application monitoring, Proofpoint uses purpose-built tools that tie into our open-source monitoring infrastructure via SNMP and port-based monitoring. This service checks the application on a regular basis to verify and alert our technical support team of failure. These tools also provide us with information that can be used for trend analysis and capacity planning.

Each customer's archived data is encrypted and sent to a primary data center. A copy of the encrypted data is also sent to the secondary data.

In the event that the archiving service is completely shut down, we can re-point the service to the secondary data center. Once re-pointed, the secondary data center will process search requests throughout your archived data. Any new email received by the corporate Exchange server will continue to be added to the journaling mailbox for processing upon the resumption of normal operations.

Proofpoint follows a well-defined change management process for all changes to our internal and production environments.

All proposed changes to the application or the underlying infrastructure, including roll-back procedures, are first tested in our separate quality assurance environment. The results are then reviewed by members of the development, quality assurance, product management and operations groups prior to deployment in the production environment.

Changes made to the production environment are implemented during maintenance windows and are fully tested prior to release to our customers. In addition, all changes are documented and tracked to ensure accountability and repeatability.

The Proofpoint network has been designed to scale in parallel with growing storage requirements. Archived message stores are deliberately kept small in size, and then copied to multiple servers. When corporate data information is requested, messages that match the search criteria from each store are aggregated to produce the full search results. In addition to affording massive scalability, the grid storage infrastructure allows Proofpoint to constantly rebalance the network for optimal performance. This distributed grid storage and computing architecture was specifically built by Proofpoint to address the management challenges of ever-growing datasets.

Our storage infrastructure is capable of scaling to multi-petabytes of storage. The Proofpoint application has also been designed to leverage its large-scale distributed environment to search through petabytes of data in near real-time.

Yes, the archiving service as well as the Proofpoint data centers are SAS70 Type II certified. All operations processes are fully documented and audited in accordance with our SAS70 Type II certification.