SMSAM

Google/Postini Security

Introduction - Prevention of Mail Intervention
The protection of customers’ data is of primary importance to Google/Postini, so much so that not only is the product designed to automate all data processing tasks so that no human intervention is required, but any mail storage is also segmented in such a way that piecing messages back together requires more than one person.

As a measure of how seriously Google/Postini takes corporate security and compliance requirements, they have signed up to several high-level categories of security and compliance, including: FSA (Financial Services Authority), ISO17799, WebTrust, AICPA WebTrust, SAS 70 Type II Certified, and audited by KPMG.

Behind Google/Postini’s ability to ensure the highest level of security is their patented “Pass-Thru” technology, which scans mail in memory, rather than writing all mail to physical media before forwarding to the recipient.  This unique process allows Google/Postini to maintain the best service levels, as well as the best security levels.

Email Scanning & Email Archiving
Although Postini scans mail in memory, there is clearly a requirement to write mail to physical media on a number of occasions:

  • Quarantined mail
  • Disaster recovery spooling
  • Email archiving

These services are all managed in the same manner, and the security around them is handled in 4 distinct ways:

  • Physical data centre security
  • Security around personnel and their access to systems
  • Logical security of each email
  • Full auditability

The basic Pass-Thru process and each security process are all described below:

Mail Not Held During Processing - Destruction of Mail Not Necessary
The basis of Google/Postini security is Google/Postini’s Pass Thru Processing™, which ensures that Google/Postini processes email entirely in memory as a proxy and never writes a good email to disc.  This allows customers to assure regulators, internal security teams and sensitive clients that their email does not reside outside of the customer’s environment.

Google/Postini’s mail processing architecture begins with a large number of separate mail handlers that service all inbound mail for a given system.  The mail handlers are load balanced and represented on the Internet by only 4 virtual IP addresses.  On the mail handlers, messages are inspected, scored, processed, and delivered in memory. No valid email is stored to disk.

For email that is scored as junk and forwarded to quarantine, the headers are stored in a database and the bodies are stored to disc on a separate set of machines into logical “buckets”.  A bucket does not represent a particular organisation or domain.  This is also true of messages that are spooled for customers experiencing network outages or MTA failures.

Physical Infrastructure Protection - Summary
Google/Postini DCs provide the following physical security measures:

  • Remote 24 x 7 security monitoring
  • Full electronic access control system, based on proximity cards with photo and PIN keypads
  • Biometric palm scanners, in addition, for co-location areas
  • Locks on co-location suites and cabinets
  • Intruder detection system on escape and riser doors
  • CCTV monitoring and recording of all access points and circulation areas
  • Local Operations and Control Centre
  • Network monitoring system with critical alarm repeating to Regional Management Centre

Personnel
On the personnel side, access to these systems is restricted to only those employees required for product support.  All access is approved by management and implemented through Google/Postini’s security group.  Authorised employees are required to go through bastion hosts to gain access to production systems.  Authentication on the bastion hosts is through 2-factor RSA SecurID tokens and all employee actions on production systems are keystroke logged.  In areas where customer data is stored, segmentation of duties is enforced.  Database administrators do not have access to the machines where message bodies are stored and system administrators do not have access to the databases.

Granular Access and Management
The Google/Postini Administration Console provides a comprehensive and granular permissions structure.

There is no limitation on the number of administrators that may be defined in the Administration Console.  Administrators may be given ‘read’ or ‘modify’ permissions to all functions within the product.

In addition, since the Google/Postini solution is organised as a hierarchical group structure (similar to Active Directory), these permissions may be implemented at any point in the directory structure.

For example:

Administrator A - has global permissions from the root down through all groups.
Administrator B - has permissions ONLY within his business unit group structure.

Using this methodology, it is easy to delegate authority to view quarantine areas without giving unnecessarily powerful access to users who do not require it.
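
The scoping rule described above, as an added example (a hypothetical model, not the Administration Console's own code or API). The group names, the "quarantine" function name and the "*" wildcard are assumptions made for the illustration.

```python
from dataclasses import dataclass

LEVELS = {"read": 1, "modify": 2}  # 'modify' implies 'read'

@dataclass(frozen=True)
class Grant:
    admin: str
    scope: tuple    # group path where the grant is attached; () is the root
    function: str   # product function; "*" = all functions (assumed convention)
    level: str      # "read" or "modify"

def is_allowed(grants, admin, group_path, function, level):
    """True if a grant at group_path or one of its ancestors covers the request."""
    if level not in LEVELS:
        raise ValueError(f"unknown permission level: {level}")
    target = tuple(group_path)
    for g in grants:
        if g.admin != admin or g.function not in ("*", function):
            continue
        # A grant covers its own group and everything beneath it,
        # never a sibling or a parent group.
        if target[:len(g.scope)] != g.scope:
            continue
        if LEVELS[g.level] >= LEVELS[level]:
            return True
    return False  # default deny

# Constructed sample grants mirroring the Administrator A / B example.
GRANTS = [
    Grant("admin_a", (), "*", "modify"),                   # global, from the root down
    Grant("admin_b", ("emea", "finance"), "*", "modify"),  # one business unit only
    Grant("helpdesk", ("emea",), "quarantine", "read"),    # view quarantine, nothing else
]
```

The third grant is the delegation case: the helpdesk account can read quarantine anywhere under "emea" but cannot modify it or reach any other function.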

Intruder Detection Systems
Google/Postini has implemented a Security Management System (SMS) as required by SAS70 Type II and WebTrust audited certifications. As part of the SMS, Google/Postini has an IDS to monitor and alert on unusual and/or suspicious traffic, and employs tools to respond as required to maintain our Security Certifications.

For example:

  • We conduct quarterly vulnerability scans on all external IP addresses using Qualys to validate our ACL and load balancer configurations.
  • We conduct quarterly vulnerability scans on all internal machines using a combination of eEye Retina and Nessus to validate our patch management and remediation program.
  • All system builds originate from system images heavily scrutinised and hardened by the Information Security Department. These systems go through various levels of operational and engineering validation and testing before final imaging.
  • Automated reports that summarise network and load balancer changes are emailed daily for review and validation. The reports are reviewed by Network Engineering management and the Information Security Department.
  • Automated port scans are conducted against all new devices introduced to each production system on a daily basis. The results are sent via email and examined by the Information Security Department.
  • We use a restricted access compliance engine to maintain key security and operational files on all production machines. Certain files will automatically revert to approved configurations if unapproved changes are made locally.
  • System patching status is reviewed monthly by senior level managers in Operations and Engineering.
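
The revert-to-approved behaviour of the compliance engine mentioned in the list above, sketched as an added example (not Google/Postini's tooling). The directory layout, file names and file contents are constructed for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(approved_dir):
    """Map relative file name -> SHA-256 of the approved copy."""
    root = Path(approved_dir)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {str(p.relative_to(root)): sha256(p) for p in files}

def enforce(approved_dir, live_dir, baseline):
    """Restore live files that drifted from the baseline; return audit findings."""
    findings = []
    for rel, digest in baseline.items():
        src, dst = Path(approved_dir) / rel, Path(live_dir) / rel
        if sha256(src) != digest:
            # The approved store itself changed: report it, never propagate it.
            findings.append((rel, "approved-copy-mismatch"))
            continue
        if not dst.exists():
            reason = "missing"
        elif sha256(dst) != digest:
            reason = "modified"
        else:
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        findings.append((rel, reason))
    return findings

def demo():
    """Constructed scenario: one file edited locally, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        approved, live = Path(tmp, "approved"), Path(tmp, "live")
        approved.mkdir()
        (approved / "sshd_config").write_text("PermitRootLogin no\n")
        (approved / "relay.acl").write_text("deny all\n")
        baseline = build_baseline(approved)
        shutil.copytree(approved, live)
        (live / "sshd_config").write_text("PermitRootLogin yes\n")  # unapproved change
        (live / "relay.acl").unlink()
        first = enforce(approved, live, baseline)
        second = enforce(approved, live, baseline)  # nothing left to fix
        return first, second, (live / "sshd_config").read_text()
```

The findings list is what would feed the emailed review reports; a baseline kept outside the approved directory is what lets the check notice tampering with the approved copies themselves.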

Email Logging
All messages are logged, and these logs are kept for 98 days. The details logged are:

  • Sender IP
  • Sender address
  • Date / Time
  • Spam score
  • AV result
  • Recipient address
  • TLS status
  • Size
  • Message Disposition

Audit Trail
The Postini system is fully auditable and change logs can be requested at any time.  Administrator access is extremely granular, so the access granted to each individual administrator can be limited to only the necessary OUs and actions.

Further to this, Postini carries both SAS70 Type 2 and WebTrust certifications.  They are also audited themselves annually by KPMG.

Security Certifications – Further Information
Postini maintains two security certifications.

Postini’s security measures are validated by our SAS 70 Type II and WebTrust Certifications, as well as by our adoption in Financial Services, Legal Services and Security Services organisations, which have arguably the most rigorous security requirements.

Postini compliance and audit standards include: FSA (Financial Services Authority), ISO17799, WebTrust, AICPA WebTrust, SAS 70 Type II Certified, and audited by KPMG.

Postini has been awarded WebTrust security certification.
Go to: https://cert.webtrust.org/ViewSeal?id=471 for details.

KPMG has audited and certified Postini's SAS-70 Type II (Statement for Auditing Standards #70). 
Go to: http://www.sas70.com/about.htm

These two certifications represent an on-going commitment to excellence. Postini is regularly audited for security to maintain these certifications.

Postini is also ISO17799 compliant.

The Perimeter Manager service and administrator portal are Verisign Secure sites. The Perimeter Manager service is Trust-e privacy certified.
See: http://www.truste.org/ivalidate.php?url=www.postini.com&sealid=102

As mentioned, Postini is able to audit and report back on all changes made by any authorised administrator within the Postini admin portal.