We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byKaden Fallick
Modified over 3 years ago
Local Data Protection (LDP) A Case Study Laptop Data Encryption Eric V. Leighninger Chief Security Architect Allstate Insurance Company June 20, 2008 ©2008 Allstate Insurance Company
Agenda Allstate and Information Security – A Snapshot View Laptop Encryption – Goals, Expectations, Priorities Technology Acquisition – Vendor Selection Process Vender Solution Deployment Lessons Learned
©2008 Allstate Insurance Company Allstate At A Glance The Allstate Corporation is the nations largest publicly held personal lines insurer. A fortune 100 company with $156.4 billion in assets. Allstate sells 13 major lines of insurance, including auto, property, life and commercial. Allstate also offers retirement and investment products and banking services. Allstate is widely known through the Youre In Good Hands With Allstate® slogan. The Allstate Corporation encompasses more than 70,000 professionals with technology operations located around the globe. More than 17 million customers in the U.S. and Canada. Allstates strategic vision is to reinvent protection and retirement for the consumer.
©2008 Allstate Insurance Company Allstates Vision for Information Security Aligned with Corporate and Technology Strategy Security Solutions Prioritized Based Upon Risk Operational Excellence – Security as a Service Comprising People, Processes, and Technology
©2008 Allstate Insurance Company Local Data Protection Goals Reduce Risk of Exposure Minimize Recovery and Support Costs Ensure Compliance Enable Productivity and Ease of Use Leverage Investment in Existing IT Infrastructure
©2008 Allstate Insurance Company Local Data Protection Priorities Policy Holder and Applicant Data Employee Data PHI Credit Card Numbers Confidential Data Financial Information – Pre Earnings Release Communications to Competitors, Partners and Suppliers Source Code Competitive Sensitive Information
©2008 Allstate Insurance Company Local Data Protection Approaches File Encryption Laptops Desktops Full Disk Encryption Laptops Desktops Encryption of Removable Media USB-enabled Devices – Flash Drives, iPods, Bluetooth Devices, Thumb Drives, Hard Disks CD/DVD Writers Password and PIN Controls Blackberry Other PDA Devices Standards and Guidelines for Data Classification, Usage and Protection, Access Control and Encryption
©2008 Allstate Insurance Company Laptop Full Disk Encryption Evaluation Step 1: Using the local data protection goals and solution selection criteria Performed paper analysis of top disk encryption vendors Interviewed vendors regarding respective product functionality Step 2: Performed hands-on product evaluation per our technology evaluation process at Allstate for candidate vendor ranked highest in Step 1 Step 3: Based on in-house product and process evaluation results Allstate acquired the vendors encryption product
©2008 Allstate Insurance Company Laptop Encryption Product Criteria FIPS 140-2 Approved Encryption Full Disk Encryption Strong Key Management Storage of Encrypted Keys Separate from Encrypted Data Controlled Views to Keying Material – MAC and Separation of Duties Key Recovery – Onsite, Off- site and DR Centralized Management Interoperable With Enterprise Software Removable Media Encryption Support Low Performance Degradation Fast, Robust and Reliable Initial Encryption SMS Package Support Throttled Background Encryption Processing Capability Fault Tolerance – Power Outages or User Shutdown Does Not Affect Encryption Process Support for Suspend and Hibernation States Mouse Support
©2008 Allstate Insurance Company Laptop Full Disk Encryption Benefits The selected encryption product provides Allstate the following advantages: Strong security model Efficient key management Ability to leverage our current SMS infrastructure for deployment and management Compatibility with Allstates current Image and Break-Fix processes Does not require alteration or replacement of key Windows components: Windows Master Boot Record and the Windows GINA High confidence due to the type and number of the vendors installed base of users Attractive product TCO
©2008 Allstate Insurance Company Full Disk Encryption Security Model
©2008 Allstate Insurance Company Laptop Full Disk Encryption Deployment A pilot was completed successfully for over 60 users from our information security, internal audit, claims, enterprise technology and infrastructure, and officer groups Final pre-deployment enterprise testing was conducted to test product enhancements and updates Production rollout is being accomplished in a 3 phase fashion Phase 1 is complete Phase 2 is scheduled this year Phase 3 is pending
©2008 Allstate Insurance Company Laptop Full Disk Encryption Deployment Phase 1: Full disk encryption was deployed to approximately 10,000 laptops in areas within the company identified as handling sensitive data e.g., Senior Management Legal Claims Investments Phase 2: Full disk encryption will be deployed this year to all Allstate owned and managed laptops running latest base image, approximately18,500 laptops Phase 3: Laptops running earlier base image and Desktops, an approximate total of 70,000 machines, will be addressed at a future time
©2008 Allstate Insurance Company Laptop Full Disk Encryption Timeline
©2008 Allstate Insurance Company Lessons Allstate Learned Encryption can be a timely and beneficial technology Laptop encryption has provided increased data protection and has helped us reduce the risk associated with laptop loss or compromise Three suggestions to consider Establish clear data protection goals, criteria and policies for encryption and key management Establish a communications plan for systematic and smooth deployment of encryption software Do your homework on vendor capabilities versus organizational needs Most significant lesson: Ours was a rapid pilot to production deployment for pragmatic and regulatory reasons. We found such a deployment is possible, albeit not without some bumps in the road, when requirements are well defined, there is clear alignment of technology strategy and management objectives, and cooperation and flexibility across organizational boundaries
Thank You! Questions?
ATUL PATANKAR [ ASUG INSTALLATION MEMBER MEMBER SINCE: 2000 LINDA WILSON [ ASUG INSTALLATION MEMBER MEMBER SINCE: 1999 JUERGEN LINDNER [ SAP POINT OF CONTACT.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.
One Platform, One Solution: eToken TMS 5.1 Customer Presentation November 2009.
Global Program Management Dawn Davis, SVP Global Records Management.
Information Systems Portfolio Management March 7, 2002.
© 2012 Citrix | Confidential – Do Not Distribute BYOD Champion Presentation CIO How-To Kit: Bring-Your-Own Devices © 2014.
Network and Server Basics. Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server network.
1 CREDANT Confidential. 1 NLIT CREDANT Company Overview 2007 Data Security Leadership Quadrant 2007 & 2008: #1 Fastest Growing Private (Security)
Abstract To provide efficient and effective access to enterprise information that meets stakeholder needs and supports mission success, NASA is implementing.
Microsoft and Symantec
Albany Bank Corporation Security Incident Management Program.
RDX: REMOVABLE HARD DISK STORAGE SYSTEM December 2010.
Enterprise Computing Community June , 2010February 27, Information Security Industry View Linda Betz IBM Director IT Policy and Information.
ITACS L.L.P. Policy And Procedures Group 1. Objective: To establish companywide policy with regards to personal device usage both on and off of the company.
1 Copyright © 2007 Accenture All Rights Reserved. Affirmative Insurance Accenture Claim Components Solution Win Card Accenture has been selected to license.
Selling Consolidation’s Value. Why Consolidate? Reduce Complexity Increase Productivity Reduce TCO Improve End User Experience Improve IT Performance.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.
Protecting Data at Rest Through Encryption CIO Summit November 30, 2007.
© 2017 SlidePlayer.com Inc. All rights reserved.