Presentation transcript: CREDANT, NLIT 2009
1 CREDANT Confidential. NLIT 2009
2 CREDANT Company Overview
2007 Data Security Leadership Quadrant; 2007 & 2008: #1 Fastest Growing Private (Security) Company; Test result: 8.6 Very Good
- Founded - September 17, 2001
  - To enable customers to manage security of data on any device – PDA, PC, MAC, USB
- Product Line - CREDANT Mobile Guardian (CMG)
  - Data-centric, policy-based, centrally managed data protection solution that "Protects What Matters" - your critical information
- US-Based Company
  - Code developed in Addison TX.
  - Cisco Systems & Intel Capital are key investors
- Accomplishments
  - More than 775 customers, 7 million endpoints
  - Solution recognized by leading industry experts
  - INC 500 Fastest Growing Security Company 2007 & 2008
CREDANT Confidential. Subject to NDA
3 Agenda
- The Business Problem
- Centralized vs. Decentralized Management
- Compliance with Federal Desktop Core Configuration (FDCC)
- Supporting Imaging Across Platforms
- Managing Shared PCs
- Authentication Support
- Roadmap
- Encryption Solution Issues
4 The Business Problem
Critical enterprise data resides on numerous endpoint devices, and the storage capacity and criticality of information continue to increase.
Diagram labels: Employee, Contractor, Partner; Research Data, Intellectual Property, Purchasing Information, Social Security Numbers, SBU or Classified Government Information, Test Data; Airport, Internet Cafe, Home, Office, Site, Transit
5 The Business Justification – Encryption Cost
- Assume 1000 employees/contractors
- Assume 250 use laptops that need protection
  - The ratio of machines that need protection to those that don't will vary, but the business justification is the same
- Cost after discounts = $75/laptop
- Internal labor/training costs to implement = $50/laptop
- Total = $125/laptop x 250 laptops = $31,250
- Just to be safe – double that to $62,500 to implement a Data-at-Rest (DAR) encryption solution
6 The Business Justification – Breach Cost
- Assume 10,000 personnel records lost
  - A 200GB HD can hold 2,000, KB records
- Cost to change each bank/credit card account: $15/record = $150,000
- Cost per individual for a year of credit monitoring service: $60/individual = $600,000
- TOTAL = $750,000
- Does not include any legal fees, or the cost of security implemented after the fact
- DoE data breaches carry risk that cannot be monetized
7 Management Choices: De-centralized
- Encryption keys created on devices
  - Usually only one key per device
  - User may control keys, lockout may be catastrophic
- Administrative accounts per-device
  - Creates additional management overhead
  - Requires change in maintenance operations
- Device-centric
  - No differentiation of data types or users
  - No data-usage controls
  - Compliance may be hard to demonstrate
  - No management of device status at time of loss
- Best only for use in very small deployments
  - Typically fewer than 20 devices
  - Un-managed environments
Callouts: No Usage Controls; Single key
8 Management Choices: Centralized Management
A centrally managed solution integrates with the Enterprise directory, providing enforcement of encryption policies and reducing management effort and cost.
- Detect
  - Automatically detect users added to Enterprise directory and create encryption keys and policies.
  - Detect media devices automatically.
- Encrypt & Enforce
  - Encrypt and enforce encryption policies.
  - Manage keys for hardware-based encryption.
  - Control data usage outside the enterprise.
- Manage & Audit
  - Manage and audit – show device state at time of loss.
  - Adapt to changing regulations.
  - Securely automate key escrow.
- Operate & Support
  - Operate and support – reduce administrative costs.
  - Centralize key escrow and access control (forensics).
Outcomes: Reduce Risk; Ensure Operational Efficiency; Gain Workforce Productivity
9 FDCC Compliance
- Users cannot have administrative rights on the PC
  - Impacts removable media support most
  - User cannot mount volumes
  - Users cannot install software
- Users' file system rights should be restricted
  - Incompatible with some encryption solutions
  - Pagefile must still be encrypted
  - Solution must be able to run outside of user privileges
- Ports and protocols are managed/restricted
  - Encryption solutions must have flexible network settings
- Automated patching and scanning systems deployed
  - Encryption solution must not prevent malware detection and remediation
- IDS solutions are likely in use
  - Must be compatible with deployed IDS(s)
10 Imaging is Now the Standard Way to Deploy
- This can be problematic if the DAR solution encrypts or generates keys for the image at install time
  - All devices may end up with the same key
  - Changing the key requires decryption/re-encryption
- Encrypted images cannot be changed
  - The encrypted volume is not editable
- Can add considerable time to the imaging process
  - Requires unnecessary encryption of an empty drive
- Some solutions do not support standard imaging processes
  - Especially true if images are deployed to hard drives with different geometries
11 Shared PCs
Multiple users per device create management and security issues
- Will users share boot passwords?
  - If not, then pre-boot accounts must be managed for each user
- Does data access need to be controlled across users?
  - Does User A need to be prevented from seeing User B's data?
  - All users of the device may end up with the same key
  - Pooled devices may need to be wiped/re-imaged between users
- Is audit required to track system access?
  - Can you show who used which PC and when?
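The two key-reuse risks raised on the imaging and shared-PC slides (every imaged device ending up with the same key, and all users of a shared device ending up with the same key) can be checked from a central key-escrow export. The following is an added example, not CREDANT's code or part of the original presentation; the record layout, device names and key values are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample escrow export: (device_id, user, raw key bytes).
# Real escrow systems differ; this record layout is an assumption.
ESCROW = [
    ("LT-001", "alice", bytes.fromhex("11" * 32)),
    ("LT-002", "bob", bytes.fromhex("11" * 32)),    # cloned from the same image
    ("LT-003", "carol", bytes.fromhex("22" * 32)),
    ("KIOSK-7", "dave", bytes.fromhex("33" * 32)),
    ("KIOSK-7", "erin", bytes.fromhex("33" * 32)),  # shared PC, one key for both users
    ("KIOSK-8", "dave", bytes.fromhex("44" * 32)),
    ("KIOSK-8", "erin", bytes.fromhex("55" * 32)),  # shared PC, per-user keys
]

def fingerprint(key: bytes) -> str:
    """Compare keys by truncated SHA-256 digest so raw key material stays out of reports."""
    return hashlib.sha256(key).hexdigest()[:16]

def audit(records):
    """Return (keys reused across devices, devices where several users share one key)."""
    devices_by_key = defaultdict(set)
    users_by_device_key = defaultdict(set)
    for device, user, key in records:
        fp = fingerprint(key)
        devices_by_key[fp].add(device)
        users_by_device_key[(device, fp)].add(user)
    cloned = {fp: sorted(d) for fp, d in devices_by_key.items() if len(d) > 1}
    shared = {dev: sorted(u) for (dev, _), u in users_by_device_key.items() if len(u) > 1}
    return cloned, shared

if __name__ == "__main__":
    cloned, shared = audit(ESCROW)
    for fp, devs in cloned.items():
        print(f"key {fp} reused across devices: {', '.join(devs)}")
    for dev, users in shared.items():
        print(f"{dev}: users {', '.join(users)} share one key")
```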
12 Authentication Support
- Many organizations have multiple authentication types
  - UID/Password
  - Tokens
  - Smartcards (HSPD-12 PIV)
  - Mixed-mode authentication
- Are these supported by the DAR solution?
  - What does it take to get a new authentication type supported?
  - Do code updates require decryption/re-encryption?
  - What tools need to be used to upgrade?
- Can users switch between authentication types?
  - e.g., UID/Password or CryptoCard and still access data on the PC
  - Temporary access while a token/smartcard is being re-issued
- Does data access need to be controlled across users?
  - Does User A need to be prevented from seeing User B's data?
  - Can this be tied to the encryption solution?
  - All users of the device may end up with the same key
  - Pooled devices may need to be wiped/re-imaged between users
13 Roadmap
In the past there were two options in data protection…
- Full Disk Encryption
  - No User Data Privacy
  - Patch management issues
  - System compatibility problems
  - Operational & performance issues
  - Dead-end Technology
- File/Folder Encryption
  - User Chooses Files to encrypt
Now there's a Better Way: Full Data Encryption technology to solve current and future problems
- Intelligent Encryption benefits:
  - User Cannot Choose – All Data Protected
  - User Encrypted Data Privacy
  - Single Console for all Management
  - Broad ALL mobile platforms: PC, USB Media, Handhelds
  - Avoid compatibility & operational impacts
  - Single agent can grow with future needs
14 Management Across Platforms
- Full Compliance Reporting
- Low Operational Impact
- Transparent to End-users
- All Solutions Managed within One Console
15 Contact Information
Eric Hay, Director, Federal Field Engineering
Ofc:
Comments/Questions/Discussion
Reduce the Risk of Data Compromise!