Presentation on theme: "Encryption: one element of Smart Security"— Presentation transcript:
1 Data Protection Policy Compliance using Notebook Hard Disk Drive Encryption
2 Encryption: one element of Smart Security Security Involves Several Focus Areas
3 Why Data Encryption? Breaches Can Be Costly! When a breach occurs, organizations can lose money.They may be required to publicly disclose the breach, significantly damaging an organization’s public image.They are generally required to notify persons whose information was exposed - involving communication costs & perhaps financial compensation.They may experience lost productivity costs when staff is repurposed to address a breach.They may face fines from the FTC or business partners.Many industries are now subject to governmental regulation and/or industry security compliance guidelines
4 Costs of a Security Breach 2007 Estimated Cost/Lost RecordForrester Research: $90-$3051Ponemon Institute: $1972Direct CostsNotification Costs - organizations can incur costs associated with legal fees, mail notification letters, calls to individual customers, increased call center costs and discounted product offersLost Productivity Costs - organizations can incur costs when employees and contractors are diverted from their normal duties in order to address data breach controlsFinesCertain federal privacy statutes include fines for violations that can amount to tens of thousands of dollars3In 2006, Visa and MasterCard announced levying of fines from $10K-100K against transaction processors that fail to keep transactions secure4,5In 2006, the FTC issued $15 million in fines when an Atlanta-based consumer data broker lost more than 163,000 personal records to insurance and credit companies in February 20056Lost Shareholder Value and GoodwillStock prices can take temporary or long term drops – eg, an Atlanta-based data broker had lost about 20% of its stock value 2 years after losing 163,000 personal records7Footnoted references are recorded at the end of this presentation.
5 Who can be Affected? Virtually Everyone! Any organization can be at risk if, for instance, they lose employee recordsRetailers & Merchants• In October 2007, a national home supply retailer announced that a laptop with the personal data of about 10,000 employees was stolen from the car of a regional manager• In January 2007, a major national clothing retailer revealed that hackers took the credit and debit card information of customers through an unauthorized intrusion into their computer systems• In June 2005, a regional membership warehouse retail chain on the east coast settled FTC charges stemming from lax security practices which included a failure to encrypt consumer information when it was transmitted or stored on store computersHealthcare & Insurance• In March 2007, one of the nation’s largest health insurers notified 75,000 members that a compact disk holding medical and personal information had disappeared• In August 2006, a corporate operator of hospitals and health systems reported 10 laptops with thousands of patient files had been stolen from a regional officeGovernment Agencies• In November 2007, a federal agency investigated the theft of personal computers containing the names of 12,000 veterans; in 2006, a system containing the personal details of 26.5 million veterans was stolen from the same agency• In October 2007, a federal agency mandated that contractors must encrypt any and all data on personal computers following the loss and possible theft of two laptop computersEducational Institutions• In April 2006, a major state university announced that an unknown person or persons had gained unauthorized access to a large number of electronic records that included social security numbers and other biographical dataBanking & Brokerage• In October 2007, a Kansas branch of a regional bank in the Midwest announced that a limited number of customers had personal data compromised in an attempted hacking of a computer systemCredit & Payment Agencies• In February 2006, the FTC announced that it had settled with a third-party credit card processor for failure to provide reasonable and appropriate security for sensitive consumer informationAccounting• In November 2007, an Ohio-based accounting firm lost personal information on clients when a laptop was stolen from an automobile
6 What can organizations do? Strong data encryption can protect private information from unauthorized accessData encryption can help address federal and state privacy requirements*At least 39 states have enacted legislation requiring the notification of security breaches involving personal information**Many federal laws that have been enacted also seek to ensure protection of private informationEncryption can be hardware-based or software- basedHardware-based: Seagate® Momentus® Full-Disk Encryption (FDE) drivesSoftware based: Software encryption solutions exist from a variety of third-party independent software vendors*Rigorous standards apply and can vary by state - check with a local legal expert for a complete set of requirements for your state**According to the National Conference of State Legislatures, December 12, 2007
7 Hardware vs. Software Encryption Dell FDE Hardware Solution(FDE + Wave)Software EncryptionItems encryptedEverything (boot files, all folders, etc)Encryption keys stored within the drive (closed environment = tougher encryption)Some SW solutions omit boot files and possibly temp filesPerformanceEncrypts as fast as the drive can writeDoesn’t utilize system CPU/memoryUses system CPU power (estimated 3-4% performance degradation)ManageabilitySimple installation & deploymentCentralized management with purchase of Wave ERAS softwareMay experience issues with HDD errors and maintenance routines (i.e. defrag, bad sectors)Risk that remote mgmt SW may not work well with some SW encryption solutionsHDD DisposalQuick and secure “Erase” for HDD disposal or repurposeNot available with most SW; would have to utilize current HDD destroy methods (time consuming)OS SupportMicrosoft® Windows® XP support thru DellWindows Vista® supported by Wave Systems CorporationMany solutions support Windows 2000, XP, and Vista®; some support Linux®Compliance CertificationsFDE drive is NOT currently FIPS compliant (primarily a Fed certification)Many solutions have been NIST Certified FIPS CompliantEncryption OptionsFully encrypts data stored on the hard driveFull disk encryption on the hard driveOptional encryption for removable media (i.e. USB keys, external HDDs, etc)DeploymentFull deployment requires full scale replacement of existing HDDsHW agnostic; allows full deployment across existing PC infrastructure. Does NOT require full scale replacement of HDDsDell recommends hardware encryption for new system purchases.
8 Dell FDE Hard Drive Solution Solution ComponentsSelect Dell™ Latitude™ D-series notebooks*, withSeagate Momentus 5400 FDE.2 hard driveDell Embassy Security Center with Wave Trusted Drive managerWave Embassy Remote Administration Server Software (running on your Dell server)Implementation of Dell’s Security Best PracticesENTERPRISE NETWORKEmbassy®RemoteAdministrationServerLOCAL PCFDE DRIVEEmbassy®Trusted DriveManagerSeagate®DriveTrust™TechnologyImplementation of Dell’s Security Best Practices* Seagate Momentus hard drives and Dell Embassy Security Center are also available on select Precision mobile workstations8
9 Dell FDE Hard Drive Solution Dell Embassy Security CenterSingle-user SolutionThis offering allows individual users to configure and control their personal access to encrypted data on their hard drive. The offering provides the following featuresAuthenticate user in BIOSSimple Sign On capabilitySingle-user passwords managementManual backup and restore for keysFactory-installed softwareKey ComponentsSeagate Momentus FDE hard driveFactory-installed Dell Security Center with Trusted Drive ManagerSingle-userSolutionManaged Enterprise SolutionUsing the ERAS software, IT departments can remotely manage clients with FDE hard drives, providing documentation on the state of a drive when a system has been lost or stolen. With ERAS server software, you can…Enable remote deployment & management of FDE hard drivesTake ownership of TPMsEnable identity & authorization provisioning from Active DirectoryEmbassy RemoteAdministrationServer(ERAS)* Note: Additional Wave security solutions detailed in backup slides9
10 Client Encryption Evaluation Program Cross-overNetwork cableReviewer’sGuide“Client” System withDell Embassy Security Center“Server” System withEmbassy Remote Administration ServerProgramClient Full-Disk Encryption Evaluation ProgramProgram Scope14-day technology evaluation programTwo systems:- “Client” system with Dell Embassy Security Center- “Server” system with Embassy Remote Administration ServerKey FeaturesStep-by-step Reviewer’s Guide, showing how…- To initialize and enable drives- To add/remove users- To remotely manage credentials- The FDE drive is protected from a hacker- To decommission or re-commission a drive using “Erase” function
12 References“Calculating the Cost of a Security Breach" Khalid Kark, Forrester Research, April 10, 2007."2007 Annual Study: U.S. Cost of a Data Breach," The Ponemon Institute.Health Insurance Portability and Accountability Act of Public Law , 104th U. S. Congress, August 21, 1996“Visa and MasterCard take new steps to stop credit card fraud,” Jeremy Simon, Creditcards.com Article, November 27, 2006 (http://www.creditcards.com/visa-and-mastercard-take-new-steps-to-stop-credit-card-fraud.php)“Visa USA Pledges $20 Million in Incentives to Protect Cardholder Data”, Visa Corporate Press Release, December 12, 2006 (http://corporate.visa.com/md/nr/press667.jsp)ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress, Federal Trade Commission Press Release, January 26, 2006“The Hidden Cost of IT Security,” Network Security Journal, Cindy Waxer, April 16, 2006