Presentation on theme: "Data Protection Policy Compliance using Notebook Hard Disk Drive Encryption."— Presentation transcript:
Data Protection Policy Compliance using Notebook Hard Disk Drive Encryption
Encryption: one element of Smart Security Security Involves Several Focus Areas
Why Data Encryption? Breaches Can Be Costly! When a breach occurs, organizations can lose money. –They may be required to publicly disclose the breach, significantly damaging an organizations public image. –They are generally required to notify persons whose information was exposed - involving communication costs & perhaps financial compensation. –They may experience lost productivity costs when staff is repurposed to address a breach. –They may face fines from the FTC or business partners. Many industries are now subject to governmental regulation and/or industry security compliance guidelines
Costs of a Security Breach Direct Costs –Notification Costs - organizations can incur costs associated with legal fees, mail notification letters, calls to individual customers, increased call center costs and discounted product offers –Lost Productivity Costs - organizations can incur costs when employees and contractors are diverted from their normal duties in order to address data breach controls Fines –Certain federal privacy statutes include fines for violations that can amount to tens of thousands of dollars 3 –In 2006, Visa and MasterCard announced levying of fines from $10K-100K against transaction processors that fail to keep transactions secure 4,5 –In 2006, the FTC issued $15 million in fines when an Atlanta-based consumer data broker lost more than 163,000 personal records to insurance and credit companies in February 2005 6 Lost Shareholder Value and Goodwill –Stock prices can take temporary or long term drops – eg, an Atlanta-based data broker had lost about 20% of its stock value 2 years after losing 163,000 personal records 7 2007 Estimated Cost/Lost Record Forrester Research: $90-$305 1 Ponemon Institute: $197 2 Footnoted references are recorded at the end of this presentation.
Who can be Affected? Virtually Everyone! Any organization can be at risk if, for instance, they lose employee records Retailers & Merchants In October 2007, a national home supply retailer announced that a laptop with the personal data of about 10,000 employees was stolen from the car of a regional manager In January 2007, a major national clothing retailer revealed that hackers took the credit and debit card information of customers through an unauthorized intrusion into their computer systems In June 2005, a regional membership warehouse retail chain on the east coast settled FTC charges stemming from lax security practices which included a failure to encrypt consumer information when it was transmitted or stored on store computers Healthcare & Insurance In March 2007, one of the nations largest health insurers notified 75,000 members that a compact disk holding medical and personal information had disappeared In August 2006, a corporate operator of hospitals and health systems reported 10 laptops with thousands of patient files had been stolen from a regional office Government Agencies In November 2007, a federal agency investigated the theft of personal computers containing the names of 12,000 veterans; in 2006, a system containing the personal details of 26.5 million veterans was stolen from the same agency In October 2007, a federal agency mandated that contractors must encrypt any and all data on personal computers following the loss and possible theft of two laptop computers Educational Institutions In April 2006, a major state university announced that an unknown person or persons had gained unauthorized access to a large number of electronic records that included social security numbers and other biographical data Banking & Brokerage In October 2007, a Kansas branch of a regional bank in the Midwest announced that a limited number of customers had personal data compromised in an attempted hacking of a computer system Credit & Payment Agencies In February 2006, the FTC announced that it had settled with a third-party credit card processor for failure to provide reasonable and appropriate security for sensitive consumer information Accounting In November 2007, an Ohio-based accounting firm lost personal information on clients when a laptop was stolen from an automobile
What can organizations do? Strong data encryption can protect private information from unauthorized access Data encryption can help address federal and state privacy requirements* –At least 39 states have enacted legislation requiring the notification of security breaches involving personal information** –Many federal laws that have been enacted also seek to ensure protection of private information Encryption can be hardware-based or software- based –Hardware-based: Seagate® Momentus® Full-Disk Encryption (FDE) drives –Software based: Software encryption solutions exist from a variety of third-party independent software vendors *Rigorous standards apply and can vary by state - check with a local legal expert for a complete set of requirements for your state **According to the National Conference of State Legislatures, December 12, 2007
Hardware vs. Software Encryption Dell FDE Hardware Solution (FDE + Wave) Software Encryption Items encrypted Everything (boot files, all folders, etc) Encryption keys stored within the drive (closed environment = tougher encryption) Some SW solutions omit boot files and possibly temp files Performance Encrypts as fast as the drive can write Doesnt utilize system CPU/memory Uses system CPU power (estimated 3-4% performance degradation) Manageability Simple installation & deployment Centralized management with purchase of Wave ERAS software May experience issues with HDD errors and maintenance routines (i.e. defrag, bad sectors) Risk that remote mgmt SW may not work well with some SW encryption solutions HDD Disposal Quick and secure Erase for HDD disposal or repurpose Not available with most SW; would have to utilize current HDD destroy methods (time consuming) OS Support Microsoft® Windows® XP support thru Dell Windows Vista® supported by Wave Systems Corporation Many solutions support Windows 2000, XP, and Vista®; some support Linux® Compliance Certifications FDE drive is NOT currently FIPS 140-2 compliant (primarily a Fed certification) Many solutions have been NIST Certified FIPS 140-2 Compliant Encryption Options Fully encrypts data stored on the hard drive Full disk encryption on the hard drive Optional encryption for removable media (i.e. USB keys, external HDDs, etc) Deployment Full deployment requires full scale replacement of existing HDDs HW agnostic; allows full deployment across existing PC infrastructure. Does NOT require full scale replacement of HDDs Dell recommends hardware encryption for new system purchases.
Dell FDE Hard Drive Solution Solution Components 1.Select Dell Latitude D- series notebooks*, with Seagate Momentus 5400 FDE.2 hard drive Dell Embassy Security Center with Wave Trusted Drive manager 2.Wave Embassy Remote Administration Server Software (running on your Dell server) 3.Implementation of Dells Security Best Practices http://www.dell.com/secur ity/bestpractices/ http://www.dell.com/secur ity/bestpractices/ Seagate ® DriveTrust Technology Embassy ® Trusted Drive Manager Embassy ® Remote Administration Server * Seagate Momentus hard drives and Dell Embassy Security Center are also available on select Precision mobile workstations Implementation of Dells Security Best Practices
Dell FDE Hard Drive Solution Key Components Seagate Momentus FDE hard drive Factory-installed Dell Security Center with Trusted Drive Manager Single-user Solution This offering allows individual users to configure and control their personal access to encrypted data on their hard drive. The offering provides the following features Authenticate user in BIOS Simple Sign On capability Single-user passwords management Manual backup and restore for keys Embassy Remote Administration Server (ERAS) Managed Enterprise Solution Using the ERAS software, IT departments can remotely manage clients with FDE hard drives, providing documentation on the state of a drive when a system has been lost or stolen. With ERAS server software, you can… Enable remote deployment & management of FDE hard drives Take ownership of TPMs Enable identity & authorization provisioning from Active Directory Dell Embassy Security Center Factory-installed software Single-user Solution * Note: Additional Wave security solutions detailed in backup slides
Client Encryption Evaluation Program ProgramClient Full-Disk Encryption Evaluation Program Program Scope14-day technology evaluation program Two systems: - Client system with Dell Embassy Security Center - Server system with Embassy Remote Administration Server Key FeaturesStep-by-step Reviewers Guide, showing how… - To initialize and enable drives - To add/remove users - To remotely manage credentials - The FDE drive is protected from a hacker - To decommission or re-commission a drive using Erase function Client System with Dell Embassy Security Center Server System with Embassy Remote Administration Server Reviewers Guide Cross-over Network cable
References 1.Calculating the Cost of a Security Breach" Khalid Kark, Forrester Research, April 10, 2007. 2."2007 Annual Study: U.S. Cost of a Data Breach," The Ponemon Institute. 3.Health Insurance Portability and Accountability Act of 1996 - Public Law 104-191, 104th U. S. Congress, August 21, 1996 4.Visa and MasterCard take new steps to stop credit card fraud, Jeremy Simon, Creditcards.com Article, November 27, 2006 (http://www.creditcards.com/visa-and- mastercard-take-new-steps-to-stop-credit-card-fraud.php)http://www.creditcards.com/visa-and- mastercard-take-new-steps-to-stop-credit-card-fraud.php 5.Visa USA Pledges $20 Million in Incentives to Protect Cardholder Data, Visa Corporate Press Release, December 12, 2006 (http://corporate.visa.com/md/nr/press667.jsp)http://corporate.visa.com/md/nr/press667.jsp 6.ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress, Federal Trade Commission Press Release, January 26, 2006 7.The Hidden Cost of IT Security, Network Security Journal, Cindy Waxer, April 16, 2006 http://www.networksecurityjournal.com/features/hidden-cost-of-IT-security-041607/ http://www.networksecurityjournal.com/features/hidden-cost-of-IT-security-041607/