Presentation is loading. Please wait.

Presentation is loading. Please wait.

Encryption: one element of Smart Security

Similar presentations


Presentation on theme: "Encryption: one element of Smart Security"— Presentation transcript:

1 Data Protection Policy Compliance using Notebook Hard Disk Drive Encryption

2 Encryption: one element of Smart Security
Security Involves Several Focus Areas

3 Why Data Encryption? Breaches Can Be Costly!
When a breach occurs, organizations can lose money. They may be required to publicly disclose the breach, significantly damaging an organization’s public image. They are generally required to notify persons whose information was exposed - involving communication costs & perhaps financial compensation. They may experience lost productivity costs when staff is repurposed to address a breach. They may face fines from the FTC or business partners. Many industries are now subject to governmental regulation and/or industry security compliance guidelines

4 Costs of a Security Breach
2007 Estimated Cost/Lost Record Forrester Research: $90-$3051 Ponemon Institute: $1972 Direct Costs Notification Costs - organizations can incur costs associated with legal fees, mail notification letters, calls to individual customers, increased call center costs and discounted product offers Lost Productivity Costs - organizations can incur costs when employees and contractors are diverted from their normal duties in order to address data breach controls Fines Certain federal privacy statutes include fines for violations that can amount to tens of thousands of dollars3 In 2006, Visa and MasterCard announced levying of fines from $10K-100K against transaction processors that fail to keep transactions secure4,5 In 2006, the FTC issued $15 million in fines when an Atlanta-based consumer data broker lost more than 163,000 personal records to insurance and credit companies in February 20056 Lost Shareholder Value and Goodwill Stock prices can take temporary or long term drops – eg, an Atlanta-based data broker had lost about 20% of its stock value 2 years after losing 163,000 personal records7 Footnoted references are recorded at the end of this presentation.

5 Who can be Affected? Virtually Everyone!
Any organization can be at risk if, for instance, they lose employee records Retailers & Merchants • In October 2007, a national home supply retailer announced that a laptop with the personal data of about 10,000 employees was stolen from the car of a regional manager • In January 2007, a major national clothing retailer revealed that hackers took the credit and debit card information of customers through an unauthorized intrusion into their computer systems • In June 2005, a regional membership warehouse retail chain on the east coast settled FTC charges stemming from lax security practices which included a failure to encrypt consumer information when it was transmitted or stored on store computers Healthcare & Insurance • In March 2007, one of the nation’s largest health insurers notified 75,000 members that a compact disk holding medical and personal information had disappeared • In August 2006, a corporate operator of hospitals and health systems reported 10 laptops with thousands of patient files had been stolen from a regional office Government Agencies • In November 2007, a federal agency investigated the theft of personal computers containing the names of 12,000 veterans; in 2006, a system containing the personal details of 26.5 million veterans was stolen from the same agency • In October 2007, a federal agency mandated that contractors must encrypt any and all data on personal computers following the loss and possible theft of two laptop computers Educational Institutions • In April 2006, a major state university announced that an unknown person or persons had gained unauthorized access to a large number of electronic records that included social security numbers and other biographical data Banking & Brokerage • In October 2007, a Kansas branch of a regional bank in the Midwest announced that a limited number of customers had personal data compromised in an attempted hacking of a computer system Credit & Payment Agencies • In February 2006, the FTC announced that it had settled with a third-party credit card processor for failure to provide reasonable and appropriate security for sensitive consumer information Accounting • In November 2007, an Ohio-based accounting firm lost personal information on clients when a laptop was stolen from an automobile

6 What can organizations do?
Strong data encryption can protect private information from unauthorized access Data encryption can help address federal and state privacy requirements* At least 39 states have enacted legislation requiring the notification of security breaches involving personal information** Many federal laws that have been enacted also seek to ensure protection of private information Encryption can be hardware-based or software- based Hardware-based: Seagate® Momentus® Full-Disk Encryption (FDE) drives Software based: Software encryption solutions exist from a variety of third-party independent software vendors *Rigorous standards apply and can vary by state - check with a local legal expert for a complete set of requirements for your state **According to the National Conference of State Legislatures, December 12, 2007

7 Hardware vs. Software Encryption
Dell FDE Hardware Solution (FDE + Wave) Software Encryption Items encrypted Everything (boot files, all folders, etc) Encryption keys stored within the drive (closed environment = tougher encryption) Some SW solutions omit boot files and possibly temp files Performance Encrypts as fast as the drive can write Doesn’t utilize system CPU/memory Uses system CPU power (estimated 3-4% performance degradation) Manageability Simple installation & deployment Centralized management with purchase of Wave ERAS software May experience issues with HDD errors and maintenance routines (i.e. defrag, bad sectors) Risk that remote mgmt SW may not work well with some SW encryption solutions HDD Disposal Quick and secure “Erase” for HDD disposal or repurpose Not available with most SW; would have to utilize current HDD destroy methods (time consuming) OS Support Microsoft® Windows® XP support thru Dell Windows Vista® supported by Wave Systems Corporation Many solutions support Windows 2000, XP, and Vista®; some support Linux® Compliance Certifications FDE drive is NOT currently FIPS compliant (primarily a Fed certification) Many solutions have been NIST Certified FIPS Compliant Encryption Options Fully encrypts data stored on the hard drive Full disk encryption on the hard drive Optional encryption for removable media (i.e. USB keys, external HDDs, etc) Deployment Full deployment requires full scale replacement of existing HDDs HW agnostic; allows full deployment across existing PC infrastructure. Does NOT require full scale replacement of HDDs Dell recommends hardware encryption for new system purchases.

8 Dell FDE Hard Drive Solution
Solution Components Select Dell™ Latitude™ D-series notebooks*, with Seagate Momentus 5400 FDE.2 hard drive Dell Embassy Security Center with Wave Trusted Drive manager Wave Embassy Remote Administration Server Software (running on your Dell server) Implementation of Dell’s Security Best Practices ENTERPRISE NETWORK Embassy® Remote Administration Server LOCAL PC FDE DRIVE Embassy® Trusted Drive Manager Seagate® DriveTrust™ Technology Implementation of Dell’s Security Best Practices * Seagate Momentus hard drives and Dell Embassy Security Center are also available on select Precision mobile workstations 8

9 Dell FDE Hard Drive Solution
Dell Embassy Security Center Single-user Solution This offering allows individual users to configure and control their personal access to encrypted data on their hard drive. The offering provides the following features Authenticate user in BIOS Simple Sign On capability Single-user passwords management Manual backup and restore for keys Factory-installed software Key Components Seagate Momentus FDE hard drive Factory-installed Dell Security Center with Trusted Drive Manager Single-user Solution Managed Enterprise Solution Using the ERAS software, IT departments can remotely manage clients with FDE hard drives, providing documentation on the state of a drive when a system has been lost or stolen. With ERAS server software, you can… Enable remote deployment & management of FDE hard drives Take ownership of TPMs Enable identity & authorization provisioning from Active Directory Embassy Remote Administration Server (ERAS) * Note: Additional Wave security solutions detailed in backup slides 9

10 Client Encryption Evaluation Program
Cross-over Network cable Reviewer’s Guide “Client” System with Dell Embassy Security Center “Server” System with Embassy Remote Administration Server Program Client Full-Disk Encryption Evaluation Program Program Scope 14-day technology evaluation program Two systems: - “Client” system with Dell Embassy Security Center - “Server” system with Embassy Remote Administration Server Key Features Step-by-step Reviewer’s Guide, showing how… - To initialize and enable drives - To add/remove users - To remotely manage credentials - The FDE drive is protected from a hacker - To decommission or re-commission a drive using “Erase” function

11 Backup Materials 11

12 References “Calculating the Cost of a Security Breach" Khalid Kark, Forrester Research, April 10, 2007. "2007 Annual Study: U.S. Cost of a Data Breach," The Ponemon Institute. Health Insurance Portability and Accountability Act of Public Law , 104th U. S. Congress, August 21, 1996 “Visa and MasterCard take new steps to stop credit card fraud,” Jeremy Simon, Creditcards.com Article, November 27, 2006 (http://www.creditcards.com/visa-and-mastercard-take-new-steps-to-stop-credit-card-fraud.php) “Visa USA Pledges $20 Million in Incentives to Protect Cardholder Data”, Visa Corporate Press Release, December 12, 2006 (http://corporate.visa.com/md/nr/press667.jsp) ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress, Federal Trade Commission Press Release, January 26, 2006 “The Hidden Cost of IT Security,” Network Security Journal, Cindy Waxer, April 16, 2006


Download ppt "Encryption: one element of Smart Security"

Similar presentations


Ads by Google