Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting the Confidentiality and Integrity of Corporate and Client Data When in the Hands of a Mobile Workforce Mobile Protection for Trustmark Insurance.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Protecting the Confidentiality and Integrity of Corporate and Client Data When in the Hands of a Mobile Workforce Mobile Protection for Trustmark Insurance."— Presentation transcript:

1 Protecting the Confidentiality and Integrity of Corporate and Client Data When in the Hands of a Mobile Workforce Mobile Protection for Trustmark Insurance

2 Topics Categorization of Mobile Security 1 - Gerard Justifying Costs to Management and Problem at Hand 2 - Andy Phase 1 Product Selection 3 - Gwen

3 External / Internal Approach  External Protection – Protection of data on a device that has the potential to be externalized – Products: MDM, MDP  Internal Protection – Protection of data before it is moved to a device – Products: DLP, SIEM

4 Proposed Approach and Tools Mobile Device Protection Data Loss Protection Mobile Device Management SIEM – Security Information and Event Management Laptops Data Smart Phones Monitoring and Compliance Notes: Data Loss Prevention products are sometimes referred to as Data Leak Prevention Mobile Data Protection is sometime referred to as Endpoint Protection because they can protect both internal and external

5 Mobile Data Protection  Mobile data protection (MDP) is a category of products for securing data on movable storage systems - laptops, smartphones, and removable media.  Provides common protection policies across multiple platforms  Provides auditable proof that data is protected.  Should entail minimal support costs  Should provide FIPS-140 certified encryption* *Federal Information Processing Standards, issued by NSIT

6 Mobile Device Management  Mobile Device Management (MDM) is a category of applications for managing smartphones. Includes the following functionality:  Software Distribution — The ability to manage and support mobile application including deploy, install, update, delete or block.  Policy Management — Development, control and operations of enterprise mobile policy.  Inventory Management — Beyond basic inventory management, this includes provisioning and support.  Security Management — The enforcement of standard device security, authentication and encryption.  Service Management — Rating of telecom services.

7 Data Loss Protection  Data loss protection (DLP) is a category of tools that protects data as it leaves the network (sometimes referred to as “Content-Aware” DLP). Includes the following functionality:  Enables the dynamic application of policy based on the classification of content  Can be applied to data in rest (storage), data in use (during an operation), and data in transit (across a network)  Can dynamically apply policies, such as log, report, classify, relocate, tag, or encrypt protections.  Helps organizations develop, educate and enforce better business practices concerning the handling and transmission of sensitive data.  Designed to:  Protect customer information, HIPPA privacy, and intellectual property  Stop data leaks to media  Provide device and port control when protected data is passed to laptops, USB drives, CDs, etc.  Provide endpoint auditing and discovery – where’s my data?

8 SIEM – Security Information and Event Management  Security Information and Event Management (SIEM) is a category of tools that aid in regulatory compliance and threat management. Includes the following functionality:  Supports the real-time collection and analysis of events from host systems, security devices and network devices combined with contextual information for users, assets and data  Provides long-term event and context data storage and analytics  Not limited to mobile data

9 Functions MDP Encryption Poison Pill Central Management Console Audit Reports DLP Content- Aware Policy-Driven Actionable – Log, Block, etc. MDM Enforced password Device wipe Remote lock Audit trail logging "Jailbreak" detection SIEM Compliance External threats Monitoring Internal threats i.e., medical record snooping

10 Steps in the Mobile Protection Program Laptops and Externals (MDP) Data (DLP) Smart Phones (MDM) Advanced Logging and Compliance (SIEM) RISK Education

11 Justifying Costs to Management Explaining to senior management the costs of doing nothing and making a case for mobile protection

12 Project Phases and Estimated Costs Phase 1 MDP and DLP Software: $51K – $106K MDP per Seat: $52-$132 LDP per Seat: $50 - $80 Impl&Trn: $104K Phase 2 MDM Software: $35K Per Seat: $70 Impl&Trn: $112K Phase 3 SIEM Software: $50K Per Seat: $100 Impl&Trn: $224K Total Cost of Program:576K – 631K Software:136K – 191K Consulting:120K Internal Costs:320K Estimated Duration:4 mos. Phase 1 Assumptions: 2 implementation consultants for 3 weeks at $1600/day; 4 hours of security and tool training per employee at internal cost of $40/hour Phase 2 Assumptions: 1 implementation consultant for 4 weeks at $1600/day 4 hours of security and tool training per employee at internal cost of $40/hour Phase 3 Assumptions: 1 implementation consultant for 8 weeks at $1600/day 8 hours of security and tool training per employee at internal cost of $40/hour Additional servers can be created through virtualization at minimal cost

13 Justifying Costs to Management  Leakage of personally identifiable information (PII) and personal health information (PHI), direct costs:  The average cost per record associated with a leak to make affected parties whole  Fees for legal representation  Engaging a PR firm to minimize damage and restore reputation to the extent possible  Consumer credit monitoring for all customers (not necessarily only those affected by the leak)  Up to five years of system and process audits conducted by an independent third party  Forrester estimates $218 per leaked record, so a leak of 100,000 records would cost $21.8M Source: Trends: Calculating the Cost of a Security Breach. Forrester Research, Inc. April 10, 2007.

14 Justifying Costs to Management  Intellectual property, direct costs :  Fees for legal recourse to address who leaked the data and discover if it is being used inappropriately  Short-term impact to R&D cost recuperation  Long-term impact to profitability/revenue projections  System and process audits to identify and correct the source of the leak  Forrester estimates the average leak results in $1.5M loss Most IP data losses go unreported because there are no public disclosure laws that apply to intellectual property and the impact on valuation from a publicized loss would likely be tremendous.

15 Justifying Costs to Management  Total economic impact in one lost laptop: $49,256 (incl. replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses)  Occurrence of data breach represents 80 % of cost; intellectual property loss is 59% of cost  If the company discovers the loss in one day, it is $8,950. After one week, it is $115,849  Average cost for senior management is $28,449. For a manager or director it is about $61,000  Productivity loss is only about 1% of the cost  Loss if laptop is encrypted: $29,256 (> $20,000 less)  Loss varies by industry – financial services: $112, 853, healthcare: $67,873, manufacturing: $2,184  Loss of intellectual property for healthcare is quite high - $17,999 Source: The Cost of a Lost Laptop, Ponemon Institute (sponsored by Intel), February 9, 2009

16 Justifying Costs to Management Seven cost componentsAverage Cost Laptop replacement cost$1,582 Detection & escalation cost$262 Forensics & investigation cost$814 Data breach cost$39,297 Intellectual property loss$5,871 Lost productivity cost$243 Other legal or regulatory costs$1,177 Total$49,246 Source: The Cost of a Lost Laptop, Ponemon Institute (sponsored by Intel), February 9, 2009

17 Current Trustmark Security Profile AvailabilityConfidentiality Physical IntegrityAuthentication Host Platform End User Application Network Door Locks Security Guards Device Protection McAfee Anti-Virus SunGard Disaster Recovery Subscription levels? GFI LANGuard Patch Mgmt Cisco uRPF McAfee Anti-Spyware RAID-5/RAID-6 Database Security Single-Factor Authentication ID Badges Two-Factor Authentication CCTV Mantrap Hardware Security Token Proxy Server IPsec Internet Content Filter RADIUS Firewall PEAP LDAP Server Secure Paper Documents Edifecs EDI Translator NACVLAN s NAT Border Router PKIs P-Synch Microsoft Certificate Server Business Application Level Security WS-Security VPN CO2 Fire Suppression System PPTP Enterprise SANs Verizon MPLS GlobalSCAPE FTP server S-FTP HTTP S PPTP OpenPGP EMC Key Mgmt Appliance Iron Mountain Departmental VLANs Laptop Biometrics Laptop Automated Backup to Network Role-Based Access Control Security Policy Refresher Training VMware Encrypted Tape Backups MS WSUS ConfidentialityIntegrity Host Platform End User Network/ Application Device Protection McAfee Anti-Virus McAfee Anti-Spyware Laptop Automated Backup to Network Security Policy Refresher Training Data Loss Protection

18 User View of Situation End UserITAuditorManagement Lost Laptop Are there copies of my files? Is our network vulnerable? What client/patient data was on the laptop? What trade secrets were on the laptop? What’s the productivity loss? Sensitive Information I need the data if I’m expected to work off- site. I’m told which users should have access to the application. Personally identifiable data is governed by regulation, such as PCI and HIPPA. Employees can’t be productive if they don’t have what they need to work. Corporate Smartphone The smartphone my company gives shouldn’t be a pain to use. How should the phones be provisioned? I don’t have time for this. Need to be prepared with users access lists and activity logs for an audit. Need to control costs. Proliferation of Tools I want any tool that makes my job easier. I know that 3 rd party tools like flash drives can make our network vulnerable. If we have audits on laptops for personally identifiable information, shouldn’t other sources of leaks be examined too? If it ain't broke, don’t fix it.

19 Vision for What to Accomplish Device KillData RecoveryContent-AwareAudit TrailsEncryptionEducation

20 Key Questions  Since we are not starting from a clean slate:  How is the organization using McAfee and will the mobile security products we select be compatible with McAfee?  Utimaco SafeGuard is being used to manage laptop hard drive encryption, lock down, and auditability:  How is it being used specifically?  Are there other products that may be better choices?

21 Phase 1 Product Selection Identifying vendor products, comparing features, developing final selection pros and cons

22 Phase 1 – MDP Selection McAfee Sophos Symantec Check Point Software Technologies

23 MDP Product Comparison FeatureMcAfeeSophosSymantecCheck Point Poison pill Management console Audit reports Windows and Mac Support FIPS 140-2 supported Protection for removable media Trusted Platform Module (TPM) support Supports tokens Encryption Strength + Offers Cloud service Supports self-encrypting drives Integration with file sharing products - meets criteria; + - exceeds criteria; ++ greatly exceeds criteria

24 Phase 1 – DLP Selection Symantec McAfee Websense Verdasys

25 DLP Product Comparison FeatureSymantecMcAfeeWebsenseVerdasys Content-aware – can classify information Offers non-transparent control Manages endpoints Workflow and case management + Secure email gateway integration Webmail and web controls + USB controls ++ Applies policy on public network Advanced Intellectual property controls + - meets criteria; + - exceeds criteria; ++ greatly exceeds criteria

26 Most Suitable Product - MDP  Winner of MDP Category – Sophos  Pros  Content-aware, integrated DLP to help decide when to enforce encryption on information being written to external devices.  Platform support is provided for Windows 2000 through 64-bit Windows 7, Mac OS X, and Linux.  Embedded system support includes TPM, TCG encrypting drives, Intel vPro and UEFI.  Smaller mobile devices to be separately supported under an MDM product include iPhone, iPad, and Android.  Cons  North American penetration and brand recognition needs to improve

27 Most Feature-Rich Product - DLP  Winner of feature-Rich DLP Category – Verdasys  Pros  Offers strongest controls for the protection of sensitive information.  Has strong workflow and case management  Simple and easy-to-use process for creating custom dashboards and reports.  Can audit every access to (and control the movement of) files that contain sensitive data (sought after by IP firms and organizations fearing WikiLeaks-type data disclosures)  Sensitive files are encrypted when copied to mobile media and devices.  Cons  High-end controls and complexity  Priced at premium market  Limited RBAC (role-based access control) capabilities  Offers just endpoint DLP

28 Best DLP for Trustmark  Best DLP for Trustmark – Websense  Pros  Less costly  Easier to implement  “Fast, effective security leak prevention without a lot of hassle” (Forrester)  Offers both network and endpoint DLP  Cons  Less robust solution for complex business processes

29 Question and Answer

30 Extra Slides NOT IN PRESENTATION

31 Mobile Data Vulnerabilities Original Scope Loss/ Theft Data Corruption Unauthorized Physical Access Attacks Laptops Tablets Smartphones USB Drives N/A ? Confidentiality and Integrity Authentication & Availability

32 Mobile Data Vulnerabilities: Is that everything? ConfidentialityIntegrity Laptops Smartphones N/A USB Drives N/A External Media (CDs) N/A Paper N/A

33 User View of Situation Presenting ‘as is’ and ‘to be’ situations and a vision for the future D

34 Vision for What to Accomplish End UserITAuditorManagement Lost Laptop At least my data is protected. Another laptop gets the poison pill. We have a record of what was on the laptop and the data was encrypted. Damn employees. At least trade secrets are protected. Sensitive Information Reminder of what data is sensitive and limits on quantity. I’m told what the policies are and given tools to enforce it. I can establish enforceable policies in compliance with regulation. Employees can get access to the data they need to work, but not in excess. Corporate Smartphone My smartphone allows access to the applications and data I need Easy provisioning and support. User activity is auditable for smartphones. I know where the money is going and my costs are predictable. Proliferation of Tools I am reminded of the risks of using certain tools. Flash drives and portable hard drives no longer frighten us. We have logs of where sensitive and personally identifiable information goes. If it ain't broke, don’t fix it.

35 Mobile Security Program Management Defining solution categories and putting the initiative within a project framework

36 Tool Descriptions

37 Preparing the Users and Infrastructure  Putting it all together:  How do we select compatible products and vendors?  What will it cost to buy and implement?  How should we roll it out to the organization?  How do we justify the costs to management?

38 Selecting Potential Products Data Loss Protection SIEM – Security Information & Event Monitoring Mobile Device Management Mobile Data Protection Externalized Data # of vendors: 25 Source: Gartner Group # of vendors: 13 # of vendors: 14 # of vendors: 23

39 Selecting the Best Products Data Loss Protection – DLP Symantec McAfee Verdasys Websense RSA (EMC) CA Technologies Market Leaders or Visionaries Security Information Event Mgmt - SIEM HP/ArcSight Q1 Labs RSA (RMC) Symantec NitroSecurity (McAfee) LogLogic Novell Mobile Device Management - MDM Good Technology Sybase AirWatch MobileIron Mobile Data Protection - MDP McAfee Sophos* CheckPoint Software Technologies Symantec *Trustmark uses Utimaco SafeGuard Enterprise, which was purchased by Sophos

40 Selecting the Best Products  For everything except MDM, trend is for vendor consolidation in the marketplace, so that vendor can be “one-stop shop”. Example:  McAfee bought NitroSecurity  Sophos bought Utimaco  Symantec already has products in MDP, DLP, and SIEM categories  Selection should follow a disciplined process for evaluation examining comparative features, ease of configuration, price, and vendor support

41 Scope of Vision Education Laptops External Devices Smart Phones Data Com- pliance

42 Mobile Data Protection Security Features  Desired security features for a MDP product:  Central console features:  Controls client activations  Pushes data protection policies  Interfaces with the help desk  Acts as a key management facility  Generates alerts and compliance reports.  Endpoint device features:  Encryption management  Device lockouts, i.e. “Poison Pill”  Vendors  Several niche vendors, but just a few market leaders  Trustmark’s current product, Utimaco SafeGuard Enterprise, is now owned by Sophos

43 Causes of Security Breaches

44 The Mobile Workforce  75% of US workers are mobile; One billion mobile workers worldwide*  12,000 laptop were lost in US airports**; 10,000 cell phones are left in London taxis per month***  62% of mobile devices that were lost or stolen contained sensitive or confidential information**  35% of organizations report that a lost or stolen mobile device caused the data breach they experienced** Sources: * IDC ** Ponemon Institute *** The Register

45 Data Loss Protection Security Features  Desired security features for a LDP product:  Content-aware  Advanced content inspection and analysis techniques  Ability to define data policies  What data is governed?  How it can be moved outside the network to external media?  Ability take action when a policy violate is detected  Log, block, encrypt, etc.  Can also be triggered based on data quantity  Vendors  Several well-known vendors are considered market leaders

46 Mobile Device Management Security Features  Desired security features for a MDM product:  Enforced password  Device wipe  Remote lock  Audit trail/logging  "Jailbreak" detection  Vendors:  Very crowded marketplace, but most vendors are considered niche players

47 SEIM Compliance/Security Features  Desired compliance/security features for a SEIM product:  Security information management (SIM) — log management and compliance reporting  Security event management (SEM) — real-time monitoring and incident management for security-related events from networks, security devices, systems, and applications  Primary uses:  Compliance — log management and regulatory compliance reporting  External Threat management — real-time monitoring of user activity, data access, and application activity and incident management  Internal Threat Management - authorized user misuses of electronic health records (employee, partners, contractors). Medical record snooping, internal identity theft, internal medical identity theft  Vendors  Many vendors to choose from; healthcare specialized features may limit the field

Download ppt "Protecting the Confidentiality and Integrity of Corporate and Client Data When in the Hands of a Mobile Workforce Mobile Protection for Trustmark Insurance."

Similar presentations

!! Are we under attack !! Consumer devices continue to invade *Corporate enterprise – just wanting to plug in* Mobile Device Management.

!! Are we under attack !! Consumer devices continue to invade *Corporate enterprise – just wanting to plug in* Mobile Device Management.
Security for Mobile Devices

Security for Mobile Devices
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
Www.tectia.com COPYRIGHT © 2010 TECTIA CORPORATION. ALL RIGHTS RESERVED. Proactive Measures to Prevent Data Theft Securing, Auditing and Controlling remote.

COPYRIGHT © 2010 TECTIA CORPORATION. ALL RIGHTS RESERVED. Proactive Measures to Prevent Data Theft Securing, Auditing and Controlling remote.
Project Management Methodology Procurement management.

Project Management Methodology Procurement management.
Preventing Good People From Doing Bad Things Best Practices for Cloud Security Brian Anderson Chief Marketing Officer & Author of “Preventing Good People.

Preventing Good People From Doing Bad Things Best Practices for Cloud Security Brian Anderson Chief Marketing Officer & Author of “Preventing Good People.
Security Controls – What Works

Security Controls – What Works
Sophos / Utimaco Data Loss Prevention Peter Szendröi, SOPHOS Nordics Jan 20, 2010.

Sophos / Utimaco Data Loss Prevention Peter Szendröi, SOPHOS Nordics Jan 20, 2010.
Unified Logs and Reporting for Hybrid Centralized Management

Unified Logs and Reporting for Hybrid Centralized Management
Copyright 2011 Trend Micro Inc. Trend Micro Web Security- Overview.

Copyright 2011 Trend Micro Inc. Trend Micro Web Security- Overview.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Www.encase.com Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,

Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.
New Data Regulation Law 201 CMR 17.00. TJX Video.

New Data Regulation Law 201 CMR TJX Video.
Mobility Without Vulnerability: Secure and Enable Your Mobile Users, Apps, and Devices David Clapp – Intuitive.

Mobility Without Vulnerability: Secure and Enable Your Mobile Users, Apps, and Devices David Clapp – Intuitive.
November 2009 Network Disaster Recovery October 2014.

November 2009 Network Disaster Recovery October 2014.

Similar presentations

Ads by Google