160 likes | 283 Views
Local Data Protection (LDP). A Case Study Laptop Data Encryption Eric V. Leighninger Chief Security Architect Allstate Insurance Company June 20, 2008. 2008 Allstate Insurance Company. Agenda . Allstate and Information Security – A Snapshot View
E N D
Local Data Protection (LDP) A Case Study Laptop Data Encryption Eric V. Leighninger Chief Security Architect Allstate Insurance Company June 20, 2008 • 2008 Allstate Insurance Company
Agenda • Allstate and Information Security – A Snapshot View • Laptop Encryption – Goals, Expectations, Priorities • Technology Acquisition – Vendor Selection Process • Vender Solution Deployment • Lessons Learned
Allstate AtA Glance • The Allstate Corporation is the nation’s largest publicly held personal lines insurer. • A fortune 100 company with $156.4 billion in assets. • Allstate sells 13 major lines of insurance, including auto, property, life and commercial. Allstate also offers retirement and investment products and banking services. • Allstate is widely known through the “You’re In Good Hands With Allstate®” slogan. • The Allstate Corporation encompasses more than 70,000 professionals with technology operations located around the globe. • More than 17 million customers in the U.S. and Canada. • Allstate’s strategic vision is to reinvent protection and retirement for the consumer.
Allstate’s Vision for Information Security • Aligned with Corporate and Technology Strategy • Security Solutions Prioritized Based Upon Risk • Operational Excellence – Security as a Service Comprising People, Processes, and Technology
Local Data Protection Goals • Reduce Risk of Exposure • Minimize Recovery and Support Costs • Ensure Compliance • Enable Productivity and Ease of Use • Leverage Investment in Existing IT Infrastructure
Local Data Protection Priorities • Policy Holder and Applicant Data • Employee Data • PHI • Credit Card Numbers • Confidential Data • Financial Information – Pre Earnings Release • Communications to Competitors, Partners and Suppliers • Source Code • Competitive Sensitive Information
Local Data Protection Approaches • File Encryption • Laptops • Desktops • Full Disk Encryption • Laptops • Desktops • Encryption of Removable Media • USB-enabled Devices – Flash Drives, iPods, Bluetooth Devices, Thumb Drives, Hard Disks • CD/DVD Writers • Password and PIN Controls • Blackberry • Other PDA Devices • Standards and Guidelines for Data Classification, Usage and Protection, Access Control and Encryption
Laptop Full Disk Encryption Evaluation • Step 1: Using the local data protection goals and solution selection criteria • Performed paper analysis of top disk encryption vendors • Interviewed vendors regarding respective product functionality • Step 2: Performed hands-on product evaluation per our technology evaluation process at Allstate for candidate vendor ranked highest in Step 1 • Step 3: Based on in-house product and process evaluation results Allstate acquired the vendor’s encryption product
FIPS 140-2 Approved Encryption Full Disk Encryption Strong Key Management Storage of Encrypted Keys Separate from Encrypted Data Controlled Views to Keying Material – MAC and Separation of Duties Key Recovery – Onsite, Off-site and DR Centralized Management Interoperable With Enterprise Software Removable Media Encryption Support Low Performance Degradation Fast, Robust and Reliable Initial Encryption SMS Package Support Throttled Background Encryption Processing Capability Fault Tolerance – Power Outages or User Shutdown Does Not Affect Encryption Process Support for Suspend and Hibernation States Mouse Support Laptop Encryption Product Criteria
Laptop Full Disk Encryption Benefits • The selected encryption product provides Allstate the following advantages: • Strong security model • Efficient key management • Ability to leverage our current SMS infrastructure for deployment and management • Compatibility with Allstate’s current Image and Break-Fix processes • Does not require alteration or replacement of key Windows components: Windows Master Boot Record and the Windows GINA • High confidence due to the type and number of the vendor’s installed base of users • Attractive product TCO
Laptop Full Disk Encryption Deployment • A pilot was completed successfully for over 60 users from our information security, internal audit, claims, enterprise technology and infrastructure, and officer groups • Final pre-deployment enterprise testing was conducted to test product enhancements and updates • Production rollout is being accomplished in a 3 phase fashion • Phase 1 is complete • Phase 2 is scheduled this year • Phase 3 is pending
Laptop Full Disk Encryption Deployment • Phase 1: Full disk encryption was deployed to approximately 10,000 laptops in areas within the company identified as handling sensitive data e.g., • Senior Management • Legal • Claims • Investments • Phase 2: Full disk encryption will be deployed this year to all Allstate owned and managed laptops running latest base image, approximately18,500 laptops • Phase 3: Laptops running earlier base image and Desktops, an approximate total of 70,000 machines, will be addressed at a future time
Lessons Allstate Learned • Encryption can be a timely and beneficial technology • Laptop encryption has provided increased data protection and has helped us reduce the risk associated with laptop loss or compromise • Three suggestions to consider • Establish clear data protection goals, criteria and policies for encryption and key management • Establish a communications plan for systematic and smooth deployment of encryption software • Do your homework on vendor capabilities versus organizational needs • Most significant lesson: • Ours was a rapid pilot to production deployment for pragmatic and regulatory reasons. We found such a deployment is possible, albeit not without some bumps in the road, when requirements are well defined, there is clear alignment of technology strategy and management objectives, and cooperation and flexibility across organizational boundaries
Thank You! Questions?