Rob MacIntosh, West Coast Sales Director, Utimaco Safeware, Inc. Endpoint Encryption: Evolution and Trends in Data Security
Agenda • Data theft and loss • Analysis of Full Disk Encryption solutions • Software • OS • HDD-based • Chipset • Q&A
Data Loss Or Theft Is Expensive: Recent Surveys Say… Data Is The Target
Compliance Regs. Mandate Data Security: Protection Of Confidential and/or Private Data • Federal and industry • GLBA, HIPAA; PCI DSS (industry standard, not federal law) • States: 44 of 50 require “reasonable measures” • CA: Breach notification (personal, medical); encrypted data exempt • OR: Similar to CA (personal); fines for delayed disclosure • WA: Similar to CA • States (“specific measures”) • NV: Encrypt PII in transit outside the enterprise • MA: Encrypt all personal information • Canada • PIPEDA: Protect personal info. collected, used and disclosed; technologies: e.g., passwords, encryption
Data Breach Headlines to be Avoided • TJX • In-store communications intercepted? • Data for 94 million customers lost • Reported on October 24, 2007 (Source: www.msnbc.com) • 245 million data records of U.S. residents exposed since 2005 (Source: www.privacyrights.org)
Data Security Is Top Issue On The Agenda: 68% Of Firms Consider It To Be Very Important (Source: Forrester Research, The State Of Enterprise IT Security: 2008 To 2009)
Full Disk Encryption Is A Top Initiative: Top Client Security Tech. For Near-Term Pilot Or Adoption (Source: Forrester Research, The State Of Enterprise IT Security: 2008 To 2009)
Laptop Theft/Fraud Is The No. 3 Concern (42%) – CSI Computer Crime & Security Survey (October 2008)
Loss of Private, Confidential Information – 2008 Data Breach Investigations Report, Verizon Business
Data Security Solution Requirements: Utimaco Customer Surveys… Encryption, And More… • Define security roles and responsibilities • Enforce consistent policies • Provide transparent security to end-users • Enable secure data sharing and recovery • Allow easy deployment and administration • Facilitate quick, on-demand audits
Full Disk Encryption (FDE) For Laptops, Desktops and Servers • Encrypts and secures all data on the HDD • Enforces pre-boot authentication for users • Protects data while the machine is powered off or hibernated (not while it is running and unlocked) • Confidentiality of IP • Protection of privacy • Compliance w/ policy & regulations
FDE Requirements • Protect all data on the HDD • Integrate into the existing IT environment (e.g., tokens) • Easy roll-out across the enterprise • Emergency procedures: forgotten passwords, lost tokens • Transparent encryption, minimal end-user training • Easy central management • Logging, reporting and audit
Existing and Emerging FDE Solutions • S/W based: early 1990s, e.g. Utimaco / SafeGuard • O/S based: November 2006, e.g. Microsoft BitLocker™ Drive Encryption • Self-encrypting HDDs: 2006, e.g. Seagate Momentus 5400 FDE.2 • PC board chipset-based: not yet released
Software-based FDE • Full / partial HDD encryption, independent of the file system • Multi-user support • Mature (millions of seats worldwide) • Enterprise-class manageability, data/password recovery • Wide platform support (OS, h/w) • Additional s/w solution required on the PC • Encryption key is held in host RAM while the system is unlocked
OS-based FDE – BitLocker • Fully encrypts the Windows OS volume on the HDD • Verifies integrity of early boot components and configuration data (TPM measurements) • Bundled in Windows Vista™ Enterprise & Ultimate • H/w & s/w upgrade (TPM 1.2, compatible BIOS) needed for wide rollout • Limited central management and password-reset capabilities
Self-Encrypting HDDs – e.g., Seagate, Hitachi • Data encrypted by the HDD controller • Encryption key stored in the HDD chip and never exposed to host RAM • Fast encryption (no host CPU overhead) • Secure: h/w based • On-the-fly drive erasure (discard the key) for fast, thorough sanitisation • Limited key and user management • Requires HDD h/w upgrade for full rollout
PC-Board Chipset-based FDE • Data encrypted by the chipset when written to the HDD • Fast encryption • Secure: h/w based, key not held in host RAM • Limited key and user management • Requires major h/w upgrade for full rollout
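The slides on FDE requirements (emergency procedures for forgotten passwords, multi-user support) and on self-encrypting drives (on-the-fly erasure) all rest on one key hierarchy: a single data-encryption key (DEK) that is generated once and stored only in wrapped form, one copy per credential. The example below is added here to show that hierarchy in working code; it is not Utimaco's, Seagate's or Microsoft's code. The ciphers are stand-ins (an HMAC-SHA256 counter-mode keystream with an HMAC tag instead of AES-XTS for sectors and AES key wrap for the DEK), the PBKDF2 round count, the slot names and the sample sector are assumptions chosen for the example.

```python
"""Key hierarchy behind pre-boot-authenticated full disk encryption, in miniature (added example).
Stand-ins: a product encrypts sectors with AES-XTS and wraps the DEK with AES key wrap; here both
use an HMAC-SHA256 counter-mode keystream plus an HMAC tag so the example needs only the stdlib."""
import hashlib, hmac, os, secrets

PBKDF2_ROUNDS = 100_000  # assumed value; a product tunes this to the pre-boot CPU budget


def _keystream(key, nonce, n):
    """Expand key and nonce into n bytes: HMAC-SHA256 over a 32-bit counter."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def kek_from_password(password, salt):
    """Key-encryption key derived from the pre-boot password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class EncryptedDisk:
    """The DEK is generated once and lives on disk only wrapped, one copy per credential slot."""

    def __init__(self):
        self.slots = {}    # slot name -> (salt, wrapped DEK); salt is None for raw-key slots
        self.sectors = {}  # LBA -> sealed sector

    def add_user(self, dek, name, password):
        """Multi-user support and password reset: (re)wrap the same DEK, no sector is re-encrypted."""
        salt = os.urandom(16)
        self.slots[name] = (salt, seal(kek_from_password(password, salt), dek))

    def add_recovery_key(self, dek):
        """Escrow slot for the help desk or central management: a random 256-bit KEK."""
        rk = secrets.token_bytes(32)
        self.slots["recovery"] = (None, seal(rk, dek))
        return rk

    def unlock(self, name, credential):
        """Pre-boot authentication: the DEK, or None on a wrong credential."""
        if name not in self.slots:
            return None
        salt, wrapped = self.slots[name]
        return unseal(credential if salt is None else kek_from_password(credential, salt), wrapped)

    def write(self, dek, lba, data):
        self.sectors[lba] = seal(dek, data)

    def read(self, dek, lba):
        return unseal(dek, self.sectors[lba])

    def crypto_erase(self):
        """Instant drive erase: discard every wrapped DEK; the ciphertext stays but is unrecoverable."""
        self.slots.clear()


def demo():
    """Runs the operations the slides list and returns the observable results."""
    sector = b"Constructed sample sector: customer PII"  # constructed input
    disk, dek = EncryptedDisk(), secrets.token_bytes(32)
    disk.add_user(dek, "admin", "correct horse battery")
    rk = disk.add_recovery_key(dek)
    disk.add_user(dek, "alice", "alice-pw")
    disk.write(dek, 0, sector)
    r = {"alice_reads": disk.read(disk.unlock("alice", "alice-pw"), 0),
         "wrong_pw": disk.unlock("alice", "guess")}
    # Forgotten password: recover the DEK through the escrow slot, re-wrap it under a new password.
    disk.add_user(disk.unlock("recovery", rk), "alice", "new-pw")
    r["after_reset"] = disk.read(disk.unlock("alice", "new-pw"), 0)
    r["old_pw_after_reset"] = disk.unlock("alice", "alice-pw")
    # A flipped ciphertext byte is rejected instead of decrypting to garbage.
    damaged = bytearray(disk.sectors[0])
    damaged[20] ^= 1
    disk.sectors[1] = bytes(damaged)
    r["tampered"] = disk.read(dek, 1)
    disk.crypto_erase()
    r["after_erase"] = disk.unlock("admin", "correct horse battery")
    r["ciphertext_survives"] = 0 in disk.sectors
    return r
```

Two things the miniature simplifies. Real sector encryption (AES-XTS) uses the logical block address as a tweak and adds no per-sector nonce or tag, so the ciphertext is the same size as the plaintext but is also unauthenticated; the tag here is a convenience. And the difference between the software and hardware variants on the slides lies in where `unlock` delivers the DEK: a software product returns it to host RAM for the whole session, while a self-encrypting drive or chipset keeps it inside the controller and only ever exposes the locked/unlocked state.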
Sample Enterprise Scenario: 500 PCs. Achieving full data encryption in mixed environments • Desktops and laptops with 3 OS versions • Win 2000 (on desktop PCs) • Win Vista Business (for all laptop users) • Win Vista Ultimate (mgmt laptops) • Differing PC h/w configs. • 4 types of HDDs (incl. Seagate, Hitachi, Samsung) • 7 chipset types (incl. Intel, AMD) • Implication: OS-based FDE covers only the Vista Ultimate laptops; self-encrypting HDDs cover only the machines already fitted with them
Challenges with Emerging Solutions • Emergency procedures: password recovery, lost tokens • Integration w/ the existing IT environment: AD, PKI, tokens • Central administration & key management, using existing definitions (e.g. users, keys, roles) and separation of duties • Limited logs and reports for audits • Securing data stored on other media: encryption of removable media (incl. USB sticks, CD/DVD), files stored on servers, emails
Encryption Solutions Survey: Enterprise-class Management is Required (Source: Ponemon Institute 2007 Annual Study: U.S. Enterprises Encryption Trends)
Data Loss/Theft From a Porous Infrastructure [diagram] • Data at risk: personal, medical, financial, intellectual property, non-public data • Components shown: file share, partners/customers, central management server, email gateway, remote users, local users, removable media, email encryption, security admins, Internet, data thieves
Thank you. Q & A Rob MacIntosh robert.macintosh@utimaco.com 480-726-0020