Embed Size (px)
Citation preview
Data Protection Policy Compliance usingNotebook Hard Disk Drive Encryption
Encryption: one element of Smart Security
Security Involves Several Focus Areas
Why Data Encryption? Breaches Can Be Costly! When a breach occurs, organizations can lose money.
– They may be required to publicly disclose the breach, significantly damaging an organization’s public image.
– They are generally required to notify persons whose information was exposed - involving communication costs & perhaps financial compensation.
– They may experience lost productivity costs when staff is repurposed to address a breach.
– They may face fines from the FTC or business partners.
Many industries are now subject to governmental regulation and/or industry security compliance guidelines
Costs of a Security Breach
Direct Costs– Notification Costs - organizations can incur costs associated with legal fees, mail
notification letters, calls to individual customers, increased call center costs and discounted product offers
– Lost Productivity Costs - organizations can incur costs when employees and contractors are diverted from their normal duties in order to address data breach controls
Fines– Certain federal privacy statutes include fines for violations that can amount to tens of
thousands of dollars3
– In 2006, Visa and MasterCard announced levying of fines from $10K-100K against transaction processors that fail to keep transactions secure4,5
– In 2006, the FTC issued $15 million in fines when an Atlanta-based consumer data broker lost more than 163,000 personal records to insurance and credit companies in February 20056
Lost Shareholder Value and Goodwill– Stock prices can take temporary or long term drops – eg, an Atlanta-based data broker
had lost about 20% of its stock value 2 years after losing 163,000 personal records7
2007 Estimated Cost/Lost Record Forrester Research: $90-$3051
Ponemon Institute: $1972
Footnoted references are recorded at the end of this presentation.
Who can be Affected? Virtually Everyone!
Any organization can be at risk if, for instance, they lose employee records
Retailers & Merchants
• In October 2007, a national home supply retailer announced that a laptop with the personal data of about 10,000 employees was stolen from the car of a regional manager
• In January 2007, a major national clothing retailer revealed that hackers took the credit and debit card information of customers through an unauthorized intrusion into their computer systems
• In June 2005, a regional membership warehouse retail chain on the east coast settled FTC charges stemming from lax security practices which included a failure to encrypt consumer information when it was transmitted or stored on store computers
Healthcare & Insurance
• In March 2007, one of the nation’s largest health insurers notified 75,000 members that a compact disk holding medical and personal information had disappeared
• In August 2006, a corporate operator of hospitals and health systems reported 10 laptops with thousands of patient files had been stolen from a regional office
Government Agencies
• In November 2007, a federal agency investigated the theft of personal computers containing the names of 12,000 veterans; in 2006, a system containing the personal details of 26.5 million veterans was stolen from the same agency
• In October 2007, a federal agency mandated that contractors must encrypt any and all data on personal computers following the loss and possible theft of two laptop computers
Educational Institutions
• In April 2006, a major state university announced that an unknown person or persons had gained unauthorized access to a large number of electronic records that included social security numbers and other biographical data
Banking & Brokerage
• In October 2007, a Kansas branch of a regional bank in the Midwest announced that a limited number of customers had personal data compromised in an attempted hacking of a computer system
Credit & Payment Agencies
• In February 2006, the FTC announced that it had settled with a third-party credit card processor for failure to provide reasonable and appropriate security for sensitive consumer information
Accounting • In November 2007, an Ohio-based accounting firm lost personal information on clients when a laptop was stolen from an automobile
What can organizations do?
Strong data encryption can protect private information from unauthorized access
Data encryption can help address federal and state privacy requirements*
– At least 39 states have enacted legislation requiring the notification of security breaches involving personal information**
– Many federal laws that have been enacted also seek to ensure protection of private information
Encryption can be hardware-based or software- based
– Hardware-based: Seagate® Momentus® Full-Disk Encryption (FDE) drives
– Software based: Software encryption solutions exist from a variety of third-party independent software vendors
*Rigorous standards apply and can vary by state - check with a local legal expert for a complete set of requirements for your state**According to the National Conference of State Legislatures, December 12, 2007
Hardware vs. Software Encryption
Dell FDE Hardware Solution
(FDE + Wave)
Software Encryption
Items encrypted • Everything (boot files, all folders, etc)
• Encryption keys stored within the drive (closed environment = tougher encryption)
• Some SW solutions omit boot files and possibly temp files
Performance • Encrypts as fast as the drive can write
• Doesn’t utilize system CPU/memory
• Uses system CPU power (estimated 3-4% performance degradation)
Manageability • Simple installation & deployment
• Centralized management with purchase of Wave ERAS software
• May experience issues with HDD errors and maintenance routines (i.e. defrag, bad sectors)
• Risk that remote mgmt SW may not work well with some SW encryption solutions
HDD Disposal • Quick and secure “Erase” for HDD disposal or repurpose
• Not available with most SW; would have to utilize current HDD destroy methods (time consuming)
OS Support • Microsoft® Windows® XP support thru Dell
• Windows Vista® supported by Wave Systems Corporation
• Many solutions support Windows 2000, XP, and Vista®; some support Linux®
Compliance Certifications
• FDE drive is NOT currently FIPS 140-2 compliant (primarily a Fed certification)
• Many solutions have been NIST Certified FIPS 140-2 Compliant
Encryption Options • Fully encrypts data stored on the hard drive • Full disk encryption on the hard drive
• Optional encryption for removable media (i.e. USB keys, external HDDs, etc)
Deployment • Full deployment requires full scale replacement of existing HDDs
• HW agnostic; allows full deployment across existing PC infrastructure. Does NOT require full scale replacement of HDDs
Dell recommends hardware encryption for new system purchases.
Dell FDE Hard Drive Solution
Solution Components1. Select Dell™ Latitude™ D-
series notebooks*, with
• Seagate Momentus 5400 FDE.2 hard drive
• Dell Embassy Security Center with Wave Trusted Drive manager
2. Wave Embassy Remote Administration Server Software (running on your Dell server)
3. Implementation of Dell’s Security Best Practices
http://www.dell.com/security/bestpractices/
Seagate®
DriveTrust™
Technology
Embassy®
Trusted DriveManager
Embassy®
RemoteAdministrationServer
* Seagate Momentus hard drives and Dell Embassy Security Center are also available on select Precision mobile workstations
Implementation of Dell’s Security Best Practices
Dell FDE Hard Drive Solution
Key Components• Seagate Momentus FDE hard drive• Factory-installed Dell Security Center with Trusted Drive Manager
Single-user SolutionThis offering allows individual users to configure and control their personal access to encrypted data on their hard drive. The offering provides the following features• Authenticate user in BIOS• Simple Sign On capability• Single-user passwords management• Manual backup and restore for keys
Embassy Remote
Administration Server (ERAS)
Managed Enterprise SolutionUsing the ERAS software, IT departments can remotely manage clients with FDE hard drives, providing documentation on the state of a drive when a system has been lost or stolen. With ERAS server software, you can…• Enable remote deployment & management of FDE hard drives• Take ownership of TPMs• Enable identity & authorization provisioning from Active Directory
Dell Embassy Security Center
Factory-installed software
Single-user Solution
* Note: Additional Wave security solutions detailed in backup slides
Client Encryption Evaluation Program
Program Client Full-Disk Encryption Evaluation Program
Program Scope 14-day technology evaluation program
Two systems:
- “Client” system with Dell Embassy Security Center
- “Server” system with Embassy Remote Administration Server
Key Features Step-by-step Reviewer’s Guide, showing how…
- To initialize and enable drives
- To add/remove users
- To remotely manage credentials
- The FDE drive is protected from a hacker
- To decommission or re-commission a drive using “Erase” function
“Client” System withDell Embassy Security Center
“Server” System withEmbassy Remote Administration Server
Reviewer’sGuide
Cross-overNetwork cable
Backup Materials
References
1. “Calculating the Cost of a Security Breach" Khalid Kark, Forrester Research, April 10, 2007.
2. "2007 Annual Study: U.S. Cost of a Data Breach," The Ponemon Institute.
3. Health Insurance Portability and Accountability Act of 1996 - Public Law 104-191, 104th U. S. Congress, August 21, 1996
4. “Visa and MasterCard take new steps to stop credit card fraud,” Jeremy Simon, Creditcards.com Article, November 27, 2006 (http://www.creditcards.com/visa-and-mastercard-take-new-steps-to-stop-credit-card-fraud.php)
5. “Visa USA Pledges $20 Million in Incentives to Protect Cardholder Data”, Visa Corporate Press Release, December 12, 2006 (http://corporate.visa.com/md/nr/press667.jsp)
6. ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress, Federal Trade Commission Press Release, January 26, 2006
7. “The Hidden Cost of IT Security,” Network Security Journal, Cindy Waxer, April 16, 2006 http://www.networksecurityjournal.com/features/hidden-cost-of-IT-security-041607/
