1 PGP White Paper June 2007 Enterprise Data Protection Version 1.0
2 PGP White Paper Enterprise Data Protection 2 Table of Contents EXECUTIVE SUMMARY...3 PROTECTING DATA EVERYWHERE IT GOES...4 THE EVOLUTION OF ENTERPRISE DATA PROTECTION...4 EDP STRATEGY: A BUSINESS ENABLER... 4 EDP ARCHITECTURE: SECURING DATA WHEREVER IT GOES... 5 ENCRYPTION: THE CORE OF ENTERPRISE DATA PROTECTION...6 ENTERPRISE ENCRYPTION SOLUTIONS... 6 ENABLING A STRATEGIC APPROACH: PGP SOLUTIONS... 7 INTEGRATED APPLICATIONS... 7 REST SECURED....8
3 PGP White Paper Enterprise Data Protection 3 Executive Summary In today s enterprise, data knows no boundaries. While data is consumed, transferred, and stored, however, it is also susceptible to compromise. The cost of a data breach can reach millions of dollars and permanently damage brand equity as well as customer trust 1. That s why protecting data in the modern enterprise requires a comprehensive approach. Enterprise Data Protection is a new evolutionary layer of technologies that manage data, control data access, detect data at risk, and protect data. With Enterprise Data Protection, security is built in, starting with data creation and following data as it is modified, transferred, stored, and archived. At the core of this approach is the protection of data using encryption, everywhere it goes. This PGP White Paper examines how encryption provides the foundation for an Enterprise Data Protection strategy. Instead of erecting barriers to control data security, encryption enables authorized users to move, share, and store data throughout the enterprise and beyond. This PGP White Paper is intended for IT and business managers responsible for developing strategy and implementing information security projects. 1 The Ponemon Institute, 2006 Annual Study: Cost of a Data Breach, October 2006
4 PGP White Paper Enterprise Data Protection 4 Protecting Data Everywhere it Goes Data is everywhere: Corporate data, partner data, customer data, and employee data seem to increase exponentially every day. Data has spread out of data centers, databases, remote file servers, and extranets to new and even more vulnerable locations such as laptops and removable storage devices. Although ubiquitous data access enables new business models and relationships, it also presents a challenge. Data must be controlled and protected to maintain the privacy of customers, the confidentiality of employees, and the business advantages of intellectual property. Any one piece left unprotected could lead to a significant data security breach, resulting in public embarrassment, customer satisfaction issues, and financial loss. Adequately protecting business data requires an adaptive, built-in method of data security. IT organizations, service providers, and vendors have evolved a new approach known as Enterprise Data Protection (EDP). EDP is an always-on, data-state-independent approach to maintaining data security. Building on data management and access controls, EDP embeds data protection with the actual data and works to identify data at risk. For example, data can now be encrypted at its source, transferred throughout an organization and beyond, and automatically checked when necessary to ensure compliance and privacy. With data security built in, IT is freed from developing new and redundant means of protecting data for each application or risk identified. Both end users and administrators become more productive as data access and security become more seamless and transparent. Most important, EDP also includes built-in validation of policy, improving the possibility of achieving comprehensive audit and regulatory compliance. At the core of this approach is the use of encryption to protect data everywhere it goes. Encryption provides the most fundamental level of data security, substituting cryptographically secured data for unprotected data. By its nature, encryption therefore ensures that whether data is being transferred or stored, data access policies are constantly and consistently enforced. The Evolution of Enterprise Data Protection Today, data is as likely to be transferred via a $20 USB flash drive as a large virtual private network (VPN) concentrator. And when data is distributed across storage devices, laptops, databases, and , it can become vulnerable to inadvertent or malicious compromise. IT organizations are busy adapting to this new reality by actively looking at ways to identify and protect data at risk while controlling access and managing the data lifecycle. EDP Strategy: A Business Enabler The following brief history illustrates why successful organizations increasingly believe an EDP strategy is a critical and essential business enabler. The Early Days: Data Secure in Physical Location Businesses have used some form of data protection since the first days of data processing in the mid-1960s with early mainframe computers. Whether controlling access to tapes, systems, applications, or firewall ports, these tactics formed the prevailing data security practices and built up walls of defense around data. Back when it was stored in perhaps two physical locations and
5 PGP White Paper Enterprise Data Protection 5 processed in one, data was usually available only as a representation: a green screen or daisywheel printout. Physical security rooms, locks, and monitoring provided a fort-like barrier to protect the data. Breaking the Barriers: Data Moves to Multiple Locations As networks and computing power advanced in the early 1990s, businesses leaped to enhance productivity, reduce costs, and enhance the customer experience. Bandwidth limitations, storage constraints, and the lack of standards continued to relegate most data to traditional data centers. To protect these data centers, enterprises erected firewalls and added VPNs to enable access, creating a digital fort to keep out unauthorized users and malicious code. Anywhere, Anytime: Data Lives in Thousands of Locations With the availability of broadband and inexpensive mass storage, data can no longer be controlled through a few pipes and gates. This new environment results in the customer database, current and forecasted financials, or complete patient records becoming immediately available on individual laptops or removable USB flash drives. Along with increased mobility and easier access, however, comes the heightened risk of data theft or loss. Organizations cannot afford to ignore the potential consequences of a data breach significant remediation and legal costs, loss of customers, regulatory penalties, brand damage and hope to remain competitive. EDP Architecture: Securing Data Wherever It Goes The need to manage and control access to data has led to an evolution in data security. Because data is increasingly transferred across multiple systems and networks, organizations must now detect when it is at risk or and secure it automatically using persistent protection that works both inside and outside the enterprise. The easiest way to meet this goal is with a centrally managed solution that controls policy and data access without requiring end users to make enforcement decisions or burdening administrations with complicated and resource-intensive tasks. This comprehensive approach ties security to the data. Built-in data protection separates how data is transferred, stored, and used from the security controls, reducing the risk incurred by human decision-making and increasing usability for end users. EDP comprises four integral technology solutions working together: Protect At the core of EDP is the need to Protect the data itself. Industry experts agree that standards-based encryption enables a data-centric approach to security. 2 Encryption locks down and follows data wherever it goes, making it accessible only to authorized users. For EDP to scale effectively, enterprise encryption must be managed centrally with automated 2 Forrester Research, Inc., Secure The Data, Not Just The Underlying Infrastructure, May 2006
6 PGP White Paper Enterprise Data Protection 6 key and policy management. This approach makes encryption interoperable, transparent to users, and flexible enough to respond as new data security needs emerge and evolve. Detect As data moves in and out of the enterprise and is stored on servers or workstations, data leakage prevention solutions search for data at risk, enabling the Detect layer. They identify risks and then help IT executives evolve their EDP strategies to include remedies that mitigate exposure. These solutions can also enforce policy, such as requiring encryption at the Protect layer. Access Authentication, including hardware tokens/smart cards and identity management, ensures only authorized credentials are allowed, controlling Access to data. Strong authentication plays an important role through to the Protect layer, enabling authorized encryption users to access data. For example: a cryptographic smart card with a private key and encryption provides both access and protection controls. Manage Ensuring business continuity requires that data is available and redundant throughout its lifecycle, from creation to archive. Storage management, backup, and archive solutions provide a layer to Manage data, making efficient use of storage and accessible even in the event of a disaster or system malfunction. Encryption: the Core of Enterprise Data Protection Regardless of the business driver, encryption is becoming widely recognized as the solution to protect data wherever it goes. At the core of EDP, encryption serves to provide the encompassing Protect layer that obscures data from unauthorized access. If encrypted data is somehow lost or stolen, it remains useless. Even if someone violates access controls, encrypted data will still be protected. This level of critical protection is why more than 30 U.S. states provide safe harbor from mandated consumer notification in the event of a data breach involving encrypted data. In countries such as the U.K. where the need for breach mitigation is just emerging, protecting their brand and reputation is the major reason enterprises adopt encryption solutions. 3 Encryption also serves to segment access as needed, helping to maintain separation of duties and roles. This separation means confidential information in s cannot be read by an IT administrator, for example. Enterprise Encryption Solutions Today, the process of protecting data with encryption is automated and operates in the background, transparent to end users. Encryption is enforced by centrally managed policy while corporate access to data is always maintained. Most important, key management is integrated and automated, enabling administrators to focus on user and policy management instead of key maintenance. Point encryption solutions that protect only one type of data or one locale are rapidly being replaced by a platform that scales to provide a range of security options, depending on where data is stored, how it is shared, and who needs access. This approach provides operational and management efficiencies as well as consistent data security that can scale to meet new needs as they emerge and evolve. Examples of today s enterprise encryption solutions include full disk encryption, USB storage policyenforced encryption, network file encryption, and transparent encryption performed at the 3 The Ponemon Institute, 2007 Annual Study: U.S. Enterprise Encryption Trends, February 2007; 2007 Annual Study: U.K. Enterprise Encryption Trends, April 2007
7 PGP White Paper Enterprise Data Protection 7 desktop or gateway. True enterprise encryption removes the barriers of complexity, performance, and cost once associated with encryption. 4 Enabling a Strategic Approach: PGP Solutions Recognizing the critical business need to protect data while controlling costs, PGP Corporation developed the PGP Encryption Platform with encryption applications for enterprises. The PGP Encryption Platform is deployed with the first encryption application, making installation of a separate or additional infrastructure unnecessary. As a result, the PGP Encryption Platform lowers operational costs and accelerates time to deployment of new encryption applications. Most important, the PGP Encryption Platform provides the automated services, centralized management, consistent policy enforcement, and extensible framework needed to develop and deliver a robust EDP strategy. Figure 1: The PGP Encryption Platform and Encryption Applications Integrated Applications PGP Corporation and its partners deliver integrated applications that automatically provide and use the management, policies, provisioning, and other services delivered with the PGP Encryption Platform architecture. Key management, policy enforcement, provisioning, and reporting and logging for the PGP Encryption Platform architecture are provided by PGP Universal Server. As the foundation of the PGP Encryption Platform architecture, PGP Universal Server provides an extensible framework that supports scalable, centralized gateway and desktop encryption management, deployment automation, and policy enforcement across PGP Encryption Platform enabled applications. PGP Corporation develops applications that include and deploy the PGP Encryption Platform when first installed. Subsequent applications then leverage this framework, speeding deployment and preserving administrative resources: 4 Cooper, Lane F., Enterprise Encryption in the Financial Services Sector, InfoTech, 2006
8 PGP White Paper Enterprise Data Protection 8 PGP Whole Disk Encryption Provides comprehensive, nonstop encryption for securing all files on desktops, laptops, and removable media, transparently securing all disk contents, including system and temporary files, and enabling quick, cost-effective protection for sensitive data. PGP NetShare Enables teams to securely share documents on file servers by automatically and transparently encrypting the files for fine-grained group access. PGP Desktop Secures communications from the sender s client to the recipient s and all points in between automatically, using centrally defined, policybased encryption. PGP Universal Gateway Delivers standards-based enterprise encryption and digital signatures without client software. Rest Secured. The Enterprise Data Protection approach now allows IT to execute on business needs without making security a separate project or an afterthought. Instead, security is already built in: protecting, detecting risk, controlling access, and managing data. As part of a comprehensive, strategic EDP solution, PGP encryption can provide the core level of data protection. PGP encryption products build security into the most commonly used applications, protecting data wherever it exists from outbound , to file servers, to removable storage devices such as USB flash drives. PGP Corporation 3460 West Bayshore Road Palo Alto, CA USA Tel: Fax: Sales: Support: support.pgp.com Website: PGP Corporation All rights reserved. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form by any means without the prior written approval of PGP Corporation. The information described in this document may be protected by one or more U.S. patents, foreign patents, or pending applications. PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners. The information in this document is provided as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. All strategic and product statements in this document are subject to change at PGP Corporation's sole discretion, including the right to alter or cancel features, functionality, or release dates. Changes to this document may be made at any time without notice.