2009 PGP Corporation Approved for redistribution by The Ponemon Institute. All rights reserved. No part of this document may be reproduced, stored in

Transcription

1

2 2009 PGP Corporation Approved for redistribution by The Ponemon Institute. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form by any means without the prior written approval of PGP Corporation. The information described in this document may be protected by one or more U.S. patents, foreign patents, or pending applications. PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners. The information in this document is provided as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes to this document may be made at any time without notice.

3 Table of Contents EXECUTIVE SUMMARY... 2 KEY FINDINGS... 3 CONCLUSION... 5 INTRODUCTION... 6 STUDY OVERVIEW & METHODOLOGY... 7 KEY REPORT FINDINGS... 9 REPORT CONCLUSIONS ABOUT THE PONEMON INSTITUTE ABOUT PGP CORPORATION APPENDIX DEFINITION OF AN ENCRYPTION PLATFORM APPROACH PGP SOLUTIONS SECURITY EFFECTIVENESS SCORE

4 Executive Summary Since last year s US Encryption Trends 2008 Study, the economy has become front page news. IT budgets and spending are strained yet the protection of intellectual property and customer data remains paramount. President Obama just released in May the intended blueprint of what is required to get a handle on cyber security. This Review affirmed that cyber security will touch military and civilian organizations within the government, large and small private sector companies, and is an important part of the United States path to economic recovery and continued technology innovation leadership around the globe. Today, there are two competing data breach bills before the U.S. Congress proposing federal breach notification laws while the number of states with breach notification laws is currently at 44 and growing. 1 Trying to stay in business, protect against attacks or breaches and meet these, and subsequent, regulations will be tough for small and large organizations in this economy on average a company will pay $202 per record compromised and, in total, an average of $6.6 million should they experience a data breach. 2 Companies know they can t afford the real consequences of a data breach: the loss of customers, the difficulty in acquiring new ones, irreparable brand damage and industry fines. They are continuing to look to encryption solutions to protect their valuable data, intellectual property and integrity. For the fourth year, research by the Ponemon Institute, sponsored by PGP Corporation, focuses on identifying trends in encryption use, planning strategies, budgeting, and deployment methodologies in enterprise IT. 997 U.S.-based IT and business managers, analysts, and executives participated in this annual survey for Twenty five percent of respondents were at the director level or higher. With the rising occurrence and costs of a data breach an accepted business reality today, the need for encryption is more apparent than ever. This year s Study sought to answer questions about the use of and strategy for enterprise encryption: Why are enterprises using encryption? What encryption applications are in use? How are organizations planning for encryption? Can the adoption of an encryption strategy reduce the risk of a data breach? How are organizations budgeting for encryption? How much are organizations spending on key management? What type of encryption approach do they prefer? Are leading IT organizations adopting a strategic approach to encryption, as might be expected? To understand how organizations are performing, The Ponemon Institute continues to track the index of an organization s IT security effectiveness known as the Security Effectiveness Score (SES). The SES is based on respondents self-evaluation of their IT organization across 24 attributes and is used throughout the study to answer questions, make comparisons, and identify trends. 1 National Conference of State Legislatures, 2 The Ponemon Institute, 2008 Annual Study: Cost of a Data Breach, February

5 Key Findings NEW - Data protection is an important part of an organization s risk management efforts: For the first time, we asked how data protection relates to an organization s risk management efforts. Fifty-eight percent report that is a very important part of risk management and 22 percent say it is an important part. Twelve percent remain unsure. The most important priorities for their organization s enterprise data protection program are protecting sensitive or confidential data at rest (storage) and detecting data at risk. These were also the two most important priorities in NEW - Encryption of data on mobile data-bearing devices used by employees is very important or important: More than 59 percent of respondents say it is very important or important to encrypt employees mobile devices - a sign that organizations recognize that valuable data is more mobile than ever. More than 70 percent have fully executed or just launched data encryption strategy in their organization: To determine the maturity of an organization s IT security and data protection program, we asked respondents what activities they have fully executed, just launched or are in the process of developing. Once again data encryption strategies are being implemented across a majority of the respondent participants. The majority of organizations, 78 percent, have some type of encryption strategy, up from 74 percent in 2008 and from 66 percent in The percentage of organizations without some form of encryption strategy declined from 34 percent in 2007, to 26 percent in 2008 to the 2009 low of 22 percent. Plans range from company-wide policies that are consistently applied throughout the organization to plans that cover only specific areas of the company s data. Data Breaches continue to be a huge problem: Eight-five percent of organizations surveyed had had at least 1 data breach in the last 12 months, demonstrating that there is no let up in breaches as this is consistent with 84 percent sited in the 2008 report. Companies suffering more than 5 data breaches rose to 22 percent in 2009 up from 13 percent in Just over three quarters (76 percent) suffered two or more data breaches in the past year. Of these 20 percent were never publically announced; there was no legal or regulatory requirement to disclose these incidents. A strategic approach to encryption reduces the occurrence of a data breach: For the second year in a row, organizations with no encryption strategy accounted for all the organizations that suffered five or more data breaches (13 percent). This proves once again that the implementation of an enterprisewide encryption strategy does reduce the risk of a data breach. The use of encryption in organizations has stayed fairly consistent over the past two years. File server encryption, followed by database encryption and full disk encryption, are the most in use in both the 2009 and 2008 studies. Full disk encryption use saw a sizable increase from 49 percent to 54 percent in 2009 as it did from 2007 when it was in use 44 percent of the time. Least used in 2009 are VOIP, mainframe and tape encryption. Most organizations have some type of strategy for using encryption across the enterprise. In 2009 and 2008, more than one-third of respondents (36% and 34%, respectively) reported that their organizations have an overall encryption plan or strategy that is adjusted to fit different applications and data types. Only 25 percent in 2009 and 21 percent in 2008 said that they have an overall encryption plan or strategy that is applied consistently across the entire enterprise. On a positive note, the 3

6 percentage of respondents who reported that they don t have an encryption plan or strategy declined from 26% percent in 2008 to 22 percent in Encryption is mostly used to mitigate data breaches and comply with privacy and data protection regulations. However, the percentage of respondents who report that encryption is important to preserving brand and reputation has increased. While it is still the most important reason to use encryption, the percentage of respondents reporting that they use encryption to mitigate a data breach has declined from 2008 when 71 percent said it was a top reason to 67 percent in Those using it to comply with regulations increased from 58 percent in 2008 to 64 percent in Those citing brand or reputation protection for encryption use increased from 37 percent in 2008 to 45 percent in Despite this increase, 40 percent of respondents are unsure if the use of encryption increases customers trust and confidence in their organization s privacy or data security commitments. Those who selected regulations as one of the top reasons in both 2008 and 2009 note that state privacy laws (such as those in California, Massachusetts and others), PCI requirements, and Sarbanes-Oxley as the biggest regulatory catalysts for encryption. The percentage of organizations using the platform approach to managing encryption solutions has increased. Additionally, 76 percent would strongly recommend or recommend the platformbased approach if it reduced the cost of acquiring, deploying and managing encryption applications. The use of the platform approach has increased from 17 percent in 2008 to 25 percent in 2009, almost double the 13 percent in 2007 who said they were using a platform. An overwhelming 87 percent of respondents who use the platform approach say that it increases the effectiveness and efficiency of their IT security program. Eighty percent of those who currently do not use the platform approach would consider using it to manage their company s encryption solution across the enterprise. The primary benefits of the platform approach to managing encryption across the enterprise include reducing operational costs, eliminating redundant administrator tasks and allowing additional encryption applications to be added as needed. 4

7 Conclusion As we have seen in the companion Ponemon Institute Cost of a Data Breach Report data loss is costly, damages a brand and causes customer churn. To combat the effects of a possible data breach, overall encryption adoption is on the rise - for file servers, laptops and now mobile devices such as PDAs. But a single application approach is not nearly as popular, and IT leaders continue to turn to the use of a more strategic platform approach to manage their encryption applications with the platform approach doubling in use since The need for consistent key and policy management as well as the need to comply with privacy and PCI regulations are influencing the use of an encryption platform. In an economy that has companies doing everything they can to retain customers and brand reputation, and where federal, state and local governments are looking at ways to ensure sensitive citizen data is properly protected, encryption applications managed via a platform continues to be a best practice approach to an overall data protection strategy in

8 Introduction Data is everywhere and no longer confined to the relative safety of the enterprise network it is on laptops, smartphones and blackberries as well as exchanged freely on thumb drives, CDs and DVDs. The need to secure data extends outside of the traditional network. Business is becoming more mobile, more closely integrated with business partners, and more dependent on business process outsourcing. In the current economic climate, organizations are looking to reduce their operational costs and improve their IT efficiencies. Often this has resulted in the increased use of outsourcers and also different application delivery models, particularly Software-as-a-Service (SaaS) or Cloud computing applications. These external providers change the data landscape even more dramatically and force IT organizations to take a data-centric approach to information security. The Cloud Security Alliance (CSA) has highlighted these significant risks in its recent security guidance report, which identifies encryption and key management as areas for concern. 3 And while the landscape is changing, data breaches and their costs are increasing. We are seeing settlements in some of the more public data breaches of the last few years reaching into the 100s of millions of dollars. The reality of breaches and their consequences include: damage to brand equity, to customer relationships, to supply chain partners, to not meeting government regulations, not to mention the loss of intellectual property and competitive positions in the market. For the fourth year, The Ponemon Institute examined the costs incurred by companies after experiencing a data breach. The research showed that the average total cost including notification costs, loss of customers, and increased difficulty in acquiring new customers was $6.6 million per breach. 4 The hundreds of data breach incidents reported during the past few years 5 have increased awareness of these security risks, prompting organizations to act. To address these changes and meet data where it is, IT security is shifting to build data security and encryption in protecting data wherever it goes. This approach to enterprise data protection requires a platform approach to secure data from the server to the application to the endpoint and beyond. As the strategic use of encryption grows both within and outside of the enterprise, then the approach chosen to roll out becomes more crucial. The choice is between the silo approach, with companies deploying and managing separate encryption products for each application or device to protect, or the platform approach, where organizations look to establish a central infrastructure for the creation, distribution, control and management of multiple encryption applications and the keys associated with them. This latter approach potentially allows companies to scale their security to meet the new threats, while still ensuring they meet the necessary audit requirements, policy and regulation mandates. Given this, the questions remain: where do IT organizations stand with their encryption implementations, how are they budgeting for encryption, do they see a need for a platform approach, and what are their plans for enterprise key management? The Privacy Rights Clearinghouse, 6

9 Study Overview & Methodology The purpose of this study by The Ponemon Institute is to identify trends in encryption planning, deployment preferences, and spending among U.S. IT organizations. The study surveyed 997 U.S.-based IT and business managers, analysts, and executives employed in corporate IT departments. The questions focused on how they plan and manage encryption at their companies, whether or not they feel their organizations security efforts are effective, and their interest in new deployment frameworks and methodologies. The randomly selected sample was built from lists of information security professionals. In total, 14,893 subjects were invited to participate in the survey, resulting in 997 usable responses. Only surveys that passed reliability tests were used in the final sample. This final sample represents a 6.7 percent net response rate. Data was captured through a secure extranet site, and The Ponemon Institute paid respondents nominal compensation for their time. The margin of error on all adjective or ordinal responses is 3 percent for all completed items. Following are demographics and organizational characteristics for respondents. Table 1 provides the selfreported organizational level of respondents. Position Percentage Senior Executive 1% Vice President 3% Director 20% Manager 36% Associate/Staff 37% Other 3% Table 1: Study participants by position On average, respondents have 11 years of experience in the information security field, and 5 years experience in their current position. In total, 69 percent of respondents are male and 31 percent are female. Although results are skewed on the gender variable (more male than female respondents), this situation is consistent with known demographics about the information security industry within the United States. 7

10 Table 2 reports the distribution of respondents by major industry classification. Industry (Top 10) Percentage 1. Financial Services 21% 2. Healthcare & Pharma 13% 3. Government 12% 4. Technology & Software 11% 5. Manufacturing 9% 6. Communication Services 8% 7. Hospitality & Leisure 6% 8. Consumer Products & Retail 6% 9. Transportation 5% 10. Education 4% Table 2: Top 10 respondent industry classifications 8

11 Key Report Findings Strategic encryption planning gains ground. Once again, proactive approaches to data encryption strategies are being implemented across a majority of the respondent participants. The majority of organizations, 78 percent have some type of encryption strategy, up from 74 percent in 2008 and from 66 percent in 2007 as the percentage of organizations without some form of encryption strategy declined from 34 to 26 percent to the 2009 low of 22 percent. Plans range from company-wide policies that are consistently applied throughout the organization to plans that cover only specific areas of the company s data. Figure 1 shows that 25 percent of organizations now plan and implement an encryption strategy across the enterprise, up slightly from 21 percent in 2008 and up from 16 percent in Figure 1: Encryption strategy and implementation 9

12 Leading IT organizations plan strategically for encryption. For the third year, further analysis shows that the organizations with the most effective security programs (highest SES) have taken a strategic approach to encryption. For 2009, organizations that are implementing an enterprise-wide encryption strategy increased the overall effectiveness of their IT security programs. These organizations are at the forefront of leading the IT security industry. As Figure 2 illustrates, companies with ineffective security programs continue to not plan strategically for encryption. Security Effectiveness Scores (SESs) reflect the confidence levels of IT security practitioners with respect to their organization s overall security and internal controls. Scores are based on the average of individual responses made to 24 attributes considered critical to the success of IT security. (The list of these attributes can be found in the Appendix, beginning on page 14.) The highest-possible SES for a respondent s organization is +2 and the lowest is -2. For 2009 the average SES increased to up from the 2008 the average SES of and from in Overall, respondents feel their IT security programs improved since Figure 2: IT leaders (high SESs) plan more strategically for encryptionµ use 10

13 Mitigating data breaches and complying with privacy and data protection regulations: Figure 3 details the reasons why companies encrypt data. Encryption is mostly used to mitigate data breaches and comply with privacy and data protection regulations. Additionally, the percentage of respondents who report that encryption is important to preserving brand and reputation has increased. While it is still the most important reason to use encryption, the percentage of respondents reporting that they use encryption to mitigate a data breach has declined from 2008 when 71 percent said it was a top reason to 67 percent in Complying with regulations increased from 58 percent in 2008 to 64 percent in 2009 and protecting brand or reputation increased from 37 percent in 2008 to 45 percent in Despite this increase, 40 percent of respondents are unsure if the use of encryption increases customers trust and confidence in their organization s privacy or data security commitments. Those who selected regulations as one of the top reasons in both 2008 and 2009 point to state privacy laws (such as those in California, Massachusetts and others), PCI requirements, and Sarbanes-Oxley as the biggest regulatory catalysts for encryption Figure 3: Top reasons why organizations encrypt sensitive/confidential data 11

14 Data Breaches continue to be a huge problem: Eight-five percent of organizations surveyed had had at least 1 data breach in the last 12 months, demonstrating that there is no let up in breaches as this is consistent with 84 percent in the 2008 report. Companies suffering more than 5 data breaches rose to 22 percent in 2009 up from 13 percent in Just over three quarters (76 percent) suffered two or more data breaches in the past year. Of these 20 percent were never publically announced; there was no legal or regulatory requirement to disclose these incidents. Figure 4: Number of data breaches over the last 12 months Respondents reporting the number of breaches that occurred in their organizations 12

15 A strategic approach to encryption reduces the occurrence of a data breach: As we see in Figure 5, for the second year in a row, organizations with no encryption strategy accounted for all the organizations that suffered 5 or more data breaches (22 percent). Proving once again that the implementation of an enterprise-wide encryption strategy does reduce the risk of a data breach Figure 5: Comparison of encryption strategy approaches and data breaches over the last 12 months Ratio of enterprise-wide encryption strategy to other approaches is highest for no data breaches 13

16 Organizations recognize importance on data loss: Table 3 shows that security professionals acknowledge the risk posed by malicious employee attacks to the organization, with 97 percent of respondents rating this as either severe or very severe, other data security threats that rated highly included cyber security attacks (95 percent), loss or theft of confidential information and economic espionage (94 percent) and the ongoing problem of social engineering and emerging insecure cloud computing (88 percent). Very Severe Severe Not Severe Loss or theft or confidential or sensitive information 51% 43% 6% Economic espionage 71% 23% 6% Social engineering 33% 55% 12% Malicious employee attacks 64% 33% 3% Cyber security attacks 61% 34% 5% Surreptitious download of malware, virus, worm or Trojan that penetrates your company s network or enterprise system 21% 29% 50% Use of insecure cloud computing applications or platforms 53% 25% 23% Virtualization opens access to unauthorized parties 62% 11% 27% Insecure mobile devices connect to y our company s network or enterprise system 56% 26% 18% Average 52% 31% 17% Table 3: Relative severity of data security threats 14

17 Encryption applications companies are using most. Figure 6 shows the percentage of respondents reporting consistent encryption use in various application categories. All areas increased from 2008 to 2009, with tape backup and mobile data encryption experiencing the greatest percentage increase from 2008 to The increasing use of encryption can put a strain on IT organizations that have taken a silo approach. As they add encryption applications to address, they must undertake more repetitive tasks, shoulder higher operational costs, and support a more complicated encryption strategy. New endpoints such as smartphones are quickly emerging as areas that are also in need of encryption. While 26 percent indicating they encrypt a smartphone or PDA most of the time, 51percent said they never do. Figure 6: Enterprise encryption use by application type Respondents reporting encryption application used most of the time 15

18 Organizations recognize importance of mobile devices: The increased mobility of the workforce has resulted in the spread of smartphones, enabling mobile access to applications such as , CRM, ERP and other core business functions. The security implications of this can be seen in Figure 7, where more than half the respondents (59 percent), considered the data residing on these devices to be either important or very important, a sign that organizations recognize that valuable data that is more mobile than ever. Figure 7: Importance of data on mobile-bearing device 16

19 Key management initiatives strongly funded in As organizations continue to roll out encryption across the enterprise, the importance of managing keys grows. Key management, including the active management of encryption key lifecycle, policy, and reporting, enables user account provisioning, encryption application operation, corporate access to encrypted data, and ongoing reporting for compliance. Although the relative total budget amount remains similar (76 percent in 2009 versus 75 percent in 2008), there is growth in organizations investing strategically in key management solutions. Figure 8 shows that the largest segment plans to spend between 21 to 40 percent of their encryption budgets on key management. Figure 8: Percentage of 2009 encryption budget earmarked for key management 17

20 While key management solutions are an expense, for the second year in a row, and in the face of tough budget discussions 45 percent of organizations expect their key management investments to reduce the overall operational costs of enterprise data protection. Figure 9 shows that only 6 percent of organizations expect key management to increase the operational costs of enterprise data protection. Figure 9: Impact of key management on overall costs of enterprise data protection 18

21 Single enterprise vendor for key management preferred. Products for key management are available that manage only a single encryption key type (e.g. disk encryption or tape backup) or manage different type of encryption keys for different applications (this approach is commonly referred to as an encryption platform approach). In this survey, 57 percent of organizations expect to deploy a single enterprise-wide key management solution or deploy a single vendor s key management solution for different purposes in 2009 (see Table 4). Fewer organizations are seeking a tactical key management product for just one encryption application - 10 percent in 2009 vs. 13 percent in Benefit Total % FY 2009 FY 2008 Single enterprise-wide solution 12% 11% Single vendor solution for different purposes 45% 47% More than one product from different vendors 33% 30% One point key management application 10% 13% Table 4: Enterprise preference for key management purchases in 2009 Platform approach to managing encryption solutions has increased Survey respondents were asked to study a definition of an encryption platform, provided in the Appendix on page 25, which speaks to the ability to centrally manage and deploy multiple encryption applications with consistent policy enforcement instead of making inconsistent usage and policy decisions for separate encryption applications. After reading this definition, respondents rated the importance of the following six significant characteristics of the encryption platform approach: 1. Encryption policy enforcement is automated across all applications 2. Key encryption management activities are automated 3. Encryption tools integrate with third-party applications 4. Encryption program is administered through one interface for all applications 5. Administrators install management interface only once, adding other encryption applications, as needed 6. Encryption keys are managed 19

22 Figure 10 shows respondents feedback. The bars represent the percentage of respondents that found the features important or very important. The significance of key and policy management enforcement across applications and devices can be seen here, with response rates of 65 and 59 percent respectively. Figure 10 shows respondents feedback for 2009 against 2008 and The bars represent the percentage of respondents that found the features important or very important. For example, 76 percent of respondents felt that having encryption policy enforcement automated across all applications was either important or very important. The high percentages attributed to all five features are compelling evidence that a platform approach meets the key needs of an enterprise IT organization. Figure 10: Respondents rate interest in encryption platform attributes Respondents reporting encryption platform features as important or very important 20

23 Respondents see reduced operational costs and elimination of redundancies in platform approach. Figure 11 shows what respondents perceive to be the primary benefits of a platform approach to managing encryption across the enterprise include reducing operational costs, eliminating redundant administrator tasks and allowing additional encryption applications to be added as needed. These were cited in the 2008 study as being the leading benefits as well. Figure 11: Primary benefits of an encryption platform approach 21

24 Report Conclusions The 2009 Encryption Trends survey demonstrates that there is still a need to safeguard employee and customer data, and organizations are continuing to adopt encryption as part of their overall data protection strategy. The continual increase in data breach incidents, combined with the growing aggressiveness of federal, state and global regulators, suggest that this trend will continue. To address the need to combat data breaches, leading IT organizations have already started taking a strategic approach to their data security. Data protection that addresses , PCs/laptops, file servers, and now, the even more ubiquitous smartphone devices, will lead other organizations to adopt a strategic platform management approach. As the study results show, as organizations continue to increase the level of strategic planning for encryption via effective enterprise data protection programs, there will be an impact in the reduction of data breaches. These organizations will not only be able to better defend their data by the strategic platform approach, but will reduce the risk of data breaches and also improve their operational cost efficiencies. 22

25 About the Ponemon Institute The Ponemon Institute is dedicated to advancing ethical information and privacy management practices in business and government. The Institute conducts independent research, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organisations in a variety of industries. Dr. Larry Ponemon is the chairman and founder of the Ponemon Institute. He is also a founding member of the Unisys Security Leadership Institute and an Adjunct Professor of Ethics & Privacy at Carnegie Mellon University s CIO Institute. Dr. Ponemon is a critically acclaimed author, lecturer, spokesman, and pioneer in the development of privacy auditing, privacy risk management, and the ethical information management process. Previously, Dr. Ponemon was the CEO of the Privacy Council and the Global Managing Partner for Compliance Risk Management at PricewaterhouseCoopers (where he founded the privacy practice). Prior to joining PricewaterhouseCoopers, Dr. Ponemon served as the National Director of Business Ethics Services for KPMG and as the Executive Director of the KPMG Business Ethics Institute. Dr. Ponemon holds a Ph.D. from Union College, attended the Doctoral Program in System Sciences at Carnegie-Mellon University, and has a Masters degree from Harvard University as well as a Bachelors degree from the University of Arizona. Contact The Ponemon Institute at or

26 About PGP Corporation PGP Corporation is a global leader in and data encryption software for enterprise data protection. Based on a unified key management and policy infrastructure, the PGP Encryption Platform offers the broadest set of integrated applications for enterprise data security. PGP platform-enabled applications allow organisations to meet current needs and expand as security requirements evolve for , laptops, desktops, instant messaging, PDAs, network storage, file transfers, automated processes, and backups. PGP solutions are used by more than 100,000 enterprises, businesses, and governments worldwide, including 95 percent of the Fortune 100, 75 percent of the Fortune Global 100, 87 percent of the German DAX index, and 51 percent of the U.K. FTSE 100 Index. As a result, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies' brands and reputations. Contact PGP Corporation at or

27 Appendix Definition of an Encryption Platform Approach An encryption platform reduces the complexity of protecting business data by enabling organisations to deploy and manage multiple encryption applications from a single console. A platform-based solution allows organisations to quickly deploy encryption for new applications, as needed. For example, a company can deploy encryption. Then, it might choose to deploy whole disk encryption clients to all laptop users. Subsequently, the platform provides solutions for deploying end-to-end storage encryption for engineering, human resources, finance, legal, and other core functions that use sensitive or confidential information. The entire deployment is managed from a single administration interface using centrally defined encryption policies to automate encryption and add new users and applications, as needed. 25

28 PGP Solutions PGP Corporation has developed the PGP Encryption Platform to protect confidential information from data breaches, regulatory notification requirements, and resulting remediation costs. As part of an enterprise data protection strategy to defend data wherever it goes, this unified platform allows IT organisations a simple, cost-effective way to provide data security to all internal departments and external partners that handle confidential information. The PGP Encryption Platform allows for central management with automatic operation, infrastructure transparency, and removal of laptop/desktop, gateway/server, and mobile/wireless encryption silos. It meets business unit requirements for customer privacy, competitive protection, supply chain integrity, and brand insurance against public breaches without disrupting users. Once deployed, the PGP Encryption Platform is capable of provisioning encryption applications in a combination of gateway and endpoint locations. This deploy-once, enable-over-time approach allows enterprises to address their greatest risks today and grow into a comprehensive security solution. Figure 12: PGP Encryption Platform and solutions Current PGP encryption applications: PGP Whole Disk Encryption: encrypted full disk, files, folders, USB drives, and external backups PGP NetShare: encrypted files and folders stored on network file servers PGP Universal Gateway gateway encryption and digital signatures PGP Desktop desktop encryption, digital signatures, file shred, and IM encryption PGP Endpoint: granular, policy-based control of devices and applications PGP Mobile: comprehensive data encryption for mobile devices PGP Portable: self-contained encryption for removable storage devices or optical media PGP Support Package for BlackBerry : PGP encryption on BlackBerry handheld devices PGP Command Line: encryption for automated processes and file transfers PGP Software Development Kit: encryption for customized, internal applications 26

29 The PGP Encryption platform is an automated, server-based architecture that centrally handles all key management, corporate encryption policy, and network infrastructure interaction. It manages both gateway and client encryption applications, providing an authoritative set of encryption policies that are automatically and consistently enforced for all users. Automatic encryption and decryption means no user training, minimal IT resource impact, and low operational costs. Its proxy-based design installs without disruption to existing network architectures and easily expands to meet future risks to data security. PGP Corporation sets the standard for verifying that no backdoors or secret access exists in its product software. The company is the only commercial security vendor to publish source code for peer review. PGP source code has been downloaded more than 100,000 times. The PGP Encryption Platform was one of only 12 innovations identified by a panel of experts to receive The Wall Street Journal 2007 Innovation Award. PGP Whole Disk Encryption and PGP Desktop are both SC Magazine Best Buy products, winning against competing point solutions in hands-on group tests. 27

30 Security Effectiveness Score The following 24 attributes are used to describe an effective IT security based on responses from survey participants. These attributes comprise an organisation s Security Effectiveness Score (SES). 1. Identify major data breaches involving sensitive or confidential information 2. Determine the root causes of major data breaches involving sensitive or confidential information 3. Know where sensitive or confidential information is physically located 13. Demonstrate the economic value or other tangible benefits of the company's IT security program 14. Ensure minimal downtime or disruptions to systems resulting from security problems 15. Comply with legal requirements and policies (including privacy laws and statutes) 4. Secure sensitive or confidential data at rest 16. Conform with leading self-regulatory requirements such as ISO 17799, PCI, and others 5. Secure sensitive or confidential data in motion 17. Prevent or curtail viruses, worms, Trojans, and spyware infections 6. Secure endpoints to the network 18. Perform timely updates for all major security patches 7. Identify system end users before granting access rights to sensitive or confidential information 8. Protect sensitive or confidential information used by outsourcers (including third parties, affiliates, and business partners) 9. Prevent or curtail major data breaches involving sensitive or confidential information 10. Prevent or curtail hacking attempts to acquire sensitive or confidential information 19. Control all live data used in systems development activities 20. Enforce corporate policies, including the termination of employees or contractors who pose a serious insider threat 21. Attract and retain high-quality IT security personnel 22. Training and awareness program for all system users 11. Prevent or curtail denial-of-service attacks 23. Conduct independent audits of the system 12. Limit physical access to data storage devices containing sensitive or confidential information 24. Consistently manage security program administration 28