Busting the Myth of Encryption Complexity. Companies looking for a simpler, more efficient way to encrypt their sensitive data.

Transcription

1 WHITE PAPER: ENCRYPTION Busting the Myth of Encryption Complexity Who should read this paper Companies looking for a simpler, more efficient way to encrypt their sensitive data.

2

3 WHITE PAPER: ENCRYPTION Busting the Myth of Encryption Complexity Contents Executive Summary The Value of Data Data Loss Hurts Rules and Regulations Policy Led Security Why Don t Companies Use Encryption? The Symantec.cloud Solution More Information

4 Executive Summary Barely a month goes by without a big data protection story in the media. But where is the real threat and what can you do to protect your business? How do you protect data at rest and data in transit? If encryption is so important, why isn t everyone using it? Is there a simpler, more efficient way to encrypt your data? This white paper aims to answer these questions. Every day, around 294 billion s fly around the internet. 1 Around three-quarters are spam, 2 leaving 75 billion legitimate personal and business s. Only a tiny fraction of these are encrypted. The rest are like postcards anyone can read them between sender and recipient. In addition, gives every employee a way to send company secrets instantly to virtually anyone in the world. Data at rest in your organization is equally under threat from espionage, hacktivism, spyware and insider negligence or wrongdoing. The Value of Data According to Dale Zabriskie, Principal Technologist at Symantec, 75 percent of a company s intellectual property can be found in s, presentations and spreadsheets. This information is often stored and ed without regard to its potential value and the risk of public disclosure, and usually without effective encryption. As if losing data to hackers and thieves wasn t embarrassing enough, the fallout from a data breach is highly toxic. Share prices fall, reputations are ruined and organizations suffer. With all these risks, regulations and problems, it seems extraordinary that companies are not encrypting their data and correspondence as a matter of course. Data Loss Hurts Recently, data loss stories have hit the front pages. It s a pressing issue for businesses and governments. Some recent examples underline the dangers: Hacktivism - WikiLeaks release of hundreds of thousands of unencrypted but confidential US government documents should have alerted all CIOs to the threat posed by data leaks. Unfortunately, the message fell on deaf ears. Months later, the Anonymous and LulzSec hacktivist networks got into the computers of strategy consulting firm Booz Allen Hamilton 3 and security consultancy HBGary. 4 Identity theft - When Sony s PlayStation Network was breached, as many as 77 million PlayStation users saw their personal information stolen by hackers. 5 The BBC reports that the information was stolen from an outdated database, highlighting the need to protect data throughout its life and as it moves from one system to another. Accidental loss - In 2007, HMRC lost two CDs in transit, containing personal details about 25 million people. 6 This highlights several problems. First, the need for a secure way to transmit data from one place to another. Sending those records by unencrypted is just as risky as sending them by unencrypted CD. Second, it shows that employees will usually find a way to circumvent any security protocols or rules unless they can be implemented automatically. While the HMRC story is noteworthy, it is repeated thousands of times every day on a smaller scale Symantec.cloud MessageLabs May 2011 Intelligence report

5 Spyware - Symantec has a global network that manages and related malware detection and prevention services for client companies. In its April 2011 intelligence report, Symantec reported it was stopping an average of 85 targeted attacks per day. Further they found that 1 in every 242 s contained a phishing attack, and 1 in every 169 s contained malware of some kind. 7 Espionage - UK Defense Secretary Liam Fox told businesspeople recently that the Ministry of Defense had blocked more than 1,000 attacks on its systems in This was twice the number of attacks the year before. This comes on top of MI5 s warnings about the threats to UK businesses from Chinese hackers. 9 No one knows how many attacks get through. Detica, a security consultancy, estimates that the British Aerospace and defense sector loses $2.6 billion a year to espionage and theft of intellectual property. This is almost as much as it spends on R&D. 10 Rules and Regulations Several data protection laws are already in place in the US including the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Gramm-Leach-Bliley Act (GLBA) of Numerous states have also enacted laws to protect personally identifiable information. HIPAA mandates severe civil and criminal penalties for noncompliance, such as fines of up to $25,000 for multiple violations of a single standard in one calendar year and as much as $250,000 and ten years imprisonment for the misuse of health information. Another important data-security regulation is the GLBA which covers financial institutions. This standard requires that financial firms develop, implement and maintain administrative and technical safeguards to protect the security of customer information. Financial activities protected by GLBA include loan transactions, financial advisory services, tax planning or preparation services, credit counseling services and check cashing services. As with HIPAA, noncompliance with GLBA brings severe penalties, including civil action brought by the U.S. Attorney General and fines to financial institutions of up to $100,000. To address data breaches on the state level, Massachusetts and Nevada have established their own encryption laws. The Massachusetts mandate (201 CMR 17.00), which went into effect on March 1, 2010, requires that any organization in Massachusetts or elsewhere that owns, licenses, stores or maintains personal information about a Massachusetts resident follows a set of information-security requirements. Penalties for noncompliance include $5,000 fine for each violation. 11 The Nevada law (Senate Bill 227) requires all Nevada businesses to use encryption when data-storage devices containing personal customer data are moved beyond the physical or logical controls of the business. Penalties for noncompliance are undefined, but the law authorizes the state Attorney General to bring action to stop continuing or impending violations. 12 Currently, legislators in California, Michigan, Wisconsin and Washington are working on pending encryption laws for those states. Policy Led Security Every company needs policies that set out how staff can access, use, store, transmit and company information. A high-level information policy can drive and shape staff policies, training, and technical decisions when it comes to encrypting data at rest and in transit. 7-Symantec Intelligence Report, April

6 The Center for the Protection of the National Infrastructure (CPNI) in the UK offers the following general security advice. 13 Companies, it says, need constantly to ask themselves: Who would want access to our information and how could they acquire it? How could they benefit from its use? Can they sell it, amend it or even prevent staff or customers from accessing it? How damaging would the loss of data be? What would be the effect on our operations? CPNI suggests the following principles should be central to any decisions: 1. It is not possible to protect everything, so one must prioritize what to protect. 2. The measures should be proportionate to the threat. 3. The cost should not exceed the value of the asset being protected. Finally it notes, Security is more cost-effective when incorporated into longer-term planning. The first step is to classify data, in particular . As Zabriskie says, When you classify information, then you re also able to encrypt the right information at the right time and in the right place. Why Don t Companies Use Encryption? There is a perception, cultivated by Hollywood and law enforcement agencies, that encryption is impossibly complicated and only for use by people with really important secrets. Inside this myth, there is a grain of truth. The mathematics that underpins modern cryptography is complex, but tools have evolved that make it easy, even completely transparent to use, while maintaining the security against unauthorized access. For example, voice conversations on Skype are encrypted and no one notices. Online stores use SSL encryption to protect credit card data and very few people notice. Most electronic banking transactions use encryption and many now use crypto devices for login authentication, and no one notices. However, managing your own in-house encryption environment can be complex and potentially expensive. You have to secure it against hackers and accidents. You will need to manage the keys used to encrypt and decrypt messages as well as develop trusted relationships with those with whom you exchange encrypted correspondence. And you need to have robust enrollment, updating, and end-of service procedures for the people with access to keys and encrypted information. The Symantec.cloud Solution We ve seen that there is a clear and present threat to businesses from data loss, whether it is the result of accidents or deliberate attack. The consequences are severe and increased by regulations. It s clear that classifying your data accordingly is essential, as are policies and processes that protect it

7 An essential part of any data protection plan is encryption. However, we ve seen that it can be difficult, expensive and time-consuming to use. Fortunately, there is an alternative: using cloud-based, managed encryption systems. Many companies already outsource much of their system. When so much carries spam and malicious content, running an service is a costly overhead most companies sensibly prefer to leave to specialists such as Symantec.cloud. The same approach helps companies protect against data loss, and Symantec.cloud has several services that can help: Boundary encryption - Symantec s Boundary Encryption.cloud allows clients to set up secure private networks that link up with their nominated partners. Every part of every sent or received via these networks is fully and securely encrypted. As with Skype and mobile phone calls, both sender and recipient remain unaware that their messages are encrypted, unless you tell them. The service works seamlessly with leading servers such as Microsoft Exchange, Lotus Domino and Sendmail. And of course, it works with other Symantec.cloud services such as Security.cloud to scan all incoming and outgoing encrypted for viruses, spam and other inappropriate content, thus preserving the integrity of both your IT systems and your information. Policy-based encryption - This lets you encrypt sensitive data using flexible rules to decide what s should be encrypted; for example, based on sender, recipient, words or attachments. Recipients can read encrypted s easily and send encrypted replies without installing special software on their PC or smartphone. Content control - Symantec Content Control.cloud reduces the risk of data loss over by scanning outgoing s and attachments for keywords, phrases, URL lists or particular wildcards (e.g. credit card numbers). s of concern can be tagged, redirected, or blocked and deleted. Spyware prevention - Keeping your computers safe from spyware and intrusion is an essential part of data loss prevention. Our cloud-based , Web, and endpoint solutions do exactly this. The Symantec Web Security.cloud service blocks spyware coming in via web browsers and Symantec Security.cloud blocks malware including targeted attacks coming in via . Because they are cloud-based services, they can block threats before they reach your network and provide advanced malware filtering such as Link Following which ispects web links embedded in s. Although these services are in the cloud, you still retain complete control over the security policies you wish to enforce via a web-based console. When combined with sensible security policies, employee training and information classification, Symantec.cloud can help you keep your critical data away from prying eyes and protect it from accidental leaks. Easy-to-implement encryption adds a further level of protection that protects a vital channel of communication. In a world where leaked s, spyware and data theft can cost companies millions, it pays to have comprehensive protection. For more information please visit our website at or contact us at [email protected] 4

8 More Information AMERICAS UNITED STATES 512 Seventh Avenue 6th Floor New York, NY USA Toll-free CANADA 170 University Avenue Toronto, ON M5H 3B3 Canada Toll-free : EUROPE HEADQUARTERS 1270 Lansdowne Court Gloucester Business Park Gloucester, GL3 4AB United Kingdom Tel +44 (0) Fax +44 (0) Freephone LONDON 3rd Floor 40 Whitfield Street London, W1T 2RH United Kingdom Tel +44 (0) Fax +44 (0) Support +44 (0) NETHERLANDS WTC Amsterdam Zuidplein 36/H-Tower NL-1077 XV Amsterdam Netherlands Tel +31 (0) Fax +31 (0) BELGIUM/LUXEMBOURG Symantec Belgium Astrid Business Center Is. Meyskensstraat Wemmel, Belgium Tel: Fax: DACH Humboldtstrasse 6 Gewerbegebiet Dornach Aschheim Deutschland Tel +49 (0) Support :+44 (0) NORDICS St. Kongensgade Copenhagen K Danmark Tel Fax Support +44 (0) ASIA PACIFIC HONG KONG Room 3006, Central Plaza 18 Harbour Road Tower II Wanchai Hong Kong Main: Fax: Support: AUSTRALIA Level Kent Street, Sydney NSW 2000 Main: Fax: Support: SINGAPORE 6 Temasek Boulevard #11-01 Suntec Tower 4 Singapore Main: Fax: Support: JAPAN Akasaka Intercity Akasaka Minato-ku, Tokyo Main: Fax: Support:

9

10 About Symantec.cloud More than 31,000 organizations ranging from small businesses to the Fortune 500 across 100 countries use Symantec.cloud to administer, monitor, and protect their information resources more effectively. Organizations can choose from 14 preintegrated applications to help secure and manage their business even as new technologies and devices are introduced and traditional boundaries of the workplace disappear. Services are delivered on a highly scalable, reliable and energy-efficient global infrastructure built on fourteen datacenters around the globe. A division within Symantec Corporation, Symantec.cloud offers customers the ability to work more productively in a connected world. For specific country offices and contact numbers, please visit our website. Symantec.cloud North America 512 7th Ave. 6th Floor New York, NY USA 1 (646) (866) Symantec helps organizations secure and manage their information-driven world with managed services, exchange spam filter, managed security services, and antivirus. Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 8/