Endpoint & Media Encryption

Transcription

1 Endpoint & Media Encryption Bill Kyrouz, Senior Applications Manager Bingham McCutchen LLP ILTA Boston City Rep (CR) Tim Golden, Principal Architect Enterprise Architecture & IT Governance McGuireWoods LLP

2

3 201CMR17 (Massachusetts Data Security Regulations) Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident s financial account; provided, however, that Personal information shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. [201 CMR 17.02]

4 201CMR17 (Massachusetts Data Security Regulations) (a) Social Security number; (b) driver's license number or stateissued identification card number; or (c) financial account number, or credit or debit card number These need to be protected while: Stored on laptops or portable media Transmitted over public networks such as the Internet Transmitted wirelessly

5 but as a law firm, we answer to higher authorities: Attorney-Client Privilege Securing our client s Intellectual Property & Competitive Intelligence We have a great deal of data that is treated as sensitive and in need of encryption in a variety of media...

6 The only safe assumption that a company can make to avoid the consequences of a data breach and disclosure is to assume that a mobile device contains sensitive data. It is impractical to attempt to classify either the devices or the information on them, encrypting some devices but not others. Gartner, 2009 Oops. Oklahoma Department of Human Services (DHS), 2009

7 Laptop & Portable Media Help Forming Your Shortlist General Services Administration Data at Rest Encryption Awardees ( Office of Management and Budget, US Department of Defense and GSA teamed up to identify products government agencies could use to protect sensitive, unclassified data residing on government laptops, other mobile computing devices and removable storage media devices [Warning this is getting dated!] SANS What Works program ( 5.2 Mobile Data Protection and Storage Encryption

8 Selecting Encryption Solutions Full Disk Encryption VS File & Folder Encryption

9 Selecting Encryption Solutions System Performance End User Experience

10 Selecting Encryption Solutions Encryption Management Capabilities

11 Selecting Encryption Solutions Now Patching Now Patching Now Patching Password:?? Maintenance Windows

12 Laptop & Portable Media A sample playing field Checkpoint (PointSec) Credant Mobile Guardian McAfee SafeBoot Mobile Armor Data Armor SPYRUS Talisman Symantec Endpoint Encryption Utimaco PGP (now Symantec) GuardianEdge (now Symantec) Microsoft Bitlocker Secure Computing Fiberlink Info Security Corp Secret Agent SafeNet ProtectDrive WinMagic SecurDoc SecurStar DriveCrypt 7-zip FreeOTFE TrueCrypt Encryption Solutions SkyLOCK Dekart Private Disk Beachhead Solutions BOLD items are in Gartner s leaders quadrant for endpoint data protection

13 ILTA Survey Results TrueCrypt Symantec PGP Other Credant Bitlocker N/A 0% 5% 10% 15% 20% 25%

14 Laptop & Portable Media RFP/Issues to consider Encrypt all our user s data Robust encryption algorithm(s) User friendly (read: seamless) Easy Deployment Removable drive encryption Minimal (or no noticeable) performance hit No interference with shared computers No conflicts with our existing environment Ease of management (PW resets, etc.) & integration with Active Directory No interference with our desktop deployment or desktop/laptop maintenance procedures (Dell OMCI, WoL, etc.)

15 Laptop & Portable Media Bill & Tim s Shortlist Checkpoint PointSec Credant Mobile Guardian Trend Micro Mobile Armor Data Armor Symantec Endpoint Encryption (formerly Guardian Edge) Sophos Utimaco SafeGuard TrueCrypt BOLD items are in Gartner s leaders quadrant for endpoint data protection

16 Your endpoint encryption charter has made it through the finance committee! We adjusted your budget to $0.

17 Laptop & Portable Media Low or No Budget Options Some regulations take the size of the organization into consideration: [You must maintain physical and technical security safeguards] that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program (201 CMR 17.03) Inexpensive viable options may include: MS BitLocker TrueCrypt But take note: Commercial software is available to access a Bitlocker encrypted file

18 How to deploy? Start with IT Use a Risk Based Approach Eventually Hit Everyone

19 Handheld Devices This is a non negotiable cost of doing business. Encryption may exempt you from security disclosure laws in the event of loss or theft of a device.

20 One Policy to Rule Them All Bingham s requirements: - Messages Policy Enforcement - Device Encryption Policy Enforcement - Lockout Policy Enforcement Password Complexity Policy Enforcement - Remote PWD Reset Policy Enforcement - Remote Wipe Policy Enforcement - Transport Encryption Policy Enforcement - Wipe on Bad PWD [10 strikes and you re out] System - Works with existing Bingham technologies (m)

21 Reach Bill on Twitter Reach Tim on Twitter

22

23 Secure File Transfer Internal server, appliance or virtual appliance SFTP Accellion SFT Biscom BDS AllardSoft Filetransfer Pros/Cons Windows vs Non-windows.. important features... subscription model versus not... hardware versus software versus virtual appliance...

24 Secure File Transfer Hosted Solutions (limit 2GB) sendthisfile.com free for files up to 2GB optional features include dedicated server, dedicated bandwidth No anti-virus What to look for: SSL protected interface (it s not a given!) anti-virus

25 Is this you?

26 Better (and free!) alternatives KeePass Password Safe (Demo)