Protecting Personally Identifiable Information (PII) Data Encryption for the Emergency Services Sector (ESS)

Transcription

1 Protecting Personally Identifiable Information (PII) Data Encryption for the Emergency Services Sector (ESS)

2 FOREWORD In 2007, more than 79 million records were reported compromised in the U.S. according to the Identity Theft Resource Center. The scope and breath of data collected, stored, shared and/or disposed of by government agencies, is crucial and far-reaching. The highly interdependent nature of agencies within the Emergency Services Sector (ESS) necessitates the sharing of high-stakes information (often laden with personally identifiable information [PII]) across multiple cooperating agencies in real-time, which makes cyber security a major concern. Although some similarities exist, each discipline uses electronic systems differently, which combined with widely varying standards and resources, adds an additional layer of difficulty in securing data across the ESS. This ebook will review the basics of data encryption; data concerns specific to ESS; how data encryption addresses the unique data security challenges facing ESS, and key points to consider when building the case for data encryption. TABLE OF CONTENTS FOREWORD 1 INTRODUCTION 2 CHALLENGES FACING THE EMERGENCY SERVICES SECTOR 3 PROTECTING SENSITIVE DATA ACROSS MULTIPLE PLATFORMS 3 COMPLYING WITH PRIVACY LAW AND FEDERAL REGULATIONS 4 ENABLING SECURE SHARING OF DATA 5 DATA ENCRYPTION DEFINED 6 BENEFITS OF DATA ENCRYPTION 7 TOTAL COST OF OWNERSHIP (ESS) 8 WHAT TO LOOK FOR 9 READY TO LEARN MORE? 13 1

3 INTRODUCTION The Emergency Services Sector (ESS) includes five disciplines: Law Enforcement, Fire and Emergency Services, Emergency Management, Emergency Medical Services (EMS), and Public Works. These disciplines, and their personnel, work in close tandem with each other, with large numbers cross-trained to work in one or more other agencies. Data sharing is requisite to the sector, but variances in cyber usage are common from discipline to discipline. The very nature of the information collected by ESS agencies makes it very attractive to cyber criminals. Post-9/11 national directives to government agencies consistently underscore the need to achieve and maintain high levels of cyber security. Cyber security is defined by the 2009 U.S. National Infrastructure Protection Plan (NIPP) as: prevention of damage to, unauthorized use of, or exploitation of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability. That directive, taken together with the vast amount of Personally Identifiable Information (PII) routinely collected by ESS, and the inherent complexity of IT and cyber systems, makes data security a serious concern for the sector. 2

4 CHALLENGES FACING THE EMERGENCY SERVICES SECTOR The ESS, the first-responder network of Federal, State, local, tribal, territorial, and private partners, functions to prevent and mitigate the risk from physical and cyberattacks, and manmade and natural disasters and provides life-safety and security services across the nation. In the course of normal operations, branches of the ESS come in contact with, collect, and share, large quantities of PII, which can be defined as: information which can be used to distinguish or trace an individual s identity, such as their name, social security number, biometric records, etc. This information may be gathered as part of an ongoing criminal investigation, may involve zero data-breach subjects (i.e., witness protection candidates, victims of domestic violence or child abuse, confidential patient information, informants, undercover officers, etc.), or contain evidence that could be linked to a future criminal investigation. In some instances, a data breach could compromise an entire investigation, impair a rescue operation, or worse, put people s lives at risk. As such, the nature of the information collected by ESS mandates the strictest of data security controls. The key challenges prompting the ESS to consider data protection solutions are the need to: Protect sensitive data and personal identifiable information (PII) on multiple platforms and devices Comply with privacy law and Federal regulations Enable secure sharing of data within ESS and with other Federal agencies If someone s identity were a whole pie, each piece of PII would be a slice. PROTECTING SENSITIVE DATA ACROSS MULTIPLE PLATFORMS Core ESS activities, such as emergency operations communications, database management, biometric activities, telecommunications, and electronic systems (e.g., security systems), are conducted via atrest and portable data systems and require vigorous data security controls. The ESS also operates in a highly mobile environment in which agents collect and disseminate highlysensitive information through a variety of portable electronic devices (e.g., USB keys, tablets, mobile devices, etc.). This information, however, can carry significantly higher stakes than information collected by other industries. For the ESS in particular, data integrity is paramount, as it can inform the actions of a suite of ESS and other Federal agencies and carry legal ramifications for a number of interested parties. 3

5 CHALLENGES FACING THE EMERGENCY SERVICES SECTOR COMPLYING WITH PRIVACY LAW AND FEDERAL REGULATIONS Information data breaches (the viewing, leaking, or accessing of data by anyone not the individual or authorized to have access to this information as part of his/her duties) have now become commonplace. In lieu of the elevated risks involved in a data breach for all government agencies, including the ESS, strict guidance and laws have been proposed and/or enacted. One example would be the existing U.S. Privacy Act of 1974, which has undergone revisions to ensure compliance with the emerging technology capabilities. U.S. Privacy law impacts records creation, file management for both active and inactive records, records protection, records access, and records retention and disposition. As an example, US ESS organizations have two privacy laws they must comply with which are The Privacy Act of 1974 and The E-Government Act of The Privacy Act of 1974 (U.S.) specifically provides strict limits on the maintenance and disclosure by any Federal agency of information both outside and under the rubric of PII, such as: education, financial transactions, medical history, and criminal or employment history and that contains [the] name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. The limited exceptions to this law still require strict recordkeeping on any disclosure. One common application of privacy law is the medical profession s adherence to HIPAA (the Health Insurance Portability and Accountability Act, which also applies to EMS), whose principal focus is protecting a patient s PII. The E-Government Act of 2002 (U.S.) was enacted to ensure public trust in electronic government services, in response to the increased use of computers and the Internet to process government information. The E-Government Act also directed the Office of Management and Budget (OMB) to issue implementation guidance to Federal agencies. OMB continually provides privacy such guidance to Federal agencies on many PII protection topics such as remote access to PII, encryption of PII on mobile devices, and breach notification. 4

6 CHALLENGES FACING THE EMERGENCY SERVICES SECTOR ENABLING SECURE SHARING OF DATA Another data security challenge specific to ESS is the highly mobile platform of its personnel: fire and emergency services, law enforcement, public works, emergency medical services, and emergency management personnel, are perpetually in the field. As such, data they collect, share and store has a greater chance of unauthorized access and or disclosure through being lost or stolen than if it were within the physical boundaries of the organization. The interrelated nature of each division of the sector, and the sharing of information throughout, creates strong ties of collaboration and cooperation, but carries a significant drawback: the more people and systems that access PII, the more opportunities for it to be compromised. While every piece of data ESS collects may not be classifiable as PII, even partially identifying data can be sufficient to identify an individual, due to the versatility of current re-identification algorithms. These algorithms can take a piece of data and combine it with other data elements to complete the puzzle, making any and all data collected and shared by ESS highly sensitive. Ironically, to operate at peak efficiency, ESS must be able to share sensitive data across all divisions, rapidly and continuously, which consequently makes that data even more vulnerable to unauthorized access. For example, in the U.S. Department of Homeland Security s (DHS) Emergency Services Sector- Specific Plan, An Annex to the National Infrastructure Protection Plan 2010, the DHS recognized that each ESS division has, and works to address, its own sectorspecific cyber-related issues, but also indicated that an integrated cross-sector The interrelated nature of ESS agencies necessitates greater controls to ensure data integrity. cyber-security perspective is needed to address mutual concerns and issues all agencies within ESS share. The DHS argued that such a crossfunctional approach would facilitate greater implementation of best practices in data security. Another example of such an initiative is the U.S. National Institute of Standards and Technology s (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), an exhaustive survey of data security best practices (including Federal guidance, regulations, and privacy law) for Federal agencies, of which data encryption for at-rest and mobile data storage devices, is a recurring component. The NIST s method for protecting PII, The Cryptographic Module Validation Program (CMVP), is operated jointly by the NIST Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments. Each country has their own Privacy and Data Protection policies that local ESS organizations need to adhere to. As a result many have turned to data encryption as one of the prime methods of securing critical PII data across their networks. 5

7 DATA ENCRYPTION DEFINED Data encryption refers to the process of transforming electronic information into a coded form that can only be read by those authorized to access it. To read an encrypted file, a user must have access to a secret key or password that enables them to decrypt it. The way in which an organization can protect their data encompasses a variety of options. The foundation or core group of options typically start with: Full Disk Encryption (FDE): Protects the entire hard disk (all sectors and volumes) and can only be accessed with a secure key. Removable Media Encryption (RME): The protection of all or a portion of a USB key, external hard drive, or similar removable media. File and Folder Encryption (FFE): Protection is associated with specific folder or files where they are encrypted with specific user access permissions, much like network permissions. There are a number of solutions available to fulfill virtually any data protection requirement, so before embarking on any new project, it s important to research and understand the options that work best for your unique situation. 6

8 BENEFITS OF DATA ENCRYPTION The US Privacy Act, PIPEDA, FERPA, and the Data Protection Acts of the United Kingdom and European Union have all defined the way that data can be used and the penalties for its mishandling. REGULATORY COMPLIANCE Data encryption enables organizations to better adhere to numerous local, state, federal and global privacy laws and regulations. DATA SECURITY Encrypting data provides protection for sensitive information whether it s stored on a desktop or laptop, a smartphone, tablet, removable storage media, an server or even the network, so in the event the device is lost or stolen, the information is protected. TRANSPARENCY Data encryption solutions enable agencies to run at their normal pace while the encryption solution silently secures critical data in the background. Some of the best data encryption options perform without the user even being aware. PEACE OF MIND Despite best efforts, data breaches can occur. Laptops and removable storage devices are prone to theft and loss. Data encryption protects critical assets if it falls into the wrong hands, and protects the integrity and credibility of your organization. The use of encryption provides a safe harbor in the event of a data breach. 7

9 TOTAL COST OF OWNERSHIP (ESS) The challenge with data security solutions for most organizations is trying to balance the expense of the solution against the productivity of the users. Maximizing that total cost of ownership (TCO) of the solution is critical. A recent study from the Ponemon Institute looked into what an encryption solution would cost an average organization per year. The results were shocking. What became apparent was that with features like pre-boot network authentication (WinMagic s PBConnex), data encryption solutions could help reduce TCO by not only managing encryption and security but improving the efficiency of other processes for IT Administrators such as support. Looking at typical costs associated with Password resets and device staging alone, the savings were staggering. Cost Savings with Pre-Boot Network Authentication Password Resets over 8,000 Users Cost of Password Reset WITHOUT Pre-Boot Network Authentication Cost of Password Reset WITH Pre-Boot Network Authentication PASSWORD RESET - SAVINGS Times per user per annum 3.3 STAGING AN FDE COMPUTER - SAVINGS Time to stage a computer with FDE 20 mins per machine Value of Tech and User Time for reset $8.10 Time to stage computer using Pre-Boot Network Authentication 5 mins per machine Total cost of password reset for user/tech per annum $26.70 Value of Tech time to stage machine $12.00 Savings with Pre-Boot Network Authentication Total Cost Saving in Password resets per organization of 5,000 devices $20.04 $100,200 Value Saved with Pre-Boot Network Authentication Size of Organization Total Cost Saving to stage a computer per organization $9.00 5,000 $45,000 8

10 WHAT TO LOOK FOR IN A BEST-IN-CLASS DATA ENCRYPTION PROVIDER 1 Before embarking on a data encryption initiative, you ll need to determine which provider can offer you the protection that best suits your needs. Obviously, there s a lot to think about, but by taking the time to select the INTEGRATION Look for a provider that has proven third party integration with hardware and software companies for optimal security offerings and increased functionality. Be sure they offer services for different operating systems and hardware, and mobile device management for devices like tablets and smart phones. 2 3 PRE-BOOT NETWORK BASED AUTHENTICATION Pre-boot network authentication (wired or wireless) utilizes network based resources to authenticate users, enforce access controls, and manage end point devices before the operating system loads. This approach to FDE management also results in significant cost savings for organizations by streamlining the time and cost associated with things such as password resets and device staging. This capability truly separates the best from the rest. right provider, you ll be poised for success as you move forward with your deployment. These are some key things to look for when seeking out a best-in-class data encryption solution. MULTI-PLATFORM/MULTI DEVICE MANAGEMENT 76 percent of employees today use more than one mobile device and cyber usage varies widely with the ESS sector. Ensure the provider you select can offer central management for systems running any operating system, whether it s Windows, Mac OS X or variants of Linux, Android, ios. Mobile device management offers the proof that information security officers require to ensure compliance with key sector regulations. 9

11 WHAT TO LOOK FOR IN A BEST-IN-CLASS DATA ENCRYPTION PROVIDER 4 SINGLE MANAGEMENT CONSOLE Monitoring and tracking devices from a single console supports the information system security division of each ESS agency in their operations, enables easy integration into accounts with laptops, desktops, tablets, smart phones, and SED devices, and supports full mobile device management. A central view of all devices reduces the need for desk side support calls because administrators can determine if a device is in a secure, compliant state, and if not, quickly contact the user to rectify the situation. 5 6 SUPPORT FOR SELF ENCRYPTING DRIVES (SEDS) While SED technology has improved the security of laptops and workstations, it does not require specific authentication during boot up, leaving data at risk. Providers on your short list should have the capability to centrally support users with SED devices and employ a pre boot authentication to ensure the drive is encrypted, compliant and functioning properly, while taking advantage of the transparency, performance and security that a SED offers. FILEVAULT MANAGEMENT OR FULL DISK ENCRYPTION FOR MAC OS Some organizations prefer to leverage the native encryption and security offered by Mac OS X s FileVault 2. Using a solution that supports FileVault 2 and offers centralized management to oversee all devices ensures you ve got the best of both worlds. 10

12 WE LL PROTECT YOU... WinMagic understands the data security challenges and changing needs of the ESS. In order to help effectively meet and adapt to the changing needs of the sector and the expectations of the public, WinMagic works closely with the ESS and other critical infrastructure and key resources (CIKR) sectors, such as the Department of Homeland Security (DOHS) and Department of Defense (DOD), to develop and deliver the most secure data encryption protection. SECUREDOC SecureDoc is a comprehensive disk encryption and data security solution that secures data at rest. It has two main components: the client software used to encrypt and protect data and the server software (SecureDoc Enterprise Server or SES) used to configure, deploy, and manage encryption for an entire organization. SecureDoc is FIPS validated, meeting U.S. NIST and Canadian CSE requirements and guidelines for data encryption and security. When you consider the relatively tiny cost of protecting each laptop to the potentially high cost associated with a single user losing their data, it is remarkable to think that every organization is not protecting information in this fashion. Installing encryption software makes perfect sense from both a data security and an ROI perspective. Andrew Labbo, Privacy and Data Security Officer and Information Security Manager, The Children s Hospital, Denver, Colorado 11

13 PBCONNEX SES WEB CONSOLE MOBILE DEVICE MANAGEMENT (MDM) FILEVAULT 2 SUPPORT SecureDoc with PBConnex is The SES web console provides a SecureDoc s MDM feature is a key SecureDoc offers one of the the only data encryption and web-based interface for SecureDoc component of the SES Web console, strongest Mac OS X FDE solutions management solution that allows Enterprise Server, WinMagic s offering government agencies available on the market today. For for pre-boot network authentication solution for centrally managing a holistic view to their status of customers that prefer to leverage either wired or wirelessly. encrypted devices in an enterprise their mobile devices, allowing the native encryption and security PBConnex utilizes network based environment. The SES web them to manage the deployment offered by Mac OS X s FileVault 2 resources to authenticate users, console supports many of the daily of Android and ios devices and solution, SecureDoc can manage enforce access controls, and administration features provided by also to ensure that the appropriate that as well. FileVault 2 enterprise manage end point devices before the SecureDoc Enterprise Server, security and password policies are management gives agencies the the operating system loads. This including user management, enforced. SecureDoc MDM offers flexibility to choose how they want unique and ground-breaking administrator management, the proof that IT administrators to encrypt and manage their Apple approach to FDE management also device management and recovery, require to ensure compliance with devices yes still have the ability to results in significant cost savings password management, and report key sector regulations while at the have all their devices managed by for organizations by streamlining management. It also includes a same time offering a strong solution SES s central management console. the time and cost associated with Mobile Device Management (MDM) for BYOD environments. things such as password resets server component. and device staging. In addition, multiple users can safely use the same device without ever putting confidential data at risk. 12

14 READY TO LEARN MORE? WinMagic provides the world s most secure, manageable and easy-to-use data encryption solutions. With a full complement of professional and customer services, WinMagic supports over five million SecureDoc users in approximately 84 countries. We can protect you too. For more information on SecureDoc Enterprise Server contact sales@winmagic.com or visit our website to access a number of valuable resources: PRODUCT PAGE WHITE PAPERS CONTACT WinMagic Inc. Phone: Fax: Toll Free: sales@winmagic.com SOCIAL MEDIA WANT TO TRY OUR SOFTWARE?