Deployment Strategies for Effective Encryption

Similar documents
The Five Habits of Highly Secure Organizations

Using End User Device Encryption to Protect Sensitive Information

SECURITY RISK MANAGEMENT

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Security Controls What Works. Southside Virginia Community College: Security Awareness

Encryption: Ensuring Information Security

Enterprise Cloud-to-Cloud Backup and Recovery:

Secure Your Business with EVault Cloud-Connected Solutions

Top Ten Technology Risks Facing Colleges and Universities

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

Transparent Data Encryption: New Technologies and Best Practices for Database Encryption

Firewall Administration and Management

Cloud Backup and Recovery for Endpoint Devices

Encryption Buyers Guide

Enterprise Cloud Backup of Cloud-Based Applications/Platforms

RSA Solution Brief RSA. Encryption and Key Management Suite. RSA Solution Brief

How To Evaluate A Cooperative For Safety

Whitepaper : Cloud Based Backup for Mobile Users and Remote Sites

Data Loss Prevention Best Practices to comply with PCI-DSS An Executive Guide

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

What You Need to Know About Cloud Backup: Your Guide to Cost, Security, and Flexibility

Symantec DLP Overview. Jonathan Jesse ITS Partners

SecureD Technical Overview

Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider

Enterprise Data Protection

How To Secure An Extended Enterprise

Certified Information Systems Auditor (CISA)

More Expenses. Only this time the Telegraph will have to pay them after their recent data breech

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

HIPAA Security Alert

The Impact of HIPAA and HITECH

GETTING THE MOST FROM THE CLOUD. A White Paper presented by

The Pros and Cons of DLP Tools

Information Security It s Everyone s Responsibility

Eric Moriak - CISSP, CISM, CGEIT, CISA, CIA Program Manager - IT Audit Children s Medical Center Dallas. Dallas, Texas

How To Backup From Your Computer To Your Phone Or Tablet Or Computer

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

Virginia Commonwealth University School of Medicine Information Security Standard

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

THE EXECUTIVE GUIDE TO DATA LOSS PREVENTION. Technology Overview, Business Justification, and Resource Requirements

have adequate policies and practices for secure data disposal have not established a formal 22% risk management program

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM

Domain 1 The Process of Auditing Information Systems

The Holistic Guide to BYOD in Your Business Jazib Frahim

Endpoint data protection solutions for Healthcare

Payment Card Industry Data Security Standard

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

For your eyes only - Encryption and DLP Erkko Skantz

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

How To Protect Your Data From Theft

IT - General Controls Questionnaire

Allstate Insurance Company s Local Data Protection (LDP) Project

EARTHLINK BUSINESS. Simplify the Complex

Employing Best Practices for Mainframe Tape Encryption

TACKLING THE ENCRYPTION CONUNDRUM

Things You Need to Know About Cloud Backup

LESS IS MORE PCI DSS SCOPING DEMYSTIFIED

Supplier Security Assessment Questionnaire

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Bridging the HIPAA/HITECH Compliance Gap

Information Security Awareness Training

How-To Guide: Cyber Security. Content Provided by

Best Practices for DLP Implementation in Healthcare Organizations

Client Security Risk Assessment Questionnaire

2009 NASCIO Recognition Awards Nomination. A. Title: Sensitive Data Protection with Endpoint Encryption. Category: Information Security and Privacy

BEST PRACTICE GUIDE TO ENCRYPTION.

Information Technology Security Standards. Effective Date: November 20, 2000 OFM Guidelines for Economic Feasibility Revision Date: January 10, 2008

Decrypting Enterprise Storage Security

CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link

10 Threats to Successful. Enterprise Endpoint Backup

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

How To Implement Data Loss Prevention

EXECUTIVE SUMMARY Cloud Backup for Endpoint Devices

Managing PHI in the Cloud Best Practices

Strategies and Best Practices to Implement a Successful Data Loss Prevention Program Sebastian Brenner, CISSP

Cloud Computing Safe Harbor or Wild West?

HOW SECURE IS YOUR PAYMENT CARD DATA?

MFA Perspective. 201 CMR 17.00: The Massachusetts Privacy Law. Compliance is Mandatory... Be Thorough but Be Practical

HITRUST CSF Assurance Program

End-to-end data protection solutions

Feisal Nanji. Techumen LLC,

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

in Transition to the Cloud

IBM Data Security Services for endpoint data protection endpoint encryption solution

Uni Vault. An Introduction to Uni Systems Hybrid Cloud Data Protection as a Service. White Paper Solution Brief

Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider

Demonstrating Regulatory Compliance

28% Top 10 Endpoint Backup Mistakes And how to avoid them. of corporate data resides exclusively on laptops, smartphones, and tablets

Protecting Data-at-Rest with SecureZIP for DLP

How To Test For Security On A Network Without Being Hacked

Are You in Control? MaaS360 Control Service. Services > Overview MaaS360 Control Overview

Cybersecurity Tips for Startups and Small Businesses

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration

security and compliance best practices

ICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone!

Transcription:

Deployment Strategies for Effective Encryption Ben Rothke, CISSP, CISA Information Security Wyndham Worldwide Corp. Session ID: DSP-W25B Session Classification: Intermediate

Deployment Strategies for effective encryption encryption internals are built on complex mathematics and number theory your successful encryption program requires a CISSP, CISA and PMP, not necessarily a PhD effective encryption strategy requires attention to detail, good design, combined with good project management and documentation your encryption strategy must reflect this

It s 2013 where s the encryption? many roll-outs are nothing more than stop-gap solutions Getting it done often takes precedence over key management, documentation, processes, etc. many organizations lack required security expertise these and more combine to obstruct encryption from being ubiquitous adds up to a significant need for an effective encryption deployment strategy

3 steps to effective encryption 1. define your requirements 2. know where your sensitive data resides 3. create detailed implementation plans when implementing your encryption strategy, it s imperative to remember that your encryption project, and information security is a process, not a product.

Encryption nirvana scenario Initial Drivers Business Technical Regulatory Policy Define Drivers Data Classification Strategy Data Mapping Risk Modeling Deployment Implementation Management Effective Encryption Policy Definition Control Gaps Audit

Common deployment mistakes Thinking encryption projects are plug and play until they have to deal with key management don t forget about legacy systems Going to a vendor too early vendors sell hardware/software you need requirements, project plans, implementation plans, etc. Not giving enough time to design and testing an effective encryption roll-out takes time requires significant details you can t rush this!

Encryption strategy mathematics of cryptography is rocket science most aspects of information security, compliance and audit aren t good computer security is attention to detail and good design, combined with effective project management enterprise encryption strategy must reflect this not everyone will need encryption across the board policies need to be determined first as to what requires encryption strategy of let s just encrypt everything demonstrates confusion

Analyze your encryption needs protect data from loss and exposure prevent access to the system itself? does software need to access the files after encryption? data to be transported securely? via what means? how much user burden is acceptable? how strong does the encryption need to be? do you need to match the solution to the hardware? regulatory, contractual, organizational policy ask a lot of questions at this point! and when you are done, ask a lot more

Drivers and requirements If you don t know your drivers, you re driving blind. Business customer trust intellectual property Technical AES, PGP, BitLocker, etc. mobile devices Regulatory PCI / SoX / EU / ISO-17799 State data breach laws Image source: http://www.whattofix.com/blog/archives/2008/05/peace-for-pachy.php

Documentation and policies Encryption must be supported by policies, documentation and a formal risk management program shows work adequately planned and supervised demonstrates internal controls studied and evaluated Policy must be endorsed by management communicated to end-users and business partners / 3rd-parties that handle sensitive data. If it can t meet company s policies, don t give others access to the data encryption responsibility should be fixed with consequences for noncompliance

Encryption processes encryption is a process intensive endeavor must be well-defined and documented if not implemented and configured properly, can cause system performance degradation, operational hurdles and locking yourself out of your own data improperly configured encryption processes give false sense of security perception that confidentiality of sensitive information is protected when it s not

It s all about the data Identify all methods of data input/output storage media smartphones, USB, laptops, removable, SSD, and more business partners and other third parties understand all applicable regulations and laws high-risk areas laptops wireless data backups others

Requirements analysis define business, technical, and operational requirements and objectives for encryption define policies, architecture, and scope of encryption requirements conduct interviews, review policy documents, analyze current and proposed encryption strategy to identify possible security gaps determine liabilities better requirements definition directly correlates to successful encryption program

Understand your encryption options full-disk / host-based encryption (at rest) data encrypted at creation, first possible level of data security appliance-based data leaves host unencrypted, then goes to dedicated appliance for encryption. Quickest to implement; but can be costly storage device encryption tape data transmitted unencrypted to storage device easiest integration into existing backup environments data encrypted on tape drive; easy to implement provides protection from both offsite and on-premise information loss database database encrypted tables inside the database, protected by native DBMS access controls

Key management (KM) Key management is a big deal; don t underestimate it generation, distribution, storage, recovery and destruction of encryption keys encryption is 90% management and policy, 10% technology most encryption failures due to ineffective KM processes 80% of 22 SAP testing procedures related to encryption are about KM effective KM policy and design requires significant time and effort

Key management fundamentals Ask lots of the fundamental questions: how many keys do you need? where are keys stored? who has access to keys? how will you manage keys? how will you protect access to encryption keys? how often should keys change? what if key is lost or damaged? how much key management training will we need? how about disaster recovery?

Encryption is a long journey Immediate steps in the long-term encryption expedition prioritize based on specific requirements and compensating controls identify your most sensitive/confidential data and know where it resides organizations that don t have an effective data classification program usually fail at their data encryption projects - Gartner know which regulatory mandates matter most leverage DLP to more effectively identify sensitive content that resides on the network and at the endpoint

There s a book for that

Summary organizations that do not have an effective data classification program usually fail at their data encryption projects creating an effective deployment strategy is the difference between strong encryption and an audit failure encryption is about attention to detail, good design and project management.

Ben Rothke, CISSP CISA Manager Information Security Wyndham Worldwide Corporation www.linkedin.com/in/benrothke www.twitter.com/benrothke www.slideshare.net/benrothke

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information