Using End User Device Encryption to Protect Sensitive Information
April 29, 2015
Mel Jackob, CISSP, GSEC, eplace Solutions, Inc.
William Ewy, CIPP/US, eplace Solutions, Inc.

William Ewy, BSEE, CIPP/US (Host)
- Privacy and Data Security Practice Manager, eplace Solutions, Inc.
- International Privacy Manager at Agilent Technologies
- Various positions in Marketing and Quality with Hewlett-Packard in California, Hong Kong, and Beijing

Mel Jackob, CISSP, GSEC, CISA, MCT
- Senior Cyber Security Consultant, eplace Solutions, Inc.
- Director of IT/Cyber Security at L-3 Communications
- Senior Cyber Security Consultant at Microsoft
- Senior Lead Security Engineer at NMCI

Loss prevention services and information for cyber insurance policyholders
1. Legal Compliance Materials: regulatory summaries, sample policies, procedures, plans, and agreements
2. Risk Assessment Guides: step-by-step procedures to lower risk
3. Email List: monthly newsletter, privacy and data security tips, and Data Security Alerts
4. Specialist Support: by phone or email
5. Training & Awareness Programs: online courses, bulletins, and webinars
6. Handling Data Breaches: summary of breach notification requirements, sample incident response plans, etc.

Agenda
- The basics of static encryption
- Device encryption technologies and considerations
- Examples of available hardware- and software-based solutions
- Conclusions
Encryption is Not a Silver Bullet
- Cracking the encryption algorithm: over time, algorithms become compromised. Because of this it is important to securely remove (digitally wipe or shred) sensitive information, even if encrypted, from devices when it is no longer needed.
- All software, including encryption software, can have defects (e.g. bugs) and backdoors that can allow unauthorized access if discovered.

Data Security Basics
- Limit the sensitive personal information collected to the minimum necessary for organizational purposes
- Encrypt all sensitive information stored on mobile devices (laptop PC, smartphone, tablet, USB stick, DVD, etc.)
- Completely destroy sensitive information when it is no longer needed

Cryptography
- Cryptography hides data from unauthorized individuals
- A cryptosystem is a collection of software, protocols, algorithms and keys
- Cryptosystems draw their strength from the algorithms, the length and randomness of the keys used, and other mathematical factors

Cryptography: Methods of Encryption
- Symmetric: the same key is used to encrypt and decrypt. For N communicating parties, N(N-1)/2 keys are required (one per pair).
- Symmetric encryption algorithms: Data Encryption Standard (DES), Triple-DES (3DES), Blowfish, IDEA, RC4, RC5, and RC6, Advanced Encryption Standard (AES) with 128-, 192-, and 256-bit keys
- Asymmetric: separate public and private keys
What is Data?
- Data is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected
- Users store data on a variety of endpoints
- Whatever form the data takes, or the means by which it is shared or stored, it should always be appropriately protected

Value of Data Security
- Protects information against various threats
- Ensures business continuity
- Minimizes financial losses and other impacts
- Optimizes return on investments
- Creates opportunities to do business safely
- Maintains privacy and compliance

Impact of Laptop Thefts (source: www.privacyrights.org)
- On average, 50% of reported breaches involved laptop theft

[Video: Internet Attacks]

Data Security Preserves CIA: Confidentiality, Integrity, Availability
- Confidentiality: making information accessible only to those authorized to use it
- Integrity: safeguarding the accuracy and completeness of information and processing methods
- Availability: ensuring that information is available when required
Endpoint Encryption Strategies
- Full Disk Encryption: how software disk encryption works; how hardware disk encryption works
- File/Folder Encryption: how file/folder encryption works
- Removable Media Encryption: how removable media encryption works

Full Disk Encryption Recovery
- Lost or forgotten passphrase
- Self recovery (computer is not managed)
- Computer has not communicated with the management server within the set communication interval
- One-time password
- Data corruption resulting from hardware failure or other factors such as a data virus
- Preinstallation media

Folder/File/Removable Media Encryption Recovery Options
- Lost or forgotten certificate or password
- Automatic key archiving for recovery of encrypted data
- Recovery certificate
- Have a backup copy of your data

Criteria for Selecting Endpoint Encryption Solution(s)
- Identify compliance requirements
- Conduct a risk assessment
- Specify requirements
- Expect to support multiple endpoint technologies
- Expect to provide training
- Thoroughly engineer the processes for endpoint encryption
- Test the encryption system and the procedures for user management

Criteria for Selecting Full Disk Encryption Products
- Device deployment
- Product management
- Compatibility
- Authentication service integration
- Key recovery
- Cryptography
- Self-destruct mechanism

Leading Full Disk Encryption Products
- Check Point Full Disk Encryption
- McAfee Endpoint Encryption
- Microsoft BitLocker Drive Encryption
- Sophos SafeGuard Enterprise
- Symantec PGP Whole Disk Encryption
- WinMagic SecureDoc Disk Encryption
- Trend Micro
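The full disk encryption recovery scenarios and the product selection criteria above (key recovery, cryptography, device deployment) can be checked on a Windows endpoint with the BitLocker cmdlets. The script below is an added example written for this page, not material from the presentation or from Microsoft; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later with the BitLocker and TrustedPlatformModule modules available, and the optional AD DS escrow step assumes a domain-joined machine with the BitLocker recovery information policy enabled. It reports, per volume (OS, fixed data, and removable BitLocker To Go media), whether protection is on, which cipher is used, whether the key is bound to a TPM, and whether a recovery password protector exists, so that a lost passphrase does not become lost data.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the presentation): audit BitLocker full-disk and
# removable-media encryption status and recovery readiness on one endpoint.

function Get-EndpointEncryptionReport {
    [CmdletBinding()]
    param(
        # When set, escrow every recovery password protector to AD DS
        # (Backup-BitLockerKeyProtector writes the msFVE-RecoveryInformation object).
        [switch]$EscrowToAD
    )

    # Hardware root of trust: with a TPM the OS volume key is sealed to the boot
    # measurements of this machine instead of depending only on a user passphrase.
    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }

    foreach ($vol in Get-BitLockerVolume) {
        $recovery     = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        $tpmProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }

        # One finding per volume, worst condition first.
        if ($vol.ProtectionStatus -ne 'On') {
            $finding = 'NOT PROTECTED: volume unencrypted or protection suspended'
        } elseif ($vol.EncryptionPercentage -lt 100) {
            $finding = 'encryption still in progress'
        } elseif (-not $recovery) {
            $finding = 'no recovery password protector: a lost passphrase means lost data'
        } else {
            $finding = 'OK'
        }

        if ($EscrowToAD -and $recovery) {
            foreach ($rp in $recovery) {
                # Covers the "computer has not communicated with the management
                # server" scenario: helpdesk can read the recovery password from AD DS.
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType        # OperatingSystem or Data (fixed/removable)
            EncryptionMethod    = $vol.EncryptionMethod  # e.g. XtsAes256, Aes256
            ProtectionStatus    = $vol.ProtectionStatus
            PercentEncrypted    = $vol.EncryptionPercentage
            TpmReady            = if ($tpm) { [bool]($tpm.TpmPresent -and $tpm.TpmReady) } else { $false }
            TpmBound            = [bool]$tpmProtector
            HasRecoveryPassword = [bool]$recovery
            Finding             = $finding
        }
    }
}

# Usage: list findings for every BitLocker-capable volume on this endpoint.
Get-EndpointEncryptionReport | Format-Table -AutoSize
```

Run it without the switch first to see which volumes would fail an audit; run `Get-EndpointEncryptionReport -EscrowToAD` only on managed, domain-joined machines where AD DS escrow is the approved recovery path. For the file/folder recovery options listed above, the Windows equivalent of a "recovery certificate" is the EFS data recovery agent certificate, which `cipher /r:<name>` generates; keep the resulting .pfx off the endpoint, as the slide's "automatic key archiving" advice implies.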
Conclusion
- Changes in the endpoint landscape have an impact on endpoint encryption architectures.
- Organizations must understand the business risk and compliance requirements regarding data theft and data loss and make choices that support a wide variety of devices.
- Solutions should support a heterogeneous infrastructure that may need to include full-disk encryption software, self-encrypting drives, file/folder encryption, smartphones and tablets, and personal storage devices.

Contacts
- Mel Jackob, CISSP, Senior Cyber Security Specialist, eplace Solutions, Inc., Tel.: 559-261-9293, MJackob@eplaceinc.com
- William Ewy, CIPP/US, Privacy and Security Practice Manager, eplace Solutions, Inc., Tel.: 559-577-1252, WEwy@eplaceinc.com