For your eyes only - Encryption and DLP
Erkko Skantz, Symantec Finland
User productivity
Information management
Data center security
Focus on information
Today's system-centric enterprise (diagram): data center, headquarters, field offices, field, point of sale
Today's system-centric enterprise (same diagram)
1 in 10 people have lost a laptop, smart phone, or USB drive with corporate information on it
12,000 laptops are lost in United States airports every week
Today's system-centric enterprise (same diagram)
1/2 of corporate data resides on mobile devices
Information is the most important asset you have (same diagram)
Where to get started? Where to implement encryption and DLP?
Recovery point objective and recovery time objective
How much data can I afford to lose? (recovery point objective)
How long does it take to get my system up again? (recovery time objective)
Timeline (figure): last backup taken, CRASH, impact of data loss?, system up again; intervals marked on the slide: 24 hours, 1 hour, 1/2 hour, 1 hour
The mistakes that companies often make
Disk encryption: find tactical solution, create keys, deploy infrastructure
USB encryption: find tactical solution, create keys, deploy infrastructure
Mobile encryption: find tactical solution, create keys, deploy infrastructure
Pay attention
Encryption is easy
1) Take a document
2) Create a key and encrypt the document / file / disk
Most customers think they are buying an encryption application. Don't make this mistake. Ask for a management platform for encryption.
Administration can be difficult
1) Encryption management is UNLIKE any other administrative responsibility
2) Normally, administrative responsibilities end when the user leaves / quits
3) You must manage an encryption key for as long as there is encrypted data!
Suggested roadmap
FTP, batch, backup transfer
File/folder/shared server encryption
Smartphone solutions
Encryption Management Server
Full disk encryption
Device and media encryption
End-to-end email encryption
Gateway email encryption
Full disk encryption, the easy way
Symantec Full Disk Encryption
Encrypts desktops, laptops, and USB drives
Protects against personal computer loss / theft / compromise / improper disposal
Reduces risk of data loss
Protects against reputation damage
Enables business continuity without disrupting user productivity
Demonstrates compliance with regulatory standards
Common Criteria Evaluation Assurance Level 4+ (EAL4+) certification
Symantec Full Disk Encryption deployment
Components: clients, Encryption Management Server, LDAP, software deployment tool
Flexible .MSI and .pkg formats
Support for SMS, Zenworks, Altiris, AD GPO
Deploy to: Windows (including Windows Server), Windows 8 (BIOS and UEFI), Mac OS X, Ubuntu, and Red Hat clients
Full Disk Encryption: how it works
Step 1, Policy and provisioning: administrators configure policy on Symantec Encryption Management Server; deploy installation package(s) to Windows (or Mac OS X/Linux) laptops/desktops; install the Symantec Drive Encryption client
Step 2, Initial encryption: the system is encrypted block-by-block
Step 3, Pre-boot environment: the user is presented with a modified pre-boot environment on reboot (or resume from hibernation)
Step 4, Authentication: the user logs in using a passphrase or smart card
Step 5, Compliance: the administrator views logs and reports on Symantec Encryption Management Server
Step 6, Helpdesk: forgotten passwords, unavailable employee, machine recovery
It is about the information
Situation: Bag (+computer) lost at the airport or stolen from the car.
Product & solution: Symantec Drive Encryption: encrypt all laptops and desktops.
Result: The laptop was encrypted and the data was inaccessible to unauthorized users. Because the data was encrypted, the company did not have to report the breach. The company did not suffer a public black eye.
It is about the information. Theme: cloud storage
Situation: Employees are storing confidential documents in the cloud. They are doing this for collaboration purposes.
Product & solution: Symantec File Share Encryption: encrypt data on internal file shares and data in cloud storage lockers.
Result: All data stored in the cloud is encrypted before being synced to the cloud. Data is secure from third-party cloud companies as well as from compromise of the account credentials for the cloud service.
It is about the information. Theme: email
Situation: Email administrators are reading the email of the executive staff.
Product & solution: Symantec Desktop Email Encryption: encrypt and decrypt emails at the desktop, before they leave the desktop for the mail servers.
Result: Emails are secured on the desktop. Email admins can still access the emails on the mail server, but cannot read them because they are encrypted. Backups of the emails remain encrypted and secured.
Information encrypted
Objectives: keep data secure; meet compliance objectives; protect the business; control costs and liabilities
Tasks: protect data at rest; protect data in motion; protect data in use
Products: management; endpoint encryption; file and server encryption; email encryption
Complete encryption platform
Full Disk Encryption (FDE)
Device and Media Encryption
FTP/Batch and Backups
File/Folder/Shared Server Encryption
End-to-End Email
Gateway Email
Encryption Management: central management of encryption applications (Symantec Encryption Management Server)
Key Management: PGP Key Management Server (KMS)
Smartphone Solutions
The alternative option to encrypting everything
Where is your confidential data? (DISCOVER)
How is it being used? (MONITOR)
How best to prevent its loss? (PROTECT)
How Symantec DLP works
Data loss policy
Detection: content (credit cards, SSNs, intellectual property); context (who? what? where?)
Response: action (notify, justify, encrypt, prevent); notification (user, manager, security, escalate)
Find it. Fix it.
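To make the policy, detection and response stages concrete, here is an added example (not Symantec DLP code) of a minimal policy engine in that shape: content detection for credit card numbers (with a Luhn check to cut false positives) and SSN-formatted values, then a response chosen from the context of where the data is going. The thresholds, the `destination` context key and the sample message are constructed assumptions for illustration.

```python
import re

# Candidate 13-16 digit runs, optionally separated by spaces or dashes.
CC_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# SSN format NNN-NN-NNNN, excluding ranges that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample message for the demonstration (not real data).
SAMPLE_MESSAGE = ("Card 4111 1111 1111 1111, bogus 1234 5678 9012 3456, "
                  "SSN 123-45-6789")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check: a digit run that fails it is not a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect_content(text: str) -> dict:
    """Content stage: count each sensitive data type found in the text."""
    cards = [m.group() for m in CC_RE.finditer(text) if luhn_ok(m.group())]
    return {"credit_cards": len(cards), "ssns": len(SSN_RE.findall(text))}


def decide_response(findings: dict, context: dict) -> dict:
    """Response stage: context (where is it going?) picks action and who is told."""
    hits = sum(findings.values())
    if hits == 0:
        return {"action": "allow", "notify": []}
    external = context.get("destination") == "external"   # assumed context key
    if external and hits >= 10:      # bulk leak outbound: block and escalate
        return {"action": "prevent", "notify": ["user", "manager", "security"]}
    if external:                     # small outbound hit: encrypt and coach the user
        return {"action": "encrypt", "notify": ["user"]}
    return {"action": "notify", "notify": ["user"]}  # internal: notify only


def scan_message(text: str, context: dict) -> dict:
    """Run detection then response for one message; returns both results."""
    findings = detect_content(text)
    return {"findings": findings, "response": decide_response(findings, context)}
```

Running `scan_message(SAMPLE_MESSAGE, {"destination": "external"})` flags one card and one SSN and returns an "encrypt" action; the Luhn-invalid run is ignored.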
Symantec Data Loss Prevention
Symantec Data Loss Prevention products
Storage: Network Discover, Data Insight, Network Protect
Endpoint: Endpoint Discover, Endpoint Prevent
Network: Network Monitor, Mobile Email Monitor, Mobile Prevent, Network Prevent for Email, Network Prevent for Web
Management platform: Symantec Data Loss Prevention Enforce Platform
Symantec Data Loss Prevention architecture (diagram: secured corporate LAN and DMZ)
Storage: Network Discover, Data Insight, Network Protect
Management platform: Enforce
Network: Network Monitor, Network Prevent, Mobile Email Monitor, Mobile Prevent; attached via MTA or proxy and a SPAN port or tap
Endpoint: Endpoint Discover, Endpoint Prevent
Continuous risk reduction (chart: risk reduction over time; y-axis incidents per week, 0 to 1000; phases labelled Visibility, Remediation, Notification, Prevention; the "competitive trap" is marked)
Putting it all together
Defense in depth: DLP and encryption
Gateway DLP: FIND
Removable storage and file-based encryption: FIX
Thank you. Questions? - erkko.skantz@symantec.com