Endpoint & Media Encryption

Bill Kyrouz, Senior Applications Manager, Bingham McCutchen LLP; ILTA Boston City Rep (CR)
Tim Golden, Principal Architect, Enterprise Architecture & IT Governance, McGuireWoods LLP

#SOSPG4

201CMR17 (Massachusetts Data Security Regulations)

“Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”

[201 CMR 17.02]

201CMR17 (Massachusetts Data Security Regulations)

(a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number

These need to be protected while:
• Stored on laptops or portable media
• Transmitted over public networks such as the Internet
• Transmitted wirelessly

…but as a law firm, we answer to higher authorities:

• Attorney-Client Privilege
• Securing our client’s Intellectual Property & Competitive Intelligence

We have a great deal of data that is treated as sensitive and in need of encryption in a variety of media...

“The only safe assumption that a company can make to avoid the consequences of a data breach and disclosure is to assume that a mobile device contains sensitive data. It is impractical to attempt to ‘classify’ either the devices or the information on them, encrypting some devices but not others.” - Gartner, 2009

“Oops.” - Oklahoma Department of Human Services (DHS), 2009

Laptop & Portable Media: Help Forming Your Shortlist

General Services Administration “Data at Rest” Encryption Awardees (www.gsa.gov)

Office of Management and Budget, US Department of Defense and GSA teamed up to identify products government agencies could use to protect “sensitive, unclassified data residing on government laptops, other mobile computing devices and removable storage media devices” [Warning – this is getting dated!]

SANS What Works program (www.sans.org/whatworks): 5.2 Mobile Data Protection and Storage Encryption

Selecting Encryption Solutions

Full Disk Encryption VS File & Folder Encryption

Selecting Encryption Solutions

System Performance

End User Experience

Selecting Encryption Solutions

Encryption Management Capabilities

Selecting Encryption Solutions

Maintenance Windows

[Slide graphic: three machines reading “Now Patching”, one stuck at a “Password:??” prompt]

Laptop & Portable Media: A sample playing field

• Checkpoint (PointSec)
• Fiberlink
• Credant Mobile Guardian
• Info Security Corp Secret Agent
• McAfee SafeBoot
• SafeNet ProtectDrive
• Mobile Armor Data Armor
• WinMagic SecurDoc
• SPYRUS Talisman
• SecurStar DriveCrypt
• Symantec Endpoint Encryption
• 7-zip
• Utimaco
• FreeOTFE
• PGP (now Symantec)
• TrueCrypt
• GuardianEdge (now Symantec)
• Encryption Solutions SkyLOCK
• Microsoft Bitlocker
• Dekart
• Secure Computing
• Beachhead Solutions

BOLD items are in Gartner’s “leaders” quadrant for endpoint data protection

ILTA Survey Results

[Bar chart: share of respondents per product. Bars for TrueCrypt, Symantec PGP, Other, Credant, Bitlocker and N/A; horizontal axis 0% to 25%.]

Laptop & Portable Media: RFP/Issues to consider

• Encrypt all our users’ data
• Robust encryption algorithm(s)
• User friendly (read: seamless)
• Easy deployment
• Removable drive encryption
• Minimal (or no noticeable) performance hit
• No interference with shared computers
• No conflicts with our existing environment
• Ease of management (PW resets, etc.) & integration with Active Directory
• No interference with our desktop deployment or desktop/laptop maintenance procedures (Dell OMCI, WoL, etc.)

Laptop & Portable Media: Bill & Tim’s Shortlist

Checkpoint PointSec

Credant Mobile Guardian

Trend Micro Mobile Armor Data Armor

Symantec Endpoint Encryption (formerly Guardian Edge)

Sophos Utimaco SafeGuard

TrueCrypt

BOLD items are in Gartner’s “leaders” quadrant for endpoint data protection

Your endpoint encryption charter has made it through the finance committee!

We adjusted your budget to $0.

Laptop & Portable Media: Low or No Budget Options

Some regulations take the size of the organization into consideration:

“[You must maintain physical and technical security safeguards] that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program” (201 CMR 17.03)

Inexpensive viable options may include:

• MS BitLocker
• TrueCrypt

But take note: commercial software is available to access a BitLocker-encrypted file.

How to deploy?

• Use a Risk Based Approach
• Start with IT
• Eventually Hit Everyone
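The deployment slide recommends rolling encryption out in waves (IT first, then everyone), and the low-budget slide names BitLocker as an option. The PowerShell below is an added example, not from the slides or from either firm's tooling: it reports, for each laptop in a rollout wave, whether the OS volume is fully encrypted with BitLocker protection switched on, using the Win32_EncryptableVolume WMI class that ships with BitLocker-capable Windows. The computer names are constructed placeholders; remote WMI access and local administrator rights on each target are assumed.

```powershell
# Added example (not from the slides): track a BitLocker rollout wave by wave.
# Assumes: Windows endpoints with the BitLocker WMI provider (Vista/7 or later),
# remote WMI (DCOM) reachable, and local administrator rights on each target.
# The computer names are constructed placeholders.
$Wave = @('IT-LAPTOP-01', 'IT-LAPTOP-02', 'IT-LAPTOP-03')

# Namespace that hosts Win32_EncryptableVolume on every BitLocker-capable Windows build.
$Namespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Labels for the integer codes the provider returns.
$ProtectionLabel = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
$ConversionLabel = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
                      3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }

function Get-OsVolumeEncryptionReport {
    param([string[]]$ComputerName)

    foreach ($Computer in $ComputerName) {
        try {
            # Which drive letter holds the OS on this machine (normally C:, but do not assume it).
            $SystemDrive = (Get-WmiObject -ComputerName $Computer -Class Win32_OperatingSystem `
                                          -ErrorAction Stop).SystemDrive

            $Os = Get-WmiObject -ComputerName $Computer -Namespace $Namespace `
                                -Class Win32_EncryptableVolume -ErrorAction Stop |
                  Where-Object { $_.DriveLetter -eq $SystemDrive } | Select-Object -First 1
            if (-not $Os) { throw "no encryptable OS volume found on $Computer" }

            $Prot  = [int]$Os.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
            $Conv  = $Os.GetConversionStatus()                          # ConversionStatus + EncryptionPercentage
            $State = [int]$Conv.ConversionStatus

            [pscustomobject]@{
                Computer    = $Computer
                Volume      = $Os.DriveLetter
                Protection  = $ProtectionLabel[$Prot]
                Conversion  = $ConversionLabel[$State]
                PercentDone = $Conv.EncryptionPercentage
                # Compliant only when fully encrypted AND protectors are active: a volume whose
                # protection is suspended still decrypts transparently for whoever boots it.
                Compliant   = ($Prot -eq 1 -and $State -eq 1)
            }
        } catch {
            # Unreachable or failing machines are reported, not silently skipped.
            [pscustomobject]@{
                Computer = $Computer; Volume = $null; Protection = 'Error'
                Conversion = $_.Exception.Message; PercentDone = $null; Compliant = $false
            }
        }
    }
}

$Report  = @(Get-OsVolumeEncryptionReport -ComputerName $Wave)
$NotDone = @($Report | Where-Object { -not $_.Compliant })

$Report | Format-Table -AutoSize
Write-Host ("{0} of {1} machines in this wave have a fully encrypted, protected OS volume." -f `
            ($Report.Count - $NotDone.Count), $Report.Count)
# Anything not compliant is carried over to the next wave's work list.
$NotDone | Select-Object -ExpandProperty Computer
```

The report deliberately separates conversion state from protection state: a laptop that finished encrypting but has its protectors suspended (for example during firmware maintenance) looks encrypted in a quick check yet offers no protection if lost, so only the combination counts as done.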

Handheld Devices

This is a non-negotiable cost of doing business. Encryption may exempt you from security disclosure laws in the event of loss or theft of a device.

One Policy to Rule Them All

Bingham’s requirements:

Email
• Policy Enforcement – Device Encryption
• Policy Enforcement – Lockout
• Policy Enforcement – Password Complexity
• Policy Enforcement – Remote PWD Reset
• Policy Enforcement – Remote Wipe
• Policy Enforcement – Transport Encryption
• Policy Enforcement – Wipe on Bad PWD [10 strikes and you’re out]

System
• Works with existing Bingham technologies (m)
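The requirements list above maps almost one-to-one onto an Exchange ActiveSync mailbox policy. The following PowerShell is an added example, not from the slides or from Bingham's own configuration; it assumes the Exchange 2010 management shell (New-ActiveSyncMailboxPolicy, Set-CASMailbox, Get-ActiveSyncDeviceStatistics, Clear-ActiveSyncDevice), and the policy name, mailbox and device id are constructed placeholders.

```powershell
# Added example (not from the slides or from Bingham's own configuration): an Exchange
# ActiveSync mailbox policy enforcing the handheld requirements listed above.
# Assumes the Exchange 2010 management shell. Policy name, mailbox and device id below
# are constructed placeholders.
$PolicyName = 'Firm-Handheld-Baseline'

$PolicySettings = @{
    Name                               = $PolicyName
    # Lockout: a password is mandatory and the device locks itself after 15 idle minutes
    DevicePasswordEnabled              = $true
    MaxInactivityTimeDeviceLock        = '00:15:00'
    # Password complexity: no simple PINs, alphanumeric, at least 8 characters from 2 classes
    AlphanumericDevicePasswordRequired = $true
    AllowSimpleDevicePassword          = $false
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 2
    # Wipe on bad PWD: the deck's "10 strikes and you're out"
    MaxDevicePasswordFailedAttempts    = 10
    # Device encryption, including removable storage cards
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true
    # A device that cannot honour every setting above is refused rather than synced unmanaged
    AllowNonProvisionableDevices       = $false
}

# Create the policy, or reuse it if a previous run already created it.
$Policy = Get-ActiveSyncMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $Policy) { $Policy = New-ActiveSyncMailboxPolicy @PolicySettings }

# Apply it to a mailbox (in practice a filtered Get-Mailbox would be piped in here).
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy $PolicyName

# Remote wipe: locate the lost device among those synced to the mailbox and wipe that one only.
function Invoke-LostDeviceWipe {
    param([string]$Mailbox, [string]$DeviceId)
    $Device = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
              Where-Object { $_.DeviceID -eq $DeviceId }
    if (-not $Device) { throw "No device '$DeviceId' is synced to mailbox $Mailbox" }
    Clear-ActiveSyncDevice -Identity $Device.Identity -Confirm:$false
}
# Invoke-LostDeviceWipe -Mailbox 'jdoe' -DeviceId 'PLACEHOLDER_DEVICE_ID'
```

Two items on the list are not properties of this policy object: transport encryption comes from requiring SSL on the ActiveSync virtual directory of the Client Access server, and remote password reset is not something the policy itself provides, which is exactly the kind of gap the "works with existing technologies" requirement is meant to surface during product selection.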

Reach Bill at: [email protected] @Kyrouz on Twitter

Reach Tim at: [email protected] @Tim_Golden on Twitter

Secure File Transfer

Internal server, appliance or virtual appliance:
• SFTP
• Accellion SFT
• Biscom BDS
• AllardSoft Filetransfer

Pros/Cons: Windows vs non-Windows; important features; subscription model versus not; hardware versus software versus virtual appliance.

Secure File Transfer

Hosted Solutions
• www.yousendit.com (limit 2GB)
• sendthisfile.com: free for files up to 2GB; optional features include dedicated server, dedicated bandwidth; no anti-virus

What to look for:
• SSL protected interface (it’s not a given!)
• anti-virus

Is this you?

Better (and free!) alternatives

KeePass http://keepass.info

Password Safe (Demo) http://passwordsafe.sourceforge.net
