An IT Briefing produced by
PGP Education Series: The Insider Threat: Understanding the Risks & Defending the Enterprise
Sponsored By:
The Insider Threat: Understanding the Risks & Defending the Enterprise
By Doug McLean and Jim Reavis
© 2005 TechTarget
BIOS
Doug McLean is Vice President of Online Operations and Commerce for PGP Corporation. He most recently served as Vice President of Products for PGP Corporation. Prior to joining the company, he was Vice President of Corporate Marketing at Postini, a leading provider of enterprise email anti-spam and anti-virus perimeter solutions. Prior to Postini, Mr. McLean served as Vice President for Launch Pad. He has also held management positions at Xerox Corporation, Apple Computer, and Hewlett-Packard. He has a B.S. and an M.S. in Industrial Engineering from Stanford University as well as an MBA from Dartmouth College–Amos Tuck School.
Jim Reavis is President of Reavis Consulting Group and editor of the CSOInformer newsletter. He is also a member of the Board of Directors of the Information Systems Security Association (ISSA) International, where his role is that of Vice President of Vendor Relations. For more than 12 years, he has worked in the information security industry as an entrepreneur, writer, speaker, technologist, and business strategist. Mr. Reavis founded SecurityPortal in 1998 and has been an advisor on the launch of many industry ventures.
This IT Briefing is based on a PGP Corporation/TechTarget Webcast, “PGP Education Series: The Insider Threat: Understanding the Risks & Defending the Enterprise.” To view this Webcast online, please click the link. This TechTarget IT Briefing covers the following topics:
• Introduction
• Strategies for Defending Enterprises
• Company Policy and Insider Threats
• Data Classification Strategy
• The Layer 8 Approach
• Network Monitoring
• Extrusion Prevention
• Encryption
• Using PGP Products to Address the Insider Threat
• PGP Universal Architecture
• PGP Desktop
• Using PGP Desktop with PGP Universal to Defend Against Insider Threats
• PGP Command Line
• Summary
• Common Questions
Copyright © 2005 PGP Corporation. All Rights Reserved. Reproduction, adaptation, or translation without prior written permission is prohibited, except as allowed under the copyright laws.
About PGP Corporation
The global customer standard for encryption and digital signature solutions, PGP Corporation develops, markets, and supports an integrated data security suite used by more than 30,000 enterprises, businesses, and governments worldwide, including 84 percent of the Fortune® 100, 66 percent of the Fortune® Global 100, and thousands of individuals and cryptography experts. Customers depend on PGP solutions for regulatory and audit compliance, to protect confidential company information, to secure customer data, and to keep identity information private. During the past 10 years, PGP® technology has earned a global reputation for innovative, standards-based, trusted solutions. The flexible PGP suite allows customers to phase-in gateway, partner, mobile, or internal email security; data storage protection for laptops, desktops, and removable media; IM encryption; and FTP/batch transfer security using a single key management and recovery infrastructure. PGP Corporation is the only commercial security vendor to publish source code for peer review. Contact PGP Corporation at www.pgp.com or (650) 319-9000.
About TechTarget IT Briefings
TechTarget IT Briefings provide the pertinent information that senior-level IT executives and managers need to make educated purchasing decisions. Originating from our industry-leading Vendor Connection and Expert Webcasts, TechTarget-produced IT Briefings turn webcasts into easy-to-follow technical briefs, similar to white papers.
Design Copyright © 2004–2005 TechTarget. All Rights Reserved.
For inquiries and additional information, contact: Dennis Shiao, Director of Product Management, Webcasts, dshiao@techtarget.com
The Insider Threat: Understanding the Risks & Defending the Enterprise
Introduction
The virtual world moves at a pace that is much faster than the physical one. That same easy connectivity means today’s companies must protect their networks while maintaining availability and security. Mobility, remote virtual private networks (VPNs), and wireless access points are becoming increasingly important tools for attackers. Some postulate the issue is not just the ease and stealth with which mobility allows attackers to infiltrate an organization. Sociologists believe there is actually a breakdown in the conscience’s natural barriers that allows an attacker to carry out a threat. In addition, attackers can work from the safety of a remote location, thus increasing their predisposition to go out and do something they should not do.
Deloitte Touche Tohmatsu conducts an annual “Global Security Survey.” The 2005 report surveyed senior security officers at the world’s top 100 financial institutions. It found that insiders were often victims of phishing and pharming, two online scams that exploit human behavior, by using bogus emails and websites to persuade people to reveal confidential information to hackers and fraudsters. For large global financial institutions, the insider threat has surpassed external threats. About 35 percent of respondents said they had encountered attacks from inside their organization within the last 12 months, up from 14 percent in 2004. In contrast, only 26 percent confirmed external attacks, compared to 23 percent in 2004.
According to industry analyst Gartner, 84 percent of insider incidents occur when insiders send confidential data outside the company.
A major report released in June 2005, the “CERT® Insider Threat Study,” analyzed both the behavioral and technical aspects of insider threats. The study found that the impact of nearly all insider incidents in the banking and finance sector from 1996 to 2002 was financial loss for the affected organization: in 30 percent of the cases, the financial loss exceeded $500,000.
Many affected organizations experienced damage in multiple areas. CERT summarized typical incidents in the banking and finance sector as follows:
• Insiders were authorized users with active computer accounts
• Insiders had little or no technical expertise and exploited non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network)
• Insiders devised and planned the incidents in advance, and others often had knowledge of the insider’s intentions, plans, and/or activities
• Insiders executed their attacks physically from within their organization during normal business hours, using simple, legitimate user commands to carry out the incidents
• Most insiders were motivated by financial gain rather than a desire to harm the company or information system
• Insiders in this report fit no common profile:
  • 23 percent held a technical position
  • 13 percent had a demonstrated interest in “hacking”
  • 27 percent had come to the attention of a supervisor or co-worker prior to the incident
• Insider incidents were detected by internal as well as external individuals, including customers
It can be difficult to stop the smart insider who is focused on causing problems. However, it is honest mistakes by well-meaning people (victims of phishing and pharming) within an organization that cause a large portion of the threats. This is a key point to keep in mind while developing a strategy for dealing with the insider threat. This briefing identifies the insider threat to the enterprise, the risks it poses, and the strategies needed to mitigate those risks.
IT Briefing: The Insider Threat: Understanding the Risks & Defending the Enterprise Sponsored By:
Strategies for Defending Enterprises
There is not a single “silver bullet” solution for defending the enterprise, and it is not a problem that can be solved completely. Rather, it is a situation that requires constant mitigation. The comprehensive approach to improving security is to create a strategy that incorporates people, process, and technology, as shown in Figure 1. From a technology perspective, an in-depth defense is a requirement for dealing with the insider threat. This approach includes having security and control over the endpoints where users can enter the network. The definition of an endpoint is becoming blurred, however, as a result of mobile devices, USB flash memory, and so on. It is also necessary to look at servers as well as the way in which data is transported between servers. Finally, it is important for a company to understand both its business and its business in action on an enterprise network. These are two different things and may involve:
• Understanding how the business is functioning day-to-day
• Determining what needs to be protected
• Identifying from what or whom the business must be protected
• Determining how to support the business while protecting it
Company Policy and Insider Threats
Although it is not possible to discuss every key threat and response, this document serves as a starting point for looking at ways organizations can enhance security. In other words, every company has a policy, but what are the considerations when dealing with the insider threat that make the most sense? Figure 2 illustrates common policy considerations. To gain a granular view of insiders and related levels of trust, it is important to consider outsourcing, offshoring, and consulting.
Figure 1
Figure 2
Insiders include key employees, ex-employees, and contractors. They all have some degree of access to an internal network. They also should be associated with specific levels of trust. This granular view often is not included in policies that may have only a few different levels of trust. A policy should not be merely a piece of paper gathering dust. Instead, organizations should review and update it frequently. Threat modeling, while not a universal strategy, can be very effective. Threat modeling refers to examining the likely places and people to leak data, turn against the company, or access data for improper purposes. Despite the popular notion that everyone is innocent until proven guilty, it can be wise to use a different standard to look at likely threats in terms of people and the technologies they use to craft a policy that will address the real issues. The policy needs to be something people understand. From a technology perspective, policies work best when they become part of the process. The best way to accomplish this goal is by integrating the process with technology and then automating the process.
Data Classification Strategy
It is important to define levels of data sensitivity and appropriate access rules for that data. Many organizations already have a data classification strategy. This strategy may be ad hoc or informal, but to address insider threats, organizations may need to make it more formal and more rigorous in practice. The most common strategy has a four-level scheme for data classification:
• The public level includes data on the company website
• The business level includes data on the company’s internal website
• The confidential level includes information about departmental budgets
• The highly confidential level includes customer data
The number of levels does not matter as long as the strategy fits the business. The key is to put processes in place so that, when a new business initiative arises that is likely to generate new data, it will be easy to determine how to classify that data. Risk management skills are becoming more pervasive in security. Risk management makes it possible to understand the organization’s potential risks if specific data was to be compromised or leaked to the public.
The Layer 8 Approach
Layer 8 is a play on the OSI 7-layer model for networks. In this approach, people are key, and having Human Resources involved in a leadership role is very important. Ironically, many insider threat issues have resulted from HR departments sending personal information to administrators for 401(k) plans, insurance policies, and so on. A good approach is to take an existing, mature process that addresses employees and make it available to contractors and consultants who work with sensitive data. Basically, a company should hold its employees, contractors, and consultants to the same standards and then look at HR processes for vetting new hires to make sure that all processes are in synch. Education about possible threats and general awareness are important for organizations to give to all employees. Intelligence and etiquette are mandatory when handling email. Equally important is that employees be very careful when handling customer data. Employees must be careful what they do with data files, how long the files are kept, and whether they are stored on local drives vs. on a secured server. At the same time, a company must be on guard for those employees who might try to compromise data. Technology can reinforce good behavior as well. For example, people respond to messages warning that they are doing the wrong thing. Such messages can be displayed within a login banner or another type of message. Although it usually is desirable for technology to be transparent, in some cases, it is good to use informational screens to explain what the system is doing for the sake of security.
Network Monitoring
The monitoring of a company’s network needs to:
• Understand network traffic patterns
• Establish a baseline of the network
• Understand what is happening
• Identify who is communicating
• Identify each location of communication
• Identify all the different connections
• Log activity for forensics analysis
These steps are very useful to characterize the network and normal traffic patterns and then to find deviations that might indicate unusual activity. For example, does the organization know why the customer relationship management (CRM) server is being accessed from a specific remote location? Is a salesperson traveling to that country or does that connection mean something else? Similarly, why is someone in R&D accessing an HR server? The goal is to identify any activity that is not normal. If an organization does not understand how its network is running, it probably does not understand how its business is running, either. It is important to keep records of all this information about the network. Unfortunately, organizations often learn they need this information at a later date, such as when legal prosecution becomes necessary, for example.
Extrusion Prevention
Extrusion prevention means taking many defenses that have been used to prevent attackers from getting into a network and deploying them to prevent insiders from transmitting sensitive data out of that network. Although understanding network traffic is important, as explained earlier, applied content analytics is key. Applied content analytics includes the following activities:
• Auditing—scanning organizational servers for sensitive information
• Monitoring—identifying sensitive data flowing through key corporate gateways
• Blocking—preventing traffic flagged as sensitive from leaving the company
It is important to take a more granular approach to understanding where data resides, how it flows, and even the contents of packets. An in-depth packet inspection, combined with network analysis, helps organizations understand content. This strategy makes visible keywords that apply to top-secret projects as well as patterns that can indicate Social Security or credit card numbers. Therefore, organizations should audit their systems to determine where sensitive data may exist on servers to examine what has happened in the past. They then need to combine that analysis with the ability to block access to sensitive information.
Endpoint security is another buzz word. No one wants to install another agent, although doing so might be necessary in some cases. An alternative solution may be configuring what is already installed on desktops, but adding the ability to lock down the desktop configuration. Having the ability to manage any PC or mobile device storage avenues is also important because it is now possible to put a very large database on a very small drive. Supporting the organization’s business policies and having the consoles that make it possible to embed that policy throughout the network are critical.
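The baseline-and-deviation steps listed under Network Monitoring, worked through as an added example (not part of the original briefing). The access records are constructed, and the column names and the `min_count` threshold are assumptions of this sketch.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample records; the column names are assumptions for this example.
BASELINE_LOG = """\
timestamp,user,dept,src_country,server
2005-06-01T09:02:11,asmith,sales,US,crm01
2005-06-01T10:15:40,bjones,sales,US,crm01
2005-06-01T11:30:05,cwu,hr,US,hr01
2005-06-02T09:05:52,asmith,sales,US,crm01
2005-06-02T13:44:19,cwu,hr,US,hr01
2005-06-02T14:01:33,dlee,rd,US,build01
2005-06-03T08:58:27,dlee,rd,US,build01
2005-06-03T16:20:09,bjones,sales,DE,crm01
"""

TODAY_LOG = """\
timestamp,user,dept,src_country,server
2005-06-06T09:01:45,asmith,sales,US,crm01
2005-06-06T22:17:03,bjones,sales,BR,crm01
2005-06-06T23:40:58,dlee,rd,US,hr01
"""


def parse_flows(text):
    """Parse CSV access records into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_baseline(flows, min_count=2):
    """Record which (dept, server) and (server, country) pairs are routine.

    A pair must be seen at least min_count times, so that one odd access
    during the training window does not become part of "normal".
    """
    dept_server = Counter((f["dept"], f["server"]) for f in flows)
    server_country = Counter((f["server"], f["src_country"]) for f in flows)
    return {
        "dept_server": {k for k, n in dept_server.items() if n >= min_count},
        "server_country": {k for k, n in server_country.items() if n >= min_count},
    }


def find_deviations(flows, baseline):
    """Return every record that falls outside the baseline, with the reasons."""
    alerts = []
    for f in flows:
        reasons = []
        if (f["dept"], f["server"]) not in baseline["dept_server"]:
            reasons.append(f"{f['dept']} does not normally access {f['server']}")
        if (f["server"], f["src_country"]) not in baseline["server_country"]:
            reasons.append(
                f"{f['server']} is not normally reached from {f['src_country']}")
        if reasons:
            alerts.append({"flow": f, "reasons": reasons})
    return alerts


def forensic_record(alert):
    """Serialize the full original record plus the reasons, for later forensics."""
    return json.dumps({**alert["flow"], "reasons": alert["reasons"]}, sort_keys=True)


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    for alert in find_deviations(parse_flows(TODAY_LOG), baseline):
        print(forensic_record(alert))
```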
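The auditing, monitoring, and blocking activities of applied content analytics, sketched as an added example (not part of the original briefing and not any vendor's implementation). The keyword list, the sample content, and the mapping from finding type to classification level and gateway action are assumptions; the briefing names the levels and activities but does not define that mapping.

```python
import re
from dataclasses import dataclass

# Assumption: keywords naming sensitive projects (constructed names).
PROJECT_KEYWORDS = ("project falcon", "merger term sheet")

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

# Assumed mapping of finding kinds to the briefing's classification levels,
# and of levels to gateway actions. Public and business data yield no findings.
LEVEL_OF = {"keyword": "confidential", "ssn": "highly confidential",
            "card": "highly confidential"}
ACTION_OF = {"confidential": "encrypt", "highly confidential": "block"}
RANK = ["confidential", "highly confidential"]


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn", "card" or "keyword"
    masked: str  # redacted form, so alerts do not copy the sensitive value


def luhn_valid(digits):
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject number ranges that are never issued as Social Security numbers."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def find_sensitive(text):
    """Return findings for SSN patterns, card numbers and project keywords."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
    lowered = text.lower()
    for kw in PROJECT_KEYWORDS:
        if kw in lowered:
            findings.append(Finding("keyword", kw))
    return findings


def classify(findings):
    """Highest classification level among the findings, or None."""
    levels = [LEVEL_OF[f.kind] for f in findings]
    return max(levels, key=RANK.index) if levels else None


def gateway_action(text):
    """Monitoring and blocking: decide what the gateway does with a message."""
    level = classify(find_sensitive(text))
    return ACTION_OF[level] if level else "allow"


def audit(store):
    """Auditing: report which stored documents hold sensitive data, and why."""
    report = {}
    for path, text in store.items():
        found = find_sensitive(text)
        if found:
            report[path] = (classify(found), sorted({f.kind for f in found}))
    return report


# Constructed sample content for the audit and gateway checks.
SERVER_FILES = {
    "/share/hr/benefits.txt": "Employee SSN 123-45-6789 enrolled in plan.",
    "/share/sales/notes.txt": "Tracking number 1234567890123 shipped Monday.",
    "/share/rd/plan.txt": "Draft schedule for Project Falcon, internal only.",
}
OUTBOUND = [
    "Lunch on Friday?",
    "Attached: Project Falcon milestones.",
    "Customer card 4111 1111 1111 1111 exp 01/30",
]

if __name__ == "__main__":
    print(audit(SERVER_FILES))
    for msg in OUTBOUND:
        print(gateway_action(msg), "<-", [f.masked for f in find_sensitive(msg)])
```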
Encryption
Proactively locating and protecting sensitive data within an organization before it is compromised is not just a matter of blocking things that are happening now. By taking a forward-thinking approach, it is possible to use audit trails, for example, to understand who is trying to access data. If strong encryption is implemented correctly, data cannot be attacked directly. Strong encryption forces attackers to use indirect means. However, it is important to maintain flexibility when designing a data protection plan. One encryption strategy—or one product—will not meet all the needs of an organization. Sometimes it is necessary to protect individual data files, storage devices, and computers. It is also necessary to protect stored data as well as data in transit. There are many different possible scenarios. The best solution will be transparent to users and will not interfere with their ability to perform work or with daily business processes. Organizations should consider how to apply a strategy in an intelligent way to address high-risk insider threats.
Using PGP Products to Address the Insider Threat
One of the ironies in the encryption space is that older technology tends to be more effective, and therefore, more trusted than newer technology. The PGP brand has been around since 1991, and current PGP products are based on 10 years of technology evolution. PGP Corporation is the global customer standard for trusted, proven encryption and digital-signature solutions. So the legacy that the PGP technology brought into the current instantiation of the company is extremely important. There are two important email security standards: S/MIME and OpenPGP. Although OpenPGP is the most widely deployed email encryption standard, PGP products support both standards. Since the company’s inception in mid-2002, PGP Corporation has issued cumulative user licenses of about 1.3 million seats. The integrated PGP security suite is used by more than 30,000 enterprises, businesses, and governments worldwide, including 84 percent of Fortune® 100, 66 percent of Fortune® Global 100, and 76 percent of Germany’s DAX Index companies. PGP Corporation offers innovative technology that includes:
• A fully automated self-managing security architecture
• A comprehensive security suite
• A unified management console for centralized policy and deployment
• Support for all major encryption standards
• Key technology partnerships
• No disruption to users and systems
• A proven deployment track record
• Low cost of ownership
As described in Figure 3, PGP Corporation is best known for its desktop product, which is based on the PGP Universal™ architecture. PGP Desktop 9.0 allows users to deploy content-based policies that will encrypt and decrypt mail automatically as well as volume, full disk, and instant messaging (IM) encryption. PGP Universal is PGP Corporation’s flagship product, providing centralized policy management, transparent key management, and gateway-based email encryption. PGP Command Line is a scriptable encryption tool that protects data transfers and backups to and from an enterprise, automating the encryption of key business applications.
Figure 3
PGP Global Directory is a free service, sponsored by PGP Corporation, designed to make it easier to find and trust the universe of PGP keys. The PGP Global Directory serves as the newest PGP public keyserver, enabling email verification of keys. The newest PGP products, PGP Desktop and PGP Universal, provide automatic key lookup and retrieval via the PGP Global Directory. PGP Universal also includes automated enrollment, thereby streamlining one of the more difficult aspects of deploying an encryption solution.
The classic “key-not-found” problem involves what to do when users want to send encrypted mail to someone for whom they have no key. PGP Universal solves this problem by automatically encrypting the message and notifying the recipient that a secured message has been sent. Users can then read the message using PGP Universal Web Messenger’s Web-based email interface or by running the thin-client PGP Universal Satellite, which receives and decrypts messages directly into the recipient’s email application.
Protecting access to encrypted information is an important enterprise requirement. PGP Corporation’s patented Additional Decryption Key (ADK) technology allows organizations to access data that is encrypted if the key is lost or unavailable. The ADK provides a unique mechanism to access data when required to do so by corporate security policy or regulations without compromising the overall security of the system.
PGP Universal Architecture
The most revolutionary aspect of PGP Universal’s architecture is that encryption occurs at the transport layer (server) rather than the application layer (desktop), as shown in Figure 4. In the application layer, users have to make message-by-message decisions about what to encrypt and not to encrypt. Moving encryption to the transport layer, where such decisions are managed automatically at the server level by the network, makes it transparent to end users. PGP Universal’s proxy-based technology seamlessly handles message encryption without changing an organization’s email infrastructure. This approach allows centralized or endpoint policy management of encryption, simplifying day-to-day usage. Because end users no longer have to make decisions about whether or not to encrypt individual messages, they can focus on performing their jobs instead.
Figure 4
PGP Universal also features centralized policy management of both server-based and desktop deployments, tailoring security needs to different types of users across the organization. Now, administrators can manage and deploy both PGP Universal and PGP Desktop from the same administrative console. PGP Universal provides gateway-based email encryption or end-to-end email encryption with PGP Desktop. The use of PGP Universal for gateway-based email encryption is illustrated in Figure 5.
PGP Desktop
When used with PGP Universal for end-to-end email encryption, PGP Desktop encrypts emails at the desktop. This environment supports all the common encryption standards and allows users to make policy decisions about what to send securely versus in the clear, completely transparent to the user. At the same time, this setup allows IT management, security management, and external auditors to verify that corporate security policy has been correctly deployed and implemented. PGP Desktop allows end users to develop granular security policies to the extent of encrypting a specific address or domain while not encrypting others. These policies do not have to be managed via PGP Universal. It is possible to work very flexibly in either environment. PGP Desktop 9.0 offers many new features, as shown in Figure 6, including the ability to encrypt the full disk:
• PGP Whole Disk Encryption—allows organizations to address the risks and consequences of common data breaches.
• Instant Messaging encryption—secures the rapidly growing phenomenon of IM use in corporations.
• PGP Zip—allows users to wrap up groups of files or even full directories, encrypt them with their PGP key, and send them to a destination.
• PGP Shredder—provides the ability to overwrite a deleted file several times to prevent anyone who obtains a used laptop from reconstituting files that were deleted by the previous owner.
Figure 5
Figure 6
PGP Desktop 9.0 also fully supports the X.509 certificate standard and various smart cards for two-factor authentication. The product currently ships in English, German, and Japanese.
Using PGP Desktop with PGP Universal to Defend Against Insider Threats
PGP Desktop and PGP Universal are often deployed together in large enterprise environments to provide central policy management and centralized administration of desktop-based encryption. The simplest way to deploy PGP Universal is to put it in the gateway and allow it to make encryption decisions for desktop users, PGP Universal Satellite users, and users without PGP capability. It is simple to set up encryption policies on a domain-by-domain basis. Users outside the organization can use webmail and PGP Universal Web Messenger to send and receive encrypted email. The system can also be set up to reject messages if an encryption key is not available. Such messages are sent back to the originator, who is informed they must be sent another way because the corporate email system will not deliver them.
When PGP Desktop and PGP Universal are deployed together to provide end-to-end encryption, emails are encrypted locally, based on centrally managed policy. End users may also configure additional policies locally that do not conflict with corporate policy. For example, a policy might specify that whenever an email includes the string [PGP] in a subject line, PGP Desktop or the PGP Universal Server will automatically encrypt the message.
Defending Against Insider Threats via Email
PGP Universal interoperates with all the leading email hygiene and policy management solutions, including those from CipherTrust, IronPort, and Vontu. If one of those systems encounters an email message that should be secured before delivery, it routes the message to the PGP Universal Server for handling prior to sending. Figure 7 shows an email message routed to PGP Universal.
Figure 7
An email hygiene and policy management system, such as IronMail™ from CipherTrust, can be set up to scan outgoing email messages for various secure words that are specific to an organization. Figure 8 shows PGP Desktop added to a client PC. It is possible to scan for specific words in an email header, body text, or subject line. If the email hygiene and policy management system identifies an email message that may contain confidential information, it automatically routes that message to the PGP Universal Server for encryption before forwarding it to the Internet. This process provides organizations with considerable granularity in how they deploy their security policy. When integrated with an email hygiene and policy management system, PGP Universal can be placed outside the mail flow. This flexibility is possible because of PGP Universal’s adherence to open standards.
Figure 8
Customers can also use PGP Desktop features to lock down the last location from which confidential information can be extruded from the corporate network. As discussed previously, these features provide the ability to encrypt the entire disk of a laptop or desktop system as well as to automatically encrypt removable USB flash memory devices. Figure 9 illustrates the integration of PGP Universal with an extrusion prevention solution.
Many large, well-known organizations and academic institutions have experienced security breaches. If they had used PGP Whole Disk Encryption, the lost data would have been inaccessible. For users who need to encrypt only specific files, PGP Desktop offers PGP Virtual Disk encryption capability. These two features also can work together: PGP Whole Disk Encryption can be used on a system that contains a PGP Virtual Disk without having to decrypt the virtual disk. This process works quickly to create new volumes on removable media and even on network servers.
Many PGP enterprise customers asked the company for help in securing their IM traffic from end to end, so PGP Corporation added transparent AOL® Instant Messenger™ (AIM) session encryption.
PGP Command Line
PGP Command Line is a scripting solution that allows enterprises to quickly add strong PGP encryption to existing batch processes, network transfers, or backup systems. Figure 10 shows how PGP Command Line works to protect data transfers and backups. PGP Command Line is very popular in the financial services sector for moving accounts and the reconciliation of data. For example, a financial services firm that handles the majority of hedge funds has deployed PGP Command Line to all its customers and requires them to send daily encrypted reconciliation reports.
Figure 9
Figure 10
that addresses all security problems requires organizations to think in terms of people, processes, and technology. Organizations should consider the use of encryption to protect sensitive confidential and proprietary information from a legislative, regulatory, due diligence, and civil litigation viewpoint. Although using encryption as a tool is critical, a solid strategy requires that multiple applications be protected with encryption. Every application should use appropriate encryption for every data source and method of transfer. Consider all options. Remember that if encryption is combined with good policies of data classification and sophisticated content analytics, the possibility exists of having set the bar so high in an internal network that attackers may decide to go elsewhere. PGP Corporation is the global customer standard for encryption and digital-signature solutions. There are many different ways to apply PGP security creatively to solve a variety of business needs and battle the insider threat.
Summary
The information security industry has matured. Today’s hackers are still concerned about taking networks down, but are more interested in figuring out how to take over functioning networks and compromise them from the inside. Organizations that believe they have found a product that is going to solve the insider threat problem do not understand this is a difficult issue that requires a comprehensive approach. Creating a sound strategy
Common Questions
Question: What is the best way to control the information employees might be sending out from their company’s internal email system to webmail accounts?
Answer: The most common way PGP customers control information is by blocking access to sites that offer webmail access. They also require employees to use the corporate email system for all email communication, which can then be managed centrally via PGP Universal and some of PGP partners’ gateway filtering products.

Question: What is the best way to disable the email accounts created for contractors after they no longer work for an organization?
Answer: PGP Universal automatically enrolls new users in the system to ensure their use does not compromise it. When a contractor leaves, his/her keys are then disabled, although the information can be accessed if the organization stores keys on the server rather than the desktop or if it uses an Additional Decryption Key. Organizations with the ability to have a provisioning system may also find helpful a directory that allows them to set temporary or time-restricted certificates.

Question: Can I use PGP Universal to force the encryption of an email message sent by a specific individual such as our legal counsel?
Answer: Absolutely. Setting policies by the sender or recipient is an integral part of the PGP Desktop system and can be done at the gateway of PGP Universal.

Question: Is it practical to configure an email system policy to place limits on where and when someone can send file attachments?
Answer: That is a very culturally sensitive issue. Given that the mobile workforce tends to work 24 hours a day, you never know from when or where a key file needs to be moved to the corporate network. Some people have been able to set limits, but they work in very secure, sensitive environments. Most IT organizations have to find another way to solve this particular problem.

Question: Our company uses a lot of handheld devices, and I am struggling to discover what confidential data might be leaving the company. Can you offer any advice about how to do this?
Answer: This is a common problem at organizations that end up with large BlackBerry deployments. There are some things PGP Universal can do today to secure those communications. As an industry, we have work to do in this area to provide end-to-end handheld device encryption. If you are looking at new security solutions from various providers, make absolutely certain your vendor has plans to establish that kind of end-to-end solution.

Question: How do I ensure access to data, especially for mobile users? From a support standpoint, how do I ensure access to data even if users forget the password or lose their token?
Answer: This was the most difficult problem to solve when developing PGP Whole Disk Encryption. How do you encrypt the disk when users can lose their keys or tokens and you may not have good network access to them when that happens? For example, suppose you have a bad phone line to a sales representative who has to give a presentation in 20 minutes to the organization’s largest account. The PGP Whole Disk Encryption product has extensive recovery mechanisms that comprehend a number of different user and IT scenarios, including the lack of network connectivity.

Question: I would like to improve our company’s data classification usage policies. Is there any good source material I can review that will give me pointers?
Answer: Use Google. A lot of organizations will have something online, and you are likely to find some templates, which is probably the best way to go.
About TechTarget
We deliver the information IT pros need to be successful. TechTarget publishes targeted media that address your need for information and resources. Our network of industry-specific Web sites gives enterprise IT professionals access to experts and peers, original content, and links to relevant information from across the Internet. Our conferences give you access to vendor-neutral, expert commentary and advice on the issues and challenges you face daily. Practical technical advice and expert insights are distributed via more than 100 specialized email newsletters, and our webcasts allow IT pros to ask questions of technical experts in real time.

What makes us unique
TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals. We leverage the immediacy of the Web, the networking and face-to-face opportunities of conferences, the expert interaction of Webcasts and Web radio, the laser-targeting of email newsletters and the richness and depth of our print media to create compelling and actionable information for enterprise IT professionals. For more information, visit www.techtarget.com.