Encryption Policy Session
August 2, 2007

Karen Sorady
NYS Office of Cyber Security and
Critical Infrastructure Coordination

- Over 200 million personal records breached in the US since 2004 (70 million in the US in 2007 alone)
- NYS Internet Security and Privacy Act – August 2005
- NYS Cyber Citizen's Notification Policy – December 2005
  – Since then, over 3 million records breached in NYS
- CSCIC Internal Directive on Personal, Private and Sensitive Information (PPSI) – July 2006
- Revised Cyber Security Policy/New Standard – August 1, 2007
Anatomy of a Recent Breach
- Ohio had a longstanding practice of allowing employees to take home backup devices as part of its contingency plan
- In June 2007, a backup device was stolen from an intern's unlocked car
- PPSI for over a half million taxpayers put at risk:
  - 72,000 current and former state employees
  - 584,000 individuals with uncashed refund checks
  - 600 lottery winners with uncashed tickets
  - 2,500 individuals with unclaimed funds
Anatomy of a Recent Breach (continued)
- Other information compromised:
  - Names and case numbers for 84,000 welfare recipients
  - Tax ID numbers of 87,000 vendors
  - Names and bank account numbers on up to 1,000 failed electronic bank transfers
- Jobs were lost
- Cost to the State of Ohio estimated at over $2 million
- In response, Governor Strickland issued an Executive Order requiring development of a statewide encryption protocol for Ohio
Policy Changes
- Added responsibility for the State Entity to communicate policy requirements to third parties and address those requirements in third party agreements
- Introduced Personal, Private and Sensitive Information (PPSI)
- Date for submission of the annual Executive Management compliance certification changed from 4/1 to 12/31
Cryptographic Controls Policy Statement
- Encryption is just one layer of security
- Risk assessment will determine the proper level of protection
- Longer key lengths = stronger encryption
- Agencies must weigh the benefits of stand-alone vs. enterprise solutions
- Attention must be given to regulations and national restrictions that may apply
NEW Cryptographic Controls Standard – Data in Transit
- Encryption required when data is in transit over State Entity (SE) wireless networks used to access SE internal networks
- Encryption required when accessing SE data remotely from a shared network, including:
  – Connections between agencies over the Internet or
  – Connections from a Bluetooth device to an agency PDA/cell phone
NEW Cryptographic Controls Standard – Data at Rest
- Full disk encryption (FDE) of ALL laptops accessing or containing SE information
- Encryption for ALL PDAs
- Encryption for ALL USBs
- Encryption for removable storage devices when containing PPSI and not in an approved storage
  – Executive Management exemption allowed for tapes
NEW Cryptographic Controls Standard (continued)
- Encryption used must be FIPS 140 validated
- FDE must use pre-boot authentication
- SE must inventory encrypted devices and validate implementation of encryption
Key Management Policy/NEW Standard
- Unencrypted keys must not be stored with encrypted data
- Protect encryption keys with a passphrase of at least 15 characters, unless:
  – Multifactor protection
  – Automatic deletion after 10 or fewer attempts to log in
  – Remote erase feature
- Compromise requires generation of a new key
- Maintain keys and encryption software for the life of the encrypted archive
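The Data at Rest standard and the key management standard above both end in an inventory-and-validation duty for the SE. As an added example (not code from the slides or from CSCIC), the check below applies those items to constructed device records; the record fields, the "removable" device kind and the treatment of the 10-attempt auto-delete as a configured count are assumptions, and the Executive Management tape exemption is not modelled.

```python
from dataclasses import dataclass

MIN_PASSPHRASE = 15     # characters, unless one of the listed exceptions applies
MAX_WIPE_ATTEMPTS = 10  # automatic deletion after 10 or fewer failed logins


@dataclass
class Device:
    # Constructed inventory record; field names are assumptions, not a CSCIC schema
    name: str
    kind: str                    # "laptop", "pda", "usb" or "removable"
    holds_ppsi: bool = False
    approved_storage: bool = False
    encrypted: bool = False
    fips140: bool = False        # encryption module is FIPS 140 validated
    full_disk: bool = False      # FDE rather than file/folder encryption
    preboot_auth: bool = False
    passphrase_len: int = 0
    multifactor: bool = False
    wipe_after: int = 0          # 0 = no automatic deletion configured
    remote_erase: bool = False
    key_with_data: bool = False  # unencrypted key kept on the same media


def encryption_required(d: Device) -> bool:
    # Laptops, PDAs and USBs: always. Other removable media: only when holding
    # PPSI outside approved storage (tape exemption not modelled here).
    return d.kind in ("laptop", "pda", "usb") or (d.holds_ppsi and not d.approved_storage)


def key_protection_ok(d: Device) -> bool:
    # 15+ character passphrase, or one of the standard's three alternatives
    if d.passphrase_len >= MIN_PASSPHRASE:
        return True
    return d.multifactor or d.remote_erase or 0 < d.wipe_after <= MAX_WIPE_ATTEMPTS


def findings(d: Device) -> list[str]:
    # Gaps an SE's implementation validation should flag for this device
    if not encryption_required(d):
        return []
    if not d.encrypted:
        return [f"{d.name}: encryption required but not present"]
    gaps = []
    if not d.fips140:
        gaps.append(f"{d.name}: encryption not FIPS 140 validated")
    if d.kind == "laptop" and not d.full_disk:
        gaps.append(f"{d.name}: laptop needs full disk encryption")
    elif d.full_disk and not d.preboot_auth:
        gaps.append(f"{d.name}: FDE must use pre-boot authentication")
    if not key_protection_ok(d):
        gaps.append(f"{d.name}: key passphrase under 15 chars, no exception")
    if d.key_with_data:
        gaps.append(f"{d.name}: unencrypted key stored with encrypted data")
    return gaps
```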
Compliance Requirements
- Required as soon as possible, no later than December 31, 2008
- Reportable item on the Gap Analysis
- CSCIC will ask for more detailed periodic status reports on progress
Federal Data at Rest (DAR) Agreements
- April 2007, the Federal government issued an RFQ for encryption hardware and/or software
- 103 technical/functional requirements
- May 2007, State and local government added to the procurement
- Historic: first time vendors must give us the same terms and conditions as the Feds
- Potential for excellent pricing considering the potential volume
Support from the Top

"By working with the federal government to protect this important information we have the ability to add another layer of protection, to New York's cyber security program, in an extremely cost-effective

  - Governor Eliot Spitzer
Federal Data at Rest (DAR) Awards

Reseller                     Publisher                          FDE/FES
HI TECH SERVICE INC          Encryption Solutions Inc           FES
MERLIN INTERNATIONAL INC     GuardianEdge Technologies Inc      FDE
CARAHSOFT TECHNOLOGY CORP    Information Security Corporation   FES
MTM TECHNOLOGIES INC.        Mobile Armor LLC                   FDE
IMMIX TECHNOLOGIES           Pointsec/Checkpoint                FDE
ROCKY MOUNTAIN RAM LLC       Safeboot Mobile Data Security      FDE/FES
SPECTRUM SYSTEMS INC         Safeboot Corp                      FDE/FES
SAFENET INC                  SafeNet Inc                        FDE
AUTONOMIC RESOURCES          SPYRUS Inc & WinMagic Inc          FDE/FES
GOVBUYS INC                  WinMagic Inc                       FDE/FES
Representative Pricing (License - PC)
Per-license price at 10K, 33K and 100K license volumes

Product                                      10K      33K      100K
GuardianEdge Encryption Anywhere Hard Disk   $44.36   $38.81   $25.88
Pointsec for PC                              $81.03   $49.50   $33.00
Safeboot Device/Content Encryption           $19.00   $14.00   $6.00
WinMagic SecureDoc*                          $54.84   $44.03   $30.02

*Pricing includes server component
Representative Pricing (License – Removable Media)
Per-license price at 10K, 33K and 100K license volumes

Product                                              10K      33K      100K
GuardianEdge Encryption Plus Anywhere Removable Storage   $12.67   $11.09   $7.39
Pointsec Media Encryption                            $16.39   $11.00   $8.25
Safeboot Port Control                                $10.00   $6.00    $2.00
WinMagic SecureDoc RME                               Bundled pricing given; unable to determine individual pricing
Representative Pricing

Product                                      10K      33K      100K
GuardianEdge Encryption Anywhere Hard Disk   $10.73   $9.39    $6.26
Pointsec for PC                              $16.73   $7.43    $4.95
Safeboot Device/Content Encryption           $3.99    $3.00    $1.50
WinMagic SecureDoc*                          $10.97   $8.81    $6.00

*Pricing includes server component
Our Goal
Our goal is to maximize the number of agencies buying the same product to achieve the greatest discount.
Aggregate Buy Example

Individual purchases
              #      Unit Cost      Total Cost
Agency A        500    $108.90      $54,450.00
Agency B      1,000     $99.00      $99,000.00
Agency C      3,000     $92.70     $278,100.00
Subtotal                           $431,550.00
Federal      29,000     $75.57   $2,191,530.00

State aggregate buy
              #      Unit Cost      Total Cost       Savings
Agency A        500     $92.70      $46,350.00     $8,100.00
Agency B      1,000     $92.70      $92,700.00     $6,300.00
Agency C      3,000     $92.70     $278,100.00         $0.00
Subtotal      4,500                $417,150.00    $14,400.00

State and Federal combined buy
              #      Unit Cost      Total Cost       Savings
Agency A        500     $49.50      $24,750.00    $29,700.00
Agency B      1,000     $49.50      $49,500.00    $49,500.00
Agency C      3,000     $49.50     $148,500.00   $129,600.00
Subtotal                           $222,750.00   $208,800.00
Federal      29,000     $49.50   $1,435,500.00   $756,030.00
Total        33,500                              $964,830.00

Using Pointsec pricing from NYS OGS Contract PT55645 and Federal BPA FA8771-07-A-0307
Next Steps
- CSCIC is working with OGS to put the DAR contracts on State contract.
- CSCIC is working to coordinate an aggregate buy.
- Commitment (including product and number of licenses) needed from the agency purchasing authority to participate in the aggregate buy.
Additional Information