
4 Steps to Data Security Compliance

Shared by: Lisa Baker, posted 4/6/2008 (English)
Technologies to Help Your Organization Comply with U.S. Data Security Regulations

OVERVIEW

U.S. corporations that handle corporate and personal data must conform to certain government legislation to protect this private information from compromise, unauthorized access, interception, or corruption. However, organizations with little or no education about these mandates or suitable solutions will find their budgets and their manpower stretched too thin. This paper examines existing government regulations and provides an understanding of relevant security technologies so organizations will be able to make wise, cost-efficient decisions regarding security technology implementations.

INTRODUCTION

Legislation related to data security has taken hold fairly quickly in the United States and is still evolving at a rapid pace. Organizations are finding themselves under increasing pressure to modify business processes and IT infrastructure in a fundamental manner to meet compliance challenges. However, these organizations often lack sufficient security-specific technical knowledge and experience to design and deploy robust security solutions at maximum efficiency. Budgets and other resources have been stretched to the limit in the wake of growing internal demands for improved protections for business data and applications, external demands from customers and consumers regarding privacy and financial safety, and legislative pressure for significantly heightened controls and reporting mechanisms. The question is: How can an organization respond to the serious security threats against business systems, and employee and customer data, in ways that minimize the costs of data security compliance, ensure the adaptability of security solutions over time, meet all relevant compliance requirements, and adequately reduce exposure to risk?
Today’s organizations of all sizes must incorporate substantial protections across diverse IT systems and business processes, extending IT budgets and personnel to accommodate new security purchases and added security management needs for the entire enterprise infrastructure. This paper examines existing regulations and provides an understanding of the breadth and scope of relevant security technologies that can ensure your organization will be able to make wise, cost-efficient decisions regarding security strategies, policies, and technology implementations.

SafeNet White Paper – 4 Steps to Data Security Compliance

EVOLVING DATA SECURITY THREATS

Growing Number and Diversity of Attacks

Years ago, only the occasional big-time computer hacker made headlines; today, data theft and attempts at data breaches are commonplace. According to the Privacy Rights Clearinghouse, between January 2005 and June 2007 over 155 million individual records in the U.S. were reported compromised through unauthorized access to data systems, insider wrongdoing, administrative incompetence or theft of computers and other storage media. Widely publicized incidents include:

• The 2006 disappearance of a U.S. Dept. of Veterans Affairs laptop containing sensitive information on over 28.7 million veterans.
• A computer server containing the personal information and medical records of 930,000 customers was stolen from the New York offices of insurance giant AIG.
• An estimated forty million credit cards compromised when outsourcing vendor CardSystems Solutions was hacked.
• Hundreds of thousands of Social Security numbers obtained from data aggregation company ChoicePoint.

Data breach figures swell even further if unreported incidents are also taken into account. Internal and external threats to corporate and personal data include, but are not limited to:

• Unauthorized access to protected information by outsiders or employees
• Compromised system security as a result of system access by an unauthorized person
• Interception of data during transmission
• Corruption of data or systems

Financial Consequences of Data Breaches

Although the true costs of data breaches and related problems are hard to quantify precisely, some figures are available, in part due to the growing number of data breach disclosure laws that have been passed by state legislatures. In its 2006 Computer Crime and Security Survey, the Computer Security Institute (CSI), with the participation of the San Francisco FBI Computer Intrusion Squad, stated that virus attacks, unauthorized access to networks, lost and stolen laptops or mobile hardware, and theft of proprietary information or intellectual property account for more than 74 percent of financial loss. The CSI study indicated that the average reported loss for an individual company in 2006 was $167,713. However, since half of the respondents were unable or unwilling to report actual figures, aggregate loss statistics were inconclusive. By contrast, twice as many respondents provided loss figures in 2005, with total costs listed as $130,104,542 for that year. While many categories saw a decrease in reported losses (in part due to missing information from respondents), reported losses from laptop or mobile hardware theft and telecommunication fraud revealed a substantial increase. In fact, telecommunication fraud losses rose more than 400 percent compared to 2005.
The study took care to state that “we are suspicious that implicit losses (such as the present value of future lost profits due to diminished reputation in the wake of negative media coverage following a breach) are largely not represented in the loss numbers reported here.” (CSI)

According to Darwin Professional Underwriters, key factors that contribute to the high cost of data breaches include investigation, attorney’s fees, customer notification, call center support, crisis management consulting, media management, credit monitoring fees where applicable for affected customers, regulatory investigation defense and state and federal fines and fees. Organizations may also incur losses due to successful civil suits. The organization calculates that a single data breach affecting only 1,000 customers averages $166,000, not including liability in civil suits.

The Gartner Group estimates that data breaches cost $140 per customer. This figure includes direct costs (e.g., legal fees and notification costs), indirect costs such as loss of employee productivity, and opportunity costs due to loss of customers and recruitment of new ones. Gartner also takes into account fines, exposure to legal action, impact on reputation, shareholder value loss, and diminished goodwill.

DATA SECURITY COMPLIANCE REQUIREMENTS

Government Mandates

Federal and state governments have responded to expanding threats to data privacy and integrity with legislation targeting the ways in which private data is held, accessed, transferred and protected. Some new laws also aim to improve protections against fraud and misuse of corporate funds; these laws specify procedures for reporting, audits and so forth, but also include requirements regarding data protection.
Bills such as Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act (HIPAA) have substantially increased financial and security-related reporting requirements, and have put pressure on IT organizations to implement effective security solutions on a rapid timetable. Where laws specify the consequences of failing to comply (by not instituting appropriate protections and/or not establishing adequate audit and reporting mechanisms), penalties include sizeable fines, heightened scrutiny, credit downgrading, legal prosecution and even possible imprisonment. In addition, data security laws are constantly evolving, making it essential for organizations to focus on implementing flexible, comprehensive security solutions that can ensure adaptability and compliance over the long term.

Data Security Legislation at a Glance

A closer look at data security laws themselves reveals that they address diverse data protection issues, ranging from the integrity of data storage media containing personal employee and consumer information (such as social security numbers) to transactions involving the transmission of private financial information across wide area networks (WANs). Regulations typically require organizations to complete and file regular audits and reports that must meet strict format and content specifications. The most influential laws affecting data security in the U.S. today are outlined in the chart below.

Legislation: Gramm-Leach-Bliley Act (GLB) (U.S. Financial Modernization Act of 1999)
Impact on Data Security:
• Requires administrative, physical and technical safeguards to protect consumers’ personal information held by financial institutions.
• Specifies that financial institutions must: a) ensure the security and confidentiality of customer records and information; b) protect against any anticipated threats or hazards to the security or integrity of such records; c) prevent unauthorized access to or use of records or information that could result in substantial harm or inconvenience to any customer [15 U.S.C. § 6801(b)].
• Penalties for non-compliance include criminal prosecution, fines and imprisonment.

Legislation: Health Insurance Portability and Accountability Act (HIPAA)
Impact on Data Security:
• Requires that all organizations and individuals handling patient medical data must comply with strict rules designed to protect confidentiality.
• Requires safeguards that ensure data integrity and confidentiality, protect against reasonably anticipated threats or hazards, and prevent unauthorized use or disclosure of information (Technical Safeguards Section 164.312).
• Identifies four standards areas: audit controls, integrity of data, person or entity authentication, and transmission security.
• Strongly recommends encryption for data transmitted over a public network (for example, e-mail), based on an entity’s risk analysis.
• Note that organizations will need to implement advanced security techniques such as encryption in order to effectively protect data and to demonstrate during the extensive HIPAA reporting process that they have met the law’s demanding data protection mandates.

Legislation: California Information Practice Act (SB1386)
Impact on Data Security:
• Requires that organizations disclose any breach of security to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
• Covers any organization or individual that conducts business in California.
• Organizations that encrypt stored and transmitted customer information are exempt from costly notification procedures in the event of a breach.
• Has led to breach laws in at least 35 states, per the National Conference of State Legislatures.
• Note that organizations may be subject to a particular law’s notification requirements even if corporate sites are located outside the state of the law’s origin; if a breach involves customers who are residents of a covered state, then the company will be required to notify covered individuals.

Legislation: Payment Card Industry Data Security Standard (PCI DSS)
Impact on Data Security:
• Developed jointly by major credit card companies (Visa, MasterCard, American Express, Diners Club, Discover, JCB) to prevent credit card fraud and data breaches.
• Covers all members, merchants, and vendors who transmit, process, or store cardholder data.
• Specifies 12 requirements that include building and maintaining a secure network, protecting cardholder data and implementing strong access control measures.
• Specifies that encryption must be used for the transmission of cardholder data and sensitive information across public networks.

Legislation: Sarbanes-Oxley (SOX) (Public Company Accounting Reform and Investor Protection Act of 2002)
Impact on Data Security:
• Enacted as a Federal response to accounting scandals at companies such as Enron, Tyco International, and WorldCom, reforming the way public companies report financial information.
• Focuses on the effectiveness of an organization’s internal controls (Section 404).
• Although lacking specifics about the IT technologies required, emphasizes the need for systemic solutions such as robust access controls, data encryption, and detailed audit trails.
• Implies that CEOs and chief financial officers who are signing off on the validity of financial data must be sure that the systems maintaining that data are secure.

Covering All Bases

The number and diversity of regulations related to data security can be overwhelming. Furthermore, these various laws are written in very different styles and refer to similar data security measures using different language, vary greatly in the extent to which controls are specified and/or recommended, and can be vague as to the particulars of what exactly constitutes a compliant IT configuration. To make matters even more complicated, most organizations will find themselves subject to several, if not all, of the data security laws and associated operational and technical mandates listed above. In addition, most organizations face all types of data security issues, and may not have the luxury of picking and choosing which types of information or data access scenarios to protect.

Taking these factors into account — the overall vagueness and inconsistency of data security legislation, the broad range of mandates applicable to an individual enterprise, and the diversity of data security scenarios requiring compliant data protection — a comprehensive data security policy that addresses the full range of data security issues within a single strategic plan and system is the most robust, efficient, and in the long run most cost-effective response to the compliance challenge.

DEPLOYING DATA ENCRYPTION FOR COMPLIANCE

The good news is that comprehensive, yet cost-effective data security technologies are already available to aid organizations in protecting information assets, minimizing business risk and achieving compliance goals. Properly layered and combined, these technologies can satisfy many relevant regulatory requirements simultaneously.
Compliance with data security requirements centers on fully protecting data assets while facilitating secure access by authorized people and entities. While many traditional security methods focus on network perimeter protection (“keeping the bad guys out”), comprehensive data security must also protect information at the asset level (the data itself) against both internal and external threats. Encryption is the most robust, comprehensive, and cost-effective solution for data privacy. Where data is effectively encrypted, it is useless to unauthorized parties, even if all network perimeter protection fails. Only authorized users with the proper credentials can unlock and use the protected data.

A comprehensive encryption policy involves four types of technologies that together protect information and access to information at the data asset level:

• Data in Motion: Securing data while it is being transmitted over private and public networks
• Data at Rest: Protecting data in storage on PCs, laptops, and portable devices
• Access Controls: Authenticating people who request access to encrypted data
• Data Integrity Controls: Protecting the encryption keys used by cryptographic security systems

The following section outlines the key criteria for selecting encryption technologies that together create a comprehensive solution that provides robust data security.

What to Look for in a Data Security Solution

In today’s complex IT environments, it is almost impossible to ensure total protection — and therefore total compliance — without implementing all of these solutions to some degree.
For example, no matter how effectively a particular application is protected against unauthorized access, if the application data resides in an unencrypted database or travels over a partially or completely unprotected network, the data itself remains vulnerable. Fortunately, careful selection of appropriate products, tailored to the size and complexity of a particular enterprise infrastructure, can enable efficient and cost-effective compliance, while providing an appropriate balance between an unhindered flow of data between authorized parties and adequate protection of sensitive information.

Technologies available to ensure data security compliance include strong authentication solutions, comprehensive disk and file encryption, high-speed encryption for WAN networks, and hardware security modules that provide a flexible, highly reliable solution for maintaining the integrity of data and applications. All of these technologies must also include audit trails and simplified reporting in order to ensure that organizations can clearly demonstrate the effectiveness of their data security solutions to regulatory agencies as well as internal auditors.

Step 1 – Secure Data in Motion
Protecting data transmitted over high-speed WAN networks

Organizations requiring high-performance, low-latency WAN solutions — for data transmission over private corporate networks or the public Internet — typically use dedicated transmission circuits that are provided by telecom carriers and service providers.
The appeal of the high-speed WAN is the volume of data that it can handle (up to 10 Gbps), the Quality of Service levels that service providers offer (99.999% uptime), and the perceived security advantage of a dedicated “private” circuit that isn’t shared with others. However, the privacy of these circuits only extends to dedicated switching or virtual circuit connections, which fails to guarantee data integrity or security. Since many service providers fail to offer guarantees regarding data integrity for high-speed networking, there is no outside accountability relating to the security of data in transit. Thus, organizations must implement their own network security solutions, even for dedicated WAN circuits.

High-speed encryption (HSE) of network traffic is the most effective method for protecting sensitive data traveling over WANs. High-speed encryption fully satisfies companies’ security needs for data in motion while meeting the requirements of multiple security mandates simultaneously. For example, both HIPAA and PCI DSS specifically target encryption as the technology of choice for protecting data that travels across public networks. High-speed encryption is a highly effective approach that satisfies a range of regulatory requirements at reasonable cost.

What to look for:

• Easy integration: Versatile, standards-based HSE solutions permit network administrators to integrate high-speed encryption without having to alter the existing network infrastructure.
• Efficient bandwidth use: Cost-effective high-speed encryptors will use bandwidth very efficiently, providing high performance at lower cost.
• Administrative ease of use: High-speed HSE solutions should be fast and easy to implement without disrupting operations.
With the right management tools, an HSE solution can be remotely configured, monitored and updated.
• Audit trail: A complete data security audit trail is a must, since this is usually a mandatory reporting requirement.

Step 2 – Secure Data at Rest
Protecting data stored on PCs, laptops, and portable devices

Mobile computing devices such as laptops and USB drives are quickly emerging as the industry standard for increasing user productivity and efficiency. The portable nature of these devices increases the possibility of loss or theft. Without strong data protection, sensitive data is at risk from corporate espionage, accidental loss, or theft, potentially resulting in significant financial loss, legal ramifications, and brand damage. Incidents of this type also jeopardize compliance with industry and legislative mandates and can trigger penalties.

Full disk encryption is the most effective method available for protecting sensitive data on servers, workstations, laptops and removable media devices such as flash drives, memory cards, and CDs. It usually satisfies multiple regulations simultaneously, thereby lowering compliance costs. Disk encryption is also highly reliable; even in a situation where a hacker manages to penetrate other layers of enterprise security, sophisticated encryption algorithms ensure that stored data remains secure.

What to look for:

• Robust Security: Look for disk encryption solutions that meet the most stringent security standards including FIPS 140-2, Level 2, Common Criteria (CC) EAL2/EAL4.
• Manageability: To maximize flexibility and achieve the lowest total cost of ownership, look for solutions that integrate into existing management platforms such as Active Directory, which allows administrators to centrally assign security policies, deploy software, and apply critical updates to an entire organization, saving time, resources and manpower.

Step 3 – Provide Access Controls
Authenticating people who request access to sensitive data

By encrypting data at rest and data in motion, organizations go only half the way toward fully protecting sensitive data and thereby meeting legislative demands. The reason for the shortfall is that security systems must also ensure that only authorized users—properly identified and admitted—can access and use encrypted information.

Authentication is based on a digital identity, which consists of who one is (the identity) and the “credentials” that one holds (attributes of that identity). Credentials can include passwords, keys, digital certificates, and biometrics (such as a fingerprint or retinal scan). The use of a single credential only—generally a password—is considered a weak authentication methodology, and is one of the main causes of security breaches because passwords are often easily obtained. Strong authentication (or multifactor authentication) requires the use of more than one credential.

Strong hardware-based authentication is the most direct and cost-effective way to ensure that any user attempting to access sensitive applications and data is an authorized party with appropriate permissions to view, copy, and modify that data. Authentication hardware includes security tokens and smart cards, which are small, secure physical devices that hold users’ credentials, with data access protected by two-factor authentication. Flexibility is another major factor in a comprehensive authentication solution.
Authentication methodologies must be flexible enough to ensure that data is immediately and easily available to the authorized users who need it, while also preventing access by those without proper identification.

What to look for:

• Integration and interoperability: Devices built on an open, standards-based platform permit seamless interoperation with applications and products from leading authentication and information security companies.
• Customization: Token and smart card solutions should be highly flexible and allow for easy configurability, so that they can easily support application-specific requirements.
• Proven performance: Well-tested solutions keep administrative costs under control and ensure the reliability of security procedures.
• Highest security: To ensure the highest levels of protection and security, look for token and smart card solutions that have gone through stringent FIPS and other regulatory testing.

Step 4 – Provide Data Integrity Controls
Protecting the cryptographic keys used by the security systems

At the heart of any data security solution are the secret cryptographic keys used for encrypting and decrypting sensitive data. If a cryptographic key gets into the wrong hands, the entire data security infrastructure—no matter how costly or sophisticated—will be rendered useless. For this reason, protection of encryption keys can be considered an essential part of the compliance program.
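The two-factor check of Step 3 and the key-custody principle just stated in Step 4 can be shown together in a small Python program. This is an added example, not code from the white paper or from SafeNet: a simulated hardware token and a server-side verifier. The token seed is held inside a SecureModule object that exposes only a "compute one-time code" operation and writes an audit entry for every key use, which is the "keys never leave the hardware" and audit-trail behaviour the paper asks of tokens and HSMs; the verifier accepts a user only when both the password (something you know) and an RFC 4226 HOTP code from the token (something you have) check out, tolerating a small look-ahead window and rejecting replayed codes. SecureModule, TwoFactorVerifier, the handle token-0001, the user alice and the passwords are constructed names; the seed 12345678901234567890 is the RFC 4226 test-vector seed.

```python
"""Simulated hardware token plus two-factor verifier with an audit trail.

Added illustration, not code from the white paper or from SafeNet.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SecureModule:
    """Stand-in for a token or HSM (constructed): keys are addressed by handle, never exported."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}   # key material stays inside this object
        self.audit: list[str] = []          # one entry per key operation

    def import_key(self, handle: str, raw: bytes) -> str:
        """Provisioning path: the seed loaded into a token at issuance."""
        self._keys[handle] = raw
        self.audit.append(f"import key={handle}")
        return handle

    def generate_key(self, handle: str, nbytes: int = 20) -> str:
        """Generate the seed inside the module so it never crosses the API boundary."""
        self._keys[handle] = secrets.token_bytes(nbytes)
        self.audit.append(f"generate key={handle}")
        return handle

    def compute_hotp(self, handle: str, counter: int) -> str:
        """The only operation offered on a token key: an OTP for a given counter value."""
        code = hotp(self._keys[handle], counter)
        self.audit.append(f"hotp key={handle} counter={counter}")
        return code


class TwoFactorVerifier:
    """Server side (constructed): password (something you know) plus token code (something you have)."""

    def __init__(self, module: SecureModule, window: int = 3) -> None:
        self.module = module          # server's copy of the token seeds, by handle
        self.window = window          # skipped counter values tolerated (token pressed with no login)
        self._users: dict[str, dict] = {}

    def enroll(self, user: str, password: str, key_handle: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "key": key_handle,
            "counter": 0,             # next counter value the token is expected to present
        }

    def verify(self, user: str, password: str, code: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, rec["pw_hash"]):
            self.module.audit.append(f"deny user={user} reason=password")
            return False
        # Second factor: accept the OTP for the expected counter or a few values ahead,
        # then move the counter past it so the same code cannot be replayed.
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(self.module.compute_hotp(rec["key"], c), code):
                rec["counter"] = c + 1
                self.module.audit.append(f"allow user={user} counter={c}")
                return True
        self.module.audit.append(f"deny user={user} reason=otp")
        return False


def demo() -> list[str]:
    """Constructed walk-through; returns the server module's audit trail."""
    seed = b"12345678901234567890"            # RFC 4226 test-vector seed
    user_token = SecureModule()                # the device in the user's pocket
    user_token.import_key("token-0001", seed)
    server_hsm = SecureModule()                # server-side key store holding the same seed
    server_hsm.import_key("token-0001", seed)
    server = TwoFactorVerifier(server_hsm)
    server.enroll("alice", "correct horse battery", "token-0001")

    code0 = user_token.compute_hotp("token-0001", 0)   # "755224" per RFC 4226
    results = [
        server.verify("alice", "correct horse battery", code0),   # True
        server.verify("alice", "correct horse battery", code0),   # False: replay of a used code
        server.verify("alice", "wrong password",
                      user_token.compute_hotp("token-0001", 1)),  # False: first factor fails
    ]
    print(results)
    return server_hsm.audit


if __name__ == "__main__":
    demo()
```

The design point is the API shape, not the toy seed store: callers hold a key handle and ask the module to perform an operation, so compromising the application code that calls verify() does not hand over the seed, and the audit list records every use of the key for the reporting the regulations require. A real token or HSM replaces the SecureModule class with tamper-resistant hardware; the verifier logic stays the same.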
Maintaining the secrecy of cryptographic keys often poses a complex challenge. Hardware security modules (HSMs) are special hardware devices designed to securely generate, store and protect sensitive encryption keys. They also provide the audit trail necessary for critical key material. HSMs provide a highly flexible solution that can be implemented for a broad range of applications in almost any industry. They offer compliance benefits across diverse regulations, providing affordable, highly secure options that meet diverse regulatory requirements.

The two most typical categories of HSM-based applications are public key infrastructure (PKI) certification authorities and electronic funds transfer (EFT). PKI is a system devised for the deployment and management of digital identities. A public key is used to encrypt information before transmission, while a corresponding private key is used to decrypt the information upon arrival. Public keys are published; private keys remain secret. EFT is a system for securing sensitive financial transactions and protecting digital identities across networks. Sample applications for HSMs include transaction processing, document signing, database encryption, smart card issuance, bank PIN management, time stamping, e-passports, online banking, and many others.

What to look for:

• Keys in hardware: The HSM should allow all keys to be stored and algorithms to be performed within the hardware confines of the HSM. Since keys never leave the hardware module, they are much harder to compromise.
• Audit trail: A comprehensive audit trail should fully support tracking and reporting for compliance purposes.
• Administrative ease of use: Desirable features include simplified installation and integration, a broad range of APIs, flexible configuration, easy remote administration, and centralized key management.
• Performance and scalability: A proven platform that can support the highest number of key operations per second ensures high availability and continued reliability of an enterprise security environment.
• Highest security: To ensure the highest levels of protection and security, look for HSM solutions that have gone through stringent FIPS, Common Criteria, and other testing.

Putting it all together

The easiest way to ensure total compliance and complete security of your data is to entrust your needs to a single company that can handle all four steps of data security. Used by companies worldwide, SafeNet's enterprise products form a comprehensive security solution that secures communications, transactions, data, and identities. Data security solutions from SafeNet include:

• High-speed encryptors that provide the fastest and easiest way to integrate robust FIPS-certified network security to protect mission-critical data for enterprise and government agencies.
• Disk and file/folder encryption solutions that provide robust data-at-rest security with easy management and lower cost of ownership for medium to large organizations.
• Smart Cards and iKey USB authentication tokens that provide strong, two-factor authentication for both physical and logical access. Designed with the most advanced level of encryption, our authentication devices support e-mail authentication and encryption, digital signatures, remote access, and more.
• Hardware Security Modules (HSMs) – the fastest, most secure, and easiest to integrate application security solution for enterprise and government organizations.
For more information on compliance and SafeNet solutions, visit www.safenetinc.com/compliance.

SUMMARY

The compliance maze may appear to be complex and expensive to navigate, but careful selection of comprehensive encryption technologies can simplify the compliance process and substantially reduce financial, operational and business risk. These data security solutions deliver solid protection across a wide range of threats while providing an easily managed, scalable and adaptable platform for meeting legislative requirements. A strategic approach to data security within the context of expanding governmental mandates not only keeps enterprise security costs under control but also provides robust protections for employees, customers and consumers.

About SafeNet, Inc.

SafeNet is a global leader in information security. Founded more than 20 years ago, the company provides complete security utilizing its encryption technologies to protect communications, intellectual property and digital identities, and offers a full spectrum of products including hardware, software, and chips. UBS, Nokia, Fujitsu, Hitachi, Bank of America, Adobe, Cisco Systems, Microsoft, Samsung, Texas Instruments, the U.S. Departments of Defense and Homeland Security, the U.S. Internal Revenue Service and scores of other customers entrust their security needs to SafeNet. In 2007, SafeNet was taken private by Vector Capital. For more information about SafeNet’s solutions for data security compliance, please visit www.safenet-inc.com/compliance.
