Data Protection

Document Sample
Data Protection Powered By Docstoc
					Data Security on Removable Media
ISSA San Francisco
Jason Webster

                    1   Imation Overview
                    2   Market Situation
                    3   Secure Removable Storage Devices
                    4   Central Management Software
                    5   Data Center Tape Protection


    •   Leading global marketer and developer of branded products that enable people
        to store, protect and enrich their experiences with digital information

    •   Technology leadership, global distribution reach, and customer relationships
        make us a preferred partner for leading companies worldwide

    •   Broad portfolio of data storage products, consumer electronics and accessories

    •   Global market share leader in recordable optical media and data storage tape

    •   2010 revenue $1.46 billion, >1,000 employees, serving more than 100 countries



 The growth of digital information has rapidly surpassed expectations.
 By 2011 digital universe will be 10 times size of 2006

 The importance of data has increased its access and mobility
 requirements making it more difficult to secure and protect

 INCREASED DATA BREACHES                                                                   U.S. 2010 > 662 Breaches2
 As data and its mobility grow, the amount of data breaches and data
                                                                                          412 (62%) Exposed Social Security Numbers
 exposure has also grown
                                                                                            170 (26%) Exposed Credit or Debit Cards

 Increased data exposure has resulted in increased regulations and
 reporting requirements globally

 COST OF DATA BREACHES GROWS                                                               U.S. 2010 $214 per record3
 Increased reporting requirements and increased data breaches
 results in increased breach costs                                                                  $7.2 Million3
                                                                                              Average org. cost of data breach over 4 years

 1Source: IDC – The Diverse and Exploding Universe – March 2008
 2Source: Identity Theft Resource Center – 2010 Data Breach Stats January 3, 2011
 3Source: Ponemon Institute – Fourth Annual U.S. Cost of Data Breach Study January 2009

Data Breach cost by

 •   46 States with Data Breach laws
      – 33 new proposed laws in 2010
 •   HITECH ACT of 2009 - Mandatory new regulatory requirements
      – Encryption needed but not “required” on all DAR (data at rest) devices
            • severe penalties for an unsecured data breach!
      – Public notification for an unsecured data breach of > 500 individuals
      – Civil and federal penalties but safe harbor for encrypted data
      – Patient right to receive a copy of records electronically
      – 15 million in Health Care, 60% touch Patient Healthcare Information
 •   FTC Red Flag Statutes
      – All organizations subject to the legislation must develop and implement a formal, written and
          revisable "Identity Theft Prevention Program" (Program) to detect, prevent and mitigate
          identity theft.
      – All financial institutions (state or national bank, a state or federal savings and loan
          association, a mutual savings bank, a state or federal credit union, or any other entity that
          holds a “transaction account” belonging to a consumer)
      – Solutions include encryption and multiple factor authentication
 •   12/29/2010 SEC Approves Amendments to FINRA Rule 8210 to Require Encryption of Information
     Provided Via Portable Media Device
      – Finance Industry Regulatory Authority is the largest independent regulator for all securities firms
          doing business in the United States
      – Rule applies to all FINRA member firms (4,570 brokerage firms)

      The Federal Information Processing Standardization (FIPS) 140-2 U.S. government
           security standard that specifies requirements for cryptography modules

      • FIPS is required by law for U.S. government purchases
      • Strictly enforced in Canada
      • Gaining international recognition in Asia and Europe
      • Being adopted within regulated industries (e.g. Financial, Healthcare)

                                       Description of FIPS 140-2 Four Levels

    FIPS 140-2 Level 1                                              FIPS 140-2 Level 2
    The lowest level, imposes very limited requirements; loosely,   Adds requirements for physical tamper-evidence and
    all components must be "production-grade" and various           role-based authentication.
    egregious kinds of insecurity must be absent

    FIPS 140-2 Level 3                                              FIPS 140-2 Level 4
    Adds requirements for physical tamper-resistance and            Makes the physical security requirements more
    identity-based authentication, and for a physical or logical    stringent, and requires robustness against
    separation between the interfaces by which "critical security   environmental attacks. Level 4 is currently not being
    parameters" enter and leave the module, and its other           utilized in the market

                               Currently, Level 3 is the Industry Standard.
Web Sites track reported
data breaches

                           May 6th – 3
                           May 5th – 2
                           May 4th – 9
                           May 3rd – 4
                           May 2nd – 5
                           May 1st - 0
Recent Major Data

 • The Family Planning Council in Philadelphia reported a data
   breach involving a flash drive theft, placing information on
   70,000 patients at risk, April 14, 2011

 •   How Adrian Jones' Superstar IT Career Went Sideways, April
     28, 2011, (HP Executive allegedly downloaded confidential trade
     secrets on a USB device that was not controlled)
 • Search on for memory stick missing from public school board,
   April 13th, 2011 (All the information from the computer,
   including employee information such as direct deposit forms,
   resumes, and other scanned documents, were put on the
   unencrypted flash drive.)
                              Honest Mistake
Recent Headlines –

•   2/24/11           Mass General HIPAA Penalty: $1 Million
     – Lost documents included information from infectious disease dept, including AIDS patients
     – Corrective Action plan “Develop and implement a comprehensive set of policies and procedures that ensure patient
          information is protected when removed from the hospital”
     –    Mass General to take extra steps to encrypt laptops and USB drives

•   2/23/11            HIPAA Privacy Fine: $4.3 Million to Cignet Health
     – First civil monetary penalty to a healthcare organization
     – Cignet failed to provide 41 patients with access to medical records
     – Failed to cooperate with Federal investigators

•   2/14/11           New York City Health & Hospitals Corp breach affects 1.7 million
     – Largest incident reported under the HITECH Act breach notification rule
     – Information lost includes names, addresses, social security numbers, patient medical histories
     – Hospital Corp. offering 1 year free credit protection service to affected individuals (will cost them
     – Per the HITECH ACT, if data was encrypted then public notification would not be required

•   "The U.S. Department of Health and Human Services is serious about enforcing individual
    rights guaranteed by the HIPAA Privacy Rule," said HHS Secretary Kathleen Sebelius.
Secure Removable Storage

USB Devices

 • Over 2 Billion devices sold each year (PC World Jan 2009)
 • According to security firm Vontu
    – Over 50% of 480 surveyed tech professionals had USB devices
      with unprotected confidential information
    – 1 USB drive is lost at work each month
    – Unlike laptop, storage devices are small and cheap. Many
      employees do not report them missing as they would a laptop.
 • According to Ponemon
    – Employees were less than 50% likely to report lost USB device
      or Optical
    – Most employees would knowingly break corporate policies
       • Sharing passwords, downloading confidential data, taking
          work home

     •   Physical Security

     •   Encryption

     •   Authentication

     •   Malware Protection

     •   Management

     •   USB Port Control

Types of Security on USB
Devices and Optical

 •   Encryption
      – 128 bit vs 256 bit
      – FIPS validated only 256 bit
 •   Hardware encryption vs Software encryption
      – Software uses host computer for authentication, hardware authentication occurs
         in device
      – Software encryption typically slows down performance
      – Software encryption (FIPS Level 1) will get you compliant, Hardware Encryption
         (FIPS Level 3) will give you top security
      – Software encryption typically Windows only
 •   Authentication
      – Password
      – Biometrics
      – CAC/PIV card (upcoming)
 •   Optical
      – Common method:
           • Encrypt files with third party software and burn onto optical media
      – New method:
           • Self-encrypting recordable CD/DVD/Blu-ray disc
128 bit vs 256 bit

 1   1   0   1   0   1   1   0   1   1     1      0     0      0       1   1

 1   1   1   1   0   1   0   1
                                     Twice as long, twice as strong?
Light years stronger

 Equivalent to all the grains of sand on the
 planet or every known star in our galaxy


  • Authentication verifies a user’s identity
       – It’s what “unlocks” the device by validating you are who you say you are
  • Various methods:
       – Strong Password - A password is sent into the device, and the device
          verifies it’s correct
       – Biometric - A finger is swiped across the sensor, another chip verifies it
       – RSA SecureID - digital identity
       – PIV - Personal Identity Verification
       – CAC - Computer Access Card
       – PKI - Public Key Infrastructure
  • Hardware Encrypted devices
       – authentication is done in Hardware
       – The “boundary of trust” does not include the computer
Our Portfolio Overview

•   Very Robust Device Management (Central Management)
     –   Automatically registers user to devices and implements policies
            • Low System overhead and limited support staff required
     –   Manages Multiple Device Types and Brands
            • Leverages existing investment
     –   Provides Forensic Level Auditing
     –   File level blocking by type and name
     –   Manages Devices off the network
     –   Remote Kill of Devices

•   Broadest Secure Portable Storage Portfolio:
     –   Optical Products - CD/DVD
     –   USB Flash Drives
     –   External Hard Disk Drives

•   Multiple Authentication Methods
     –   Password (hardware rules)
     –   Biometric + Password

•   Global Government-Validated Encryption

Secure Storage
      & Strong
with SmartCard
                                                                                                            Defender F200 +Bio
                                                                                                              FIPS 140-2 L3

Secure Storage                                                               Defender H100 &
      & Strong                                                                  H200 +Bio
Authentications                                                                 Features:

                                                                              FIPS 140-2 L3

                                                   F100 & F150
     Managed                                        Features:
Secure Storage                                    FIPS 140-2 L3
                                                   Cap design
                                  Defender F50
                                  FIPS 140-2 L1
                                  Pivot design                                   Defender Optical
Secure Storage                                                                    FIPS 140-2 L1

                                                            TARGET MARKETS
                                                                                        Large Enterprise
                                   SOHO/SMB                   Enterprise
                                                                                        Government/Financial Services
Management Features
 •   Remote Kill/revocation
 •   Addition of encryption to non-encrypted devices
 •   Time based policies vs event based
 •   File Level Auditing
 •   USB Port Control- Allow, Block, Read only
 •   File level blocking
 •   User group policies
 •   Ability to manage third party devices
 •   Remote Policy Updates
 •   User self rescue
 •   Password complexity and interval
 •   Remote Password update
 •   Data Recovery
 •   Automatic registration of devices vs issuance
Why Wikileaks could have
been prevented

 • User could have been blocked from access to
   removable storage devices
 • File types/names/contents could have blocked from
   the Central Management Software
    – Block, alarm, monitor
 • Auditing of activity would have shown which files
   were being downloaded by who from which
 • Offline usage could have been disabled
 • Device could have been remotely killed/disabled
 • Auditing would have shown which files were saved
   to which computer from which device
  Device Management Software

                                                                                            StealthZone (SPD)

  Port Control          Legacy Removable Media          Defender FIPS L1               Defender FIPS L3


                                                         Defender   F50 Pivot   F100/F150     F200 +Bio      H100/
Laptop, Netbook, and   UFD   EHDD   Mobile    Media                                                         H200 +Bio
  Desktop PC Ports                                        Optical
                                    Devices   Players
Case Study:
US Army Base

Overview: Army Support Activity supports and conducts Reserve Component
  Training and Mobilization/Demobilization operations. The ASA plans and
  executes other Army directed support missions, and, on order, establishes
  and operates a Joint Mobilization site

• The ability to access sensitive mission and combat training data on secure,
  ruggedized and tamper-proof storage devices.
• Integrated anti-malware defenses, remote kill and key management
• The solution must meet DoD DAR CTO requirements
• Defender F150’s FIPS 140-2, level 3 drives
• Each device was loaded with McAfee A/V and Imation Device Control Applet
• Central Management is performed through Imation Control Server software
• All USB devices can be managed and used securely in compliance with the
  DoD CTO security requirements
• DAR Approved Central Management allows for remote kill, key management
  and detailed forensic auditing/reporting.
How to be Complaint and

•   For non-criminal intent Data Breaches (Lost Devices – Honest Mistake)
     – Use AES 256 Bit Encrypted Devices
•   For Stolen Devices
     – Use AES 256 Bit Encrypted Devices with embedded Security Policies
     – Extra insurance
          • 2 factor Authentication
          • Remote Kill
          • Fips Level 3 Encryption
•   For Disgruntle employee
     – Central Management of Devices with stringent Security policies
          • USB Port Control
          • File Level Auditing capability
          • Blocking of files
          • Remote Kill
•   Proactive Enforcement of Policies
     – Central Management of devices to ensure 100% compliance to Company Security
        Policies to protect critical company data eg. Financials, IP, Employee or Customer
        information. You also will have auditing and reporting capability
Upcoming Imation

 •   Digital Rights Management
      – Prevent printing, copying, emailing
      – Timebomb files
 •   Smart Card Integration
      – Common Access Card (CAC) or Personal
         Identity Verification (PIV)
      – Strong two and three-factor authentication
      – No new password required -- card PIN is
 •   Secure portable desktop
      – allows you to boot directly from your USB
      – Turn any host computer into the user’s
      – Boots directly into Windows environment
      – “Generic mode” allows use on unknown
Securing Traditional Storage

Understand the Need

 • More data is being backed up today than ever before
 • More data is stored per individual cartridge
    – Cartridge capacities have reached 1 terabyte native
 • More cartridges are moving to and from more locations
    – Additional data centers, vault sites
 • More regulations on data protection and preservation exist
   today than ever before
    – Non-compliance can be very expensive
Encryption of Tape

 •   AES* 256-bit encryption available with LTO4/5, Oracle T10000 and
     IBM 3592 (TS1130) drives
 •   Drive level encryption enables compression before encryption
 •   LTO offers possibility of 3rd party key management system
 •   <1% impact on drive performance

                           *Advanced Encryption Standard

      LTO CM holds diagnostic information
       – eg. Error rates, data-sets written, drive utilization, number of mounts
      Analyzed to determine drive/media performance trends for failure prediction
      LTO CM info captured within seconds
      Scan of CM does not compromise security of data
Locking Features

   Users can choose to “Lock” their cartridges for added transport or storage

   When locked, the cartridge cannot be read from, or written to,
   by any LTO drive.
     RFID Asset Tracking

What Customers Say

 • “I need to know…”
    – I am compliant with regulations
    – Where my tapes are
        • Within my library
        • In other data centers
        • At my vaulter

    – I am being as efficient as possible in my operations
    – If I need a tape, I will be able to find it quickly
    – If an auditor asks about a tape, I will be able to demonstrate
      chain of custody
IT Asset Lifecycle Management
Customer Case Study

   Thousands of IT hard drives           Developed special use                Established a corporate risk
    and tapes containing highly            passive RFID tags to place on         mitigation strategy to protect
    sensitive customer and                 all hard drives and laptops           corporate and consumer
    corporate information                 Deployed Asset Management            Greatly curtailed asset loss
   No ability to control or monitor       solution to track the lifecycle       and ensured end of life
    removal of laptops from                of the corporate assets               assets were destroyed
    facilities                             Installed special use readers
                                                                               Improved employee
   Inability to ensure end of life        at various entry / exit choke         awareness and automated
    drives were properly destroyed         points                                the tracking of laptops
    created                               Automated feedback from               leaving a facility
   5 high profile breeches in 2           crushing to end-of-life assets       Lowered corporate risk
    years, consumer outrage                                                      profile
Customer Case Study
Exiting the Secure Facility

 association to laptop
    is verified by the                                    Employee
  application and an                                   approaches exit,
     image is quickly                                where the employee
   loaded on the Exit                                badge and laptop tag
 Security Monitor for                                   are identified.
  visual confirmation

                               Security elects may
                              enlarge the view and
                              may elect to review
                                 the association
                                     details .
  Case Study

An audible sound and visual
 queue is given to security
 indicating the Employee
badge is not assigned to this

                                Employee badge and Laptop
                                         tag match.
                                Picture Shown for additional
                                       visual security.
Secure Destruction of

 • Companies will buy back tape media
 • Claim they recertify media and rewrite over all of the
 • In truth, most write over the header or table of
   contents, and the rest of the data is still live
 • South Shore Hospital Data breach was caused by
   company taking media to be recertified, and tape
   was lost
    – 800,000 patients at risk
    – Third party was not responsible for Data- South Shore
 Thank You