"Data Security Solutions" (Riga, Latvia) is is known as IT security specialist with international experience who defends its customers against the greatest threat of the 21st century - cyber-criminals and as well against disloyal employees by using the most innovative data security solutions from global IT market. In this presentation DSS presents one of the world leading solutions in encryption area - Symantec.
2. Agenda
Data Lifecycle
Encryption Can Start Anywhere
Whole Disk Encryption
Removable Storage Encryption
File and Email Encryption
File/Folder Encryption
Encryption Management
3. Data Lifecycle
The director of finance downloads data from the customer database. He drafts the "Year End" results spreadsheet and saves it on his desktop PC.
4. Data Lifecycle
The director stores a copy of "Year End" results in a shared directory on a corporate server for the finance team.
5. Data Lifecycle
The finance manager accesses the "Year End" results, adjusts the numbers, and emails the file to the company's outside accountant.
6. Data Lifecycle
The accountant accesses the email on a handheld and forwards it with comments to a colleague. She reviews "Year End" results and saves it on a laptop and a thumb drive.
7. Data Lifecycle
The colleague gives the thumb drive to the onsite auditor, who transfers "Year End" results to his laptop so he can review it later at home.
8. Data Lifecycle
How many people had access to the data today?
- Director of Finance
- Finance Team
- Outside Accountant
- Outside Accountant's Colleague
- Onsite Auditor
9. The Encryption Discussion Can Start Anywhere
Locations: Field, Data Center, Headquarters, Field Offices
Questions to ask:
- What is the organizational policy on USB drives? Could there potentially be intellectual property (IP) on these drives?
- Email protection regulations and mandates?
- What is being downloaded to employee systems? Trojans, malware, unauthorized software?
- Tangible/intangible costs of a lost laptop: customer data? Personnel data? IP?
- Are there customer addresses stored on mobile phones?
- Data on HR/Legal/Finance/other shared servers residing in the clear?
- Nightly transactions / backups sent outside the organization?
10. Barriers to Sale and Value Proposition
Potential Barrier | Description | Value Proposition
Encryption solutions are complex | Ease of implementation, ongoing management, long-term cost of ownership | Experience: solutions are easy to deploy
Limited resources | Need to share IT staff across multiple activities; endpoint encryption should integrate with existing IT infrastructure | Leverage: uses existing infrastructure architecture
Substantial training required | Substantial upfront and ongoing investment in training costs | Simple: little or no training required for end-users
Resistant end-users | Need to preserve existing workflows, not change how users perform their job | Transparent: user behavior need not change significantly
Diverse devices | Mandated to protect all devices containing sensitive data | Comprehensive: protection across devices and platforms
12. Things to remember
Encryption is not a new technology, but it is a security control that has NOT been introduced into the majority of environments.
Most companies don't have much experience with encryption; their selection criteria are based on hastily done Internet research or on a vendor. There is rarely in-house expertise.
Most companies look at encryption in the face of an event: a lost or stolen system, an audit, or a regulatory finding.
Most companies are on an aggressive deployment schedule.
14. PGP – Whole Disk Encryption
Whole disk encryption for desktops, laptops, and Windows® servers; supports Windows®, Mac OS® X, and Linux® platforms
Encrypts desktops, laptops, and USB drives
Protects against personal computer loss, theft, compromise and improper disposal
Reduces risk of loss of PII (Personally Identifiable Information) and other sensitive data
Protects against reputation damage
Demonstrates compliance with regulatory standards
16. Symantec EE Management System
High availability
- Web services transport and communications
- Database server mirroring, failover and HA
- Active Directory replication and failover
- Supports Windows cluster services
Seamless integration
- Directory services
- Software deployment
- User authentication
- Workgroup encryption
- Wake on LAN
Leverages familiar, proven technologies
- Active Directory, IIS, SQL Server, Linux, ASP.NET, PKI, and so on
Simple to deploy, easy to learn and support
Scalable to >100,000 endpoints per server
17. Symantec Endpoint Encryption – Full Disk
(Diagram: centrally managed Policies and Auditing over Full-Disk Encryption and Opal Self-Encrypting Drives)
High-performance, true full disk encryption
Pre-boot user authentication
Rapid deployment and activation
Extensive support for smart cards, CAC, and PIV
Non-disruptive maintenance and patching
Supports Windows and Mac OS X
18. Symantec EE – Removable Storage
Secure portable data at rest
– Enforce mandatory removable storage encryption policies
– Access and re-encrypt data from any PC or Mac
Granular file and folder based encryption
– Allow encrypted and unencrypted data on user devices
– Enforce policy-controlled exemptions by file type and device
(Diagram: centralized, integrated management console with Policies and Auditing over Removable Media Encryption)
23. File/Folder Encryption
User file protection – protect individual files and folders
Shared file protection – protect shared files and folders
Distributed file protection – protect transferred files and folders
Products: PGP NetShare, PGP Command Line
24. PGP NetShare
Client-based Protected File Sharing
1. Finance encrypts a file on the server using PGP NetShare
2. Finance allows HR to view/edit the file on the server
3. HR can view and edit the file on the server
4. HR saves the file to the server and PGP NetShare maintains protection
5. Sales tries to view the document and the document is unreadable
6. When the document is copied to backup tape, it remains protected
25. PGP Command Line
File encryption for server protection & file transfer
Scriptable Encryption
– A complete library of encryption commands
– Simplifies integration of encryption into business processes
Wide Range of Platforms
– Supported on over 35 operating systems: Windows, Linux, Solaris, Mac OS X, HP-UX, IBM AIX, iSeries, zSeries
– Callable from most scripting languages, such as Perl, Python, JavaScript, and more
Many Uses
– End-to-end protection for the internal or external transfer of files
– SDA (self-decrypting archive) enabled distribution of files via CD, DVD or file-server lockboxes
– Encryption protection and recovery of backed-up and archived files
26. PGP Command Line – How it Works
Use cases: Data Distribution, File Transfer, Data Backup
Example: encrypt (-e) and sign (-s) a database dump for the recipient (-r) admin@company_a.com; the output file is dbdump.sql.pgp:
    > pgp -es dbdump.sql -r admin@company_a.com
    dbdump.sql:encrypt (0:output file dbdump.sql.pgp)
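The NetShare flow on slide 24 and the Command Line backup on slide 26 rest on the same mechanism: the file is encrypted once under a per-file content-encryption key (CEK), and that CEK is wrapped separately to each principal (or, for the command line, each -r recipient) allowed to open it. Anyone holding no wrapped copy, including Sales and whoever handles the backup tape, sees only ciphertext, and granting HR access means wrapping the existing CEK to HR, not re-encrypting the file. The block below is an added example written for this page, not PGP NetShare or PGP Command Line code, and it does not reproduce the OpenPGP format. It uses only the Python standard library: an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for the product's ciphers, passphrase-derived principal keys stand in for keys issued by the key server, and the "Year End" spreadsheet contents are constructed sample data.

```python
"""Per-file CEK wrapped to authorized principals (added illustration, not product code).
Cipher: HMAC-SHA256 counter-mode keystream + encrypt-then-MAC, a stand-in for the
product's real algorithms; the on-disk format here is invented for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF(key, nonce || counter) blocks concatenated until `length` bytes exist."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()  # domain-separated subkeys
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob is rejected."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


@dataclass
class ProtectedFile:
    """What sits on the file server (or on tape): ciphertext plus one wrapped
    copy of the content-encryption key per principal allowed to open it."""
    body: bytes
    wrapped_keys: Dict[str, bytes]


def principal_key(passphrase: str) -> bytes:
    """Long-term key of a principal. Assumption: derived from a passphrase here;
    a real deployment would use keys issued and escrowed by the key server."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"dss-demo-salt", 100_000)


def protect(plaintext: bytes, owner: str, owner_key: bytes) -> ProtectedFile:
    """Step 1: encrypt the file with a fresh CEK, wrapped to the owner only."""
    cek = secrets.token_bytes(32)
    return ProtectedFile(body=seal(cek, plaintext), wrapped_keys={owner: seal(owner_key, cek)})


def unwrap_cek(pf: ProtectedFile, principal: str, key: bytes) -> bytes:
    """Principals without a wrapped copy of the CEK have nothing to decrypt with."""
    if principal not in pf.wrapped_keys:
        raise PermissionError(f"{principal} is not authorized for this file")
    return unseal(key, pf.wrapped_keys[principal])


def grant(pf: ProtectedFile, granter: str, granter_key: bytes, grantee: str, grantee_key: bytes) -> None:
    """Step 2: an authorized principal adds another by wrapping the same CEK to them."""
    pf.wrapped_keys[grantee] = seal(grantee_key, unwrap_cek(pf, granter, granter_key))


def open_file(pf: ProtectedFile, principal: str, key: bytes) -> bytes:
    """Steps 3 and 5: succeeds only with a wrapped CEK and the matching principal key."""
    return unseal(unwrap_cek(pf, principal, key), pf.body)


def save(pf: ProtectedFile, principal: str, key: bytes, new_plaintext: bytes) -> None:
    """Step 4: re-encrypt under the same CEK so existing grants stay valid."""
    pf.body = seal(unwrap_cek(pf, principal, key), new_plaintext)


def backup_copy(pf: ProtectedFile) -> ProtectedFile:
    """Step 6: a byte-for-byte copy (e.g. to tape) carries the protection with it."""
    return ProtectedFile(body=pf.body, wrapped_keys=dict(pf.wrapped_keys))


def netshare_flow() -> dict:
    """Run the six-step scenario from the slide on constructed sample data."""
    finance, hr, sales = (principal_key(p) for p in ("finance-pass", "hr-pass", "sales-pass"))
    doc = protect(b"Year End results: revenue 12.4M", "finance", finance)        # 1
    grant(doc, "finance", finance, "hr", hr)                                       # 2
    hr_view = open_file(doc, "hr", hr)                                             # 3
    save(doc, "hr", hr, b"Year End results: revenue 12.6M (HR adjusted)")         # 4
    try:                                                                           # 5
        open_file(doc, "sales", sales)
        sales_blocked = False
    except PermissionError:
        sales_blocked = True
    tape = backup_copy(doc)                                                        # 6
    return {
        "hr_view": hr_view,
        "finance_after_hr_edit": open_file(doc, "finance", finance),
        "sales_blocked": sales_blocked,
        "tape_is_ciphertext": b"revenue" not in tape.body,
        "tape_readable_by_finance": open_file(tape, "finance", finance),
    }


if __name__ == "__main__":
    for name, value in netshare_flow().items():
        print(f"{name}: {value!r}")
```

Two design points carry over to the real products: the file body is never re-encrypted when access is granted (only a small wrapped-key record is added, which is why NetShare can share large server files cheaply), and the MAC is checked before any plaintext is released, so a tampered tape copy is rejected rather than silently decrypted to garbage. Revoking access would require a new CEK and a full re-encryption, since a revoked principal may already have cached the old CEK.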
27. Encryption Management
Centralized management for all of the PGP® Applications
Central Administration
- Manages users from a central location. Supports LDAP
integration
- Provides tools to help manage and deploy clients
Policy Enforcement
- Controls when encryption must be used
Reporting and Logging
- Tracks device and data encryption and user events
Key Management
- Ensures that keys stay protected with proper access
controls, along with mechanisms available for safe data
recovery
[Speaker notes: Barriers to Sale and Value Proposition]
[Important points to remember] This slide covers the common concerns that Symantec (and PGP and GuardianEdge) heard from other customers, which should be similar to the audience's own concerns. The point of this slide is to get the audience to validate and affirm each of these points. Ideally this section is covered as a dialogue, not a lecture; empathize, as these are challenges the audience will invariably face.

Symantec has many years of experience working with organizations like yours and understands the practical concerns they faced when deploying an endpoint encryption and data protection solution. While many IT organizations recognized the business need to implement endpoint encryption immediately, they had real-world concerns about ease of implementation, ongoing management, and long-term cost of ownership.

Every IT organization faces limited resources that must be shared across competing priorities and projects. This creates contention for resources, which only delays the actual implementation. Not surprisingly, organizations strive to address data protection in a way that does not require new staff. Ideally the architecture of the endpoint encryption solution should be congruent with existing IT architectures, and it should not place a significant new burden on IT staff for initial deployment or for ongoing management and maintenance. IT organizations also do not necessarily receive additional budget for the incremental infrastructure needed to support an endpoint encryption solution; all IT organizations are under pressure to "do more with less".

Customers therefore prioritized solutions that could leverage existing infrastructure and avoid excessive build-out. There are other reasons to prefer existing infrastructure, not least that it is time-consuming and expensive to train IT staff on new, proprietary management technologies, let alone to overlay that proprietary infrastructure on an existing IT architecture. An endpoint data protection solution that fits into the existing IT architecture and uses established operating procedures simplifies and accelerates deployment and reduces the upfront and ongoing cost of IT staff training.

One of the most overlooked aspects of an endpoint encryption deployment is anticipating how end-users will react. End-users can be highly resistant to new security measures, especially ones that affect existing workflows or change how they do their job. The best security measures to implement are therefore those that minimize end-user impact: this ensures user acceptance of the rollout and reduces the chance that savvy users will deliberately circumvent the controls. A bypassed security measure is a failed security measure.

Finally, IT organizations increasingly appreciate the scope of the problem they are asked to address: governing a very diverse collection of endpoint devices that reside both on and off the enterprise network. The right endpoint encryption solution must therefore support all of the devices IT is mandated to protect, not just notebooks and desktops but every device where sensitive corporate data may reside and a breach could occur. Symantec Endpoint Encryption addresses these practical problems with a combination of broad device support, a full set of data protection controls, and enterprise-class management that integrates with the customer's existing infrastructure.

[Discussion questions] Which of these issues or factors are the most important to your organization? Are there others? How many laptops, desktops, and storage devices reside in your organization? Do you use Active Directory to manage users, devices, and policies, or another directory services technology?
[Speaker notes: Removable Storage]
Symantec Endpoint Encryption extends granular, policy-based controls to removable media and devices. Symantec Endpoint Encryption Removable Storage Edition and Device Control give information security managers assurance that this threat vector can be monitored and controlled. Removable Storage Edition adds a layer of data encryption to removable storage devices so that if an external hard drive, CD, DVD, or USB flash drive is lost, the data on it is not compromised. It can be combined with Device Control to further guard against inadvertent data leakage: device and port access controls prevent unauthorized transfer of sensitive information between devices and wireless networks, and prevent unauthorized devices from connecting.

The operation of Removable Storage Edition is largely transparent to end-users on managed systems; it provides file-level encryption for performance and interoperability. For devices that mount like a standard disk, such as flash drives and external hard drives, file encryption occurs discreetly in the background using either unique, password-protected encryption keys or a shared default key for more transparent operation (the default key trades confidentiality for convenience: any endpoint that holds it can read the media). To ensure portability to non-managed devices, Removable Storage Edition includes an Access Utility that lets users open encrypted files on machines where the Symantec Endpoint Encryption client is not installed. It also includes CD/DVD burner software so that data burned to optical media remains encrypted.

Symantec Endpoint Encryption Device Control ensures that only authorized, trusted devices can connect to enterprise-managed endpoints. It also provides device- and endpoint-level visibility: IT administrators can identify device usage patterns through an agent-less auditor tool, monitor and control the flow of data via granular policy-based access controls, and enforce secure transfer of data through mandatory encryption policies. Device Control uses policy-driven capabilities such as file-type inspection, activity logging, and file shadowing to extend IT's visibility and control on the endpoint, which is especially valuable for forensic analysis. Beyond visibility and control, Device Control adds capabilities to mitigate the spread of device-borne malware: blocking self-executing code (especially autorun code on CDs, DVDs, and USB flash drives), detecting and disabling keyloggers, and controlling endpoint association with rogue wireless LANs.
[Speaker notes: Symantec EE Management System]
The Symantec Endpoint Encryption Management System (SEEMS) is designed as a direct extension of the customer's existing infrastructure. By building on standards-based, widely deployed technologies such as Active Directory, IIS, SQL Server, and Linux, SEEMS minimizes deployment, management, training, rollout, and support costs. An architecture built on familiar, proven technologies flattens the training curve for new administrators and makes troubleshooting consistent.

For enterprises using Active Directory as their principal directory service, the Symantec Endpoint Encryption platform integrates natively and makes direct use of existing servers, datastores, replication schemes, and policy management frameworks. Since most organizations already have measures in place for the scalability, resiliency, and fault tolerance of their Active Directory infrastructure, this is one less thing to worry about when deploying SEEMS. Integrating with Active Directory removes the need for a separate infrastructure or a new management tool: Active Directory already manages security applications the same way it manages other programs and policies. Policy for the platform is managed centrally using Group Policy Objects and applied to users and devices in Organizational Units of the directory. Some organizations have built their directory services on Novell eDirectory; SEEMS also supports eDirectory, so Novell customers can use their existing infrastructure.

Many enterprises also have devices on their network that are not part of the Windows domain or are "unregistered": employee-purchased PCs for BYOPC initiatives, employee home computers that periodically reach the corporate network over remote access, or devices belonging to independent agents or contractors. SEEMS lets these machines be managed from the same console as domain-joined machines.

Operationally, policy management and reporting are implemented as an MMC (Microsoft Management Console) snap-in, with a connector to the Symantec Altiris management platform. This familiar interface lets administrators implement data protection policies with minimal training from a single console. Policy deployment uses standard Windows Group Policy Objects (GPOs), which reuse the directory's existing groupings of users and machines. Administrative privileges and security policies are native to the directory, with no need for synchronization or a second management console. The result is a highly scalable system (hundreds of thousands of endpoints) with built-in high availability and server failover, end-to-end enterprise-class granular auditing and reporting, and strong two-factor authentication. SEEMS and its constituent packages support PKI and a wide range of smart cards, including the Common Access Card (CAC) and PIV.
[Speaker notes: Full Disk and Encrypted Drive Editions]
Symantec Endpoint Encryption Full Disk Edition mitigates business risk when laptops containing sensitive data are lost or stolen. It uses high-performance full disk encryption to safeguard data against physical loss or theft. This true full disk encryption is augmented by management, security, and usability features including:
- Pre-boot user authentication, so users authenticate to the device before the operating system loads. This gives the most thorough protection, since the entire disk, operating system included, stays encrypted until a user has authenticated.
- Rapid software deployment and activation using standard methods for deploying endpoint clients, plus non-disruptive background encryption. This speeds deployment while avoiding disruption to end-user workflows.
- Extensive smart card support, including the CAC and PIV cards used by the US government. Users log on to the pre-boot environment with a smart card, removing the need for single-factor, password-based authentication.
- Non-disruptive software maintenance and patching.

Symantec has paid particular attention to achieving high full disk encryption deployment success rates. Some of the ways this is accomplished:
- Other than an initial logon procedure, users are not impacted during or after deployment of full disk encryption.
- Security applications that must reside on end-user devices are packaged in standard formats such as MSI and can be pushed to devices using Altiris, Group Policy, or other standard software deployment tools.
- When users log on via the Symantec Endpoint Encryption pre-boot environment, their credentials are passed to Windows for single sign-on.
- Users can register a series of "help" questions. If a user forgets the password, they are prompted to answer the questions and, if the answers are correct, regain access to the machine and can reset the password, all without help desk or administrator intervention. Treat these answers as a credential in their own right: anyone who can answer them can unlock the disk. Failing this self-service mechanism, full help desk recovery capabilities are available.

Symantec Endpoint Encryption Encrypted Drive Edition, the newest endpoint encryption product, adds enterprise-class management to TCG (Trusted Computing Group) Opal-compliant self-encrypting drives. These management capabilities augment the drives' built-in encryption with reporting, key escrow and recovery, policy management, and end-to-end rollout services. Like Full Disk Edition, Encrypted Drive Edition is managed through the Symantec Endpoint Encryption Management System, which provides a single console for managing drive encryption in hybrid environments.

Encryption is only part of the solution; end-to-end management is essential for low-cost operations and sufficient IT governance and control. From rapid deployment and activation to end-user self-service recovery, administrators can assert complete data protection controls over laptops and netbooks using either software-based full disk encryption or hardware-based self-encrypting drives.