There are hundreds of high-profile cases of mobile device theft and loss reported every day. Confidential data, such as customers’ social security numbers and credit card information, is lost along with the devices, intensifying the impact on the customers affected.
The Identity Theft Resource Center reported in 2007 that 19 people a minute become new victims of identity theft due to data breaches affecting all types of organizations.
Over 217 million Americans were victims of identity theft or exposure in a 3 year period ending January 2008.
According to the 2007 Ponemon Institute Cost of Data Breach study, each data breach costs an average of $6.3 million. A typical Fortune 1000 company can’t locate 2% of its PCs.
A typical Fortune 1000 financial institution loses 1 laptop a day. Can you imagine how confidential information on that laptop, such as personal customer records, strategic information, financial data, or personnel files, could damage shareholder value?
Some highlights from the press
For another way to look at the growing problem of data loss, consider the black market value for various forms of stolen identities…
$980-$4,900 Trojan program to steal online account information
$490 Credit Card Number with PIN
$78-$294 Billing data, including account number, address, Social Security number, home address, and birthdate
$147 Driver's license
$147 Birth certificate
$98 Social Security card
$6-$24 Credit card number with security code and expiration date
$6 PayPal account logon and password
Source: www.informationweek.com
Extra data points
$40 standard credit card number
$120 signature card (one step beyond platinum and corporate)
Or 100 in mixed batch for $30 each
The business environment has spread beyond the ‘traditional’ workplace as more employees are traveling and working offsite. The result has been an explosive growth of mobile devices including laptops, PDAs, smart phones and USB storage devices. Users and the information they carry are more portable, pushing data beyond the network perimeter.
There are a growing number of privacy regulations and laws driving organizations to employ a more stringent approach to data loss prevention. Organizations must deal with the many aspects of exposed and lost data. Yet they lack the visibility and control to prove compliance and avoid public disclosure. Disclosure of lost, unencrypted data is required even if there is no evidence that sensitive data has been accessed by unauthorized users or used in a malicious way. Publicity resulting from security breaches has led to public disclosure, financial loss, brand damage, competitive disadvantage and lost customers.
However, when the lost data is encrypted (and the encryption keys were not lost along with it), it is not considered exposed. It does not present a security or reputation risk requiring public disclosure, or result in the costs associated with the loss of confidential data. Note that it does not matter how big or how small the breach is: the effect on your reputation and the cost of recovery from disclosure remain the same. The laws do not differentiate based on the scope of a breach.
So what exactly are the major threats to your data, especially at the endpoint with explosive growth of laptop use and mobile devices? I call the threats companies face the “unlucky 7:”
Laptops or mobile devices are lost or stolen – exposing the data on them
Users (intentionally or unintentionally) transfer sensitive data to external media devices such as iPods, smartphones, USB thumb drives
Users post sensitive information to websites, send via public e-mail accounts, etc.
Users with “super-user” or “privileged” access are able to breach large amounts of data.
Users print, burn to CD, etc. sensitive information.
Users’ applications are hacked.
Trojans/key loggers/malware breach sensitive information.
All of these threats put your data at risk.
Which one of these threats most keeps you up at night?
What risk level would you assign to each one of these threats?
Do you have a solution in place today to address these threats?
(quote courtesy of “Boss, I Think Someone Stole Our Data,” Harvard Business Review, September 2007).
So why is all of this happening? Why, given all the money spent on security, do these problems continue?
The answer is surprisingly simple. They exist due to “perimeter-centric” approaches to information security.
The majority of today’s security solutions are perimeter-centric in the sense that they secure
Perimeters (firewalls, VPNs, etc.)
and resources (laptops, servers).
While these solutions are necessary components of a comprehensive security strategy, they protect proxies to information, rather than the information itself.
A perimeter-centric approach ignores the fact that information lives and moves throughout its lifecycle.
When data leaves the protected assets, or perimeters, it is no longer secured.
What has been done to date is necessary, but insufficient.
What we need is a new approach that also secures the information itself, complementing the perimeter-centric approach
Provides layered protection that defends in depth
Keeps security decisions in the hands of security experts
Enables your data and infrastructure to protect itself against security threats
Most companies do a very good job at authentication and access control, and this has been their security solution for data protection issues. However, the breaches keep mounting and it is obvious this approach alone is not working. Your data and infrastructure need to be able to protect themselves; you cannot depend on your users to become security experts!
Forrester states that security priorities are shifting to focus on locking down vulnerable data elements wherever they are and less about security of a particular application or system
This is an inversion of traditional security philosophy – and it puts encryption, data loss prevention, and device control front-and-center in security strategy. Such a strategy is what is necessary to enable your data and infrastructure to protect itself.
In the absence of a comprehensive, centrally-managed solution, you end up with 5 major issues:
High management cost – you end up with a lot of non-security staff managing a myriad of point security systems. And think about how that problem is compounded as systems change and as personnel change.
No policy alignment – think back to the policy we defined earlier in this discussion. How do we correlate the configuration and settings of all these point tools back to that policy?
Life cycle vulnerabilities – you end up not properly managing the life cycle of your security rules and policies.
Broken business processes – Data is often shared across the infrastructure. Applications share data. We often share data with 3rd parties and partners. We replicate data. Point tools can further complicate and eventually break your business processes.
Data loss risk – this is top of mind. I don’t encrypt my least valuable data --- I encrypt my most valuable data. I don’t prevent behavior that enables my business – I prevent behavior that damages my business.
Today, over 30% of organizations are recording keys manually in Excel spreadsheets or in various isolated systems all around the enterprise. This is a big risk.
Protecting your data effectively requires different thinking. Data is easy to lose, easy to transfer, and very enticing to steal. Your security infrastructure must enable your data to protect itself regardless of how it is used, where it is located, what devices access it, and how users access it.
The McAfee Data Protection Solution includes four major components:
McAfee Endpoint Encryption: the flexibility of full-disk, mobile, and file/folder encryption to meet your specific needs.
McAfee Data Loss Prevention: visibility and control over user behavior.
McAfee Device Control: prevent unauthorized usage and transfer of data to external media devices such as iPods, USB sticks, etc.
McAfee Encrypted USB: secure, encrypted removable storage devices that support multiple strong authentication methods.
McAfee Endpoint Encryption, McAfee Data Loss Prevention, and McAfee Device Control are combined into one integrated endpoint data protection suite: McAfee Total Protection for Data (ToPS Data).
NOTE: McAfee Encrypted USB is not part of the ToPS Data Suite license – it is only licensed separately from the suite.
McAfee’s data protection offerings enable you to phase your implementation of data protection over time to meet the specific needs of your business. McAfee is your trusted advisor to help you define your risk and implement the data protection solution that is going to be most appropriate to your needs.
Encryption of the full-disk happens transparently to users in the background. Performance impact is minimal and all data on disk is rendered useless in the event of loss or theft.
More granular encryption of individual files and folders to provide flexibility to encrypt only the most critical information versus entire disks. Most useful in workgroup environments.
Creates encrypted space on both internal and removable storage on mobile devices, protected by strong authentication. Managed centrally, it renders sensitive data on the device useless in the event of device loss or theft.
Confidential data classification
By location (file server, shared drives, etc.)
By content characteristics (keywords, regular expressions, and thresholds, e.g. more than 5 credit card numbers in an email)
By file type (specifically, whether a particular application generated the data, e.g. SAP, BusinessObjects, etc.)
By fingerprint (unique digital signature, hash)
Content-based, reaction rules
Monitor sensitive data transfer
Prevent confidential data from leaving the enterprise
Notify administrator and end users
Quarantine confidential data
Enforce encryption (send to encryption service)
Data loss prevention visibility
Forensic logs, analysis, and event monitoring
Real time end user alerts (education and training)
“Bypass” option and policy exceptions
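To make the classification and reaction-rule lists above concrete, here is an added Python example. It is not McAfee code and does not reflect how the product implements these features; the policy values (the threshold of 5 card numbers, the keyword list), the reaction names, the sample messages and the whole-document SHA-256 fingerprint scheme are assumptions chosen for illustration. It classifies a message by regular expression (with a Luhn check so order and tracking numbers are not counted as cards), by keyword, by threshold and by fingerprint, and then picks one of the reactions listed above.

```python
import hashlib
import re

# Policy knobs: hypothetical values chosen for this example, not product defaults.
CARD_THRESHOLD = 5                       # block when MORE than this many card numbers appear
KEYWORDS = ("confidential", "internal only")
# Fingerprints (hashes) of documents registered as sensitive ahead of time.
FINGERPRINT_REGISTRY = set()

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most order/tracking numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return every Luhn-valid card-like digit run, separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def fingerprint(content: str) -> str:
    """Whole-document fingerprint: normalize case and whitespace, then SHA-256."""
    normalized = " ".join(content.lower().split())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def register_sensitive_document(content: str) -> str:
    """Record a document's fingerprint so later copies of it are recognized."""
    fp = fingerprint(content)
    FINGERPRINT_REGISTRY.add(fp)
    return fp


def classify(text: str) -> dict:
    """Run the classifiers and pick the strongest reaction rule that applies."""
    cards = find_card_numbers(text)
    ssns = SSN_RE.findall(text)
    lowered = text.lower()
    keywords = [k for k in KEYWORDS if k in lowered]
    fp_hit = fingerprint(text) in FINGERPRINT_REGISTRY

    if fp_hit or len(cards) > CARD_THRESHOLD:
        action = "block"        # prevent it leaving the enterprise; notify the administrator
    elif cards or ssns:
        action = "encrypt"      # hand off to the encryption service; alert the end user
    elif keywords:
        action = "monitor"      # log for forensic review only
    else:
        action = "allow"
    return {"cards": len(cards), "ssns": len(ssns), "keywords": keywords,
            "fingerprint": fp_hit, "action": action}


# Constructed sample messages; the card numbers are the well-known public test numbers.
BATCH_EMAIL = """Attached are this week's refunds:
4111 1111 1111 1111, 5500 0000 0000 0004, 4012-8888-8888-1881,
378282246310005, 6011111111111117, 5105105105105100"""
SINGLE_CARD_EMAIL = "Customer paid with 4111 1111 1111 1111; SSN 123-45-6789 is on file."
ORDER_EMAIL = "Order 1234567890123 shipped, tracking 987654321098765."
KEYWORD_EMAIL = "This deck is CONFIDENTIAL until the announcement."
SENSITIVE_DOC = "Project Falcon  acquisition target list\nAcme Corp\nGlobex"

if __name__ == "__main__":
    register_sensitive_document(SENSITIVE_DOC)
    samples = [("batch", BATCH_EMAIL), ("single", SINGLE_CARD_EMAIL),
               ("order", ORDER_EMAIL), ("keyword", KEYWORD_EMAIL),
               ("leaked doc", "project falcon acquisition target list acme corp globex")]
    for name, msg in samples:
        print(f"{name:10s} -> {classify(msg)}")
```

The Luhn check is what keeps the threshold rule useful: without it, the 13- and 15-digit order and tracking numbers in the third message would count as cards. The fingerprint here is an exact match over normalized text, so it catches a re-cased or re-wrapped copy of a registered document but not an excerpt; a production DLP engine would use partial or rolling fingerprints for that.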
Network Associate 10/7/2007
There is more to the story than just enabling the use of authorized devices. While that is important, organizations need to still enforce control over what data actually gets onto these authorized devices. Our combined solution of SafeBoot and DLP makes us unique in enabling this to happen. Caveat, we need DLP and SafeBoot integration to have this work so it is "futures" in terms of capabilities. I have included my positioning on this: MFE is the first to safely enable (or unlock) the use of valuable employee productivity tools such as USB drives by offering granular control over which devices are allowed to connect while at the same time enforcing control over what data can be copied onto them.
Prevents sensitive information from being transferred or copied to external devices such as iPods, smartphones, USB sticks, etc. Controls user behavior with these devices and prevents unauthorized devices from connecting to user systems. Makes use of DLP’s content tagging technology to provide more granular policy control.
McAfee Encrypted USB devices are centrally managed and deployed easily on an enterprise-wide scale. Administrators can easily track devices through one back-end database. This helps to streamline the workflow to save customers time and money. Encrypted USB can leverage Active Directory to match users and devices and will support any organization from 10 to an unlimited number of users.