Trend Micro Data Protection
Solutions for privacy, disclosure and encryption

A Trend Micro White Paper

TREND MICRO DATA PROTECTION SOLUTIONS
              FOR PRIVACY, DISCLOSURE, AND ENCRYPTION


I.    INTRODUCTION
      Enterprises are faced with addressing several common compliance requirements across multiple
      geographies and industries. These include protecting confidential data in common usage scenarios,
      notifying relevant parties when this data is disclosed, and securing this information with data loss prevention
      and encryption technologies. Factors—such as finding accurate, usable, and cost-effective solutions to meet
      these requirements—can make the difference between achieving compliance goals and leaving the
      organization vulnerable to data loss and non-compliance. Trend Micro Data Protection solutions for data
      loss prevention (DLP) and email encryption are designed to help organizations meet their compliance
      requirements easily and cost-effectively.



II.   PRIVACY, DISCLOSURE, AND ENCRYPTION
      In simple terms, “compliance” is the adherence to an accepted policy or set of requirements. In terms of
      meeting global compliance requirements, compliance means protecting confidential data and establishing
      controls to ensure that requirements are met on an ongoing basis. For more information about the regulatory
      landscape and specific requirements, please see “Regulatory Compliance – Global Privacy, Disclosure and
      Encryption Issues”, a Trend Micro white paper.

      Confidential Data Type                      Description
      PII: Personally Identifiable Information    Social security number/national identification number,
                                                  driver's license number, address, phone number
      PCI: Payment Card Industry                  Credit card numbers, Card Verification Value (CVV), expiration date
      PHI: Protected Health Information           Medical diagnosis codes, disease names, medication names, patient names
      PFI: Personal Financial Information         Financial account number, credit score

      Figure 1: Protected data types and data requirements

      PRIVACY REQUIREMENTS
      Safeguarding the privacy of an individual’s personal, medical, and financial data is of utmost concern to
      enterprises, especially when it comes to regulatory compliance. Regulations that have been put in place to
      protect individuals’ privacy usually require that data associated with that individual not be visible or
      accessible to unauthorized users. While requirements for HIPAA Privacy and Security Rules tend to be more
      vague on implementation details, subsequent and related guidelines—such as NIST 800-66 and the
      HITECH Act—have stepped in to provide more implementation guidance for enforcing privacy. Monitoring
      systems for sensitive content can help enforce privacy. If sensitive content is detected, enterprises may
      choose how to react, whether to report it, block the possible breach, or encrypt the data.

      DISCLOSURE REQUIREMENTS
      While privacy is the goal, preventative controls are not airtight and data breaches may still occur. Regulators
      strive to minimize the risk of data breaches by requiring that interested parties—such as the individual
      impacted by the breach—be notified. For example, the California SB 1386 law requires breach disclosure of
      data belonging to a “resident of California whose unencrypted personal information was, or is reasonably
      believed to have been, acquired by an unauthorized person.” To address these notification requirements,
      enterprises must first be able to detect data breaches through regular monitoring of systems that handle
      confidential data. A recent Massachusetts law (201 CMR 17.00) validates this approach with its requirement
      for encryption and “reasonable monitoring of systems, for unauthorized use of or access to personal
      information”.

      1 White Paper | Solutions for Privacy, Disclosure, and Encryption

       ENCRYPTION REQUIREMENTS
       Regulators are increasingly calling out encryption as a specific technology required for securing confidential
       data. In some cases, encryption technology is also accepted as a compensating control for when data
       breaches cannot be prevented, allowing organizations to avoid costly breach disclosure requirements
       (exemption provisions). For common business processes such as email, DLP can be used to block
       unauthorized data transmissions, while encryption can enforce the privacy of communications between
       business entities and individuals—both for legitimate communications and accidental disclosure. Encryption
       of confidential data sent via email is mandated by many regulations, while others strongly encourage
       encryption as a means for avoiding breach disclosure requirements.

       Direct mandates. PCI DSS mandates encryption of credit card data where it is transmitted (PCI DSS Req.
       4) and stored (PCI DSS Req. 3). Similarly, US states including Nevada (NRS 597.970) and Massachusetts
       (201 CMR 17.00) require encryption of personal records when they are transmitted.

       Exemption. The HITECH Act (US, Healthcare) names encryption as the technology that can secure PHI, or
       render ePHI “unusable, unreadable, or indecipherable to unauthorized individuals such that breach
       notification is not required.”


III.   IDENTIFYING SUSTAINABLE COMPLIANCE SOLUTIONS
       A good place to begin an effective compliance strategy is by following a risk-based approach to
       implementing and auditing IT controls. In practice, this means focusing on business systems where
       confidential data is likely to be handled (such as email and end user systems) and on network storage
       locations (such as databases and file servers). This also means focusing on employees—or insiders—who
       routinely download, create, paste, copy to USB, or attach sensitive data to their emails sent to internal and
       external users. Once these target systems and users have been identified, it is essential to educate these
       individuals on important practices (such as acceptable use of this confidential data), to document official
       and ad-hoc processes, and to automate controls through proven products. These three areas of focus are
       known as the three P’s of an effective compliance strategy—people, processes, and products.

       Security products are necessary to safeguard confidential data, which is increasingly available in electronic
       format and handled through the aforementioned business systems. The healthcare industry in particular is
       poised to see drastic increases in confidential data records due to the recent HITECH Act of 2009, which
       reinforces the mandate for Electronic Medical/Health Records (EMR / EHR) by 2014.

       Applying encryption and DLP solutions to high-risk systems is a strong start, but it is certainly not the entire
       solution. Applying a single set of controls to users, data, and systems will not work for most organizations.
These challenges are further complicated by the variety of rules highlighted across global regulations and
enterprise security policies. Policy-based solutions are necessary to:

- Monitor different data types such as PII, PHI, PFI, and PCI
- Monitor different user activity, such as email, web, and instant messaging; copy/paste and printing; and
  copying files to USB/CD/DVD from end-user applications. These channels, or protection points, often fall
  into three classes of data, or “data modalities”: Data in Motion (DIM), Data in Use (DIU), and Data at
  Rest (DAR)
- Monitor different types of users, to determine their authorization to handle these data types
- Enforce different controls, such as audit, block, quarantine, or encrypt

Securing the sheer volume of enterprise data—especially given the distributed nature of confidential data—
can present significant operational challenges. This is why solutions that protect privacy, prevent breaches,
and encrypt email communications must be:

- Accurate in their ability to detect confidential data across email, end-user systems, and network
  storage systems
- Usable, so that both administrators and users can easily implement and use the solution
- Cost-effective, through integration with existing infrastructure and lower overhead than previous-generation
  solutions

ACCURACY IS CRITICAL
The ability to detect confidential data is the core element of many regulations. Discovery and monitoring
functions must accurately detect content, while at the same time ensuring high catch rates and low false
negatives (where the system fails to recognize sensitive data). Enterprises need to be able to identify
confidential data without blocking legitimate business processes, such as emails to business partners. The
optimal solution must also be intelligent enough to detect portions of restricted content in an otherwise
approved action. For example, users often copy and paste regulated content—such as a person’s name,
address, or social security number—into emails or USB devices. Compliance solutions should be able to
detect and block these actions while allowing the legitimate copy of non-confidential data to devices.
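The detect-then-enforce logic described above, as an added illustration that is not Trend Micro's code: loose patterns find candidate card numbers and SSNs even when pasted into otherwise ordinary text, validators (Luhn check, SSA issuance rules) cut the false positives that would otherwise block legitimate traffic, and a constructed policy table maps data type and channel to the paper's actions. The policy entries, channel names and sample message are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed policy for this example (an assumption, not a Trend Micro default):
# (data type, channel) -> action, using the paper's control vocabulary.
POLICY = {
    ("PCI", "email"): "encrypt",
    ("PCI", "usb"): "block",
    ("PII", "email"): "encrypt",
    ("PII", "usb"): "block",
    ("PII", "im"): "block",
}
DEFAULT_ACTION = "log"                 # matched data on a channel without a rule is audited
SEVERITY = ["log", "warn", "quarantine", "encrypt", "block"]   # least to most restrictive

# Candidate patterns are deliberately loose; the validators below remove most false positives
# (order numbers, phone numbers, timestamps) so legitimate transfers are not blocked.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")      # 13-19 digits, optional space/dash separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural validity: the SSA never issues area 000, 666 or 9xx, group 00 or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


@dataclass(frozen=True)
class Match:
    data_type: str   # "PCI" or "PII", per the paper's data-type taxonomy
    masked: str      # only the last four digits reach logs and compliance reports
    offset: int


def find_confidential(text: str) -> list[Match]:
    """Validated card numbers and SSNs anywhere in the text, including inside otherwise benign content."""
    found: list[Match] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(Match("PCI", "*" * (len(digits) - 4) + digits[-4:], m.start()))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            found.append(Match("PII", "***-**-" + m.group(3), m.start()))
    return sorted(found, key=lambda x: x.offset)


def decide(text: str, channel: str) -> tuple[str, list[Match]]:
    """Policy decision for one user action on one channel: the most restrictive action among all matches."""
    matches = find_confidential(text)
    if not matches:
        return "allow", []
    action = DEFAULT_ACTION
    for m in matches:
        candidate = POLICY.get((m.data_type, channel), DEFAULT_ACTION)
        if SEVERITY.index(candidate) > SEVERITY.index(action):
            action = candidate
    return action, matches


if __name__ == "__main__":
    # Constructed sample: a card number and an SSN pasted into an otherwise ordinary email.
    body = "Hi Bob, card 4111-1111-1111-1111 exp 12/14, SSN 078-05-1120, ref 1234 5678 9012 3456."
    for channel in ("email", "usb", "print"):
        action, hits = decide(body, channel)
        print(channel, action, [(h.data_type, h.masked) for h in hits])
```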

USABILITY IS KEY TO ACHIEVING DESIRED RESULTS
Compliance solutions will not be effective if they are too difficult to use, deploy, or manage. If these solutions
are not easy to use, there is a high probability that they will:

- Not be used and therefore leave the organization vulnerable
- Be used incorrectly, placing the organization in danger of violation
- Be used inefficiently, requiring too much time or too many resources to manage, thereby increasing
  total cost of ownership beyond the solution’s value

With email encryption, for example, requiring senders and recipients to use a complicated key management
process can hamper routine business processes and cause undesirable escalations to senior management.
According to the IDC Encryption Usage Survey (August 2008, IDC #213646), approximately 70 percent of
organizations say that cost/expense is critical to the choice of an encryption product, and almost 80 percent
agree that ease of use is also critical.

      Another challenge for encryption is determining which data is confidential and which is not. It is
      unrealistic to expect users to make this determination in the course of conducting business, and relying on
      them increases the likelihood of compliance violations. To increase compliance and avoid the loss of
      confidential data, the compliance solution should automatically detect and encrypt confidential data before
      it leaves the network perimeter.

      COST EFFECTIVENESS RESULTS FROM EFFICIENCY
      Data protection solutions that integrate with existing infrastructure can help reduce the costs associated with
      provisioning new data protection technologies. For example, because most enterprises have already
      deployed an email antispam and antivirus solution, adding a compatible email encryption solution can avoid
      unnecessary hardware costs and improve application performance. This increases efficiencies of scale,
      since detection and encryption of confidential data occur in a single, seamless workflow.

      For cumbersome processes like encryption key management, a compliance solution that provides key
      management as a hosted service may be more cost-effective than an on-premise solution. This approach
      can be provisioned as needed and does not require the same investment in hardware and IT resources for
      deployment and management.



IV.   THE TREND MICRO ADVANTAGE
      Training employees and adapting processes are essential elements of a compliance strategy. Success,
      however, also depends on implementing proven, policy-based endpoint or network data loss prevention
      (DLP) and email encryption solutions—while also ensuring that they are accurate, usable, and cost-effective.
      Trend Micro delivers solutions that are optimized to address compliance and more, by helping to protect
      users and confidential data from the growing threat of web-based attacks—such as viruses, malware, and
      malicious techniques used to steal data. Trend Micro solutions provide layered security, whether at the
      gateway or endpoint, and are powered by the Trend Micro™ Smart Protection Network—a next-generation,
      cloud-client content security infrastructure that helps detect and contain threats before they reach the business.


      Business Need                                                 Trend Micro Solution

      Educate employees on proper data usage policies, with         Trend Micro™ Data Loss Prevention
      real-time alerts

      Protect confidential data from misuse by “authorized          Trend Micro Email Encryption
      insiders”, whether accidental or malicious                    Trend Micro Data Loss Prevention

      Protect sensitive data, whether in use, at rest or in         Trend Micro Data Loss Prevention
      motion across both endpoint and gateway layers                Trend Micro Email Encryption

      Figure 2: Trend Micro Data Protection Solutions

      Business Need                                                 Trend Micro Solution

      Protect datacenter servers from attack, regardless of         Trend Micro Deep Security
      whether they are physical or virtual

      Continuously monitor for active, data-stealing malware        Trend Micro Threat Management Services
      infections and receive early warning notifications of
      malware outbreaks

      Protect user endpoints with antivirus, anti-malware,          Trend Micro OfficeScan™
      anti-spyware, personal firewall, and host intrusion           Trend Micro Endpoint Security Platform
      prevention system                                             Trend Micro Threat Management Services
                                                                    Trend Micro Deep Security

      Provide messaging, web, and endpoint security;                Trend Micro Enterprise Security Suite
      protection against inappropriate content, spam and            Trend Micro ScanMail™ for Exchange/Domino
      phishing, spyware, rootkits, bots, viruses and trojans,       Trend Micro InterScan™ Web/Messaging Security
      web threats, worms, and network attacks

      Figure 3: Trend Micro Data Protection Solutions – Extended



TREND MICRO DATA LOSS PREVENTION
Data loss prevention (DLP) solutions are designed to protect sensitive information such as customer,
employee, and patient data as well as intellectual property. This is generally accomplished by monitoring
and preventing information leaks across multiple threat vectors, including email, webmail, instant messaging,
USB drives, and CD/DVDs. However, many solutions that are designed to monitor and block sensitive data
have shortcomings. Less-than-ideal solutions will:

- Scan data at endpoints too slowly
- Handle only a limited number of documents
- Fail to detect data in multiple languages
- Not support partial data matching
- Fail to identify and protect sensitive data when users are offline

Trend Micro Data Loss Prevention prevents data loss with a unique approach that combines endpoint-based
policy enforcement with highly accurate DataDNA™ fingerprinting and content matching technology. Trend
Micro DLP includes pre-configured templates and validation modules for privacy data, such as those defined
by PII, PHI, and PCI regulations. These features help to simplify the process of detection and enforcement
for IT administrators. The fingerprinting technology supports full or partial matches using a language-
independent technology, with ultra-small, locally-stored signatures that enable policy enforcement for
endpoints—whether they are on or off the network.
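An added illustration of content-defined document fingerprinting for full and partial matching; this is generic shingle hashing, not Trend Micro's DataDNA, whose internals the paper does not describe. Fixed-length character windows are hashed (no tokenizer, so it is language-independent), and only the windows whose hash falls in a content-selected subset are stored, so the signature is a fraction of the document and a pasted excerpt still matches it. The sample document and the sampling parameters are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import re

K = 30      # shingle length in characters; long enough that chance overlap is rare
MOD = 8     # keep roughly one shingle hash in MOD: smaller signature, coarser match granularity


def normalize(text: str) -> str:
    """Case-fold and collapse whitespace so reformatting does not defeat matching."""
    return re.sub(r"\s+", " ", text).strip().casefold()


def shingle_hashes(text: str) -> list[int]:
    """64-bit hashes of every K-character window of the normalized text."""
    norm = normalize(text)
    return [int.from_bytes(hashlib.blake2b(norm[i:i + K].encode(), digest_size=8).digest(), "big")
            for i in range(len(norm) - K + 1)]


def fingerprint(text: str) -> frozenset[int]:
    """Signature = the shingle hashes that are 0 mod MOD (content-defined sampling).

    Selection depends only on a window's content, so any excerpt of a registered
    document selects a subset of the document's sample; that is what makes partial
    matching work. Winnowing is the usual alternative with a guaranteed minimum
    density of selected hashes; mod sampling is used here for brevity."""
    return frozenset(h for h in shingle_hashes(text) if h % MOD == 0)


def match_ratio(candidate: str, signature: frozenset[int]) -> tuple[int, int]:
    """(shared, sampled): how many of the candidate's sampled shingles are in the signature."""
    sampled = fingerprint(candidate)
    return len(sampled & signature), len(sampled)


def contains_registered_content(candidate: str, signature: frozenset[int],
                                threshold: float = 0.5) -> bool:
    """Flag when at least `threshold` of the candidate's sampled shingles come from the
    registered document. A candidate too short to yield any sampled shingle cannot be
    judged and is not flagged (a known gap of mod sampling that winnowing closes)."""
    shared, sampled = match_ratio(candidate, signature)
    return sampled > 0 and shared / sampled >= threshold


# Constructed sample document to register (not a real document).
DOC = ("Project Heron internal design note (constructed sample, not a real document). "
       "The billing service stores card tokens rather than primary account numbers, and tokens are "
       "issued by the vault component over mutually authenticated TLS. "
       "Reconciliation jobs run nightly at 02:00 and write their results to the ledger table, "
       "which is replicated to the reporting cluster every fifteen minutes. "
       "Access to the reporting cluster is limited to the finance analytics group and is reviewed quarterly. "
       "Any change to the tokenization key schedule requires sign-off from two members of the security team "
       "and must be rehearsed in the staging environment before production rollout. "
       "Incident response for the billing service follows the standard runbook, with the vault owner as the "
       "first escalation contact and the data protection officer notified within twenty-four hours.")

if __name__ == "__main__":
    sig = fingerprint(DOC)
    print(f"{len(shingle_hashes(DOC))} shingles, {len(sig)} stored in signature")
    pasted = "FYI: " + DOC[DOC.index("Reconciliation"):DOC.index("Incident")] + " Thanks"
    print(match_ratio(pasted, sig), contains_registered_content(pasted, sig))
```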

It is important to secure protection points that cover three data modalities:

- Data at Rest. The Trend Micro solution scans endpoints and file systems for confidential data, giving
  enterprises visibility into where their confidential data is being stored and accessed.
- Data in Use. Trend Micro DLP also monitors data in use across numerous communications channels
  such as USB-based removable storage, CDs, DVDs, and printers.
- Data in Motion. Trend Micro DLP provides protection for channels that include email, webmail,
  instant messaging, and FTP.

These protection points can be enabled at the endpoint or network and can include the following actions: log,
warn user, capture forensic data, require user justification, or block. This helps to improve compliance over
time, as users are educated at the point of the violation—a pop-up screen explains the organization’s policy
and prompts for justification of the prohibited action.

While implementing controls is part of the compliance challenge, validating these controls against the data
protection policy plays an even bigger role: it’s core to the audit process. Compliance audits, such as those
required by PCI DSS, require tamper-proof activity logs to prove that controls are in place and are effective
for protecting confidential data. Trend Micro DLP provides these logs, as well as compliance reports that
highlight violations and the confidential data that was detected. This helps to greatly mitigate risk over time.

TREND MICRO EMAIL ENCRYPTION
Email encryption solutions enable organizations to enforce compliance requirements and to ensure that
confidential information is delivered securely. However, using traditional encryption solutions to protect email
and attachments from unwanted eavesdropping, tampering, and spoofing is often complex—placing
additional burdens on IT management.

Trend Micro Email Encryption solutions are easy to use within an existing email infrastructure. They provide
universal reach by allowing organizations to deliver private email to any recipient without burdensome
recipient pre-registration or certificate management of Public Key Infrastructure (PKI) technology. Encrypted
content is simply pushed from senders to recipients like any other email. While the solution is offered in both
hosted and on-premise versions, hosted encryption goes further in maintaining public keys, securing private
keys, and managing certificate revocation lists on behalf of customers. The Trend Micro hosted service
enables even small or medium-sized businesses to cost-effectively address encryption requirements.

Trend Micro also addresses usability and accuracy concerns by removing the dependence on end users to
enforce the encryption of their confidential emails. Policy-based email encryption automatically encrypts and
decrypts emails based on administrator-defined policies—using content filtering capabilities from a
messaging security gateway solution, such as Trend Micro Hosted Email Security.

To support audit requirements, Trend Micro Email Encryption also provides tamper-proof activity logs and
compliance reports that highlight violations and any detected confidential data.

V.   TRUST A SECURITY INDUSTRY LEADER
     Trend Micro data protection solutions address privacy, breach disclosure, and encryption requirements with
     Email Encryption and Data Loss Prevention solutions. These solutions address common IT compliance
     challenges with accuracy, usability, and cost-effectiveness. As a global leader in Internet content security,
     Trend Micro focuses on securing the exchange of digital information. Based on extensive content security
     expertise, Trend Micro correlates threat data from an average of more than 5 billion dynamically rated
     websites, spam sources, and files every day. Thousands of companies continue to trust their data protection
     to Trend Micro—a company with 20 years of experience dedicated to content security and expertise based
     on a history of innovation.




     To learn more about Trend Micro solutions for addressing regulatory compliance, contact your Trend Micro
     representative or visit www.trendmicro.com.




     © 2010 Trend Micro, Incorporated. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend
     Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Information
     contained in this document is subject to change without notice. WP01_DLP-compliance_100224US
Investigating Web Defacement Campaigns at LargeInvestigating Web Defacement Campaigns at Large
Investigating Web Defacement Campaigns at Large
 
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
 
Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...
Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...
Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...
 
Skip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWSSkip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWS
 
Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem Dr.
Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem Dr.Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem Dr.
Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem Dr.
 
Mobile Telephony Threats in Asia
Mobile Telephony Threats in AsiaMobile Telephony Threats in Asia
Mobile Telephony Threats in Asia
 
Cybercrime In The Deep Web
Cybercrime In The Deep WebCybercrime In The Deep Web
Cybercrime In The Deep Web
 
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
 
HBR APT framework
HBR APT frameworkHBR APT framework
HBR APT framework
 
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
Captain, Where Is Your Ship – Compromising Vessel Tracking SystemsCaptain, Where Is Your Ship – Compromising Vessel Tracking Systems
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep Discovery
 
The Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted AttacksThe Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted Attacks
 
Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012
 
[Case Study ~ 2011] Baptist Hospitals of Southest Texas
[Case Study ~ 2011] Baptist Hospitals of Southest Texas[Case Study ~ 2011] Baptist Hospitals of Southest Texas
[Case Study ~ 2011] Baptist Hospitals of Southest Texas
 
Who owns security in the cloud
Who owns security in the cloudWho owns security in the cloud
Who owns security in the cloud
 
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security TechniquesEncryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
 
Threat predictions 2011
Threat predictions 2011 Threat predictions 2011
Threat predictions 2011
 
Trend micro deep security
Trend micro deep securityTrend micro deep security
Trend micro deep security
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
 

Solutions for privacy, disclosure and encryption

  • 1. Trend Micro Data Protection Solutions for privacy, disclosure and encryption A Trend Micro White Paper
  • 2. TREND MICRO DATA PROTECTION SOLUTIONS FOR PRIVACY, DISCLOSURE, AND ENCRYPTION I. INTRODUCTION Enterprises are faced with addressing several common compliance requirements across multiple geographies and industries. These include protecting confidential data in common usage scenarios, notifying relevant parties when this data is disclosed, and securing this information with data loss prevention and encryption technologies. Factors—such as finding accurate, usable, and cost-effective solutions to meet these requirements—can make the difference between achieving compliance goals and leaving the organization vulnerable to data loss and non-compliance. Trend Micro Data Protection solutions for data loss prevention (DLP) and email encryption are designed to help organizations meet their compliance requirements easily and cost-effectively. II. PRIVACY, DISCLOSURE, AND ENCRYPTION In simple terms, “compliance” is the adherence to an accepted policy or set of requirements. In terms of meeting global compliance requirements, compliance means protecting confidential data and establishing controls to ensure that requirements are met on an ongoing basis. For more information about the regulatory landscape and specific requirements, please see “Regulatory Compliance – Global Privacy, Disclosure and Encryption Issues”, a Trend Micro white paper. 
                 PCI: Payment Card Industry                  Credit card numbers, Card Verification Value
                                                             (CVV), expiration date
                 PHI: Protected Health Information           Medical diagnosis codes, disease names,
                                                             medication names, patient names
                 PFI: Personal Financial Information         Financial account number, credit score

      Figure 1: Protected data types and data requirements

      PRIVACY REQUIREMENTS
      Safeguarding the privacy of an individual’s personal, medical, and financial data is of utmost concern to enterprises, especially when it comes to regulatory compliance. Regulations that have been put in place to protect individuals’ privacy usually require that data associated with that individual not be visible or accessible to unauthorized users. While the requirements of the HIPAA Privacy and Security Rules tend to be vague on implementation details, subsequent and related guidelines—such as NIST 800-66 and the HITECH Act—have stepped in to provide more implementation guidance for enforcing privacy.

      Monitoring systems for sensitive content can help enforce privacy. If sensitive content is detected, enterprises may choose how to react: report it, block the possible breach, or encrypt the data.

      DISCLOSURE REQUIREMENTS
      While privacy is the goal, preventative controls are not airtight and data breaches may still occur. Regulators strive to minimize the risk of data breaches by requiring that interested parties—such as the individual impacted by the breach—be notified. For example, the California SB 1386 law requires breach disclosure of data belonging to a “resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

      To address these notification requirements, enterprises must first be able to detect data breaches through regular monitoring of systems that handle confidential data. A recent Massachusetts law (201 CMR 17.00) validates this approach with its requirement for encryption and “reasonable monitoring of systems, for unauthorized use of or access to personal information”.

      ENCRYPTION REQUIREMENTS
      Regulators are increasingly calling out encryption as a specific technology required for securing confidential data. In some cases, encryption technology is also accepted as a compensating control for when data breaches cannot be prevented, allowing organizations to avoid costly breach disclosure requirements (exemption provisions). For common business processes such as email, DLP can be used to block unauthorized data transmissions, while encryption can enforce the privacy of communications between business entities and individuals—both for legitimate communications and accidental disclosure. Encryption of confidential data sent via email is mandated by many regulations, while others strongly encourage encryption as a means of avoiding breach disclosure requirements.

      Direct mandates. PCI DSS mandates encryption of credit card data where it is transmitted (PCI DSS Req. 4) and stored (PCI DSS Req. 3). Similarly, US states including Nevada (NRS 597.970) and Massachusetts (201 CMR 17.00) require encryption of transmitted data for personal records.

      Exemption. The HITECH Act (US, Healthcare) identifies encryption as the technology that can secure PHI, or render ePHI “unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required.”

III.  IDENTIFYING SUSTAINABLE COMPLIANCE SOLUTIONS
      A good place to begin an effective compliance strategy is by following a risk-based approach to implementing and auditing IT controls. In practice, this means focusing on business systems where confidential data is likely to be handled (such as email and end-user systems) and on network storage locations (such as databases and file servers). This also means focusing on employees—or insiders—who routinely download, create, paste, copy to USB, or attach sensitive data to emails sent to internal and external users. Once these target systems and users have been identified, it is essential to educate these individuals on important practices—such as acceptable use of this confidential data—to document official and ad-hoc processes, and to automate controls through proven products. In fact, these areas of focus are known as the three P’s of an effective compliance strategy—people, processes, and products.

      Security products are necessary to safeguard confidential data, which is increasingly available in electronic format and handled through the aforementioned business systems. The healthcare industry in particular is poised to see drastic increases in confidential data records due to the recent HITECH Act of 2009, which reinforces the mandate for Electronic Medical/Health Records (EMR/EHR) by 2014. Applying encryption and DLP solutions to high-risk systems is a strong start, but it is certainly not the entire solution. Applying a single set of controls to users, data, and systems will not work for most organizations.

      These challenges are further complicated by the variety of rules highlighted across global regulations and enterprise security policies. Policy-based solutions are necessary to:
      - Monitor different data types such as PII, PHI, PFI, and PCI
      - Monitor different user activity such as email, web, and instant messaging, as well as copy/paste, printing, and copying files to USB/CD/DVD from end-user applications. These channels or protection points often fall into three classes of data—or “data modalities”: Data in Motion (DIM), Data in Use (DIU), and Data at Rest (DAR)
      - Monitor different types of users, to determine their authorization to handle these data types
      - Enforce different controls, such as audit, block, quarantine, or encrypt

      Securing the sheer volume of enterprise data—especially given the distributed nature of confidential data—can present significant operational challenges. This is why solutions that protect privacy, prevent breaches, and encrypt email communications must be:
      - Accurate in their ability to detect confidential data across email, end-user systems, and network storage systems
      - Usable, so that both administrators and users can easily implement and use the solution
      - Cost-effective, through integration with existing infrastructure and lower overhead than previous-generation solutions

      ACCURACY IS CRITICAL
      The ability to detect confidential data is the core element of many regulations. Discovery and monitoring functions must accurately detect content, while at the same time ensuring high catch rates and low false negatives (where the system fails to recognize sensitive data). Enterprises need to be able to identify confidential data without blocking legitimate business processes, such as emails to business partners. The optimal solution must also be intelligent enough to detect portions of restricted content in an otherwise approved action. For example, users often copy and paste regulated content—such as a person’s name, address, or social security number—into emails or onto USB devices. Compliance solutions should be able to detect and block these actions while allowing the legitimate copying of non-confidential data to devices.

      USABILITY IS KEY TO ACHIEVING DESIRED RESULTS
      Compliance solutions will not be effective if they are too difficult to use, deploy, or manage. If these solutions are not easy to use, there is a high probability that they will:
      - Not be used, and therefore leave the organization vulnerable
      - Be used incorrectly, placing the organization in danger of violation
      - Be used inefficiently, requiring too much time or too many resources to manage, thereby increasing total cost of ownership beyond the solution’s value

      With email encryption, for example, requiring senders and recipients to use a complicated key management process can hamper routine business processes and cause undesirable escalations to senior management. According to the IDC Encryption Usage Survey (August 2008, IDC #213646), approximately 70 percent of organizations say that cost/expense is critical to the choice of an encryption product, and almost 80 percent agree that ease of use is also critical.
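      The accuracy point above (detect a pasted record inside an otherwise approved action without blocking legitimate transfers) is illustrated by the following added Python sketch, which is not Trend Micro's code: it classifies text into the PII and PCI types of Figure 1, validates each candidate so ordinary numbers do not raise false positives, and maps each (data type, channel) pair to one of the controls named above (audit, block, quarantine, encrypt). The patterns, the policy table and the sample messages are assumptions constructed for the example.

```python
"""Policy-based DLP content check (an added illustration, not Trend Micro's
code). Classifies text into two data types from Figure 1 (PII and PCI),
validates each candidate so ordinary numbers do not raise false positives,
and maps (data type, channel) to one of the controls the paper names:
audit, block, quarantine, or encrypt. Patterns, policy table and sample
messages are constructed for this example."""
import re
from dataclasses import dataclass, field

# Deliberately loose candidate patterns; validation below makes the call.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every issued payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers that are never issued (area 000, 666 or
    9xx; group 00; serial 0000), a common source of false positives."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def classify(text: str) -> set:
    """Return the set of confidential data types found in the text."""
    found = set()
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            found.add("PII")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("PCI")
    return found


# Control applied when a data type appears on a channel (constructed policy;
# a deployment derives its own from the regulations it is subject to).
POLICY = {
    ("PCI", "email"): "encrypt",   # PCI DSS Req. 4 style: protect in transit
    ("PCI", "usb"): "block",
    ("PCI", "print"): "block",
    ("PII", "email"): "encrypt",
    ("PII", "usb"): "block",
    ("PII", "print"): "audit",
}
# Ordering used when several data types call for different controls.
SEVERITY = {"audit": 0, "encrypt": 1, "quarantine": 2, "block": 3}


@dataclass
class Verdict:
    action: str            # "allow" or one of the POLICY controls
    data_types: set = field(default_factory=set)


def evaluate(text: str, channel: str) -> Verdict:
    """Apply the most restrictive control among the data types found; text
    with no confidential data is allowed, so legitimate copies proceed."""
    types = classify(text)
    if not types:
        return Verdict("allow", types)
    actions = [POLICY.get((t, channel), "audit") for t in types]
    return Verdict(max(actions, key=SEVERITY.__getitem__), types)


# Constructed samples: a customer record pasted into a routine note, a card
# number in a mail body, an SSN-shaped ticket id, and plain business text.
SAMPLES = {
    "pasted_record": "Please update the file for Jane Doe, SSN 123-45-6789, 12 Main St.",
    "card_in_body": "Card 4111 1111 1111 1111 exp 12/25 for the renewal",
    "fake_ssn": "Ticket ref 000-12-3456 is not a person",
    "clean": "Quarterly roadmap attached, see you Monday.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for channel in ("email", "usb"):
            v = evaluate(text, channel)
            print(f"{name:14s} {channel:6s} -> {v.action:8s} {sorted(v.data_types)}")
```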
      Another challenge for encryption is determining which data is confidential and which is not. It is unrealistic to expect users to make this determination in the course of conducting business, which increases the likelihood of compliance violations. To increase compliance and avoid the loss of confidential data, the compliance solution should automatically detect and encrypt confidential data before it leaves the network perimeter.

      COST EFFECTIVENESS RESULTS FROM EFFICIENCY
      Data protection solutions that integrate with existing infrastructure can help reduce the costs associated with provisioning new data protection technologies. For example, because most enterprises have already deployed an email antispam and antivirus solution, adding a compatible email encryption solution can avoid unnecessary hardware costs and improve application performance. This increases efficiencies of scale, since detection and encryption of confidential data occur in a single, seamless workflow.

      For cumbersome processes like encryption key management, a compliance solution that provides key management as a hosted service may be more cost-effective than an on-premise solution. This approach can be provisioned as needed and does not require the same investment in hardware and IT resources for deployment and management.

IV.   THE TREND MICRO ADVANTAGE
      Training employees and adapting processes are essential elements of a compliance strategy. Success, however, also depends on implementing proven, policy-based endpoint or network data loss prevention (DLP) and email encryption solutions—while also ensuring that they are accurate, usable, and cost-effective.

      Trend Micro delivers solutions that are optimized to address compliance and more, by helping to protect users and confidential data from the growing threat of web-based attacks—such as viruses, malware, and malicious techniques used to steal data. Trend Micro solutions provide layered security, whether at the gateway or endpoint, and are powered by the Trend Micro™ Smart Protection Network—a next-generation, cloud-client content security infrastructure that helps detect and contain threats before they reach the business.

      Business Need                                          Trend Micro Solution
      Educate employees on proper data usage policies,       Trend Micro™ Data Loss Prevention
      with real-time alerts
      Protect confidential data from misuse by               Trend Micro Email Encryption
      “authorized insiders”, whether accidental or           Trend Micro Data Loss Prevention
      malicious
      Protect sensitive data, whether in use, at rest        Trend Micro Data Loss Prevention
      or in motion across both endpoint and gateway          Trend Micro Email Encryption
      layers

      Figure 2: Trend Micro Data Protection Solutions

      Business Need                                          Trend Micro Solution
      Protect datacenter servers from attack, regardless     Trend Micro Deep Security
      of whether they are physical or virtual
      Continuously monitor for active, data-stealing         Trend Micro Threat Management Services
      malware infections and receive early warning
      notifications of malware outbreaks
      Protect user endpoints with antivirus, anti-malware,   Trend Micro OfficeScan™
      anti-spyware, personal firewall, and host intrusion    Trend Micro Endpoint Security Platform
      prevention system                                      Trend Micro Threat Management Services
                                                             Trend Micro Deep Security
      Provide messaging, web, and endpoint security;         Trend Micro Enterprise Security Suite
      protection against inappropriate content, spam and     Trend Micro ScanMail™ for Exchange/Domino
      phishing, spyware, rootkits, bots, viruses and         Trend Micro InterScan™ Web/Messaging Security
      trojans, web threats, worms, and network attacks

      Figure 3: Trend Micro Data Protection Solutions – Extended

      TREND MICRO DATA LOSS PREVENTION
      Data loss prevention (DLP) solutions are designed to protect sensitive information such as customer, employee, and patient data as well as intellectual property. This is generally accomplished by monitoring and preventing information leaks across multiple threat vectors, including email, webmail, instant messaging, USB drives, and CD/DVDs. However, many solutions that are designed to monitor and block sensitive data have shortcomings. Less than ideal solutions will:
      - Scan data at endpoints too slowly
      - Handle only a limited number of documents
      - Fail to detect data in multiple languages
      - Not support partial data matching
      - Fail to identify and protect sensitive data when users are offline

      Trend Micro Data Loss Prevention prevents data loss with a unique approach that combines endpoint-based policy enforcement with highly accurate DataDNA™ fingerprinting and content matching technology. Trend Micro DLP includes pre-configured templates and validation modules for privacy data, such as those defined by PII, PHI, and PCI regulations. These features help to simplify the process of detection and enforcement for IT administrators. The fingerprinting technology supports full or partial matches using a language-independent technology, with ultra-small, locally-stored signatures that enable policy enforcement for endpoints—whether they are on or off the network.
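      The white paper does not describe how DataDNA fingerprinting works internally. The following added Python example (not Trend Micro's code) shows one standard way the properties claimed above can be obtained: partial matching, no dependence on language, and a signature much smaller than the document, using k-gram hashing with winnowing. The protected document and the outgoing messages are constructed for the example, and the match threshold is an assumption.

```python
"""Document fingerprinting with partial matching (an added illustration, not
Trend Micro's DataDNA, whose internals the white paper does not describe).
Technique assumed here: k-gram hashing with winnowing (Schleimer, Wilkerson
and Aiken, 2003). A protected document is reduced to a small set of selected
hashes, which is what an endpoint would store; outgoing content is hashed
the same way, and the overlap shows whether part of the document is being
sent. Hashing works on characters, so no language model is needed. The
protected document and messages below are constructed."""
import hashlib
import re

K = 25        # characters per k-gram; runs shorter than this cannot match
WINDOW = 8    # winnowing window; larger windows give smaller signatures
# Any shared run of at least K + WINDOW - 1 characters shares a selected hash.


def _normalize(text: str) -> str:
    """Lower-case and collapse whitespace so reformatting does not evade matching."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def _kgram_hashes(text: str) -> list:
    """64-bit BLAKE2b hash of every K-character window. A real hash (not
    Python's per-process randomized hash()) keeps signatures comparable
    across machines."""
    t = _normalize(text)
    return [int.from_bytes(hashlib.blake2b(t[i:i + K].encode("utf-8"),
                                           digest_size=8).digest(), "big")
            for i in range(len(t) - K + 1)]


def fingerprint(text: str) -> set:
    """Winnow: record the minimum hash of each WINDOW of consecutive k-gram
    hashes. Identical text selects identical hashes on both sides."""
    hashes = _kgram_hashes(text)
    return {min(hashes[i:i + WINDOW])
            for i in range(max(0, len(hashes) - WINDOW + 1))}


def match_ratio(candidate: str, signature: set) -> float:
    """Share of the candidate's selected hashes found in the signature:
    1.0 for a verbatim excerpt, 0.0 for unrelated text, in between for a
    message that embeds part of the protected document."""
    cand = fingerprint(candidate)
    return len(cand & signature) / len(cand) if cand else 0.0


def decide(candidate: str, signature: set, threshold: float = 0.2) -> str:
    """Policy hook: block when enough of a protected document is present.
    The threshold is an assumption for this example."""
    return "block" if match_ratio(candidate, signature) >= threshold else "allow"


# Constructed stand-in for a protected document (a patient-intake note).
PROTECTED_DOC = """
Patient intake summary for the cardiology clinic, confidential.
Diagnosis and medication list: hypertension, lisinopril 10 mg daily.
Follow-up visit scheduled in six weeks; contact the care coordinator.
"""
# Constructed outgoing messages: one embeds a single line of the document.
PARTIAL_MESSAGE = ("Hi team, Diagnosis and medication list: hypertension, "
                   "lisinopril 10 mg daily. Thanks!")
UNRELATED_MESSAGE = "Lunch is moved to noon on Friday, bring your own plates."

if __name__ == "__main__":
    sig = fingerprint(PROTECTED_DOC)
    print(f"signature: {len(sig)} hashes for {len(_kgram_hashes(PROTECTED_DOC))} k-grams")
    for msg in (PARTIAL_MESSAGE, UNRELATED_MESSAGE):
        print(f"{match_ratio(msg, sig):.2f} {decide(msg, sig)} <- {msg[:40]}")
```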
      It is important to secure protection points that cover three data modalities:
      - Data at Rest. The Trend Micro solution scans endpoints and file systems for confidential data, giving enterprises visibility into where their confidential data is being stored and accessed.
      - Data in Use. Trend Micro DLP also monitors data in use across numerous communications channels such as USB-based removable storage, CDs, DVDs, and printers.
      - Data in Motion. Trend Micro DLP provides protection for channels that include email, webmail, instant messaging, and FTP.

      These protection points can be enabled at the endpoint or network and can include the following actions: log, warn user, capture forensic data, require user justification, or block. This helps to improve compliance over time, as users are educated at the point of the violation—a pop-up screen explains the organization’s policy and prompts for justification of the prohibited action.

      While implementing controls is part of the compliance challenge, validating these controls against the data protection policy plays an even bigger role: it is core to the audit process. Compliance audits, such as those required by PCI DSS, require tamper-proof activity logs to prove that controls are in place and are effective for protecting confidential data. Trend Micro DLP provides these logs, as well as compliance reports that highlight violations and the confidential data that was detected. This helps to greatly mitigate risk over time.

      TREND MICRO EMAIL ENCRYPTION
      Email encryption solutions enable organizations to enforce compliance requirements and to ensure that confidential information is delivered securely. However, using traditional encryption solutions to protect email and attachments from unwanted eavesdropping, tampering, and spoofing is often complex—placing additional burdens on IT management. Trend Micro Email Encryption solutions are easy to use within an existing email infrastructure. They provide universal reach by allowing organizations to deliver private email to any recipient without the burdensome recipient pre-registration or certificate management of Public Key Infrastructure (PKI) technology. Encrypted content is simply pushed from senders to recipients like any other email. While the solution is offered in both hosted and on-premise versions, hosted encryption goes further in maintaining public keys, securing private keys, and managing certificate revocation lists on behalf of customers. The Trend Micro hosted service enables even small or medium-sized businesses to cost-effectively address encryption requirements.

      Trend Micro also addresses usability and accuracy concerns by removing the dependence on end users to enforce the encryption of their confidential emails. Policy-based email encryption automatically encrypts and decrypts emails based on administrator-defined policies—using content filtering capabilities from a messaging security gateway solution, such as Trend Micro Hosted Email Security. To support audit requirements, Trend Micro Email Encryption also provides tamper-proof activity logs and compliance reports that highlight violations and any detected confidential data.

V.    TRUST A SECURITY INDUSTRY LEADER
      Trend Micro data protection solutions address privacy, breach disclosure, and encryption requirements with Email Encryption and Data Loss Prevention solutions. These solutions address common IT compliance challenges with accuracy, usability, and cost-effectiveness. As a global leader in Internet content security, Trend Micro focuses on securing the exchange of digital information. Based on extensive content security expertise, Trend Micro correlates threat data from an average of more than 5 billion dynamically rated websites, spam sources, and files every day. Thousands of companies continue to trust their data protection to Trend Micro—a company with 20 years of experience dedicated to content security and expertise based on a history of innovation.

      To learn more about Trend Micro solutions for addressing regulatory compliance, contact your Trend Micro representative or visit www.trendmicro.com.

      © 2010 Trend Micro, Incorporated. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. WP01_DLP-compliance_100224US