Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Solutions for privacy, disclosure and encryption
1. Trend Micro
Data Protection
Solutions for
privacy, disclosure
and encryption
A Trend Micro White Paper
2. TREND MICRO DATA PROTECTION SOLUTIONS
FOR PRIVACY, DISCLOSURE, AND ENCRYPTION
I. INTRODUCTION
Enterprises are faced with addressing several common compliance requirements across multiple
geographies and industries. These include protecting confidential data in common usage scenarios,
notifying relevant parties when this data is disclosed, and securing this information with data loss prevention
and encryption technologies. Factors—such as finding accurate, usable, and cost-effective solutions to meet
these requirements—can make the difference between achieving compliance goals and leaving the
organization vulnerable to data loss and non-compliance. Trend Micro Data Protection solutions for data
loss prevention (DLP) and email encryption are designed to help organizations meet their compliance
requirements easily and cost-effectively.
II. PRIVACY, DISCLOSURE, AND ENCRYPTION
In simple terms, “compliance” is the adherence to an accepted policy or set of requirements. In terms of
meeting global compliance requirements, compliance means protecting confidential data and establishing
controls to ensure that requirements are met on an ongoing basis. For more information about the regulatory
landscape and specific requirements, please see “Regulatory Compliance – Global Privacy, Disclosure and
Encryption Issues”, a Trend Micro white paper.
Confidential Data Types Description
Social security number/national identification
PII: Personality Identifiable Information number, drivers license number, address, phone
number
Credit card numbers, Card Verification Value (CVV),
PCI: Payment Card Industry
expiration date
Medical diagnosis codes, disease names,
PHI: Protected Health Information
medication names, patient names
PFI: Personal Financial Information Financial account number, credit score
Figure 1: Protected data types and data requirements
PRIVACY REQUIREMENTS
Safeguarding the privacy of an individual’s personal, medical, and financial data is of utmost concern to
enterprises, especially when it comes to regulatory compliance. Regulations that have been put in place to
protect individuals’ privacy usually require that data associated with that individual not be visible or
accessible to unauthorized users. While requirements for HIPAA Privacy and Security Rules tend to be more
vague on implementation details, subsequent and related guidelines—such as NIST 800-66 and the
HITECH Act—have stepped in to provide more implementation guidance for enforcing privacy. Monitoring
systems for sensitive content can help enforce privacy. If sensitive content is detected, enterprises may
choose how to react, whether to report it, block the possible breach, or encrypt the data.
DISCLOSURE REQUIREMENTS
While privacy is the goal, preventative controls are not airtight and data breaches may still occur. Regulators
strive to minimize the risk of data breaches by requiring that interested parties—such as the individual
impacted by the breach—be notified. For example, the California SB 1386 law requires breach disclosure of
1 White Paper | Solutions for Privacy, Disclosure, and Encryption
3. TREND MICRO DATA PROTECTION SOLUTIONS
FOR PRIVACY, DISCLOSURE, AND ENCRYPTION
data belonging to a “resident of California whose unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.” To address these notification requirements,
enterprises must first be able to detect data breaches through regular monitoring of systems that handle
confidential data. A recent Massachusetts law (201 CMR 17.00) validates this approach with its requirement
for encryption and “reasonable monitoring of systems, for unauthorized use of or access to personal
information”.
ENCRYPTION REQUIREMENTS
Regulators are increasingly calling out encryption as a specific technology required for securing confidential
data. In some cases, encryption technology is also accepted as a compensating control for when data
breaches cannot be prevented, allowing organizations to avoid costly breach disclosure requirements
(exemption provisions). For common business processes such as email, DLP can be used to block
unauthorized data transmissions, while encryption can enforce the privacy of communications between
business entities and individuals—both for legitimate communications and accidental disclosure. Encryption
of confidential data sent via email is mandated by many regulations, while others strongly encourage
encryption as a means for avoiding breach disclosure requirements.
Direct mandates. PCI DSS mandates encryption of credit card data where it is transmitted (PCI DSS Req.
4) and stored (PCI DSS Req. 3). Similarly, US States including Nevada (NRS 597.970) and Massachusetts
(201 CMR 17.00), require encryption of transmitted data for personal records.
Exemption. The HITECH Act (US, Healthcare) states encryption as the technology that can secure PHI, or
render ePHI “unusable, unreadable, or indecipherable to unauthorized individuals such that breach
notification is not required.”
III. IDENTIFYING SUSTAINABLE COMPLIANCE SOLUTIONS
A good place to begin an effective compliance strategy is by following a risk-based approach to
implementing and auditing IT controls. In practice, this means focusing on business systems where
confidential data is likely to be handled (such as email and end user systems) and on network storage
locations (such as databases and file servers). This also means focusing on employees—or insiders—who
routinely download, create, paste, copy to USB, or attach sensitive data to their emails sent to internal and
external users. Once these target systems and users have been identified, it is essential to educate these
individuals on important practices—such as acceptable use of this confidential data, document official and
ad-hoc processes, and automate controls through proven products. In fact, these areas of focus are known
as the three P’s of an effective compliance strategy—people, processes, and products.
Security products are necessary to safeguard confidential data, which is increasingly available in electronic
format and handled through the aforementioned business systems. The healthcare industry in particular is
poised to see drastic increases in confidential data records due to the recent HITECH Act of 2009, which
reinforces the mandate for Electronic Medical/Health Records (EMR / EHR) by 2014.
Applying encryption and DLP solutions to high-risk systems is a strong start, but it is certainly not the entire
solution. Applying a single set of controls to users, data, and systems will not work for most organizations.
2 White Paper | Solutions for Privacy, Disclosure, and Encryption
4. TREND MICRO DATA PROTECTION SOLUTIONS
FOR PRIVACY, DISCLOSURE, AND ENCRYPTION
These challenges are further complicated by the variety of rules highlighted across global regulations and
enterprise security policies. Policy-based solutions are necessary to:
Monitor different data types such as PII, PHI, PFI, and PCI
Monitor different user activity such as email, web, instant messaging; copy/paste, printing, copy files
to USB/CD/DVD from end-user applications. These channels or protection points often fall into three
classes of data—or “data modalities”. They are Data in Motion (DIM), Data in Use (DIU), and Data at
Rest (DAR)
Monitor different types of users, to determine their authorization to handle these data types
Enforce different controls, such as audit, block, quarantine, or encrypt
Securing the sheer volume of enterprise data—especially given the distributed nature of confidential data—
can present significant operational challenges. This is why solutions that protect privacy, prevent breaches,
and encrypt email communications must be:
Accurate in their ability to detect confidential data across email, end-user systems, and network
storage systems
Usable so that both administrators and users can easily implement and use the solution
Cost-effective through integration with existing infrastructure and low overhead from previous
generation solutions
ACCURACY IS CRITICAL
The ability to detect confidential data is the core element of many regulations. Discovery and monitoring
functions must accurately detect content, while at the same time ensuring high catch rates and low false
negatives (where the system fails to recognize sensitive data). Enterprises need to be able to identify
confidential data without blocking legitimate business processes, such as emails to business partners. The
optimal solution must also be intelligent enough to detect portions of restricted content in an otherwise
approved action. For example, users often copy and paste regulated content—such as a person’s name,
address, or social security number—into emails or USB devices. Compliance solutions should be able to
detect and block these actions while allowing the legitimate copy of non-confidential data to devices.
USABILITY IS KEY TO ACHIEVING DESIRED RESULTS
Compliance solutions will not be effective if they are too difficult to use, deploy, or manage. If these solutions
are not easy to use, there is a high probability that they will:
Not be used and therefore leave the organization vulnerable
Be used incorrectly, placing the organization in danger of violation
Be used inefficiently, requiring too much time or too many resources to manage, thereby increasing
total cost of ownership beyond the solution’s value
With email encryption, for example, requiring senders and recipients to use a complicated key management
process can hamper routine business processes and cause undesirable escalations to senior management.
According to the IDC Encryption Usage Survey (August 2008, IDC #213646), approximately 70 percent of
organizations say that cost/expense are critical to a choice of encryption product, and almost 80 percent
agree that ease of use is also critical.
3 White Paper | Solutions for Privacy, Disclosure, and Encryption
5. TREND MICRO DATA PROTECTION SOLUTIONS
FOR PRIVACY, DISCLOSURE, AND ENCRYPTION
Another challenge for encryption is making the determination of which data is confidential and which is not. It
is unrealistic to expect users to make this determination in the course of conducting business, increasing the
likelihood of compliance violations. To increase compliance and avoid the loss of confidential data, the
compliance solution should automatically detect and encrypt confidential data prior to leaving the network
perimeter.
COST EFFECTIVENESS RESULTS FROM EFFICIENCY
Data protection solutions that integrate with existing infrastructure can help reduce the costs associated with
provisioning new data protection technologies. For example, because most enterprises already have already
deployed an email antispam and antivirus solution, adding a compatible email encryption solution can avoid
unnecessary hardware costs and improve application performance. This increases efficiencies of scale,
since detection and encryption of confidential data are occurring in a single, seamless workflow.
For cumbersome processes like encryption key management, a compliance solution that provides key
management as a hosted service may be more cost-effective than an on-premise solution. This approach
can be provisioned as needed and does not require the same investment in hardware and IT resources for
deployment and management.
IV. THE TREND MICRO ADVANTAGE
Training employees and adapting processes are essential elements of a compliance strategy. Success,
however, also depends on implementing proven, policy-based endpoint or network data loss prevention
(DLP) and email encryption solutions—while also ensuring that they are accurate, usable, and cost-effective.
Trend Micro delivers solutions that are optimized to address compliance and more, by helping to protect
users and confidential data from the growing threat of web-based attacks—such as viruses, malware, and
malicious techniques used to steal data. Trend Micro solutions provide layered security, whether at the
gateway or endpoint, and are powered by the Trend Micro™ Smart Protection Network—a next-generation,
cloud-client content security infrastructure helps detect and contain threats before they reach the business.
Business Need Trend Micro Solution
Educate employees on proper data usage
policies, with real-time alerts Trend Micro™ Data Loss Prevention
Protect confidential data from misuse by Trend Micro Email Encryption
“authorized insiders”, whether accidental or
malicious Trend Micro Data Loss Prevention
Protect sensitive data, whether in use, at rest Trend Micro Data Loss Prevention
or in motion across both endpoint and
Trend Micro Email Encryption
gateway layers
Figure 2: Trend Micro Data Protection Solutions
4 White Paper | Solutions for Privacy, Disclosure, and Encryption
6. TREND MICRO DATA PROTECTION SOLUTIONS
FOR PRIVACY, DISCLOSURE, AND ENCRYPTION
Business Need Trend Micro Solution
Protect datacenter servers from attack,
regardless of whether they are physical or Trend Micro Deep Security
virtual
Continuously monitor for active, data-stealing
malware infections and receive early warning Trend Micro Threat Management
notifications of malware outbreaks Services
Trend Micro OfficeScan™
Trend Micro Endpoint Security Platform
Protect user endpoints with antivirus, anti-
malware, anti-spyware, personal firewall, and Trend Micro Threat Management
host intrusion prevention system Services
Trend Micro Deep Security
Trend Micro Enterprise Security Suite
Provide messaging, web, and endpoint
security; Protection against inappropriate Trend Micro ScanMail™ for
content, spam and phishing, spyware, rootkits, Exchange/Domino
bots, viruses and trojans, web threats, worms, Trend Micro InterScan™ Web/Messaging
and network attacks Security
Figure 3: Trend Micro Data Protection Solutions – Extended
TREND MICRO DATA LOSS PREVENTION
Data loss prevention (DLP) solutions are designed to protect sensitive information such as customer,
employee, and patient data as well as intellectual property. This is generally accomplished by monitoring
and preventing information leaks across multiple threat vectors, including email, webmail, instant messaging,
USB drives, and CD/DVDs. However, many solutions that are designed to monitor and block sensitive data
have shortcomings. Less than ideal solutions will:
Scan data at endpoints too slowly
Handle a limited number of documents
Fail to detect data in multiple languages
Do not support partial data matching
Cannot identify and protect sensitive data when users are offline
Trend Micro Data Loss Prevention prevents data loss with a unique approach that combines endpoint-based
policy enforcement with highly accurate DataDNA™ fingerprinting and content matching technology. Trend
Micro DLP includes pre-configured templates and validation modules for privacy data, such as those defined
by PII, PHI, and PCI regulations. These features help to simplify the process of detection and enforcement
for IT administrators. The fingerprinting technology supports full or partial matches using a language-
independent technology, with ultra-small, locally-stored signatures that enable policy enforcement for
endpoints—whether they are on or off the network.
5 White Paper | Solutions for Privacy, Disclosure, and Encryption
7. TREND MICRO DATA PROTECTION SOLUTIONS
FOR PRIVACY, DISCLOSURE, AND ENCRYPTION
It is important to secure protection points that cover three data modalities:
Data at Rest. The Trend Micro solution scans endpoints and file systems for confidential data, giving
enterprises visibility into where their confidential data is being stored and accessed.
Data in Use. Trend Micro DLP also monitors data in use across numerous communications channels
such as USB-based removable storage, CDs, DVDs, and printers.
Data in Motion. Trend Micro DLP provides protection for channels that include email, webmail,
instant messaging, and FTP.
These protection points can be enabled at the endpoint or network and can include the following actions: log,
warn user, capture forensic data, require user justification, or block. This helps to improve compliance over
time, as users are educated at the point of the violation—a pop-up screen explains the organization’s policy
and prompts for justification of the prohibited action.
While implementing controls is part of the compliance challenge, validating these controls against the data
protection policy plays an even bigger role: it’s core to the audit process. Compliance audits, such as those
required by PCI DSS, require tamper-proof activity logs to prove that controls are in place and are effective
for protecting confidential data. Trend Micro DLP provides these logs, as well as compliance reports that
highlight violations and the confidential data that was detected. This helps to greatly mitigate risk over time.
TREND MICRO EMAIL ENCRYPTION
Email encryption solutions enable organizations to enforce compliance requirements and to ensure that
confidential information is delivered securely. However, using traditional encryption solutions to protect email
and attachments from unwanted eavesdropping, tampering, and spoofing is often complex—placing
additional burdens on IT management.
Trend Micro Email Encryption solutions are easy to use within an existing email infrastructure. They provide
universal reach by allowing organizations to deliver private email to any recipient without burdensome
recipient pre-registration or certificate management of Public Key Infrastructure (PKI) technology. Encrypted
content is simply pushed from senders to recipients like any other email. While the solution is offered in both
hosted and on-premise versions, hosted encryption goes further in maintaining public keys, securing private
keys, and managing certificate revocation lists on behalf of customers. The Trend Micro hosted service
enables even small or medium-sized businesses to cost-effectively address encryption requirements.
Trend Micro also addresses usability and accuracy concerns by removing the dependence on end users to
enforce the encryption of their confidential emails. Policy-based email encryption automatically encrypts and
decrypts emails based on administrator-defined policies—using content filtering capabilities from a
messaging security gateway solution, such as Trend Micro Hosted Email Security.
To support audit requirements, Trend Micro Email Encryption also provides tamper-proof activity logs and
compliance reports that highlight violations and any detected confidential data.
6 White Paper | Solutions for Privacy, Disclosure, and Encryption