
Post on 06-Aug-2020


Source: wavesys.com/system/files/03-000395.1.00_CS_VPV.pdf

VPV Versicherungen relies on Wave Systems to protect sensitive data

Self-encrypting SSD hard drives, managed by Wave, help the VPV protect confidential data on convertible laptops.

Case Study

Branch of Industry

Insurance

Product

Wave EMBASSY Remote Administration Server (ERAS) to safeguard and manage 1,000 Fujitsu Lifebook T902 tablet PCs with self-encrypting SSD hard drives.

Client

With headquarters in Stuttgart and Cologne, VPV Versicherungen (also known by its acronym “VPV”) is a modern financial services company with more than 185 years of tradition. About 500 employees work in-house at the VPV and over 600 individuals comprise the out-of-office staff. These are supported by 250 part-time agents throughout Germany. With a balance-sheet total in excess of eight billion euros, the VPV currently numbers among Germany’s medium-size insurance companies. The VPV’s partners include Aachener Bausparkasse, Deutsche Familienversicherung, DSL Bank, Hallesche Private Krankenversicherung, HUK-Coburg and Gothaer. Trust is critical here, so the VPV places especially high priority on the reliable safeguarding of confidential customer data.

Summary of Advantages

Product: Wave ERAS (EMBASSY Remote Administration Server) for self-encrypting SSD hard drives

• Access to all encrypted data is protected within minutes

• Built-in encryption minimises the costs of setup and support

• Security guidelines are centrally managed

• Audit reports provide provable compliance

Principal Characteristics

• Convenient compliance on the basis of security guidelines

• Continually monitors security incidents, automatically solves problems and generates compliance reports

Data Protection

• Prevents local encroachments, even by users with administrator’s rights

• Locks the hard drive when a device is in sleep mode

• Administers clients within or outside the firewall, as well as machines that don’t belong to the domain

Ingeniously Simple

• All data is automatically encrypted—users no longer need to decide what data deserves protection and what does not, increasing productivity

• Synchronisation with Windows passwords and single sign-on

• Remotely add, recover and remove users

• Administrators need less training because they’re already familiar with the Microsoft MMC Snap-In user interface

• Role management on the basis of individual or predetermined roles to delegate tasks

• Add user accounts via “Zero Touch”—neither the user nor the company’s IT is inconvenienced

No Compromises

• Encryption doesn’t interfere with users’ workflow

• Allows for customisable messages on the authentication form prior to booting

The Challenge

The employees who comprise the VPV’s field staff use convertible tablets so customers can conveniently sign their signatures at home directly on the monitor. This method has proven successful—and that’s why the VPV ordered more than 1,000 new devices to coincide with a changeover to Windows 7. Self-encrypting SSD hard drives were chosen because they facilitate the fastest possible data access and encryption.


Wave Systems Corp. 480 Pleasant Street, Lee, MA 01238 (877) 228-WAVE • fax (413) 243-0045 www.wave.com

Copyright © 2014 Wave Systems Corp. All rights reserved. Wave logo is trademark of Wave Systems Corp. All other brands are the property of their respective owners. Distributed by Wave Systems Corp. Specifications are subject to change without notice.

03-000395/version 1.00 Release Date: 11-14-2014

WAVE SYSTEMS – CASE STUDY – VPV Versicherungen

The VPV reaffirmed its commitment to data protection in 2013, when it became party to the data protection code of the GDV. The VPV publicly pledged to uphold the rules of conduct for data processing in the insurance industry. To comply with the strict guidelines for the protection of stored and transmitted data, Winfried Kohles, who heads the VPV’s computer centre, sought a secure and easily administered IT solution.

“Our task is to provide new, conveniently usable tablets so our advisors can continue to work in their accustomed manner when they present the VPV’s portfolio. We wanted a tablet that would offer time-tested functions such as simple rotation of the laptop’s monitor, the convenience of being able to write one’s signature directly on the monitor, and the ability to burn CDs onsite,” Kohles says. “Even more important than this was the safeguarding of customer and contractual data on these devices. The relatively high risk of losing these devices is a challenge. Remote administration and maintenance should also be possible. And the initial installation should be uncomplicated. Other important factors were a smooth transition to Windows 7 and a management solution for SSD hard drives that wouldn’t slow the process of data provision.”

Reaching the Decision

Through Dell, the VPV became aware of the Opal standard, which was created by the Trusted Computing Group with the goal of developing, defining and promoting manufacturer-independent security standards. The hardware-based Opal encryption performed by the self-encrypting SSDs used in this project upheld the VPV’s high security standards.

Standardisation without vendor lock-in was an important factor. The selection of potential devices wasn’t narrowed and no curtailments had to be made with regard to security. The same holds true for ERAS from Wave Systems: this security-management software can be used to manage any self-encrypting drive that’s manufactured to the Opal standard.

The VPV decided in favour of the Fujitsu T902 tablet, a so-called “convertible laptop.” The combined solution of Wave and Fujitsu was practical—the tablet PCs were delivered with the desired hard drives and with pre-installed software. Pre-installation of ERAS kept costs low and didn’t unnecessarily occupy the capacities of the IT division.

The decision-makers opted for the FDE (full disk encryption) offered by self-encrypting drives in order to protect personal data. A user doesn’t have to decide which data should be encrypted—this solution is not only user friendly, it’s also especially secure from the company’s perspective. “It is our responsibility to prevent confidential data from falling into the wrong hands. At the same time, we must also enable our colleagues to work efficiently,” says Jürgen Reinsch, IT director at the VPV. “With complete and centrally administered encryption, we harmonise security and convenience.”

Simple Administration and Strong Protection

Software-based solutions, which are logistically complicated to deploy, are also less secure than ERAS-managed self-encrypting drives (SEDs). SEDs store the encryption key in a special area of the drive’s hardware, so data is not as vulnerable to software attacks, malware and rootkits, because the encryption key is not kept in the operating system. The installation and administration of security software would have been a more laborious undertaking. There is no initial encryption with ERAS-managed SEDs, so Wave’s solution secures the data within minutes. Software-based solutions can easily be ten times as expensive as a hardware-based solution. Furthermore, compared to the speedy SSD flash-storage technology, one would suffer a loss of performance with the use of software solutions. A hardware-based solution is therefore less costly and simpler to administer because it doesn’t impose limitations on the performance of the devices.

ERAS’s protection begins even before the device boots. A user must enter a password before he can access data. ERAS supports password synchronisation and single sign-on for Windows—only one password needs to be entered. ERAS is based on the familiar Microsoft management console, thus easing the transition from BitLocker to SEDs and requiring little training. ERAS also uses existing directory functions and mechanisms to manage security guidelines such as the assignment of users and policies directly in the directory framework.

With ERAS, the loss of a device is not a critical issue. A thief would not be able to bypass the Wave authentication security. If someone did attempt to use a stolen device to access the network, ERAS would detect the unauthorised access and the administrator could delete the encryption key, rendering the device and data inaccessible. This is also practical when devices or hard drives are decommissioned.

The SEDs are centrally managed: this is necessary when protecting the data of the VPV’s out-of-office employees, who are deployed throughout Germany. Support and troubleshooting (e.g. erasure or addition of users and data, backups, and password recovery) occur remotely: this is convenient for the users and it reduces the workload in the IT division.

In addition, ERAS makes it possible to generate compliance reports. These can prove that the data which the VPV has collected, stored and transmitted are securely protected. Security profiles are not only important for the VPV: they’re also required by law. ERAS optimally assures both internal and industry-specific compliance.

Deployment

The chosen solution proved totally convincing during a test phase. The only delay occurred when VPV chose to wait for a new chip configuration from the manufacturer. The basic tests were therefore conducted on the old devices. Further tests on the new generation of devices ran without any problems. Approximately 1,000 convertible tablets were delivered with the desired self-encrypting solid-state drives. Thanks to fully automatic software installation via SCCM, the configuration didn’t place an unnecessarily heavy burden on the daily workflow in the IT division—despite the large number of new devices. “The setup of the devices ran smoothly—the assignment of users and policies in the Active Directory framework was very easy,” Kohles recalls with satisfaction.

Summary

Wave ERAS assures that all data, without any exceptions, is immediately protected on the VPV’s tablets. Automatic administration of hard drives via ERAS reduces the workload for the internal IT division and saves money. Thanks to the Opal SED standard, field staff can use whichever devices they prefer. After having successfully implemented this project, Winfried Kohles is now also responsible for looking after the deployment of ERAS on the Ultrabooks of the VPV’s executives. Alongside the administration of self-encrypting hard drives, Wave also makes it possible to manage devices with the TPM (Trusted Platform Module)—another hardware component with open industry standards. One emerging use case of the TPM is Wave Virtual Smart Card, which is used to provide a low-cost, token-based two-factor authentication solution for Windows, VPN, Outlook, and more.