
Page 1: Encryption information security last stand

Electronic Crime Prevention Tactics

Data encryption: Information security last stand for the enterprise

George Delikouras
Athens International Airport S.A.

Head IT Architecture & Network Security
Information Technologies & Telecommunications Dept.

[email protected]

January 15, 2009

Contents

Our everyday environment
e-mail and Christmas postcards
I lost my laptop!
Some myths about encryption
Some truths about encryption
Strong encryption demystified
Choosing an encryption platform
Case studies from Athens International Airport
Questions & answers

Introduction

The global trend for information security during 2008: enterprises gradually abandon the perimeter security model and start focusing on data protection in the internal environment.

The problem: enterprises need to secure the data that has value, whether at rest or in transit to and from the company.

The requirements: protect the data, comply with laws and regulations, do not increase complexity, do not affect productivity, and do it "yesterday".

Our everyday environment

1 out of every 500 e-mail messages contains confidential information [1]

43% of messages that violate security policies contain private customer data or intellectual property [1]

84% of high-cost security incidents occur when insiders send confidential data outside the company [2]

95% of risk comes from faulty business processes and untrained users [1]

[1] Source: Vontu Risk Assessment

[2] Source: Gartner

e-mail and Christmas postcards

e-mail is at risk at multiple points

[Diagram: the message passes through the client systems, the corporate mail server, the Internet (in transit), the recipient's mail server and the recipient's systems; each one is a point of exposure.]

e-mail is vulnerable at multiple points. SSL/TLS security alone is not sufficient: it protects one hop at a time (client to server, or server to server), and the message is stored in plaintext on every mail server and endpoint along the way. Only end-to-end encryption of the message itself covers all of these points.

I lost my laptop!

Risk is inevitable, but it must be anticipated & mitigated
Computing devices are lost & stolen every day
Intrusions & breaches are on the rise
Passwords become weaker as password-cracking tools proliferate

A typical laptop contains:

4,000 files

700 valuable documents

60 critical pieces of data

25 proprietary, confidential files

Our everyday environment

[Four chart slides; the charts are not reproduced in the transcript. Source: The Ponemon Institute, 2008 Annual Study: UK enterprise encryption trends]

Some myths about encryption

Myth #1: Encryption is too complex and difficult to plan, deploy and use

In truth, well-designed encryption solutions emphasize simplicity in planning, deployment and use. Encryption can be transparent to the end user; the complexity that remains sits with the administrators, in key management and key recovery, and that is where the planning effort should go.

Some myths about encryption

Myth #2: Encryption is a great way to protect data on a notebook computer or corporate server, but it can't help protect data on a PDA or smartphone.

Fortunately, a number of application solutions now specifically support data encryption for information stored on mobile computing devices.

Some myths about encryption

Myth #3: The state and federal regulations with which my organization must comply don't say anything specifically about data encryption.

Most regulatory mandates do not specify particular technologies that must be deployed to ensure secure communications, data privacy, accountability or transaction tracking. Data encryption, however, is often the easiest and most fail-safe method of meeting these requirements.

Some myths about encryption

Myth #4: Encryption will significantly slow down my system or impact network performance.

In truth, new application designs use available computing cycles efficiently and take advantage of background processing to perform tasks. As a rough guideline, a well-designed encryption product should typically have a performance impact in the range of 2%-5% for standard uses. Measure it on your own representative workloads before rollout rather than relying on the vendor's figure.

Some myths about encryption

Myth #5: It will take a tremendous amount of training for company employees to begin using data encryption.

In truth, in most cases staff members using data encryption on personal computers will require no training at all. Encryption is transparent, as the complexity goes on behind the scenes in modern applications.

Some myths about encryption

Myth #6: My organization already uses an operating system with encryption built in, so we don't need any additional encryption tools.

Operating system encryption generally lacks central management capabilities, and it also lacks the reporting and logging features necessary for regulatory compliance: without them you cannot prove to an auditor that a lost device was actually encrypted at the time it was lost.

Some myths about encryption

Myth #7: Encryption can't be that secure if someone can just steal the keys from a server and break into any affected system.

The theft of cryptographic keys is certainly a risk. Isolating key protection in a dedicated hardware security module (HSM), which performs the cryptographic operations internally and never exports the private key in the clear, offers stronger protection than a software-only solution.

Some truths about encryption

Truth #1: Business data is everywhere and it's on the move

Where it moves: laptops, USB flash drives, mobile phones, Internet e-mail, remote users, branch offices, consultants, outsourcing, remote technical support.

Some truths about encryption

Truth #2: Exposed data carries high costs and consequences

Between 2005 and 2007 the cost of data breaches rose 43%, and the per-record cost is now close to $200 [*]

[*] The Ponemon Institute, 2007 Annual Study: U.S. cost of a data breach

Some truths about encryption

Truth #3: Only encryption can secure all your data, wherever it is

No firewall, single agent or security point solution is able to protect a file wherever it goes. Only encryption protects the data itself, so wherever the business data goes, its protection goes with it. That protection is only as good as the key management behind it: whoever holds the key holds the data.

Some truths about encryption

Truth #4: An enterprise-wide data encryption strategy reduces the risk of data breaches

Instead of following the silo approach of acquiring and managing multiple, disparate encryption solutions, the organization can deploy a single enterprise-wide data encryption platform.

Some truths about encryption

Truth #5: Enterprise data protection liberates your business

Enterprise data protection is a strong security system comprising four components:

Protect data

Detect Risk

Control access

Manage data

Strong encryption demystified

Cryptographic strength is measured by the time and resources it would take to recover the plaintext. The result of strong cryptography is ciphertext that is very difficult to decipher without possession of the appropriate key. How difficult?

Given all of today's computing power and available time (even a billion computers doing a billion checks a second), it is not possible to recover the plaintext of strong cryptography by exhaustive key search before the end of the universe. This holds for the cipher itself only: in practice, encrypted data is recovered through stolen or weakly protected keys, guessable passphrases and implementation flaws, not by brute force.
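The figure behind the claim above, worked out here as an addition to the slide (not from the original presentation), assuming a 128-bit symmetric key and the slide's rate of a billion machines each doing a billion checks per second:

$$
10^{9}\ \text{machines} \times 10^{9}\ \text{checks/s} = 10^{18}\ \text{keys/s}
$$

$$
\frac{2^{128}}{10^{18}\ \text{keys/s}} \approx \frac{3.4 \times 10^{38}}{10^{18}} = 3.4 \times 10^{20}\ \text{s} \approx \frac{3.4 \times 10^{20}}{3.15 \times 10^{7}\ \text{s/year}} \approx 1.1 \times 10^{13}\ \text{years}
$$

The expected time to hit the right key is half of the full search, about $5 \times 10^{12}$ years, against an age of the universe of roughly $1.4 \times 10^{10}$ years. For comparison, the 56-bit DES key of the previous generation falls to the same attacker almost instantly:

$$
\frac{2^{56}}{10^{18}\ \text{keys/s}} \approx \frac{7.2 \times 10^{16}}{10^{18}} \approx 0.07\ \text{s}
$$

Each extra key bit doubles the work, which is why "strong" is a statement about key length and cipher design, and why a 128-bit key protected by an eight-character passphrase is only as strong as the passphrase.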

Strong encryption demystified

Public-key cryptography uses a pair of keys: a public key, which encrypts data, and a corresponding private key, which decrypts it. Because it uses two keys, it is also called asymmetric cryptography.

You publish your public key to the world while keeping your private key secret.

Anyone with a copy of your public key can then encrypt information that only you can read, even people you have never met.

Strong encryption demystified

Anyone who has a public key can encrypt information but cannot decrypt it. Only the person who has the corresponding private key can decrypt the information.

An example of confidentiality

Strong encryption demystified

Only the person who has the private key can produce the signature on the information. Anyone who has the corresponding public key can verify it. (In practice the signer signs a hash of the information rather than the information itself, and the picture of "encrypting with the private key" is a simplification that holds for RSA.)

An example of authenticity

Strong encryption demystified: How things work

[Two diagram slides; the diagrams are not reproduced in the transcript.]

Choosing an encryption platform

Can the solution protect all the organization data?

Vendors tell us that their product protects "all the data", but what they mean is all the data contained on specific devices such as laptops, USB flash drives or PDAs. This is not enough. We must protect all data, at rest or in transit. Businesses need a strategic framework that supports consistent key and user management and policy across multiple encryption applications.

Choosing an encryption platform

Is the solution flexible enough to meet the needs of a growing business?

When vendors say their solution is scalable, they mean it can support more end users and devices. The problem is that today's business growth is rarely that simple. New partners, branch or international offices, mobile workers, outsourced contractors and new technologies are only the tip of the iceberg of the challenges enterprises face. The answer is an encryption framework rather than a single application.

Choosing an encryption platform

How fast can my organization deploy encryption?

Usually deployment speed comes at a price. If we later need to add another encryption product or technology and have to repeat the time-consuming and costly testing, training and implementation steps that we completed the first time, then we have paid that price. It is the classic story of taking the time to do the job right the first time, or suffering unforeseen consequences at a later date.

Choosing an encryption platform

How difficult is it to manage data encryption?

Encryption requires skilled personnel to manage; this is easy to understand. What vendors don't tell you is that encryption management becomes far more complicated and costly with multiple point solutions. Each additional encryption product requires more IT staff to handle integration, more updates and upgrades, and more maintenance, and each brings its own key store that has to be protected, backed up and audited.

Choosing an encryption platform

How will a data encryption solution affect my organization's productivity?

Vendors always claim that their solutions increase productivity. Problems start if the enterprise requires more than one solution for end points or data transmission. Increased complexity, and data that is unavailable when you need it, lead to user frustration. Enterprise-wide encryption policy and key management is therefore an important selection factor, mainly for productivity reasons.

Choosing an encryption platform

Does the solution provide a platform approach to data encryption?

The term "platform" is widely used. Platform-based enterprise data encryption should include: centralized key management, integration with third-party applications and centralized reporting across all applications. These three elements provide data access (keys can be recovered when a user leaves or forgets a passphrase), integration with the existing infrastructure, and data protection wherever the data resides and however it is transmitted.

Choosing an encryption platform

How well does the proposed encryption solution integrate with my organization's existing applications?

A typical point product integrates well enough with the infrastructure to install and run the application. It may not integrate with additional encryption applications that you may need down the road. Additionally, it may not integrate with your existing PKI, meaning you may have to throw away that investment.

Choosing an encryption platform

Will encryption help my organization comply with legal and regulatory requirements?

Unfortunately, businesses concerned about these requirements often focus on a single data vulnerability, such as laptops. This thinking leads to disjointed and siloed encryption deployments that leave many companies vulnerable to data breaches and compliance violations. An encryption platform that protects all data at rest and in transit covers the data wherever it is, not only on the one device type that prompted the project. It does not, on its own, stop an authorized user or a compromised endpoint that legitimately holds the keys, so access control and monitoring remain part of compliance.

Case studies from Athens airport

The request: Secure the minutes of the meetings of the Board of Directors (BoD). Secure the distribution of papers via Internet e-mail without installing additional software on the BoD members' computers.

Technologies used: PGP Desktop, PGP Web Messenger

Case studies from Athens airport

The request: Secure specific managers' laptops so that even if they are stolen, a data breach is impossible.

Whole disk encryption protects a laptop that is powered off or sitting at the pre-boot prompt. A machine stolen while running and unlocked still exposes its data, and the disk key is present in memory, so shutdown and screen-lock policies are part of the control.

Technologies used: PGP Desktop, PGP Whole Disk Encryption (WDE)

Case studies from Athens airport

The request: Secure the e-mail messages and attachments with the monthly bills distributed to all Athens International Airport tenants. Confirm that each e-mail has reached its destination and keep legally valid proof of receipt.

Technologies used: PGP Desktop, PGP PDF Messenger

Case studies from Athens airport

The request: Secure the Athens International Airport Business Plan Excel worksheets in a way that only the authorized people will have access to them.

Technologies used: PGP Desktop, PGP NetShare

Case studies from Athens airport

The request: Secure the Athens International Airport external and internal correspondence of specific users during specific processes (procurement tenders and evaluation, personnel evaluation, salary increases and bonus definition, etc.).

Technologies used: PGP Desktop, PGP NetShare

Case studies from the UK market

Enterprise encryption use by application type

[Chart not reproduced in the transcript. Source: The Ponemon Institute, 2008 Annual Study: U.K. enterprise encryption trends]

Case studies from the US market

Enterprise encryption use by application type

[Chart not reproduced in the transcript. Source: The Ponemon Institute, 2008 Annual Study: U.S. enterprise encryption trends]

Information security last stand

Two simple laws of information security to remember:

1. We apply best practices to prevent unauthorized access to our systems and information.

2. If security is nevertheless compromised and unauthorized access is achieved, the information must still be unreadable.

Questions & answers

Athens International Airport

Thank you for your attention!

George Delikouras
Head IT Architecture and Network Security
Information Technologies & Telecommunications Dept.
[email protected]