Data Protection - San Francisco Bay Area ISSA Chapter


Data Security on Removable Media
ISSA San Francisco
Jason Webster
TABLE OF CONTENTS
1 Imation Overview
2 Market Situation
3 Secure Removable Storage Devices
4 Central Management Software
5 Data Center Tape Protection
IMATION CORP OVERVIEW
• Leading global marketer and developer of branded products that enable people to store, protect and enrich their experiences with digital information
• Technology leadership, global distribution reach, and customer relationships make us a preferred partner for leading companies worldwide
• Broad portfolio of data storage products, consumer electronics and accessories
• Global market share leader in recordable optical media and data storage tape
• 2010 revenue $1.46 billion, >1,000 employees, serving more than 100 countries
MARKET SITUATION
MARKET SITUATION - SUMMARY
DATA GROWTH [1]
The growth of digital information has rapidly surpassed expectations.
By 2011 the digital universe will be 10 times the size of 2006
INCREASED DATA MOBILITY
The importance of data has increased its access and mobility requirements, making it more difficult to secure and protect
INCREASED DATA BREACHES
As data and its mobility grow, the number of data breaches and the amount of data exposure have also grown
U.S. 2010 > 662 Breaches [2]
412 (62%) Exposed Social Security Numbers
170 (26%) Exposed Credit or Debit Cards
REGULATIONS INCREASING
Increased data exposure has resulted in increased regulations and reporting requirements globally
COST OF DATA BREACHES GROWS
Increased reporting requirements and increased data breaches result in increased breach costs
U.S. 2010 $214 per record [3]
$7.2 Million [3]
Average org. cost of data breach over 4 years
[1] Source: IDC – The Diverse and Exploding Universe – March 2008
[2] Source: Identity Theft Resource Center – 2010 Data Breach Stats January 3, 2011
[3] Source: Ponemon Institute – Fourth Annual U.S. Cost of Data Breach Study January 2009
Data Breach cost by Industry
Legislation
• 46 States with Data Breach laws
– 33 new proposed laws in 2010
• HITECH ACT of 2009 - Mandatory new regulatory requirements
– Encryption needed but not “required” on all DAR (data at rest) devices
  • severe penalties for an unsecured data breach!
– Public notification for an unsecured data breach of > 500 individuals
– Civil and federal penalties but safe harbor for encrypted data
– Patient right to receive a copy of records electronically
– 15 million in Health Care, 60% touch Patient Healthcare Information
• FTC Red Flag Statutes
– All organizations subject to the legislation must develop and implement a formal, written and revisable "Identity Theft Prevention Program" (Program) to detect, prevent and mitigate identity theft.
– All financial institutions (state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer)
– Solutions include encryption and multiple factor authentication
• 12/29/2010 SEC Approves Amendments to FINRA Rule 8210 to Require Encryption of Information Provided Via Portable Media Device
– Financial Industry Regulatory Authority is the largest independent regulator for all securities firms doing business in the United States
– Rule applies to all FINRA member firms (4,570 brokerage firms)
FIPS BASICS
The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government security standard that specifies requirements for cryptographic modules
• FIPS is required by law for U.S. government purchases
• Strictly enforced in Canada
• Gaining international recognition in Asia and Europe
• Being adopted within regulated industries (e.g. Financial, Healthcare)
Description of FIPS 140-2 Four Levels
FIPS 140-2 Level 1
The lowest level, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent
FIPS 140-2 Level 2
Adds requirements for physical tamper-evidence and role-based authentication.
FIPS 140-2 Level 3
Adds requirements for physical tamper-resistance and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces
FIPS 140-2 Level 4
Makes the physical security requirements more stringent, and requires robustness against environmental attacks. Level 4 is currently not being utilized in the market
Currently, Level 3 is the Industry Standard.
Web Sites track reported data breaches
May 6th – 3
May 5th – 2
May 4th – 9
May 3rd – 4
May 2nd – 5
May 1st – 0
Recent Major Data Breaches
Theft
• The Family Planning Council in Philadelphia reported a data breach involving a flash drive theft, placing information on 70,000 patients at risk, April 14, 2011
Disgruntled Employee
• How Adrian Jones' Superstar IT Career Went Sideways, April 28, 2011 (HP Executive allegedly downloaded confidential trade secrets on a USB device that was not controlled)
Honest Mistake
• Search on for memory stick missing from public school board, April 13th, 2011 (All the information from the computer, including employee information such as direct deposit forms, resumes, and other scanned documents, was put on the unencrypted flash drive.)
Recent Headlines – www.HealthcareInfoSecurity.com
• 2/24/11 Mass General HIPAA Penalty: $1 Million
– Lost documents included information from infectious disease dept, including AIDS patients
– Corrective Action plan “Develop and implement a comprehensive set of policies and procedures that ensure patient information is protected when removed from the hospital”
– Mass General to take extra steps to encrypt laptops and USB drives
• 2/23/11 HIPAA Privacy Fine: $4.3 Million to Cignet Health
– First civil monetary penalty to a healthcare organization
– Cignet failed to provide 41 patients with access to medical records
– Failed to cooperate with Federal investigators
• 2/14/11 New York City Health & Hospitals Corp breach affects 1.7 million
– Largest incident reported under the HITECH Act breach notification rule
– Information lost includes names, addresses, social security numbers, patient medical histories
– Hospital Corp. offering 1 year free credit protection service to affected individuals (will cost them Millions)
– Per the HITECH ACT, if data was encrypted then public notification would not be required
• "The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule," said HHS Secretary Kathleen Sebelius.
Secure Removable Storage Devices
USB Devices
• Over 2 Billion devices sold each year (PC World Jan 2009)
• According to security firm Vontu
– Over 50% of 480 surveyed tech professionals had USB devices with unprotected confidential information
– 1 USB drive is lost at work each month
– Unlike laptops, storage devices are small and cheap. Many employees do not report them missing as they would a laptop.
• According to Ponemon
– Employees were less than 50% likely to report lost USB device or Optical
– Most employees would knowingly break corporate policies
  • Sharing passwords, downloading confidential data, taking work home
SECURITY ELEMENTS
• Physical Security
• Encryption
• Authentication
• Malware Protection
• Management
• USB Port Control
Types of Security on USB Devices and Optical
• Encryption
– 128 bit vs 256 bit
– FIPS validated only 256 bit
• Hardware encryption vs Software encryption
– Software uses host computer for authentication, hardware authentication occurs in device
– Software encryption typically slows down performance
– Software encryption (FIPS Level 1) will get you compliant, Hardware Encryption (FIPS Level 3) will give you top security
– Software encryption typically Windows only
• Authentication
– Password
– Biometrics
– CAC/PIV card (upcoming)
• Optical
– Common method:
  • Encrypt files with third party software and burn onto optical media
– New method:
  • Self-encrypting recordable CD/DVD/Blu-ray disc
128 bit vs 256 bit encryption
Twice as long, twice as strong?
Light years stronger
Equivalent to all the grains of sand on the planet or every known star in our galaxy
340,282,366,920,938,000,000,000,000,000,000,000,000
Authentication
• Authentication verifies a user’s identity
– It’s what “unlocks” the device by validating you are who you say you are
• Various methods:
– Strong Password - A password is sent into the device, and the device verifies it’s correct
– Biometric - A finger is swiped across the sensor, another chip verifies it
– RSA SecurID - digital identity
– PIV - Personal Identity Verification
– CAC - Common Access Card
– PKI - Public Key Infrastructure
• Hardware Encrypted devices
– Authentication is done in Hardware
– The “boundary of trust” does not include the computer
Our Portfolio Overview
• Very Robust Device Management (Central Management)
– Automatically registers user to devices and implements policies
  • Low System overhead and limited support staff required
– Manages Multiple Device Types and Brands
  • Leverages existing investment
– Provides Forensic Level Auditing
– File level blocking by type and name
– Manages Devices off the network
– Remote Kill of Devices
• Broadest Secure Portable Storage Portfolio:
– Optical Products - CD/DVD
– USB Flash Drives
– External Hard Disk Drives
• Multiple Authentication Methods
– Password (hardware rules)
– Biometric + Password
• Global Government-Validated Encryption
PORTFOLIO SUMMARY
[Chart: products positioned by FUNCTIONALITY against TARGET MARKETS]
Functionality: Secure Storage; Managed Secure Storage; Managed Secure Storage & Strong Authentications; Managed Secure Storage & Strong Authentications with SmartCard
Target markets: SOHO/SMB; Enterprise; Large Enterprise; Government/Financial Services
Products:
• Defender H100 & H200 +Bio. Features: FIPS 140-2 L3
• Defender F200 +Bio. Features: FIPS 140-2 L3
• Defender F100 & F150. Features: FIPS 140-2 L3, Cap design
• Defender F50. Features: FIPS 140-2 L1, Pivot design
• Defender Optical. Features: FIPS 140-2 L1
Device Management
Management Features
• Remote Kill/revocation
• Addition of encryption to non-encrypted devices
• Time based policies vs event based
• File Level Auditing
• USB Port Control - Allow, Block, Read only
• File level blocking
• User group policies
• Ability to manage third party devices
• Remote Policy Updates
• User self rescue
• Password complexity and interval
• Remote Password update
• Data Recovery
• Automatic registration of devices vs issuance
Why Wikileaks could have been prevented
• User could have been blocked from access to removable storage devices
• File types/names/contents could have been blocked from the Central Management Software
– Block, alarm, monitor
• Auditing of activity would have shown which files were being downloaded by whom from which computer
• Offline usage could have been disabled
• Device could have been remotely killed/disabled
• Auditing would have shown which files were saved to which computer from which device
Device Management Software
[Diagram labels: StealthZone (SPD); Port Control; Legacy Removable Media; Defender FIPS L1; Defender FIPS L3; Cards; Laptop, Netbook, and Desktop PC Ports; UFD; EHDD; Mobile Devices; Media Players; Defender Optical; F50 Pivot; F100/F150; F200 +Bio; H100/H200 +Bio]
Case Study: US Army Base
Overview: Army Support Activity supports and conducts Reserve Component Training and Mobilization/Demobilization operations. The ASA plans and executes other Army directed support missions, and, on order, establishes and operates a Joint Mobilization site
Requirements:
• The ability to access sensitive mission and combat training data on secure, ruggedized and tamper-proof storage devices.
• Integrated anti-malware defenses, remote kill and key management
• The solution must meet DoD DAR CTO requirements
Solution
• Defender F150’s FIPS 140-2, level 3 drives
• Each device was loaded with McAfee A/V and Imation Device Control Applet
• Central Management is performed through Imation Control Server software
Result
• All USB devices can be managed and used securely in compliance with the DoD CTO security requirements
• DAR Approved Central Management allows for remote kill, key management and detailed forensic auditing/reporting.
How to be Compliant and Secure
• For non-criminal intent Data Breaches (Lost Devices – Honest Mistake)
– Use AES 256 Bit Encrypted Devices
• For Stolen Devices
– Use AES 256 Bit Encrypted Devices with embedded Security Policies
– Extra insurance
  • 2 factor Authentication
  • Remote Kill
  • FIPS Level 3 Encryption
• For Disgruntled employee
– Central Management of Devices with stringent Security policies
  • USB Port Control
  • File Level Auditing capability
  • Blocking of files
  • Remote Kill
• Proactive Enforcement of Policies
– Central Management of devices to ensure 100% compliance to Company Security Policies to protect critical company data, e.g. Financials, IP, Employee or Customer information. You also will have auditing and reporting capability
Upcoming Imation technologies
• Digital Rights Management
– Prevent printing, copying, emailing
– Timebomb files
• Smart Card Integration
– Common Access Card (CAC) or Personal Identity Verification (PIV)
– Strong two and three-factor authentication
– No new password required -- card PIN is used
• Secure portable desktop
– Allows you to boot directly from your USB drive.
– Turn any host computer into the user’s computer
– Boots directly into Windows environment
– “Generic mode” allows use on unknown PCs
Securing Traditional Storage
Understand the Need
• More data is being backed up today than ever before
• More data is stored per individual cartridge
– Cartridge capacities have reached 1 terabyte native
• More cartridges are moving to and from more locations
– Additional data centers, vault sites
• More regulations on data protection and preservation exist
today than ever before
– Non-compliance can be very expensive
Encryption of Tape
• AES* 256-bit encryption available with LTO4/5, Oracle T10000 and IBM 3592 (TS1130) drives
• Drive level encryption enables compression before encryption
• LTO offers possibility of 3rd party key management system
• <1% impact on drive performance
*Advanced Encryption Standard
LTO RFID CM Chip
LTO CM holds diagnostic information
– eg. Error rates, data-sets written, drive utilization, number of mounts
Analyzed to determine drive/media performance trends for failure prediction
LTO CM info captured within seconds
Scan of CM does not compromise security of data
Locking Features
Users can choose to “Lock” their cartridges for added transport or storage
security.
When locked, the cartridge cannot be read from, or written to,
by any LTO drive.
RFID Asset Tracking
What Customers Say
• “I need to know…”
– I am compliant with regulations
– Where my tapes are
• Within my library
• In other data centers
• At my vaulter
– I am being as efficient as possible in my operations
– If I need a tape, I will be able to find it quickly
– If an auditor asks about a tape, I will be able to demonstrate
chain of custody
IT Asset Lifecycle Management
Customer Case Study

• Thousands of IT hard drives and tapes containing highly sensitive customer and corporate information
• No ability to control or monitor removal of laptops from facilities
• Inability to ensure end of life drives were properly destroyed created
• 5 high profile breaches in 2 years, consumer outrage

• Developed special use passive RFID tags to place on all hard drives and laptops
• Deployed Asset Management solution to track the lifecycle of the corporate assets
• Installed special use readers at various entry / exit choke points
• Automated feedback from crushing to end-of-life assets

• Established a corporate risk mitigation strategy to protect corporate and consumer
• Greatly curtailed asset loss and ensured end of life assets were destroyed
• Improved employee awareness and automated the tracking of laptops leaving a facility
• Lowered corporate risk profile
Customer Case Study
Exiting the Secure Facility
Employee association to laptop is verified by the application and an image is quickly loaded on the Exit Security Monitor for visual confirmation
Employee approaches exit, where the employee badge and laptop tag are identified.
Security may enlarge the view and may elect to review the association details.
Case Study
An audible sound and visual cue is given to security indicating the Employee badge is not assigned to this laptop.
Employee badge and Laptop tag match.
Picture Shown for additional visual security.
Secure Destruction of Media
• Companies will buy back tape media
• Claim they recertify media and rewrite over all of the data
• In truth, most write over the header or table of contents, and the rest of the data is still live
• South Shore Hospital Data breach was caused by company taking media to be recertified, and tape was lost
– 800,000 patients at risk
– Third party was not responsible for Data - South Shore was
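An added example (not from the original presentation): a Python check that a returned or recertified media image was overwritten end to end rather than only at the header or table of contents, as described above. The 4096-byte block size, the fixed-fill-byte definition of "overwritten", and the sample images are assumptions made for illustration.

```python
import io

BLOCK = 4096  # assumed scan granularity; not tied to any tape or disk format


def scan_overwrite(stream, block_size=BLOCK):
    """Return (total_blocks, residual_offsets) for a raw media image.

    Assumption: the wipe used a fixed fill pattern, so a block counts as
    overwritten only when every byte in it has the same value (0x00, 0xFF...).
    A random-pattern wipe would need a different test.
    """
    total, residual = 0, []
    while True:
        block = stream.read(block_size)
        if not block:
            break
        if len(set(block)) > 1:          # mixed byte values: data survived
            residual.append(total * block_size)
        total += 1
    return total, residual


def verdict(total, residual, block_size=BLOCK):
    """Classify the scan: full wipe, header-only wipe, or no wipe at all."""
    if total == 0:
        return "empty image"
    if not residual:
        return "fully overwritten"
    cleared = residual[0] // block_size  # wiped blocks before first live data
    if cleared:
        return (f"header-only wipe: first {cleared} block(s) cleared, "
                f"{len(residual)} of {total} blocks still hold data")
    return f"not wiped: {len(residual)} of {total} blocks hold data"


def make_image(wiped_blocks, data_blocks, block_size=BLOCK):
    """Constructed sample image: zeroed blocks followed by fake records."""
    record = b"CONSTRUCTED-SAMPLE-RECORD;"
    payload = (record * (block_size // len(record) + 1))[:block_size]
    return io.BytesIO(b"\x00" * block_size * wiped_blocks + payload * data_blocks)


if __name__ == "__main__":
    for name, img in [("header only", make_image(2, 6)),
                      ("full wipe", make_image(8, 0))]:
        print(name, "->", verdict(*scan_overwrite(img)))
```

Media that was encrypted before the wipe also shows up as residual blocks under this test, so a non-clean verdict means "data-bearing blocks remain", not necessarily "readable data remains".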
Thank You