Slide1
Protecting the Confidentiality and Integrity of Corporate and Client Data When in the Hands of a Mobile Workforce
Mobile Protection for Trustmark Insurance
Slide2
Topics
Slide3
External / Internal Approach
External Protection – Protection of data on a device that has the potential to be externalized – Products: MDM, MDP
Internal Protection – Protection of data before it is moved to a device – Products: DLP, SIEM
Slide4
Proposed Approach and Tools
Market Classification of Tools (diagram with four areas: Laptops, Data, Smartphones, Monitoring and Compliance)
Notes: Data Loss Prevention products are sometimes referred to as Data Leak Prevention.
Mobile Data Protection is sometimes referred to as Endpoint Protection because these products can protect data both internally and externally.
Slide5
Mobile Data Protection
Mobile data protection (MDP) is a category of products for securing data on movable storage systems: laptops, smartphones, and removable media.
Provides common protection policies across multiple platforms
Provides auditable proof that data is protected
Should entail minimal support costs
Should provide FIPS 140-2 validated encryption*
*Federal Information Processing Standards, issued by NIST
Slide6
Mobile Device Management
Mobile Device Management (MDM) is a category of applications for managing smartphones. Includes the following functionality:
Software Distribution — The ability to manage and support mobile applications, including deploy, install, update, delete or block.
Policy Management — Development, control and operations of enterprise mobile policy.
Inventory Management — Beyond basic inventory management, this includes provisioning and support.
Security Management — The enforcement of standard device security, authentication and encryption.
Service Management — Rating of telecom services.
Slide7
Data Loss Protection
Data loss protection (DLP) is a category of tools that protect data as it leaves the network (sometimes referred to as “Content-Aware” DLP). Includes the following functionality:
Enables the dynamic application of policy based on the classification of content
Can be applied to data at rest (storage), data in use (during an operation), and data in transit (across a network)
Can dynamically apply policies such as log, report, classify, relocate, tag, or encrypt
Helps organizations develop, educate and enforce better business practices concerning the handling and transmission of sensitive data
Designed to:
Protect customer information, HIPAA-regulated privacy, and intellectual property
Stop data leaks to media
Provide device and port control when protected data is passed to laptops, USB drives, CDs, etc.
Provide endpoint auditing and discovery – where’s my data?
Slide8
SIEM – Security Information and Event Management
Security Information and Event Management (SIEM) is a category of tools that aid in regulatory compliance and threat management. Includes the following functionality:
Supports the real-time collection and analysis of events from host systems, security devices and network devices, combined with contextual information for users, assets and data
Provides long-term event and context data storage and analytics
Not limited to mobile data
Slide9
Functions
Slide10
Steps in the Mobile Protection Program (diagram; labels shown: Risk, Education)
Slide11
Justifying Costs to Management
Explaining to senior management the costs of doing nothing and making a case for mobile protection
Slide12
Project Phases and Estimated Costs
Total Cost of Program: 576K – 631K
Software: 136K – 191K
Consulting: 120K
Internal Costs: 320K
Estimated Duration: 4 mos.
Phase 1 Assumptions: 2 implementation consultants for 3 weeks at $1600/day; 4 hours of security and tool training per employee at internal cost of $40/hour
Phase 2 Assumptions: 1 implementation consultant for 4 weeks at $1600/day; 4 hours of security and tool training per employee at internal cost of $40/hour
Phase 3 Assumptions: 1 implementation consultant for 8 weeks at $1600/day; 8 hours of security and tool training per employee at internal cost of $40/hour
Additional servers can be created through virtualization at minimal cost
Slide13
Justifying Costs to Management
Leakage of personally identifiable information (PII) and protected health information (PHI), direct costs:
The average cost per record associated with a leak to make affected parties whole
Fees for legal representation
Engaging a PR firm to minimize damage and restore reputation to the extent possible
Consumer credit monitoring for all customers (not necessarily only those affected by the leak)
Up to five years of system and process audits conducted by an independent third party
Forrester estimates $218 per leaked record, so a leak of 100,000 records would cost $21.8M
Source: Trends: Calculating the Cost of a Security Breach. Forrester Research, Inc. April 10, 2007.
Slide14
Justifying Costs to Management
Intellectual property, direct costs:
Fees for legal recourse to address who leaked the data and discover if it is being used inappropriately
Short-term impact to R&D cost recuperation
Long-term impact to profitability/revenue projections
System and process audits to identify and correct the source of the leak
Forrester estimates the average leak results in $1.5M loss
Most IP data losses go unreported because there are no public disclosure laws that apply to intellectual property, and the impact on valuation from a publicized loss would likely be tremendous.
Slide15
Justifying Costs to Management
Total economic impact of one lost laptop: $49,246 (incl. replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses; see the component table on the next slide)
Occurrence of data breach represents 80 % of cost; intellectual property loss is 59% of cost
If the company discovers the loss in one day, it is $8,950. After one week, it is $115,849
Average cost for senior management is $28,449. For a manager or director it is about $61,000
Productivity loss is only about 1% of the cost
Loss if laptop is encrypted: $29,256 (> $20,000 less)
Loss varies by industry – financial services: $112,853, healthcare: $67,873, manufacturing: $2,184
Loss of intellectual property for healthcare is quite high - $17,999
Source: The Cost of a Lost Laptop, Ponemon Institute (sponsored by Intel), February 9, 2009
Slide16
Justifying Costs to Management
Seven cost components              Average Cost
Laptop replacement cost            $1,582
Detection & escalation cost        $262
Forensics & investigation cost     $814
Data breach cost                   $39,297
Intellectual property loss         $5,871
Lost productivity cost             $243
Other legal or regulatory costs    $1,177
Total                              $49,246
Source: The Cost of a Lost Laptop, Ponemon Institute (sponsored by Intel), February 9, 2009
Slide17
Current Trustmark Security Profile
Grid of security properties (Availability, Confidentiality, Physical, Integrity, Authentication) against layers (Host Platform, End User, Application, Network). Controls placed in the grid:
Door Locks; Security Guards; Device Protection; McAfee Anti-Virus; SunGard Disaster Recovery; Subscription levels?; GFI LANGuard Patch Mgmt; Cisco uRPF; McAfee Anti-Spyware; RAID-5/RAID-6; Database Security; Single-Factor Authentication; ID Badges; Two-Factor Authentication; CCTV; Mantrap; Hardware Security Token; Proxy Server; IPsec; Internet Content Filter; RADIUS; Firewall; PEAP; LDAP Server; Secure Paper Documents; Edifecs EDI Translator; NAC; VLANs; NAT; Border Router; PKIs; P-Synch; Microsoft Certificate Server; Business Application Level Security; WS-Security; VPN; CO2 Fire Suppression System; PPTP; Enterprise SANs; Verizon MPLS; GlobalSCAPE FTP server; S-FTP; HTTPS; OpenPGP; EMC Key Mgmt Appliance; Iron Mountain; Departmental VLANs; Laptop Biometrics; Laptop Automated Backup to Network; Role-Based Access Control; Security Policy Refresher Training; VMware; Encrypted Tape Backups; MS WSUS
Second grid on the same slide (Confidentiality, Integrity against Host Platform, End User, Network/Application): Device Protection; McAfee Anti-Virus; McAfee Anti-Spyware; Laptop Automated Backup to Network; Security Policy Refresher Training; Data Loss Protection
Slide18
User View of Situation (rows are scenarios; columns are End User, IT, Auditor, Management)
Lost Laptop
  End User: Are there copies of my files?
  IT: Is our network vulnerable?
  Auditor: What client/patient data was on the laptop?
  Management: What trade secrets were on the laptop? What’s the productivity loss?
Sensitive Information
  End User: I need the data if I’m expected to work off-site.
  IT: I’m told which users should have access to the application.
  Auditor: Personally identifiable data is governed by regulation, such as PCI and HIPAA.
  Management: Employees can’t be productive if they don’t have what they need to work.
Corporate Smartphone
  End User: The smartphone my company gives me shouldn’t be a pain to use.
  IT: How should the phones be provisioned? I don’t have time for this.
  Auditor: Need to be prepared with user access lists and activity logs for an audit.
  Management: Need to control costs.
Proliferation of Tools
  End User: I want any tool that makes my job easier.
  IT: I know that 3rd party tools like flash drives can make our network vulnerable.
  Auditor: If we have audits on laptops for personally identifiable information, shouldn’t other sources of leaks be examined too?
  Management: If it ain't broke, don’t fix it.
Slide19
Vision for What to Accomplish
Slide20
Key Questions
Since we are not starting from a clean slate:
How is the organization using McAfee and will the mobile security products we select be compatible with McAfee?
Utimaco SafeGuard is being used to manage laptop hard drive encryption, lock down, and auditability:
How is it being used specifically?
Are there other products that may be better choices?
Slide21
Phase 1 Product Selection
Identifying vendor products, comparing features, developing final selection pros and cons
Slide22
Phase 1 – MDP Selection
Candidates taken from the MDP Gartner Magic Quadrant: McAfee, Sophos, Symantec, Check Point Software Technologies
Slide23
MDP Product Comparison (vendors compared: McAfee, Sophos, Symantec, Check Point)
Features compared:
Poison pill
Management console
Audit reports
Windows and Mac support
FIPS 140-2 supported
Protection for removable media
Trusted Platform Module (TPM) support
Supports tokens
Encryption strength
Offers cloud service
Supports self-encrypting drives
Integration with file sharing products
Rating legend: meets criteria; + exceeds criteria; ++ greatly exceeds criteria (per-vendor ratings appear on the slide graphic only)
Slide24
Phase 1 – DLP Selection
Candidates taken from the DLP Gartner Magic Quadrant: Symantec, McAfee, Websense, Verdasys
Slide25
DLP Product Comparison (vendors compared: Symantec, McAfee, Websense, Verdasys)
Features compared:
Content-aware – can classify information
Offers non-transparent control
Manages endpoints
Workflow and case management
Secure email gateway integration
Webmail and web controls
USB controls
Applies policy on public network
Advanced intellectual property controls
Rating legend: meets criteria; + exceeds criteria; ++ greatly exceeds criteria (per-vendor ratings appear on the slide graphic only)
Slide26
Most Suitable Product - MDP
Winner of MDP Category – Sophos
Pros
Content-aware, integrated DLP to help decide when to enforce encryption on information being written to external devices.
Platform support is provided for Windows 2000 through 64-bit Windows 7, Mac OS X, and Linux.
Embedded system support includes TPM, TCG encrypting drives, Intel vPro and UEFI.
Smaller mobile devices (iPhone, iPad, and Android) are to be supported separately under an MDM product.
Cons
North American penetration and brand recognition need to improve
Slide27
Most Feature-Rich Product - DLP
Winner of Feature-Rich DLP Category – Verdasys
Pros
Offers the strongest controls for the protection of sensitive information.
Has strong workflow and case management.
Simple and easy-to-use process for creating custom dashboards and reports.
Can audit every access to (and control the movement of) files that contain sensitive data (sought after by IP firms and organizations fearing WikiLeaks-type data disclosures).
Sensitive files are encrypted when copied to mobile media and devices.
Cons
High-end controls and complexity
Priced at a premium
Limited RBAC (role-based access control) capabilities
Offers endpoint DLP only (no network DLP)
Slide28
Best DLP for Trustmark
Best DLP for Trustmark – Websense
Pros
Less costly
Easier to implement
“Fast, effective security leak prevention without a lot of hassle” (Forrester)
Offers both network and endpoint DLP
Cons
Less robust solution for complex business processes
Slide29
Question and Answer
Slide30
Extra Slides
NOT IN PRESENTATION
Slide31
Mobile Data Vulnerabilities – Original Scope
Grid of device types (Laptops, Tablets, Smartphones, USB Drives) against vulnerability classes (Loss/Theft, Data Corruption, Unauthorized Physical Access, Attacks), grouped under Confidentiality and Integrity versus Authentication & Availability; some cells are marked N/A and one is marked ?
Slide32
Mobile Data Vulnerabilities: Is that everything?
Grid of device types (Laptops, Smartphones, USB Drives, External Media (CDs), Paper) against Confidentiality and Integrity; some cells are marked N/A
Slide33
User View of Situation
Presenting ‘as is’ and ‘to be’ situations and a vision for the future
Slide34
Vision for What to Accomplish (rows are scenarios; columns are End User, IT, Auditor, Management)
Lost Laptop
  End User: At least my data is protected.
  IT: Another laptop gets the poison pill.
  Auditor: We have a record of what was on the laptop and the data was encrypted.
  Management: Damn employees. At least trade secrets are protected.
Sensitive Information
  End User: Reminder of what data is sensitive and limits on quantity.
  IT: I’m told what the policies are and given tools to enforce them.
  Auditor: I can establish enforceable policies in compliance with regulation.
  Management: Employees can get access to the data they need to work, but not in excess.
Corporate Smartphone
  End User: My smartphone allows access to the applications and data I need.
  IT: Easy provisioning and support.
  Auditor: User activity is auditable for smartphones.
  Management: I know where the money is going and my costs are predictable.
Proliferation of Tools
  End User: I am reminded of the risks of using certain tools.
  IT: Flash drives and portable hard drives no longer frighten us.
  Auditor: We have logs of where sensitive and personally identifiable information goes.
  Management: If it ain't broke, don’t fix it.
Slide35
Mobile Security Program Management
Defining solution categories and putting the initiative within a project framework
Slide36
Tool Descriptions
Mobile Data Protection (Endpoint Protection)
Data Loss Protection (Endpoint Protection)
Slide37
Preparing the Users and Infrastructure
Putting it all together:
How do we select compatible products and vendors?
What will it cost to buy and implement?
How should we roll it out to the organization?
How do we justify the costs to management?
Slide38
Selecting Potential Products
Classifications of Products – number of vendors per category (source: Gartner Group): 25, 13, 14, 23
Slide39
Selecting the Best Products
Data Loss Protection – DLP
Symantec
McAfee
Verdasys
Websense
RSA (EMC)
CA Technologies
Market Leaders or Visionaries
Security Information Event Mgmt - SIEM
HP/ArcSight
Q1 Labs
RSA (EMC)
Symantec
NitroSecurity (McAfee)
LogLogic
Novell
Mobile Device Management - MDM
Good Technology
Sybase
AirWatch
MobileIron
Mobile Data Protection - MDP
McAfee
Sophos*
Check Point Software Technologies
Symantec
*Trustmark uses Utimaco SafeGuard Enterprise, which was purchased by Sophos
Slide40
Selecting the Best Products
For everything except MDM, the trend is vendor consolidation in the marketplace, so that a single vendor can be a “one-stop shop”. Examples:
McAfee bought NitroSecurity
Sophos bought Utimaco
Symantec already has products in the MDP, DLP, and SIEM categories
Selection should follow a disciplined evaluation process examining comparative features, ease of configuration, price, and vendor support
Slide41
Scope of Vision
Slide42
Mobile Data Protection – Security Features
Desired security features for a MDP product:
Central console features:
Controls client activations
Pushes data protection policies
Interfaces with the help desk
Acts as a key management facility
Generates alerts and compliance reports.
Endpoint device features:
Encryption management
Device lockouts, i.e. “Poison Pill”
Vendors
Several niche vendors, but just a few market leaders
Trustmark’s current product, Utimaco SafeGuard Enterprise, is now owned by Sophos
Slide43
Causes of Security Breaches
Slide44
The Mobile Workforce
75% of US workers are mobile; one billion mobile workers worldwide*
12,000 laptops are lost in US airports per week**; 10,000 cell phones are left in London taxis per month***
62% of mobile devices that were lost or stolen contained sensitive or confidential information**
35% of organizations report that a lost or stolen mobile device caused the data breach they experienced**
Sources: * IDC; ** Ponemon Institute; *** The Register
Slide45
Data Loss Protection – Security Features
Desired security features for a DLP product:
Content-aware
Advanced content inspection and analysis techniques
Ability to define data policies
What data is governed?
How can it be moved outside the network to external media?
Ability to take action when a policy violation is detected
Log, block, encrypt, etc.
Can also be triggered based on data quantity
Vendors
Several well-known vendors are considered market leaders
Slide46
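The content-aware classification, per-channel policy actions and quantity trigger described on the Data Loss Protection slide (slide 7) and on the DLP Security Features slide above, worked through as a small policy engine. This is an added example written for this page; it is not code from the deck or from any of the vendor products compared here. The detector patterns, the channel names (usb, email, share), the thresholds and the sample documents are assumptions constructed for the example.

```python
"""Content-aware DLP policy engine (added example, not from the deck or a vendor)."""
import re
from dataclasses import dataclass

# Detectors (assumed patterns). The SSN pattern rejects area numbers 000/666/9xx and
# all-zero groups; a digit run only counts as a card number if it passes Luhn.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
MRN_RE = re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE)  # medical record number (PHI)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return {label: record_count} for the sensitive content found in text."""
    found = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        found["PII"] = len(ssns)
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    if cards:
        found["PCI"] = len(cards)
    mrns = MRN_RE.findall(text)
    if mrns:
        found["PHI"] = len(mrns)
    return found


@dataclass(frozen=True)
class ChannelPolicy:
    """Action below and at/above the record threshold (the quantity trigger)."""
    threshold: int
    below: str        # e.g. "allow" or "log"
    at_or_above: str  # e.g. "encrypt" or "block"


# Assumed policies: any sensitive record bound for USB is encrypted (threshold 1);
# a few records by e-mail or file share are logged, a bulk export is blocked.
POLICIES = {
    "usb": ChannelPolicy(1, "allow", "encrypt"),
    "email": ChannelPolicy(10, "log", "block"),
    "share": ChannelPolicy(100, "log", "block"),
}


def decide(text: str, channel: str) -> tuple:
    """Classify text and return (action, classification) for the given channel."""
    labels = classify(text)
    if not labels:
        return "allow", labels
    policy = POLICIES[channel]
    total = sum(labels.values())
    action = policy.at_or_above if total >= policy.threshold else policy.below
    return action, labels


def audit_line(user: str, channel: str, text: str) -> str:
    """One audit-log line per decision, so an auditor can answer 'where did the data go?'."""
    action, labels = decide(text, channel)
    tags = ",".join(f"{k}={v}" for k, v in sorted(labels.items())) or "none"
    return f"user={user} channel={channel} action={action} records={tags}"


# Constructed sample documents (not real data).
CLAIM_NOTE = "Claimant SSN 123-45-6789, MRN: 0012345, card 4111 1111 1111 1111"
BULK_EXPORT = "\n".join(f"{100 + i:03d}-12-{1000 + i:04d}" for i in range(12))
PLAIN_MEMO = "Team lunch moved to 12:30, order ref 4111 1111 1111 1112"

if __name__ == "__main__":
    for user, channel, doc in [("jdoe", "usb", CLAIM_NOTE), ("jdoe", "email", CLAIM_NOTE),
                               ("rlee", "email", BULK_EXPORT), ("asmith", "share", PLAIN_MEMO)]:
        print(audit_line(user, channel, doc))
```

Running the block prints one audit line per decision. The quantity trigger is what separates one customer's record going out by e-mail (logged) from a twelve-record export (blocked), and the same engine encrypts rather than blocks on the USB channel, which is the DLP-driven encryption decision the Sophos slide credits its MDP product with. The Luhn check matters in practice: without it, the order reference in the memo would be a false positive.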
Mobile Device Management – Security Features
Desired security features for a MDM product:
Enforced
password
Device wipe
Remote lock
Audit trail/logging
"Jailbreak" detection
Vendors:
Very crowded marketplace, but most vendors are considered niche players
Slide47
SIEM Compliance/Security Features
Desired compliance/security features for a SIEM product:
Security information management (SIM) — log management and compliance reporting
Security event management (SEM) — real-time monitoring and incident management for security-related events from networks, security devices, systems, and applications
Primary uses:
Compliance — log management and regulatory compliance reporting
External threat management — real-time monitoring of user activity, data access, and application activity, and incident management
Internal threat management — misuse of electronic health records by authorized users (employees, partners, contractors): medical record snooping, internal identity theft, internal medical identity theft
Vendors
Many vendors to choose from; healthcare-specialized features may limit the field
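The real-time collection, contextual enrichment and external/internal threat rules described on the SIEM slide (slide 8) and on the SIEM Compliance/Security Features slide above, as a minimal correlation engine. This is an added example written for this page; it is not code from the deck or from any SIEM vendor. The event format, field names, the asset and user context tables, the thresholds and the event lines themselves are assumptions constructed for the example.

```python
"""SIEM-style correlation over constructed events (added example, not from the deck)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Context a SIEM would pull from the MDM/CMDB and the directory (constructed).
ASSETS = {
    "LT-0427": {"owner": "jdoe", "encrypted": False, "lost_at": "2009-02-09T08:05:00"},
    "LT-0113": {"owner": "asmith", "encrypted": True, "lost_at": None},
    "LT-0205": {"owner": "rlee", "encrypted": False, "lost_at": None},
}
USERS = {
    "jdoe": {"dept": "Claims", "clinical": False},
    "asmith": {"dept": "Nursing", "clinical": True},
    "rlee": {"dept": "Billing", "clinical": False},
}

# Constructed event feed: ISO timestamp followed by key=value pairs (assumed format).
RAW_EVENTS = """\
2009-02-09T07:50:00 src=vpn user=jdoe device=LT-0427 action=login result=success
2009-02-09T09:12:00 src=vpn user=jdoe device=LT-0427 action=login result=success
2009-02-09T09:30:00 src=ehr user=asmith patient=P-1001 action=view
2009-02-09T09:31:00 src=ehr user=rlee patient=P-2002 action=view
2009-02-09T09:32:00 src=ehr user=rlee patient=P-2003 action=view
2009-02-09T09:40:00 src=ehr user=rlee patient=P-2004 action=view
2009-02-09T09:55:00 src=usb user=asmith device=LT-0113 action=copy classification=PHI
2009-02-09T10:02:00 src=usb user=rlee device=LT-0205 action=copy classification=PHI
"""


def parse(line: str) -> dict:
    """Parse one 'timestamp k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def correlate(raw: str, snoop_threshold: int = 3,
              window: timedelta = timedelta(minutes=15)) -> list:
    """Apply three rules to the feed and return (severity, rule, subject) alerts.

    1. lost-device-login: successful VPN login from a device after it was reported lost.
    2. ehr-snooping: a non-clinical user viewing >= snoop_threshold distinct patient
       records within `window` (internal threat: record snooping).
    3. phi-to-unencrypted-media: PHI copied to removable media from a device that
       the MDP inventory reports as not encrypted.
    """
    alerts = []
    ehr_views = defaultdict(list)      # user -> [(ts, patient), ...]
    already_flagged = set()            # one snooping alert per user
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        src = ev.get("src")
        if src == "vpn" and ev.get("result") == "success":
            asset = ASSETS.get(ev["device"])
            lost_at = asset and asset["lost_at"]
            if lost_at and ev["ts"] >= datetime.fromisoformat(lost_at):
                alerts.append(("CRITICAL", "lost-device-login", ev["device"]))
        elif src == "ehr":
            if USERS.get(ev["user"], {}).get("clinical"):
                continue               # treatment relationship assumed for clinical staff
            views = ehr_views[ev["user"]]
            views.append((ev["ts"], ev["patient"]))
            recent = {p for t, p in views if ev["ts"] - t <= window}
            if len(recent) >= snoop_threshold and ev["user"] not in already_flagged:
                already_flagged.add(ev["user"])
                alerts.append(("HIGH", "ehr-snooping", ev["user"]))
        elif src == "usb" and ev.get("classification") == "PHI":
            if not ASSETS.get(ev["device"], {}).get("encrypted"):
                alerts.append(("HIGH", "phi-to-unencrypted-media", ev["device"]))
    return alerts


if __name__ == "__main__":
    for severity, rule, subject in correlate(RAW_EVENTS):
        print(f"{severity:8} {rule:26} {subject}")
```

None of the three rules can be evaluated from a single source on its own: the VPN log does not know the laptop was reported lost, the EHR log does not know who is clinical, and the USB agent does not know whether the disk is encrypted. That join against asset and user context is the part of the SIEM definition above that distinguishes it from plain log management. The 07:50 login is deliberately left un-alerted because it predates the loss report; a rule that ignores timestamps would flood the queue with legitimate pre-loss activity.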