What would that new approach look like, then? What are the solutions for integrating security? There are at least two options. The traditional approach – implement security separately for data of each type, or for each type of endpoint or service. And then a new approach – one that spans all of them (data of each type, each type of endpoint or service).
Now, the benefit in the past of taking door number one, if you will, the individual technology choice for each platform type, is that you go deep on each type of platform, and you have a lot of different service and protection offerings. The challenge with it is that it is really complex and expensive. And as the options for end users grow, we believe this approach becomes untenable. If you go deep on every platform, with deep-level code and all that goes into maintaining and managing it on every single platform and every single device that your employees and your partners use, that’s ultimately going to be a scenario where you can’t win.
For example, a customer once said, “Well, I want to allow my billing partners to have my data, but I want to force them to run this software that modifies all the Office applications as well, and I want you to build this kind of deep Windows solution.” The thing that I pointed out to him was that every time Windows updates, you’re now responsible for all the customer support for your partners, because a solution like that is so dependent on, and so deep into, the operating system and the Office apps, for example, that supporting it would no doubt be brutal, and you can’t predict what Microsoft will change. The whole approach is basically flawed because now you’re going to take on the support burden for your partners, and you can’t do that. It just doesn’t make sense. It’s the right idea and the right motivation to protect the data and want the data to be safe wherever it goes. But the implementation approach of doing a particular deep solution for every platform and every place the data goes won’t scale. It just can’t scale.
A self-encrypting drive (SED) is a disk that has built-in hardware-based encryption. It’s essentially a drive that encrypts all the information that gets written to it, and that encryption is done by specialized hardware, which has a number of really important and significant implications for how to use it, where to use it, how to manage it and so on. They’re made by a number of manufacturers – Hitachi, Toshiba, Seagate, and Samsung, to name a few. A number of drive manufacturers are building out their capability to supply self-encrypting drives, and the reason is that they are becoming very, very popular, both from the perspective of people wanting to put them in and, I think, from the perspective of organizations looking at them for the first time or maybe coming back and revisiting them. The Trusted Computing Group, which obviously has something of a vested interest in this space, estimates that within five years pretty much all drives will have some self-encrypting capability built in, and that includes both traditional disk drives and solid state drives. Sometime over the next few years, most of the drives that you encounter are going to be self-encrypting drives of some kind.
HOW IT WORKS
So, how do they work? Very simply. Anything that gets written to the drive gets written via a hardware encryption module that encrypts it on its way onto the drive and then decrypts it on the way back. Pretty straightforward. Everything that gets written to the drive is encrypted – the whole thing is encrypted. As far as the various standards are concerned, it’s typically encrypted with AES-128 or AES-256: industry-standard, well-established encryption algorithms, as you would expect, meaning the encryption is going to be solid and secure.
Obviously there are a number of caveats, and the caveats must always, as they do with any kind of encryption discussion, come down to what happens with the keys. And we’re going to talk about keys, because there are a couple of keys that are very important when it comes to drives.
WHY THE INTEREST?
Why the interest? In many cases, the reason we’re seeing organizations look at self-encrypting drive technology is that they’re going through some kind of refresh, or they’re re-evaluating their initial deployments, or attempted deployments, of software-based full disk encryption. They like the idea of full disk encryption, but as I’m sure you know, full disk encryption can have some management challenges. So what we’re seeing is a sort of re-evaluation of the way in which we implement full disk encryption and self-encrypting drives. They are much faster than software-based storage and they’re much more reliable. Data loss is less likely to happen with a self-encrypting drive because they’re much less sensitive to issues around bad sectors. They also take away a lot of the pain associated with the initial install when full disk encryption needs to be done: defragmenting the drive and checking for bad sectors, because there would often be fairly sensitive issues with the drive itself. In a nutshell, that’s a self-encrypting drive – and they’re simple.
WHERE DO THEY FIT
Where do they fit? Typically organizations interested in self-encrypting drives are really driven by a couple of things. One is they want a simple solution, and one that’s simple to live with. Full disk tends to offer simplicity since everything gets encrypted. Self-encrypting drives are a very simple way to implement encryption in software. Another great feature is that you don’t need to be able to provide different encryption for different types of users. If you don’t care whether you can save in one go, then again self-encrypting drives are a great approach. Because it is a full disk, it’ll be unlocked all in one go rather than being unlocked in different portions for different users. That’s a consideration you have to have. And I think the other thing to think about is fairly self-evident, but self-encrypting drives are only going to encrypt the information that’s on the drive itself. You will need to think about some information as it moves off the self-encrypting drive technology. But that being said, if that matches your requirements, then SEDs may be a fit.
OPAL – CONNECTING AND PROTECTING
I want to touch on OPAL really briefly, which is the standard for self-encrypting drive technology. It is increasingly looked to by the Trusted Computing Group and defines a number of capabilities for self-encrypting drives. I don’t intend to go through all of them in any great detail, but if you come across OPAL drives, then understand that that’s really what the industry is moving to for standards for SEDs. It defines the functions and it defines a lot of the way that these drives will interact with other hardware. OPAL’s an important standard, and you should expect pretty much all the devices you’re looking at in the future to be OPAL compliant.
Let’s talk about common misconceptions and areas where there may be some confusion around self-encrypting drives. We talked a little bit about security for self-encrypting drives, and while that may seem odd, it is an important consideration. Then there is management and applicability, as in where do you use self-encrypting drives – just where is the right place, exactly? For one, pre-boot authentication. If you’ve ever dealt with pre-boot authentication, certainly in the software world, it can have some serious impacts and can be quite a headache to manage. So let’s talk about what pre-boot authentication can look like for self-encrypting drive technology, and about performance, too. One of the questions that we get a lot is, “What’s the performance impact if I go to a self-encrypting drive?”
SECURE FROM DAY 1
One of the interesting things about self-encrypting drives is that everything is encrypted all the time. The entire drive is encrypted. Everything is encrypted from day one whether you want it to be or not. It’s not possible to have a self-encrypting drive that isn’t encrypted, which sounds great. The reason is that there are a couple of keys involved. The first key that you need to know about is the encryption key. That’s the key that the drive uses to encrypt information and is created when the drive is built; the encryption creates that key. It is locked away in the hardware. That’s the key for the encryption of all information saved to the drive and coming back. The problem is that that key is available all the time. So essentially it’s like having a great system of locks on your front door, but the key is in the door every time you go out. So you might have great locks, but there’s no security. That’s where the second key comes in – the authentication key. The authentication key locks away the data encryption key. It encrypts it and locks it away so that you can’t get to it unless you have the authentication key that you take with you. That’s the key that enables you to prove that you are the authorized user of this device and the information. So, like everything else in encryption, the big challenge is key management. You must secure the authentication key and manage it appropriately.
Now, the good news is that devices are encrypted from day one and there’s no sort of setup. So the device, again, is going to be running, encrypting everything as it gets written to the drive itself. What if I need to go and make sure that there’s nothing on there that can’t be found somewhere else? All you do is destroy the key and the information is unusable. Once you’ve got that initial key management under control.
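The two-key arrangement and the destroy-the-key erase described above, as an added example that is not from the original post or from any drive vendor: a toy Python model of the drive's key handling. `ModelSED`, `seal` and `unseal` are hypothetical names, and an HMAC-SHA256 keystream stands in for the drive's hardware AES so that the block runs on the standard library alone.

```python
import hashlib
import hmac
import os

def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stdlib stand-in for AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Decrypt, or raise ValueError when the key is wrong or the blob was altered."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted data")
    return _stream(enc, nonce, ct)

class ModelSED:
    """Toy model of the two-key scheme; not a real drive interface."""
    def __init__(self):
        self._dek = os.urandom(32)  # data encryption key, created when the drive is built
        self._wrapped_dek = None    # None = no authentication key set ("key left in the door")
        self._salt = b""
        self._platter = {}          # sector number -> stored ciphertext

    def _kek(self, passphrase: str) -> bytes:
        # Authentication key, derived from what the user presents at pre-boot.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 100_000)

    def set_authentication_key(self, passphrase: str) -> None:
        self._require_unlocked()
        self._salt = os.urandom(16)
        self._wrapped_dek = seal(self._kek(passphrase), self._dek)

    def power_cycle(self) -> None:
        # With an authentication key set, only the wrapped DEK survives power-off.
        if self._wrapped_dek is not None:
            self._dek = None

    def unlock(self, passphrase: str) -> bool:
        if self._wrapped_dek is None:
            return True  # nothing protects the DEK
        try:
            self._dek = unseal(self._kek(passphrase), self._wrapped_dek)
        except ValueError:
            return False
        return True

    def _require_unlocked(self) -> None:
        if self._dek is None:
            raise PermissionError("drive is locked")

    def write(self, sector: int, data: bytes) -> None:
        self._require_unlocked()
        self._platter[sector] = seal(self._dek, data)

    def read(self, sector: int) -> bytes:
        self._require_unlocked()
        return unseal(self._dek, self._platter[sector])

    def raw_sector(self, sector: int) -> bytes:
        return self._platter[sector]  # what someone reading the media directly would see

    def crypto_erase(self) -> None:
        # Destroy the old DEK; everything already on the platter becomes unreadable.
        self._dek, self._wrapped_dek, self._salt = os.urandom(32), None, b""
```

Setting the authentication key only wraps the 32-byte data encryption key; the sectors already on the platter are not touched, which is why both activation and erase are immediate in this model.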
THEY DON’T NEED MANAGEMENT
I’m sure you’re asking, “Okay, so how would I do that?” You do that by putting in management layers, and this should not be a great surprise to anybody. If you want to be able to manage all of those keys, enable people to get access to their systems without any great difficulty and ensure that they can continue to have access, you need a management layer. So, there’s technology that enables you to activate the drives and set policies to manage which users have access and when they can have access, and to remove their right to have access, of course, if you need to. You really have to think about maintaining control over who has access to authentication keys, and when they need to get access. We have to consider things like user recovery, for when a user inevitably is on the other side of the planet, has lost their authentication key and can’t get in. Things like this are a big challenge when you are looking at encryption technology, especially full disk encryption approaches. One of the big complaints is in the pre-boot step, in other words, the step where the user authenticates himself: if the authentication key is difficult to manage, then it has its own patch management. People have to literally leave their systems and enable that to happen in the worst case, and that’s really not ideal at all. You want to ask, “Can my management layer maybe enable me to implement while having access to patch management processes?” System loss is another challenge here. If the device is lost, how do I ensure that people can’t have access to it anymore? Can I kill those keys quickly in order to prevent people from getting in? This brings up reporting and auditing and wanting to be able to assist them. I want to be able to prove that these controls are in place. I want to make sure that the information is protected at all times. I want to provide auditing and compliance reports to my internal stakeholders, my compliance managers and so on.
These are the major things that you need to think about when you’re talking about management.
ONE SIZE FITS ALL
One of the other things to bear in mind is the idea of one size fits all. SEDs are great and extremely effective. They are becoming increasingly affordable as price points come down, but they’re still not necessarily going to be the right solution for everything. The challenge with any full disk approach is that once you unlock it, it is unlocked for good. For example, if I have sensitive information on my direct device and I need to give it to an administrator or contract organization for them to work on, I need to have that drive unlocked. That could be a concern, in that they have access to any information that’s on that system. Another option is to provide access to what I would call “non-authorized” users. That’s also something to think about. So they’re great tools, but use them in the right place. There are always things to consider: “What happens when I’m moving onto a different system without an SED on it? What happens when I move it out into a cloud environment?” They’re a great solution, yes, but you obviously have to think beyond just that device.
Stay tuned as we shift gears to pre-boot authentication and a well-rounded SED solution.
Let’s get back to looking at some of the biggest perceived data threats coming our way in 2012. Data is now increasingly mobile, but that mobility is coming at a cost. Taking a look at the Department of Health and Human Services, 39 percent of all of the protective healthcare breaches covered by HIPAA and HITECH occurred on a laptop or other portable device. Naturally, more people are going to portable devices because they’re easy to move around and easy to move information to and from. However, they’re difficult to manage, especially when they’re owned by someone other than the organization. And they’re very, very, very easy to lose. CREDANT recently conducted a hotel survey that found that of the thousands of devices that are lost, 81 percent are smart phones or tablets. Interestingly, 45 percent of lost devices were never claimed. Data is more readily lost and is extraordinarily difficult to recover. This is a significant problem, one of those things a lot of organizations are talking about these days. How do we deal with removable media, with laptops, with external storage devices? How do we track information to and from? The Bring Your Own Device revolution is underway, and it is really causing some challenges to the way that IT security and best practices get applied across the organization.
The “Aftermath of a Data Breach” study showed that only in about a quarter of the times that customer data was lost due to a breach, it was definitively encrypted. In fact, 60 percent of the time it was definitely not encrypted. Sixteen percent weren’t really sure. That’s where CREDANT comes in, it’s one of the core things that we do. We help customers manage encryption.
Of course now, more and more devices are being shipped with self-encrypting drive technology built in. The challenge is not that the capability is there. The challenge is how do I turn it on, how do I manage it, how do I ensure that I can prove that it was on at the time that the device was lost or a breach occurred. These are real headaches when you think about encryption.
What are the causes of breaches? It’s not terribly surprising that a third of the breaches in the Aftermath of a Data Breach study were caused by “negligent insiders.” You know, negligent is a fairly strong word. I mean, these are not people that are somehow criminally negligent, they are simply doing their job and they copy something onto a CD, or they move something to a thumb drive, or they leave their laptop in the trunk of their car or something gets lost, something gets stolen, something gets exposed somehow. It’s unfortunate that so many breaches occur that way because it’s essentially the low hanging fruit of data security.
So, after a breach occurs, what happens next? One of the questions asked in the study was “What steps do you believe were most helpful reducing the negative consequences of a data breach?” The number one answer is “retain an outside legal counsel.” It might sound kind of cynical, but there are actually some interesting trends occurring that are a bit more hopeful.
The second highest answer was “assess harm to victims,” which I personally think is entirely the right thing to do. There was also a huge jump in the number of companies that hired external forensic experts to investigate the breach. That’s a huge step forward, because, as we all know, during the initial investigation period it’s very easy for information to get lost. We’ve all heard stories where the first knee-jerk reaction to a system that’s been breached is to turn it off, when really, that’s the last thing anyone should do. You don’t go shutting down systems that have been breached. You bring in forensic teams to investigate those systems.
Looking at how consumers prefer to be notified about a data breach, no one wants to pick up the phone anymore. It used to be that people thought the best way to handle notification was to quickly notify via letter or telephone, but that has fallen out of favor.
I think what we’re seeing here is a realization on the part of organizations as a whole that a breach is a bad thing. It is no longer an “oops, our bad,” kind of a hiccup. Breaches are significant things. On top of fines, we’re talking about corporate embarrassment and damage to brand. Not to mention class action lawsuits.
I think what we’re seeing here is an organizational shift to be more proactive. Organizations are saying, “Let us retain it. Let’s get some experts in. Let’s get some legal counsel. Let’s take things slowly and do the right things here.” That’s good news from an information security perspective because it means that these events are now becoming something of a boardroom discussion. It’s getting elevated and, over time, that will be a major benefit.
Stay tuned for Monday’s final post in this series.
We’ve recently added some videos where I cover a number of the key questions we see coming up when we talk to both our current customers and organizations that are starting to think about the best approaches to protecting sensitive information.
So the first question really revolves around the role of encryption in the event of a breach. As I say in the video it’s an unfortunate fact, but breaches are going to happen to even the best protected organization. Laptops get stolen, removable media gets lost, and people make mistakes. So the question then is, what happens next? And that’s where we see the real value of encryption. Because even if a breach occurs, encrypted data is still safe data. Encryption may not stop the breach from occurring, but it will certainly eliminate much of the pain (and cost) when one does.
In the second video I address one of the more frequent questions we hear – around the consumerization of IT. Ultimately what is happening is that the range of devices in the enterprise is growing incredibly rapidly and in a way that is often beyond the control of the IT organization. As more and more people bring their own devices into the network, the complexity of keeping it all secure and compliant is growing, and increasing complexity is never a good thing in the case of security.
Part of the problem in keeping data safe is also keeping control over who has access to it. That’s why CREDANT has adopted an approach to encryption management that is a little different from what you might see normally. Rather than use a single key to encrypt everything on a device, we actually enable the use of multiple keys. That means that, as an organization, I have much greater flexibility in deciding who can see what data. For example, I can allow an administrator to work on a system while still keeping the actual user data (say that of my CFO) safely encrypted. It’s that kind of flexibility that really allows our users to tune their security policies to match their needs – and their risk appetite.
In the last video I talk a little bit about removable media. This is a huge problem for most organizations (especially those that haven’t thought about it yet.) Removable media devices, such as flash drives, are everywhere. They are cheap, have very large capacity, and are often used in a way that can compromise data security. As such, if you want to quickly reduce the risk to your business of a breach occurring, you should start by thinking about removable media – what is being copied on to it, by whom, and most importantly, is it secure?
I hope the videos are interesting, and I’d love to get your feedback. Let me know if there are other topics we should explore on keeping your information safe and secure; we’re all in this together after all!
If you think the holiday shopping frenzy has died down until the day after Christmas, you may want to stay away from any sort of establishment where you receive things in exchange for cash or the swipe of a card. Because the truth is, you’re sadly mistaken. But, you’re not alone. Most holiday shoppers think that Black Friday is the busiest shopping day of the year, however, the weekend before Christmas Day is actually the busiest, with sales nearly four times as large as those on Black Friday.
Let’s admit it: we’re a society of chronic procrastinators. So naturally, many people wait until the last couple of days in the holiday shopping season to buy gifts. Along with crowded department stores and jam-packed malls, Internet connections are getting a run for their money this time of year, too, whether shoppers are at home, in the office, or on the go.
With the holiday spike of ecommerce and in-store sales also comes the increase of lost wireless devices. As people are scurrying around malls and department stores trying to finish up their last bit of shopping for the year, they often misplace or lose personal belongings like bags, purses, wallets and keys in the process. These belongings often house wireless devices like smartphones, USB storage drives, and even tablet and laptop computers.
In fact, a recent survey we conducted shows just how many devices end up at the lost and found department of several different local shopping malls. If these devices end up in the wrong hands, or even the hands of a bored mall employee, any sensitive information stored on the device—whether it’s employee-owned or not—is fair game to the user.
The end of the holiday season is nearing, but the biggest shopping days are still to come. Make sure you keep track of your wireless devices and protect the data before you decide to brave the mall.
One of the key responsibilities of a CFO is to identify the risks of an organization, assess the potential impact of these risks to the organization and weigh the costs and benefits of taking steps to minimize the risks. A typical example of this is insurance policies. There are risks to the organization due to workers compensation claims and property damage. As a result, CFOs commonly purchase insurance policies to minimize the risk of these activities having a negative impact to the organization.
So how do CFOs view the risks of the data? Some of you may be questioning the “risk of data.” You may be saying:
“Data is not a risk.”
“It is the lifeblood of our company.”
“Our IT organization spends lots of money to make sure people have access to the information they need to perform their job.”
“The CIO or CISO is responsible for ensuring the protection of our data.”
Although these may all be the case, the data in your organization is still a significant financial risk to your organization unless it is secured. A property insurance policy may provide your company with the ability to replace damaged or stolen equipment; however, the actual data on mobile devices is much more valuable than the cost of the device itself. A $1,000 computer can cost a company millions of dollars if the data on that computer is exposed.
There are no insurance policies to cover you for the damages incurred by losing your data. An increasing challenge for organizations is that your company data is also no longer just behind your firewalls—it’s on the move and being stored on devices like USB sticks, home computers, personally-owned smart phones, tablets and now even the cloud (e.g., Dropbox).
Data protection is no longer just an issue for CIOs and CISOs; it’s important for CFOs to include data protection in their risk assessment, too. So, make sure the necessary steps are taken to mitigate the risk that your data provides.
For those sale fiends that didn’t get their fix on Black Friday—or maybe for the ones that have a phobia of large, hostile crowds—there is Cyber Monday. Coined in 2005, this virtual holiday happens the Monday after Black Friday, giving holiday shoppers one last holiday shopping hurrah before December. And boy do they take it. Sales have steadily increased each year during Cyber Monday, going beyond the $1 billion mark in 2010.
One reason that Cyber Monday has picked up steam in just a few short years? Convenience.
In today’s digital world, not only has online shopping increased in environments like corporate offices, school classrooms and the living room sofa, it’s gaining popularity on-the-go, with technology advances in smartphones, tablets and laptops. Ecommerce is happening in taxis, on sidewalks, in restaurants and everywhere else there is wireless reception—especially on Cyber Monday.
Additionally, many devices used for ecommerce are either company-owned, or they’ve been brought into the corporate walls due to IT Consumerization. Nonetheless, when a device is brought into work, it often leaves with sensitive company data stored on it, whether it’s in the form of an app, an email attachment, or stored on the device itself. Many of these devices—especially employee-owned devices—aren’t protected, leaving their contents a free-for-all in the event that the device is misplaced or lost.
For instance, let’s say an employee at your organization places a bid on eBay for a really cool garment they’ve been wanting. It’s in the last hour and they need to place a higher bid, so they pull out their smartphone at lunch, tap the eBay app, place a bid and put the phone back on the table. In a rush to get back to the office, they leave their phone on the table, loaded with several accounts opened, exposing not only their personal information, but sensitive company information in their work email account as well. If this phone were to fall into the wrong hands, not only has the employee put themselves at risk of several accounts of personal data breach, but your organization’s data as well. With the holiday season in full swing, this risk will only increase, especially during Cyber Monday.
As the holiday shopping season arrives, it’s not a bad idea to begin thinking about ways to protect the data that gets circulated on wireless devices, employee-owned or not.
As many people are sleeping off their food comas in the wee hours of the morning post-Thanksgiving, many others are waiting in long, winding lines in the parking lots of various department stores, calculating how they’ll get their mitts on a limited number of heavily-discounted toys, electronics, housewares, and other goods of the sort in less than two minutes.
And, at the strike of the opening hour, these shoppers—most of them well-versed in strategic crowd surfing—stampede through store doors like wild animals, maneuvering shopping carts like bulldozers, knocking over displays, losing their children and belongings—all for a good bargain.
In the bowels of the mayhem, many personal belongings like bags, purses, wallets and keys are often misplaced, dropped and eventually lost. These belongings all-too-often contain smartphones, USB drives, and even tablet and laptop computers that are often used at work and loaded with sensitive data.
And, what’s more, based off of the findings of our recent survey, around 68% of these lost devices never get claimed by their owners. Left unprotected, the data stored on them is at large risk of exposure, which can result in expensive remediation fees and reputation damage to the owner of the data if a breach occurs.
So, if you’re a fan of fighting thick swarms of sale enthusiasts this holiday shopping season, know that the loss of wireless devices spikes this time of year, and the potential repercussions of losing your smartphone or USB drive could far outweigh the money that you saved on gifts this Black Friday.