Data Security on Removable Media ISSA San Francisco Jason Webster jfwebster@imation.com

Presentation Transcript


  1. Data Security on Removable Media ISSA San Francisco Jason Webster jfwebster@imation.com

  2. TABLE OF CONTENTS
     1. Imation Overview
     2. Market Situation
     3. Secure Removable Storage Devices
     4. Central Management Software
     5. Data Center Tape Protection

  3. IMATION CORP OVERVIEW
     • Leading global marketer and developer of branded products that enable people to store, protect and enrich their experiences with digital information
     • Technology leadership, global distribution reach, and customer relationships make us a preferred partner for leading companies worldwide
     • Broad portfolio of data storage products, consumer electronics and accessories
     • Global market share leader in recordable optical media and data storage tape
     • 2010 revenue $1.46 billion, >1,000 employees, serving more than 100 countries

  4. MARKET SITUATION

  5. MARKET SITUATION - SUMMARY
     • DATA GROWTH: The growth of digital information has rapidly surpassed expectations. By 2011 digital universe will be 10 times size of 2006 [1]
     • INCREASED DATA MOBILITY: The importance of data has increased its access and mobility requirements, making it more difficult to secure and protect
     • INCREASED DATA BREACHES: As data and its mobility grow, the amount of data breaches and data exposure has also grown
       • U.S. 2010 > 662 Breaches [2]
       • 412 (62%) Exposed Social Security Numbers
       • 170 (26%) Exposed Credit or Debit Cards
     • REGULATIONS INCREASING: Increased data exposure has resulted in increased regulations and reporting requirements globally
     • COST OF DATA BREACHES GROWS: Increased reporting requirements and increased data breaches result in increased breach costs
       • U.S. 2010 $214 per record [3]
       • $7.2 Million [3] Average org. cost of data breach over 4 years
     [1] Source: IDC – The Diverse and Exploding Universe – March 2008
     [2] Source: Identity Theft Resource Center – 2010 Data Breach Stats January 3, 2011
     [3] Source: Ponemon Institute – Fourth Annual U.S. Cost of Data Breach Study January 2009

  6. Data Breach cost by Industry

  7. Legislation
     • 46 States with Data Breach laws
     • 33 new proposed laws in 2010
     • HITECH ACT of 2009 - Mandatory new regulatory requirements
       • Encryption needed but not “required” on all DAR (data at rest) devices
       • Severe penalties for an unsecured data breach!
       • Public notification for an unsecured data breach of > 500 individuals
       • Civil and federal penalties but safe harbor for encrypted data
       • Patient right to receive a copy of records electronically
       • 15 million in Health Care, 60% touch Patient Healthcare Information
     • FTC Red Flag Statutes
       • All organizations subject to the legislation must develop and implement a formal, written and revisable "Identity Theft Prevention Program" (Program) to detect, prevent and mitigate identity theft.
       • All financial institutions (state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer)
       • Solutions include encryption and multiple factor authentication
     • 12/29/2010 SEC Approves Amendments to FINRA Rule 8210 to Require Encryption of Information Provided Via Portable Media Device
       • Finance Industry Regulatory Authority is the largest independent regulator for all securities firms doing business in the United States
       • Rule applies to all FINRA member firms (4,570 brokerage firms)

  8. FIPS BASICS
     • The Federal Information Processing Standardization (FIPS) 140-2 is a U.S. government security standard that specifies requirements for cryptography modules
     • FIPS is required by law for U.S. government purchases
     • Strictly enforced in Canada
     • Gaining international recognition in Asia and Europe
     • Being adopted within regulated industries (e.g. Financial, Healthcare)
     Description of FIPS 140-2 Four Levels
     • FIPS 140-2 Level 1: The lowest level, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent
     • FIPS 140-2 Level 2: Adds requirements for physical tamper-evidence and role-based authentication.
     • FIPS 140-2 Level 3: Adds requirements for physical tamper-resistance and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces
     • FIPS 140-2 Level 4: Makes the physical security requirements more stringent, and requires robustness against environmental attacks. Level 4 is currently not being utilized in the market
     Currently, Level 3 is the Industry Standard.

  9. Web Sites track reported data breaches
     • May 6th – 3
     • May 5th – 2
     • May 4th – 9
     • May 3rd – 4
     • May 2nd – 5
     • May 1st – 0

  10. Recent Major Data Breaches
      • Theft: The Family Planning Council in Philadelphia reported a data breach involving a flash drive theft, placing information on 70,000 patients at risk, April 14, 2011
      • Disgruntled Employee: How Adrian Jones' Superstar IT Career Went Sideways, April 28, 2011 (HP Executive allegedly downloaded confidential trade secrets on a USB device that was not controlled)
      • Honest Mistake: Search on for memory stick missing from public school board, April 13th, 2011 (All the information from the computer, including employee information such as direct deposit forms, resumes, and other scanned documents, was put on the unencrypted flash drive.)

  11. Recent Headlines – www.HealthcareInfoSecurity.com
      • 2/24/11 Mass General HIPAA Penalty: $1 Million
        • Lost documents included information from infectious disease dept, including AIDS patients
        • Corrective Action plan: “Develop and implement a comprehensive set of policies and procedures that ensure patient information is protected when removed from the hospital”
        • Mass General to take extra steps to encrypt laptops and USB drives
      • 2/23/11 HIPAA Privacy Fine: $4.3 Million to Cignet Health
        • First civil monetary penalty to a healthcare organization
        • Cignet failed to provide 41 patients with access to medical records
        • Failed to cooperate with Federal investigators
      • 2/14/11 New York City Health & Hospitals Corp breach affects 1.7 million
        • Largest incident reported under the HITECH Act breach notification rule
        • Information lost includes names, addresses, social security numbers, patient medical histories
        • Hospital Corp. offering 1 year free credit protection service to affected individuals (will cost them Millions)
        • Per the HITECH ACT, if data was encrypted then public notification would not be required
      "The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule," said HHS Secretary Kathleen Sebelius.

  12. Secure Removable Storage Devices

  13. USB Devices
      • Over 2 Billion devices sold each year (PC World Jan 2009)
      • According to security firm Vontu
        • Over 50% of 480 surveyed tech professionals had USB devices with unprotected confidential information
        • 1 USB drive is lost at work each month
        • Unlike laptop, storage devices are small and cheap. Many employees do not report them missing as they would a laptop.
      • According to Ponemon
        • Employees were less than 50% likely to report lost USB device or Optical
        • Most employees would knowingly break corporate policies
          • Sharing passwords, downloading confidential data, taking work home

  14. SECURITY ELEMENTS
      • Physical Security
      • Encryption
      • Authentication
      • Malware Protection
      • Management
      • USB Port Control

  15. Types of Security on USB Devices and Optical
      • Encryption
        • 128 bit vs 256 bit
          • FIPS validated only 256 bit
        • Hardware encryption vs Software encryption
          • Software uses host computer for authentication, hardware authentication occurs in device
          • Software encryption typically slows down performance
          • Software encryption (FIPS Level 1) will get you compliant, Hardware Encryption (FIPS Level 3) will give you top security
          • Software encryption typically Windows only
      • Authentication
        • Password
        • Biometrics
        • CAC/PIV card (upcoming)
      • Optical
        • Common method:
          • Encrypt files with third party software and burn onto optical media
        • New method:
          • Self-encrypting recordable CD/DVD/Blu-ray disc

  16. 128 bit vs 256 bit encryption Twice as long, twice as strong?

  17. Light years stronger 340,282,366,920,938,000,000,000,000,000,000,000,000 Equivalent to all the grains of sand on the planet or every known star in our galaxy

  18. Authentication
      • Authentication verifies a user’s identity
      • It’s what “unlocks” the device by validating you are who you say you are
      • Various methods:
        • Strong Password - A password is sent into the device, and the device verifies it’s correct
        • Biometric - A finger is swiped across the sensor, another chip verifies it
        • RSA SecureID - digital identity
        • PIV - Personal Identity Verification
        • CAC - Computer Access Card
        • PKI - Public Key Infrastructure
      • Hardware Encrypted devices authentication is done in Hardware
      • The “boundary of trust” does not include the computer

  19. Our Portfolio Overview
      • Very Robust Device Management (Central Management)
        • Automatically registers user to devices and implements policies
        • Low System overhead and limited support staff required
        • Manages Multiple Device Types and Brands
        • Leverages existing investment
        • Provides Forensic Level Auditing
        • File level blocking by type and name
        • Manages Devices off the network
        • Remote Kill of Devices
      • Broadest Secure Portable Storage Portfolio:
        • Optical Products - CD/DVD
        • USB Flash Drives
        • External Hard Disk Drives
      • Multiple Authentication Methods
        • Password (hardware rules)
        • Biometric + Password
      • Global Government-Validated Encryption

  20. PORTFOLIO SUMMARY
      [Chart: products placed by FUNCTIONALITY and TARGET MARKETS]
      • Products:
        • Defender F200 +Bio. Features: FIPS 140-2 L3
        • Defender H100 & H200 +Bio. Features: FIPS 140-2 L3
        • Defender F100 & F150. Features: FIPS 140-2 L3, Cap design
        • Defender F50. Features: FIPS 140-2 L1, Pivot design
        • Defender Optical. Features: FIPS 140-2 L1
      • FUNCTIONALITY (axis labels):
        • Managed Secure Storage & Strong Authentications with SmartCard
        • Managed Secure Storage & Strong Authentications
        • Managed Secure Storage
        • Secure Storage
      • TARGET MARKETS (axis labels): Large Enterprise Government/Financial Services SOHO/SMB Enterprise

  21. Device Management

  22. Management Features
      • Remote Kill/revocation
      • Addition of encryption to non-encrypted devices
      • Time based policies vs event based
      • File Level Auditing
      • USB Port Control - Allow, Block, Read only
      • File level blocking
      • User group policies
      • Ability to manage third party devices
      • Remote Policy Updates
      • User self rescue
      • Password complexity and interval
      • Remote Password update
      • Data Recovery
      • Automatic registration of devices vs issuance

  23. Why Wikileaks could have been prevented
      • User could have been blocked from access to removable storage devices
      • File types/names/contents could have been blocked from the Central Management Software
        • Block, alarm, monitor
      • Auditing of activity would have shown which files were being downloaded by whom from which computer
      • Offline usage could have been disabled
      • Device could have been remotely killed/disabled
      • Auditing would have shown which files were saved to which computer from which device

  24. Device Management Software
      [Diagram labels: StealthZone (SPD); Defender FIPS L3; Defender FIPS L1; Port Control; Legacy Removable Media Cards; H100/H200 +Bio; F200 +Bio; Defender Optical; F100/F150; F50 Pivot; Laptop, Netbook, and Desktop PC Ports; Media Players; EHDD; Mobile Devices; UFD]

  25. Case Study: US Army Base
      Overview: Army Support Activity supports and conducts Reserve Component Training and Mobilization/Demobilization operations. The ASA plans and executes other Army directed support missions, and, on order, establishes and operates a Joint Mobilization site
      • Requirements:
        • The ability to access sensitive mission and combat training data on secure, ruggedized and tamper-proof storage devices.
        • Integrated anti-malware defenses, remote kill and key management
        • The solution must meet DoD DAR CTO requirements
      • Solution
        • Defender F150’s FIPS 140-2, level 3 drives
        • Each device was loaded with McAfee A/V and Imation Device Control Applet
        • Central Management is performed through Imation Control Server software
      • Result
        • All USB devices can be managed and used securely in compliance with the DoD CTO security requirements
        • DAR Approved Central Management allows for remote kill, key management and detailed forensic auditing/reporting.

  26. How to be Compliant and Secure
      • For non-criminal intent Data Breaches (Lost Devices – Honest Mistake)
        • Use AES 256 Bit Encrypted Devices
      • For Stolen Devices
        • Use AES 256 Bit Encrypted Devices with embedded Security Policies
        • Extra insurance
          • 2 factor Authentication
          • Remote Kill
          • FIPS Level 3 Encryption
      • For Disgruntled employee
        • Central Management of Devices with stringent Security policies
        • USB Port Control
        • File Level Auditing capability
        • Blocking of files
        • Remote Kill
      • Proactive Enforcement of Policies
        • Central Management of devices to ensure 100% compliance to Company Security Policies to protect critical company data, e.g. Financials, IP, Employee or Customer information. You also will have auditing and reporting capability

  27. Upcoming Imation technologies
      • Digital Rights Management
        • Prevent printing, copying, emailing
        • Timebomb files
      • Smart Card Integration
        • Common Access Card (CAC) or Personal Identity Verification (PIV)
        • Strong two and three-factor authentication
        • No new password required -- card PIN is used
      • Secure portable desktop allows you to boot directly from your USB drive.
        • Turn any host computer into the user’s computer
        • Boots directly into Windows environment
        • “Generic mode” allows use on unknown PCs

  28. Securing Traditional Storage

  29. Understand the Need
      • More data is being backed up today than ever before
      • More data is stored per individual cartridge
        • Cartridge capacities have reached 1 terabyte native
      • More cartridges are moving to and from more locations
        • Additional data centers, vault sites
      • More regulations on data protection and preservation exist today than ever before
        • Non-compliance can be very expensive

  30. Encryption of Tape
      • AES* 256-bit encryption available with LTO4/5, Oracle T10000 and IBM 3592 (TS1130) drives
      • Drive level encryption enables compression before encryption
      • LTO offers possibility of 3rd party key management system
      • <1% impact on drive performance
      *Advanced Encryption Standard

  31. LTO RFID CM Chip
      • LTO CM holds diagnostic information, e.g. error rates, data-sets written, drive utilization, number of mounts
      • Analyzed to determine drive/media performance trends for failure prediction
      • LTO CM info captured within seconds
      • Scan of CM does not compromise security of data

  32. Locking Features Users can choose to “Lock” their cartridges for added transport or storage security. When locked, the cartridge cannot be read from, or written to, by any LTO drive.

  33. RFID Asset Tracking

  34. What Customers Say
      • “I need to know…”
        • I am compliant with regulations
        • Where my tapes are
          • Within my library
          • In other data centers
          • At my vaulter
        • I am being as efficient as possible in my operations
        • If I need a tape, I will be able to find it quickly
        • If an auditor asks about a tape, I will be able to demonstrate chain of custody

  35. IT Asset Lifecycle Management

  36. Customer Case Study
      • Thousands of IT hard drives and tapes containing highly sensitive customer and corporate information
      • No ability to control or monitor removal of laptops from facilities
      • Inability to ensure end of life drives were properly destroyed created
      • 5 high profile breaches in 2 years, consumer outrage
      • Developed special use passive RFID tags to place on all hard drives and laptops
      • Deployed Asset Management solution to track the lifecycle of the corporate assets
      • Installed special use readers at various entry / exit choke points
      • Automated feedback from crushing to end-of-life assets
      • Established a corporate risk mitigation strategy to protect corporate and consumer
      • Greatly curtailed asset loss and ensured end of life assets were destroyed
      • Improved employee awareness and automated the tracking of laptops leaving a facility
      • Lowered corporate risk profile

  37. Customer Case Study: Exiting the Secure Facility
      • Employee association to laptop is verified by the application and an image is quickly loaded on the Exit Security Monitor for visual confirmation
      • Employee approaches exit, where the employee badge and laptop tag are identified. Security may elect to enlarge the view and may elect to review the association details.

  38. Case Study
      • An audible sound and visual cue is given to security indicating the Employee badge is not assigned to this laptop.
      • Employee badge and Laptop tag match. Picture shown for additional visual security.

  39. Secure Destruction of Media
      • Companies will buy back tape media
        • Claim they recertify media and rewrite over all of the data
        • In truth, most write over the header or table of contents, and the rest of the data is still live
      • South Shore Hospital Data breach was caused by company taking media to be recertified, and tape was lost
        • 800,000 patients at risk
        • Third party was not responsible for Data - South Shore was

  40. Thank You
