slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
CREDANT Confidential. PowerPoint Presentation
Download Presentation
CREDANT Confidential.

CREDANT Confidential.

155 Views Download Presentation
Download Presentation

CREDANT Confidential.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. NLIT 2009 CREDANT Confidential. 1

  2. CREDANT Company Overview • Founded - September 17, 2001 • To enable customers to manage security of data on any device – PDA, PC, MAC, USB • Product Line - CREDANT Mobile Guardian (CMG) • Data-centric, policy based, centrally managed data protection solution that "Protects What Matters"- your critical information • US-Based Company • Code developed in Addison TX. • Cisco Systems & IntelCapital are key investors • Accomplishments • More than 775 customers, 7 million endpoints • Solution recognized by leading industry experts • INC 500 Fastest Growing Security Company 2007 & 2008 2007 & 2008: #1 Fastest Growing Private (Security) Company 2007 Data Security Leadership Quadrant Testergebnis: 8.6 Very Good CREDANT Confidential. Subject to NDA 2

  3. Agenda • The Business Problem • Centralized vs. Decentralized Management • Compliance with Federal Desktop Core Configuration (FDCC) • Supporting Imaging Across Platforms • Managing Shared PCs • Authentication Support • Roadmap Encryption Solution Issues

  4. The Business Problem Employee Transit Internet Cafe Site Home Contractor Partner Airport Office Test Data Research Data Purchasing Information Social Security Numbers SBU or Classified Government Information Intellectual Property Critical enterprise data resides on numerous endpoint devices — and the storage capacity and criticality of information continues to increase CREDANT Confidential. Subject to NDA 4

  5. The Business Justification – Encryption Cost • Assume 1000 employees/contractors • Assume 250 use laptops that need protection • The ratio of machines that need protection and that don’t need protection will vary but the business justification is the same • Cost after discounts = $75/laptop • Internal labor/training costs to implement = $50/laptop • Total = $125/laptop x 250 laptops = $31,250 • Just to be safe – double that to $62,500 to implement Data-at-Rest encryption solution (DAR) CREDANT Confidential. Subject to NDA 5

  6. The Business Justification – Breach Cost • Assume 10,000 personnel records lost • A 200GB HD can hold 2,000,000 100KB records • Cost to change each bank/credit card account • $15/record = $150,000 • Cost per individual for a year of credit monitoring service • $60/individual = $600,000 • TOTAL = $750,000 • Does not include any legal fees, or the cost of security implemented after the fact • DoE data breaches carry risk that cannot be monetized 6

  7. Management Choices Automatically detect users added to Enterprise directory and create encryption keys and policies. Detect media devices automatically. Centralized Management Detect Encrypt and enforce encryption policies. Manage keys for hardware-based encryption. Control data usage outside the enterprise. Reduce Risk Manage and Audit – show device state at time of loss. Adapt to changing regulations. Securely Automate key escrow. Encrypt & Enforce Operate & Support Gain Workforce Productivity Ensure Operational Efficiency Operate and Support – reduce administrative costs. Centralize key escrow and access control (forensics). Manage & Audit A centrally managed solution integrates with the Enterprise directory, providing enforcement of encryption policies and reducing management effort and cost. CREDANT Confidential. Subject to NDA 8

  8. FDCC Compliance • Users cannot have administrative rights on the PC • Impacts removable media support most • User cannot mount volumes • Users cannot install software • Users file system rights should be restricted • Incompatible with some encryption solutions • Pagefile must still be encrypted • Solution must be able to run outside of user privileges • Ports and protocols are managed/restricted • Encryption solutions must have flexible network settings • Automated Patching and Scanning Systems deployed • Encryption solution must not prevent malware detection remediation • IDS solutions are likely in use • Must be compatible with deployed IDS(s)

  9. Imaging is Now the Standard Way to Deploy This can be problematic if the DAR solution encrypts or generates keys for the image at install time • All devices may end up with same key • Changing the key requires decryption/re-encrypt • Encrypted images cannot be changed • The encrypted volume is not editable • Can add considerable time to imaging process • Requires unecessary encryption of an empty drive • Some solutions do not support standard imaging processes • Especially true if images are deployed to hard drives with different geometries

  10. Shared PCs Multiple Users per Device Create Management and Security Issues • Will users share boot passwords? • If not, then pre-boot accounts must be managed for each user • Does data access need to be controlled across users? • Does User A need to be prevented from seeing User B’s data • All users of the device may end up with same key • Pooled-devices may need to be wiped/re-imaged between users • Is Audit required to track system access? • Can you show who used which PC and when?

  11. Authentication Support Many organizations have multiple authentication types • UID/Password • Tokens • Smartcards (HSPD-12m PIV) • Mixed-mode authentication • Are these supported by the DAR solution? • What does it take to get a new authentication type supported? • Do code updates may require decryption/re-encryption? • What tools need to be used to upgrade? • Can users switch between authentication types? • eg: UID/Password or CryptoCard and still access data on the PC • Temporary access while a token/smartcard is being re-issued • Does data access need to be controlled across users? • Does User A need to be prevented from seeing User B’s data? • Can this be tied to the encryption solution? • All users of the device may end up with same key • Pooled-devices may need to be wiped/re-imaged between users

  12. Roadmap Now there’s a Better Way: Full Data Encryption technology to solve current and future problems • Intelligent Encryption benefits: • User Cannot Choose – All Data Protected • User Encrypted Data Privacy • Single Console for all Management • Broad ALL mobile platforms • PC, USB Media, Handhelds • Avoid compatibility & operational impacts • Single agent can grow with future needs In the past there were two options in data protection… File/Folder Encryption • User Chooses Files • to encrypt Full Disk Encryption • No User Data Privacy • Patch management issues • System compatibility problems • Operational & performance issues • Dead-end Technology CREDANT Confidential. Subject to NDA 13 CREDANT Confidential

  13. Management Across Platforms Full Compliance Reporting Low Operational Impact All Solutions Managed within One Console Transparent to End-users CREDANT Confidential. Subject to NDA 14

  14. Comments/Questions/Discussion Contact Information: Eric Hay Director, Federal Field Engineering Ofc: 703.532.2720 Reduce the Risk of Data Compromise!