TABLE OF CONTENTS
• Imation Overview
• Market Situation
• Secure Removable Storage Devices
• Central Management Software
• Data Center Tape Protection
IMATION CORP OVERVIEW
• Leading global marketer and developer of branded products that enable people to store, protect and enrich their experiences with digital information
• Technology leadership, global distribution reach, and customer relationships make us a preferred partner for leading companies worldwide
• Broad portfolio of data storage products, consumer electronics and accessories
• Global market share leader in recordable optical media and data storage tape
• 2010 revenue $1.46 billion, >1,000 employees, serving more than 100 countries
MARKET SITUATION
MARKET SITUATION - SUMMARY [1]
DATA GROWTH
• The growth of digital information has rapidly surpassed expectations.
• By 2011 the digital universe will be 10 times the size of 2006.
INCREASED DATA MOBILITY
• The importance of data has increased its access and mobility requirements, making it more difficult to secure and protect.
INCREASED DATA BREACHES
• As data and its mobility grow, the number of data breaches and the amount of data exposure have also grown.
REGULATIONS INCREASING
• Increased data exposure has resulted in increased regulations and reporting requirements globally.
COST OF DATA BREACHES GROWS
• Increased reporting requirements and increased data breaches result in increased breach costs.
[1] Source: IDC – The Diverse and Exploding Universe – March 2008
[2] Source: Identity Theft Resource Center – 2010 Data Breach Stats, January 3, 2011
[3] Source: Ponemon Institute – Fourth Annual U.S. Cost of Data Breach Study, January 2009
• U.S. 2010: > 662 breaches [2]
– 412 (62%) exposed Social Security Numbers
– 170 (26%) exposed credit or debit cards
• U.S. 2010: $214 per record [3]
• $7.2 million: average organizational cost of a data breach over 4 years [3]
Data Breach cost by Industry (chart)
Legislation
• 46 States with Data Breach laws
– 33 new proposed laws in 2010
• HITECH Act of 2009 - mandatory new regulatory requirements
– Encryption needed but not “required” on all DAR (data at rest) devices
– Severe penalties for an unsecured data breach
– Public notification for an unsecured data breach of > 500 individuals
– Civil and federal penalties, but safe harbor for encrypted data
– Patient right to receive a copy of records electronically
– 15 million in Health Care, 60% touch Patient Healthcare Information
• FTC Red Flag Statutes
– All organizations subject to the legislation must develop and implement a formal, written and revisable "Identity Theft Prevention Program" (Program) to detect, prevent and mitigate identity theft.
– Applies to all financial institutions (a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer)
– Solutions include encryption and multi-factor authentication
• 12/29/2010: SEC approves amendments to FINRA Rule 8210 to require encryption of information provided via portable media device
– The Financial Industry Regulatory Authority is the largest independent regulator for all securities firms doing business in the United States
– The rule applies to all FINRA member firms (4,570 brokerage firms)
FIPS BASICS
FIPS 140-2 is the U.S. Federal Information Processing Standard that specifies security requirements for cryptographic modules
• FIPS is required by law for U.S. government purchases
• Strictly enforced in Canada
• Gaining international recognition in Asia and Europe
• Being adopted within regulated industries (e.g. Financial, Healthcare)
Description of the FIPS 140-2 Four Levels
FIPS 140-2 Level 1
The lowest level imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
FIPS 140-2 Level 2
Adds requirements for physical tamper-evidence and role-based authentication.
FIPS 140-2 Level 3
Adds requirements for physical tamper-resistance and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module and its other interfaces.
FIPS 140-2 Level 4
Makes the physical security requirements more stringent and requires robustness against environmental attacks. Level 4 is currently not being utilized in the market.
Currently, Level 3 is the industry standard.
Web sites track reported data breaches; daily counts:
• May 6th – 3
• May 5th – 2
• May 4th – 9
• May 3rd – 4
• May 2nd – 5
• May 1st – 0
Theft
• The Family Planning Council in Philadelphia reported a data breach involving a flash drive theft, placing information on 70,000 patients at risk, April 14, 2011
Disgruntled Employee
• How Adrian Jones' Superstar IT Career Went Sideways, April 28, 2011 (HP executive allegedly downloaded confidential trade secrets on a USB device that was not controlled)
Honest Mistake
• Search on for memory stick missing from public school board, April 13th, 2011 (All the information from the computer, including employee information such as direct deposit forms, resumes, and other scanned documents, was put on the unencrypted flash drive.)
Recent Headlines – www.HealthcareInfoSecurity.com
• 2/24/11 Mass General HIPAA Penalty: $1 Million
– Lost documents included information from the infectious disease dept., including AIDS patients
– Corrective Action Plan: “Develop and implement a comprehensive set of policies and procedures that ensure patient information is protected when removed from the hospital”
– Mass General to take extra steps to encrypt laptops and USB drives
• 2/23/11 HIPAA Privacy Fine: $4.3 Million to Cignet Health
– First civil monetary penalty to a healthcare organization
– Cignet failed to provide 41 patients with access to medical records
– Failed to cooperate with federal investigators
• 2/14/11 New York City Health & Hospitals Corp. breach affects 1.7 million
– Largest incident reported under the HITECH Act breach notification rule
– Information lost includes names, addresses, social security numbers, patient medical histories
– Hospital Corp. offering 1 year of free credit protection service to affected individuals (will cost them millions)
– Per the HITECH Act, if the data had been encrypted then public notification would not have been required
• "The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule," said HHS Secretary Kathleen Sebelius.
Secure Removable Storage Devices
USB Devices
• Over 2 billion devices sold each year (PC World, Jan 2009)
• According to security firm Vontu:
– Over 50% of 480 surveyed tech professionals had USB devices with unprotected confidential information
– 1 USB drive is lost at work each month
– Unlike laptops, storage devices are small and cheap; many employees do not report them missing as they would a laptop
• According to Ponemon:
– Employees were less than 50% likely to report a lost USB device or optical media
– Most employees would knowingly break corporate policies
• Sharing passwords, downloading confidential data, taking work home
SECURITY ELEMENTS
• Physical Security
• Encryption
• Authentication
• Malware Protection
• Management
• USB Port Control
Types of Security on USB Devices and Optical
• Encryption
– 128 bit vs 256 bit
– FIPS validated: 256 bit only
• Hardware encryption vs software encryption
– Software uses the host computer for authentication; with hardware encryption, authentication occurs in the device
– Software encryption typically slows down performance
– Software encryption (FIPS Level 1) will get you compliant; hardware encryption (FIPS Level 3) will give you top security
– Software encryption is typically Windows only
• Authentication
– Password
– Biometrics
– CAC/PIV card (upcoming)
• Optical
– Common method:
• Encrypt files with third-party software and burn onto optical media
– New method:
• Self-encrypting recordable CD/DVD/Blu-ray disc
128 bit vs 256 bit encryption
(Graphic: an 8-bit key, 1 1 1 1 0 1 0 1, beside a 16-bit key, 1 1 0 1 0 1 1 0 1 1 1 0 0 0 1 1)
Twice as long, twice as strong? Light years stronger: a 128-bit key alone already has 2^128 ≈ 340,282,366,920,938,000,000,000,000,000,000,000,000 possible values.
Authentication
• Authentication verifies a user’s identity
– It’s what “unlocks” the device by validating that you are who you say you are
• Various methods:
– Strong password - a password is sent to the device, and the device verifies it is correct
– Biometric - a finger is swiped across the sensor, and another chip verifies it
– RSA SecurID - digital identity
– PIV - Personal Identity Verification
– CAC - Common Access Card
– PKI - Public Key Infrastructure
• Hardware-encrypted devices
– Authentication is done in hardware
– The “boundary of trust” does not include the computer
Our Portfolio Overview
• Very Robust Device Management (Central Management)
– Automatically registers user to devices and implements policies
• Low System overhead and limited support staff required
– Manages Multiple Device Types and Brands
• Leverages existing investment
– Provides Forensic Level Auditing
– File level blocking by type and name
– Manages Devices off the network
– Remote Kill of Devices
• Broadest Secure Portable Storage Portfolio:
– Optical Products - CD/DVD
– USB Flash Drives
– External Hard Disk Drives
• Multiple Authentication Methods
– Password (hardware rules)
– Biometric + Password
• Global Government-Validated Encryption
PORTFOLIO SUMMARY
Tiers (from most to least capable):
• Managed Secure Storage & Strong Authentication with SmartCard
• Managed Secure Storage & Strong Authentication
• Managed Secure Storage
• Secure Storage
Products:
• Defender F50 – Features: FIPS 140-2 L1, pivot design; SOHO/SMB
• Defender F100 & F150 – Features: FIPS 140-2 L3, cap design
• Defender F200 +Bio – Features: FIPS 140-2 L3
• Defender H100 & H200 +Bio – Features: FIPS 140-2 L3
• Defender Optical – Features: FIPS 140-2 L1
TARGET MARKETS
• Enterprise
• Large Enterprise
• Government/Financial Services
Management Features
• Remote Kill/revocation
• Addition of encryption to non-encrypted devices
• Time-based policies vs event-based policies
• File Level Auditing
• USB Port Control – Allow, Block, Read only
• File level blocking
• User group policies
• Ability to manage third party devices
• Remote Policy Updates
• User self rescue
• Password complexity and interval
• Remote Password update
• Data Recovery
• Automatic registration of devices vs issuance
Why Wikileaks could have been prevented
• The user could have been blocked from access to removable storage devices
• File types/names/contents could have been blocked from the Central Management Software
– Block, alarm, monitor
• Auditing of activity would have shown which files were being downloaded, by whom, and from which computer
• Offline usage could have been disabled
• The device could have been remotely killed/disabled
• Auditing would have shown which files were saved to which computer from which device
Device Management Software
StealthZone (SPD)
Cards
• Port Control: Laptop, Netbook, and Desktop PC Ports
• Legacy Removable Media: UFD, EHDD, Mobile Devices, Media Players
• Defender FIPS L1: Defender Optical, F50 Pivot
• Defender FIPS L3: F100/F150, F200 +Bio, H100/H200 +Bio
Case Study: US Army Base
Overview: Army Support Activity supports and conducts Reserve Component Training and Mobilization/Demobilization operations. The ASA plans and executes other Army-directed support missions and, on order, establishes and operates a Joint Mobilization site.
Requirements:
• The ability to access sensitive mission and combat training data on secure, ruggedized and tamper-proof storage devices
• Integrated anti-malware defenses, remote kill and key management
• The solution must meet DoD DAR CTO requirements
Solution:
• Defender F150 FIPS 140-2 Level 3 drives
• Each device was loaded with McAfee A/V and the Imation Device Control Applet
• Central management is performed through Imation Control Server software
Result:
• All USB devices can be managed and used securely in compliance with the DoD CTO security requirements
• DAR-approved central management allows for remote kill, key management and detailed forensic auditing/reporting
How to be Compliant and Secure
• For non-criminal-intent data breaches (lost devices – honest mistake)
– Use AES 256-bit encrypted devices
• For stolen devices
– Use AES 256-bit encrypted devices with embedded security policies
– Extra insurance:
• 2-factor authentication
• Remote Kill
• FIPS Level 3 encryption
• For disgruntled employees
– Central Management of devices with stringent security policies
• USB Port Control
• File Level Auditing capability
• Blocking of files
• Remote Kill
• Proactive enforcement of policies
– Central Management of devices to ensure 100% compliance with company security policies to protect critical company data, e.g. financials, IP, employee or customer information. You also gain auditing and reporting capability
• Digital Rights Management
– Prevent printing, copying, emailing
– Timebomb files
• Smart Card Integration
– Common Access Card (CAC) or Personal Identity Verification (PIV)
– Strong two- and three-factor authentication
– No new password required; the card PIN is used
• Secure portable desktop
– Allows you to boot directly from your USB drive
– Turns any host computer into the user’s computer
– Boots directly into a Windows environment
– “Generic mode” allows use on unknown PCs
Securing Traditional Storage
Understand the Need
• More data is being backed up today than ever before
• More data is stored per individual cartridge
– Cartridge capacities have reached 1 terabyte native
• More cartridges are moving to and from more locations
– Additional data centers, vault sites
• More regulations on data protection and preservation exist today than ever before
– Non-compliance can be very expensive
Encryption of Tape
• AES* 256-bit encryption available with LTO4/5, Oracle T10000 and IBM 3592 (TS1130) drives
• Drive-level encryption enables compression before encryption
• LTO offers the possibility of a 3rd-party key management system
• <1% impact on drive performance
*Advanced Encryption Standard
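The compression-before-encryption point above, as an added example that is not from the deck or from Imation: it pushes a constructed backup payload through both orderings and measures what would land on tape. A random-keystream XOR (one-time pad) stands in for the drive's AES-256, since like AES it produces ciphertext indistinguishable from random bytes, which is exactly the property that defeats compression applied afterwards.

```python
"""Compress-then-encrypt vs encrypt-then-compress (added example).
A one-time-pad XOR with a fresh random keystream stands in for the drive's
AES-256: both give ciphertext that looks random, which is what defeats
compression."""
import os
import zlib

# Constructed sample payload: repetitive backup-style log lines, the kind
# of redundant data that tape-drive compression handles well.
SAMPLE_BACKUP = b"".join(
    b"2011-04-14 12:%02d:%02d host=db01 event=checkpoint status=ok\n" % (m, s)
    for m in range(60) for s in range(0, 60, 5)
)

def otp_xor(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, key))

def otp_encrypt(data: bytes) -> tuple[bytes, bytes]:
    """Encrypt under a fresh random keystream; returns (ciphertext, key)."""
    key = os.urandom(len(data))
    return otp_xor(data, key), key

def compress_then_encrypt(data: bytes) -> tuple[bytes, bytes]:
    """Drive-level order: squeeze the redundancy out, then encrypt."""
    return otp_encrypt(zlib.compress(data, 9))

def encrypt_then_compress(data: bytes) -> tuple[bytes, bytes]:
    """Host-encrypted order: the drive's compressor only sees random-looking
    bytes, so it can at best store them (zlib adds framing, never shrinks)."""
    ciphertext, key = otp_encrypt(data)
    return zlib.compress(ciphertext, 9), key

def tape_bytes(data: bytes) -> dict[str, int]:
    """Bytes that would land on tape under each ordering."""
    return {
        "plaintext": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data)[0]),
        "encrypt_then_compress": len(encrypt_then_compress(data)[0]),
    }

def roundtrip_ok(data: bytes) -> bool:
    """Check that the compress-then-encrypt path still restores the original."""
    ciphertext, key = compress_then_encrypt(data)
    return zlib.decompress(otp_xor(ciphertext, key)) == data

if __name__ == "__main__":
    for order, size in tape_bytes(SAMPLE_BACKUP).items():
        print(f"{order:>22}: {size:6d} bytes")
```

Running it shows the encrypt-then-compress path coming out slightly larger than the plaintext, while compress-then-encrypt shrinks the same payload several-fold; this is why encrypting on the host before the drive throws away the drive's compression.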
LTO RFID CM Chip
• The LTO CM (cartridge memory) holds diagnostic information
– e.g. error rates, data sets written, drive utilization, number of mounts
• Analyzed to determine drive/media performance trends for failure prediction
• LTO CM info is captured within seconds
• A scan of the CM does not compromise the security of the data
Locking Features
Users can choose to “Lock” their cartridges for added transport or storage security.
When locked, the cartridge cannot be read from, or written to, by any LTO drive.
RFID Asset Tracking
What Customers Say
• “I need to know…”
– I am compliant with regulations
– Where my tapes are
• Within my library
• In other data centers
• At my vaulter
– I am being as efficient as possible in my operations
– If I need a tape, I will be able to find it quickly
– If an auditor asks about a tape, I will be able to demonstrate chain of custody
IT Asset Lifecycle Management
Customer Case Study
Situation:
• Thousands of IT hard drives and tapes containing highly sensitive customer and corporate information
• No ability to control or monitor removal of laptops from facilities
• Inability to ensure end-of-life drives were properly destroyed created 5 high-profile breaches in 2 years and consumer outrage
Solution:
• Developed special-use passive RFID tags to place on all hard drives and laptops
• Deployed an Asset Management solution to track the lifecycle of the corporate assets
• Installed special-use readers at various entry/exit choke points
• Automated feedback from the crushing of end-of-life assets
• Established a corporate risk mitigation strategy to protect corporate and consumer
Result:
• Greatly curtailed asset loss and ensured end-of-life assets were destroyed
• Improved employee awareness and automated the tracking of laptops leaving a facility
• Lowered corporate risk profile
Customer Case Study: Exiting the Secure Facility
• Employee approaches the exit, where the employee badge and laptop tag are identified.
• The employee-to-laptop association is verified by the application and an image is quickly loaded on the Exit Security Monitor for visual confirmation.
• Security may enlarge the view and may elect to review the association details.
• Employee badge and laptop tag match: picture shown for additional visual security.
• Mismatch: an audible sound and visual cue are given to security, indicating the employee badge is not assigned to this laptop.
Secure Destruction of Media
• Companies will buy back tape media
• They claim they recertify media and rewrite over all of the data
• In truth, most write over only the header or table of contents, and the rest of the data is still live
• The South Shore Hospital data breach was caused by a company taking media to be recertified, and a tape was lost
– 800,000 patients at risk
– The third party was not responsible for the data; South Shore was