2007 Estimated Cost/Lost Record
Forrester Research: $90-$305 [1]
Ponemon Institute: $197 [2]
Direct Costs
– Notification Costs - organizations can incur costs associated with legal fees, mail notification letters, calls to individual customers, increased call center costs and discounted product offers
– Lost Productivity Costs - organizations can incur costs when employees and contractors are diverted from their normal duties in order to address data breach controls
Fines
– Certain federal privacy statutes include fines for violations that can amount to tens of thousands of dollars [3]
– In 2006, Visa and MasterCard announced levying of fines from $10K-100K against transaction processors that fail to keep transactions secure [4,5]
– In 2006, the FTC issued $15 million in fines when an Atlanta-based consumer data broker lost more than 163,000 personal records to insurance and credit companies in February 2005 [6]
Lost Shareholder Value and Goodwill
– Stock prices can take temporary or long-term drops – e.g., an Atlanta-based data broker had lost about 20% of its stock value 2 years after losing 163,000 personal records [7]
Footnoted references are recorded at the end of this presentation.
Any organization can be at risk if, for instance, it loses employee records
Retailers & Merchants
• In October 2007, a national home supply retailer announced that a laptop with the personal data of about 10,000 employees was stolen from the car of a regional manager
• In January 2007, a major national clothing retailer revealed that hackers took the credit and debit card information of customers through an unauthorized intrusion into their computer systems
• In June 2005, a regional membership warehouse retail chain on the east coast settled FTC charges stemming from lax security practices which included a failure to encrypt consumer information when it was transmitted or stored on store computers
Healthcare & Insurance
• In March 2007, one of the nation’s largest health insurers notified 75,000 members that a compact disk holding medical and personal information had disappeared
• In August 2006, a corporate operator of hospitals and health systems reported 10 laptops with thousands of patient files had been stolen from a regional office
Government Agencies
• In November 2007, a federal agency investigated the theft of personal computers containing the names of 12,000 veterans; in 2006, a system containing the personal details of 26.5 million veterans was stolen from the same agency
• In October 2007, a federal agency mandated that contractors must encrypt any and all data on personal computers following the loss and possible theft of two laptop computers
Educational Institutions
• In April 2006, a major state university announced that an unknown person or persons had gained unauthorized access to a large number of electronic records that included social security numbers and other biographical data
Banking & Brokerage
• In October 2007, a Kansas branch of a regional bank in the Midwest announced that a limited number of customers had personal data compromised in an attempted hacking of a computer system
Credit & Payment Agencies
• In February 2006, the FTC announced that it had settled with a third-party credit card processor for failure to provide reasonable and appropriate security for sensitive consumer information
Accounting
• In November 2007, an Ohio-based accounting firm lost personal information on clients when a laptop was stolen from an automobile
Strong data encryption can protect private information from unauthorized access
Data encryption can help address federal and state privacy requirements*
– At least 39 states have enacted legislation requiring the notification of security breaches involving personal information**
– Many federal laws that have been enacted also seek to ensure protection of private information
Encryption can be hardware-based or software-based
– Hardware-based: Seagate® Momentus® Full-Disk Encryption (FDE) drives
– Software-based: Software encryption solutions exist from a variety of third-party independent software vendors
*Rigorous standards apply and can vary by state - check with a local legal expert for a complete set of requirements for your state
**According to the National Conference of State Legislatures, December 12, 2007
Comparison: Dell FDE Hardware Solution (FDE + Wave) vs. Software Encryption

Items encrypted
Hardware (FDE + Wave):
• Everything (boot files, all folders, etc.)
• Encryption keys stored within the drive (closed environment = tougher encryption)
Software encryption:
• Some SW solutions omit boot files and possibly temp files

Performance
Hardware (FDE + Wave):
• Encrypts as fast as the drive can write
• Doesn’t utilize system CPU/memory
Software encryption:
• Uses system CPU power (estimated 3-4% performance degradation)

Manageability
Hardware (FDE + Wave):
• Simple installation & deployment
• Centralized management with purchase of Wave ERAS software
Software encryption:
• May experience issues with HDD errors and maintenance routines (i.e. defrag, bad sectors)
• Risk that remote mgmt SW may not work well with some SW encryption solutions

HDD Disposal
Hardware (FDE + Wave):
• Quick and secure “Erase” for HDD disposal or repurpose
Software encryption:
• Not available with most SW; would have to utilize current HDD destroy methods (time consuming)

OS Support
Hardware (FDE + Wave):
• Microsoft® Windows® XP support thru Dell
• Windows Vista® supported by Wave Systems Corporation
Software encryption:
• Many solutions support Windows 2000, XP, and Vista®; some support Linux®

Compliance Certifications
Hardware (FDE + Wave):
• FDE drive is NOT currently FIPS 140-2 compliant (primarily a Fed certification)
Software encryption:
• Many solutions have been NIST Certified FIPS 140-2 Compliant

Encryption Options
Hardware (FDE + Wave):
• Fully encrypts data stored on the hard drive
Software encryption:
• Full disk encryption on the hard drive
• Optional encryption for removable media (i.e. USB keys, external HDDs, etc.)

Deployment
Hardware (FDE + Wave):
• Full deployment requires full scale replacement of existing HDDs
Software encryption:
• HW agnostic; allows full deployment across existing PC infrastructure. Does NOT require full scale replacement of HDDs
Dell recommends hardware encryption for new system purchases.
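To make concrete what “encryption keys stored within the drive” and the quick “Erase” in the comparison above mean in practice, here is an added simulation of a self-encrypting drive’s key handling. It is not Dell, Seagate or Wave code; it assumes that Erase works by discarding the media encryption key (the usual crypto-erase design for self-encrypting drives) and stands in a toy SHA-256 keystream for the drive’s AES engine; the class and method names are invented.

```python
import hashlib
import hmac
import os

def _toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the drive's AES engine (XOR with a SHA-256 keystream); not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block_key = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block_key))
    return bytes(out)

class SimulatedFdeDrive:
    """Assumed model: the media encryption key (MEK) stays on the drive, wrapped under the user's password."""
    def __init__(self, password: str):
        self.platter = {}      # sector -> ciphertext: all a thief can read from the platters
        self._unlocked = None  # MEK held in drive RAM only while authenticated
        self.erase(password)   # factory state: generate the first MEK

    def unlock(self, password: str) -> bool:
        """BIOS-time authentication: unwrap the MEK, or refuse without revealing anything."""
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), b"salt", 10_000)
        mek = _toy_cipher(kek, b"wrap", self._wrapped)
        if not hmac.compare_digest(hmac.new(kek, mek, "sha256").digest(), self._tag):
            return False
        self._unlocked = mek
        return True

    def lock(self):
        """Power-off or logout: the MEK leaves drive RAM; sectors are ciphertext only."""
        self._unlocked = None

    def write(self, sector: int, data: bytes):
        if self._unlocked is None:
            raise PermissionError("drive is locked")
        self.platter[sector] = _toy_cipher(self._unlocked, sector.to_bytes(8, "big"), data)

    def read(self, sector: int) -> bytes:
        if self._unlocked is None:
            raise PermissionError("drive is locked")
        return _toy_cipher(self._unlocked, sector.to_bytes(8, "big"), self.platter[sector])

    def erase(self, new_password: str):
        """'Erase' for disposal/repurpose: replace the MEK instead of overwriting every sector."""
        self.lock()
        kek = hashlib.pbkdf2_hmac("sha256", new_password.encode(), b"salt", 10_000)
        mek = os.urandom(32)   # generated inside the drive, never exported to the host
        self._wrapped = _toy_cipher(kek, b"wrap", mek)
        self._tag = hmac.new(kek, mek, "sha256").digest()  # lets unlock detect a wrong password
```

After unlock() a written sector reads back as plaintext, while lock() makes the same read() raise PermissionError and the platter holds only ciphertext; after erase() the old sector contents decrypt to garbage under the new key, which is why disposal takes seconds rather than a full overwrite.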
Solution Components
1. Select Dell™ Latitude™ D-series notebooks*, with
• Seagate Momentus 5400 FDE.2 hard drive
• Dell Embassy Security Center with Wave Trusted Drive Manager
2. Wave Embassy Remote Administration Server software (running on your Dell server)
3. Implementation of Dell’s Security Best Practices: http://www.dell.com/security/bestpractices/
Diagram labels: Seagate® DriveTrust™ Technology; Embassy® Trusted Drive Manager; Embassy® Remote Administration Server; Implementation of Dell’s Security Best Practices
* Seagate Momentus hard drives and Dell Embassy Security Center are also available on select Precision mobile workstations
Dell Embassy Security Center
Factory-installed software
Single-user Solution
This offering allows individual users to configure and control their personal access to encrypted data on their hard drive. The offering provides the following features:
• Authenticate user in BIOS
• Simple Sign On capability
• Single-user password management
• Manual backup and restore for keys
Key Components
• Seagate Momentus FDE hard drive
• Factory-installed Dell Security Center with Trusted Drive Manager
Diagram labels: Single-user Solution; Embassy Remote Administration Server (ERAS)
Managed Enterprise Solution
Using the ERAS software, IT departments can remotely manage clients with FDE hard drives, providing documentation on the state of a drive when a system has been lost or stolen. With ERAS server software, you can…
• Enable remote deployment & management of FDE hard drives
• Take ownership of TPMs
• Enable identity & authorization provisioning from Active Directory
* Note: Additional Wave security solutions detailed in backup slides
Diagram labels: Program Scope; Key Features; “Client” system with Dell Embassy Security Center connected by cross-over network cable to “Server” system with Embassy Remote Administration Server; Reviewer’s Guide
Client Full-Disk Encryption Evaluation Program
14-day technology evaluation program
Two systems:
“Client” system with Dell Embassy Security Center
“Server” system with Embassy Remote Administration Server
Step-by-step Reviewer’s Guide, showing how…
- To initialize and enable drives
- To add/remove users
- To remotely manage credentials
- The FDE drive is protected from a hacker
- To decommission or recommission a drive using “Erase” function
References
1. “Calculating the Cost of a Security Breach,” Khalid Kark, Forrester Research, April 10, 2007.
2. “2007 Annual Study: U.S. Cost of a Data Breach,” The Ponemon Institute.
3. Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, 104th U.S. Congress, August 21, 1996.
4. “Visa and MasterCard take new steps to stop credit card fraud,” Jeremy Simon, Creditcards.com article, November 27, 2006 (http://www.creditcards.com/visa-andmastercard-take-new-steps-to-stop-credit-card-fraud.php).
5. “Visa USA Pledges $20 Million in Incentives to Protect Cardholder Data,” Visa Corporate Press Release, December 12, 2006 (http://corporate.visa.com/md/nr/press667.jsp).
6. “ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress,” Federal Trade Commission Press Release, January 26, 2006.
7. “The Hidden Cost of IT Security,” Cindy Waxer, Network Security Journal, April 16, 2006 (http://www.networksecurityjournal.com/features/hidden-cost-of-IT-security-041607/).