FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009.
CREDANT Confidential
NLIT 2009
CREDANT Company Overview
• 2007 Data Security Leadership Quadrant
• 2007 & 2008: #1 Fastest Growing Private (Security) Company
• Test result: 8.6 Very Good
• Founded September 17, 2001, to enable customers to manage the security of data on any device: PDA, PC, Mac, USB
• Product line: CREDANT Mobile Guardian (CMG), a data-centric, policy-based, centrally managed data protection solution that "Protects What Matters": your critical information
• US-based company; code developed in Addison, TX. Cisco Systems & Intel Capital are key investors
• Accomplishments: more than 775 customers, 7 million endpoints; solution recognized by leading industry experts; INC 500 Fastest Growing Security Company 2007 & 2008
Agenda
• The Business Problem
• Centralized vs. Decentralized Management
• Compliance with Federal Desktop Core Configuration (FDCC)
• Supporting Imaging Across Platforms
• Managing Shared PCs
• Authentication Support
• Roadmap
Encryption Solution Issues
The Business Problem
Who: Employee, Contractor, Partner
What: Research Data, Intellectual Property, Purchasing Information, Social Security Numbers, SBU or Classified Government Information, Test Data
Where: Airport, Internet Cafe, Home, Office, Site, Transit
Critical enterprise data resides on numerous endpoint devices, and the storage capacity and criticality of that information continues to increase
The Business Justification – Encryption Cost
• Assume 1000 employees/contractors
• Assume 250 use laptops that need protection
The ratio of machines that need protection to those that don't will vary, but the business justification is the same
• Cost after discounts = $75/laptop
• Internal labor/training costs to implement = $50/laptop
• Total = $125/laptop x 250 laptops = $31,250
• Just to be safe, double that to $62,500 to implement a Data-at-Rest (DAR) encryption solution
The Business Justification – Breach Cost
• Assume 10,000 personnel records lost (a 200GB HD can hold 2,000,000 100KB records)
• Cost to change each bank/credit card account: $15/record = $150,000
• Cost per individual for a year of credit monitoring service: $60/individual = $600,000
• TOTAL = $750,000
• Does not include any legal fees, or the cost of security implemented after the fact
• DoE data breaches carry risk that cannot be monetized
Management Choices
• Detect: automatically detect users added to the Enterprise directory and create encryption keys and policies. Detect media devices automatically.
• Encrypt & Enforce: encrypt and enforce encryption policies. Manage keys for hardware-based encryption. Control data usage outside the enterprise.
• Manage & Audit: show device state at time of loss. Adapt to changing regulations. Securely automate key escrow.
• Operate & Support: reduce administrative costs. Centralize key escrow and access control (forensics).
Outcomes: Reduce Risk; Ensure Operational Efficiency; Gain Workforce Productivity
A centrally managed solution integrates with the Enterprise directory, providing enforcement of encryption policies and reducing management effort and cost.
Centralized Management
FDCC Compliance
• Users cannot have administrative rights on the PC
  • Impacts removable media support most
• Users cannot mount volumes
• Users cannot install software
• Users' file system rights should be restricted
  • Incompatible with some encryption solutions
  • Pagefile must still be encrypted
• Solution must be able to run outside of user privileges
• Ports and protocols are managed/restricted
  • Encryption solutions must have flexible network settings
• Automated patching and scanning systems are deployed
  • Encryption solution must not prevent malware detection and remediation
• IDS solutions are likely in use
  • Must be compatible with the deployed IDS(s)
Imaging is Now the Standard Way to Deploy
This can be problematic if the DAR solution encrypts or generates keys for the image at install time
• All devices may end up with the same key
  • Changing the key requires decryption/re-encryption
• Encrypted images cannot be changed
  • The encrypted volume is not editable
• Can add considerable time to the imaging process
  • Requires unnecessary encryption of an empty drive
• Some solutions do not support standard imaging processes
  • Especially true if images are deployed to hard drives with different geometries
Shared PCs
Multiple Users per Device Create Management and Security Issues
• Will users share boot passwords?
  • If not, then pre-boot accounts must be managed for each user
• Does data access need to be controlled across users?
  • Does User A need to be prevented from seeing User B's data?
  • All users of the device may end up with the same key
  • Pooled devices may need to be wiped/re-imaged between users
• Is audit required to track system access?
  • Can you show who used which PC and when?
Authentication Support
• Many organizations have multiple authentication types
  • UID/Password
  • Tokens
  • Smartcards (HSPD-12, PIV)
  • Mixed-mode authentication
• Are these supported by the DAR solution?
  • What does it take to get a new authentication type supported?
  • Do code updates require decryption/re-encryption?
  • What tools need to be used to upgrade?
• Can users switch between authentication types?
  • e.g., UID/Password or CryptoCard, and still access data on the PC
  • Temporary access while a token/smartcard is being re-issued
• Does data access need to be controlled across users?
  • Does User A need to be prevented from seeing User B's data?
  • Can this be tied to the encryption solution?
• All users of the device may end up with the same key
  • Pooled devices may need to be wiped/re-imaged between users
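The imaging, shared-PC and authentication slides above all come back to the same design question: where the volume key is generated, and how many independently unlockable wraps of it exist. The Python sketch below is an added example, not CREDANT's code or anything from the deck. It shows the install-time-key imaging problem (every clone inherits the DEK), first-boot key generation with central escrow, one wrap of the DEK per credential so that a re-issued smartcard means a re-wrap rather than a disk re-encryption, and per-user data keys on a shared PC. Device, EscrowServer, toy_wrap and every sample secret are constructed for this example; the wrap is an HMAC-SHA256 stand-in for AES key wrap (RFC 3394) or AES-GCM.

```python
# Added example (not CREDANT's code): per-device volume keys, per-credential key
# wrapping and central escrow.  toy_wrap/toy_unwrap are a constructed stand-in
# (HMAC-SHA256 keystream + tag); real code uses AES key wrap (RFC 3394) or AES-GCM.
import hashlib
import hmac
import secrets

def toy_wrap(kek: bytes, key: bytes) -> bytes:
    """Wrap a 32-byte key under a KEK: XOR with an HMAC keystream, then authenticate."""
    assert len(key) == 32, "toy wrap handles exactly one HMAC-SHA256 block"
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"stream" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def toy_unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag (wrong credential or tampering) before releasing the key."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong key or tampered blob")
    stream = hmac.new(kek, b"stream" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def password_kek(password: str, salt: bytes) -> bytes:
    # KEK for UID/password logons; iteration count kept low for the demo
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, 32)

class Device:
    # self.dek is held in the clear only so the demo can compare keys
    def __init__(self, device_id: str, dek: bytes):
        self.device_id = device_id
        self.dek = dek          # volume key, shared by every user of the PC
        self.wraps = {}         # credential label -> DEK wrapped under that credential
        self.user_keys = {}     # user -> per-user data key wrapped under that user's KEK
    def add_credential(self, label: str, kek: bytes) -> bytes:
        self.wraps[label] = toy_wrap(kek, self.dek)   # re-wrap only; no disk re-encryption
        return self.wraps[label]
    def unlock(self, label: str, kek: bytes) -> bytes:
        return toy_unwrap(kek, self.wraps[label])
    def add_user(self, user: str, kek: bytes) -> bytes:
        key = secrets.token_bytes(32)   # keeps one user's files out of another's reach
        self.user_keys[user] = toy_wrap(kek, key)
        return key
    def user_key(self, user: str, kek: bytes) -> bytes:
        return toy_unwrap(kek, self.user_keys[user])

class EscrowServer:
    def __init__(self):
        self.master = secrets.token_bytes(32)   # would live in an HSM in a real deployment
        self.records = {}                       # device_id -> DEK wrapped under that device's escrow KEK
    def kek_for(self, device_id: str) -> bytes:
        return hmac.new(self.master, b"escrow:" + device_id.encode(), hashlib.sha256).digest()
    def recover(self, device_id: str) -> bytes:   # forensics or lost credentials
        return toy_unwrap(self.kek_for(device_id), self.records[device_id])

def image_time_clone(golden_dek: bytes, device_id: str) -> Device:
    """DEK generated at install time and baked into the image: every clone inherits it."""
    return Device(device_id, golden_dek)

def first_boot_provision(device_id: str, escrow: EscrowServer) -> Device:
    """Image carries no key; the DEK is generated on first boot and escrowed."""
    dev = Device(device_id, secrets.token_bytes(32))
    escrow.records[device_id] = dev.add_credential("escrow", escrow.kek_for(device_id))
    return dev

def rejected(action) -> bool:
    try:
        action()
    except ValueError:
        return True
    return False

def demo() -> dict:
    escrow, golden = EscrowServer(), secrets.token_bytes(32)
    clones = [image_time_clone(golden, f"clone-{i}") for i in range(3)]
    fleet = [first_boot_provision(f"pc-{i}", escrow) for i in range(3)]
    pc = fleet[0]                                   # a shared PC with two users
    alice_kek = password_kek("correct horse battery", secrets.token_bytes(16))  # constructed
    pc.add_credential("alice:password", alice_kek)
    old_card = secrets.token_bytes(32)              # secret on Bob's PIV card (constructed)
    pc.add_credential("bob:smartcard", old_card)
    new_card = secrets.token_bytes(32)              # card re-issued: new wrap replaces the old one
    pc.add_credential("bob:smartcard", new_card)
    alice_key = pc.add_user("alice", alice_kek)
    pc.add_user("bob", new_card)
    return {
        "clones_share_key": len({d.dek for d in clones}) == 1,
        "first_boot_keys_unique": len({d.dek for d in fleet}) == 3,
        "new_card_unlocks_volume": pc.unlock("bob:smartcard", new_card) == pc.dek,
        "old_card_rejected": rejected(lambda: pc.unlock("bob:smartcard", old_card)),
        "alice_reads_own_data_key": pc.user_key("alice", alice_kek) == alice_key,
        "bob_cannot_read_alice_key": rejected(lambda: pc.user_key("alice", new_card)),
        "escrow_recovers_volume_key": escrow.recover("pc-0") == pc.dek,
    }
```

Calling demo() returns a dictionary of checks that should all be True: clones imaged with an install-time key share one DEK, first-boot provisioning gives each PC its own, a re-issued card only replaces a wrap, the old card no longer unlocks, one user's credential cannot open another user's data key, and the escrow server can still recover the volume key for forensics. The design choice worth noting is that the volume DEK is never changed by a credential event; only the wraps around it are, which is what keeps "changing the key requires decryption/re-encryption" from becoming a routine cost.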
Roadmap
In the past there were two options in data protection…
Full Disk Encryption
• No User Data Privacy
• Patch management issues
• System compatibility problems
• Operational & performance issues
• Dead-end Technology
File/Folder Encryption
• User Chooses Files to encrypt
Now there's a Better Way: Full Data Encryption technology to solve current and future problems
Intelligent Encryption benefits:
• User Cannot Choose – All Data Protected
• User Encrypted Data Privacy
• Single Console for all Management
• Broad: ALL mobile platforms
• PC, USB Media, Handhelds
• Avoid compatibility & operational impacts
• Single agent can grow with future needs
Management Across Platforms
• Full Compliance Reporting
• Low Operational Impact
• Transparent to End-users
• All Solutions Managed within One Console
Contact Information: Eric Hay, Director, Federal Field Engineering, Ofc: 703.532.2720
Comments/Questions/Discussion
Reduce the Risk of Data Compromise!