Local Data Protection (LDP) A Case Study Laptop Data Encryption Eric V. Leighninger Chief Security Architect Allstate Insurance Company June 20, 2008 ©2008 Allstate Insurance Company


Page 1: Local Data Protection (LDP) A Case Study Laptop Data Encryption Eric V. Leighninger Chief Security Architect Allstate Insurance Company June 20, 2008 ©2008

Local Data Protection (LDP)

A Case Study: Laptop Data Encryption

Eric V. Leighninger, Chief Security Architect

Allstate Insurance Company, June 20, 2008

©2008 Allstate Insurance Company

Page 2:

Agenda

• Allstate and Information Security – A Snapshot View

• Laptop Encryption – Goals, Expectations, Priorities

• Technology Acquisition – Vendor Selection Process

• Vendor Solution Deployment

• Lessons Learned

Page 3:

Allstate At A Glance

• The Allstate Corporation is the nation’s largest publicly held personal lines insurer.

• A Fortune 100 company with $156.4 billion in assets.

• Allstate sells 13 major lines of insurance, including auto, property, life and commercial. Allstate also offers retirement and investment products and banking services.

• Allstate is widely known through the “You’re In Good Hands With Allstate®” slogan.

• The Allstate Corporation encompasses more than 70,000 professionals with technology operations located around the globe.

• More than 17 million customers in the U.S. and Canada.

• Allstate’s strategic vision is to reinvent protection and retirement for the consumer.

Page 4:

Allstate’s Vision for Information Security

• Aligned with Corporate and Technology Strategy

• Security Solutions Prioritized Based Upon Risk

• Operational Excellence – Security as a Service Comprising People, Processes, and Technology

Page 5:

Local Data Protection Goals

• Reduce Risk of Exposure

• Minimize Recovery and Support Costs

• Ensure Compliance

• Enable Productivity and Ease of Use

• Leverage Investment in Existing IT Infrastructure

Page 6:

Local Data Protection Priorities

• Policy Holder and Applicant Data

• Employee Data

• PHI

• Credit Card Numbers

• Confidential Data

• Financial Information – Pre Earnings Release

• Communications to Competitors, Partners and Suppliers

• Source Code

• Competitive Sensitive Information

Page 7:

Local Data Protection Approaches

• File Encryption
  • Laptops
  • Desktops

• Full Disk Encryption
  • Laptops
  • Desktops

• Encryption of Removable Media
  • USB-enabled Devices – Flash Drives, iPods, Bluetooth Devices, Thumb Drives, Hard Disks
  • CD/DVD Writers

• Password and PIN Controls
  • Blackberry
  • Other PDA Devices

• Standards and Guidelines for Data Classification, Usage and Protection, Access Control and Encryption

Page 8:

Laptop Full Disk Encryption Evaluation

• Step 1: Using the local data protection goals and solution selection criteria
  • Performed paper analysis of top disk encryption vendors
  • Interviewed vendors regarding respective product functionality

• Step 2: Performed hands-on product evaluation, per our technology evaluation process at Allstate, for the candidate vendor ranked highest in Step 1

• Step 3: Based on the in-house product and process evaluation results, Allstate acquired the vendor’s encryption product

Page 9:

Laptop Encryption Product Criteria

• FIPS 140-2 Approved Encryption

• Full Disk Encryption

• Strong Key Management

• Storage of Encrypted Keys Separate from Encrypted Data

• Controlled Views to Keying Material – MAC and Separation of Duties

• Key Recovery – Onsite, Off-site and DR

• Centralized Management

• Interoperable With Enterprise Software

• Removable Media Encryption Support

• Low Performance Degradation

• Fast, Robust and Reliable Initial Encryption

• SMS Package Support

• Throttled Background Encryption Processing Capability

• Fault Tolerance – Power Outages or User Shutdown Does Not Affect Encryption Process

• Support for Suspend and Hibernation States

• Mouse Support
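The key-management criteria above (strong key management, encrypted keys stored separately from the encrypted data, key recovery for onsite, off-site and DR use, and controlled access to keying material) are easier to reason about with a concrete model. The following Python is an added example for this transcript, not Allstate's or the selected vendor's code. It models a disk encryption key (DEK) that is never stored in the clear: one copy is wrapped under a key derived from the user's passphrase, a second copy under a recovery key held only by central management, and both wrapped copies live in a key header kept apart from the data region. The names (`provision_disk`, `KeyHeader`, `user_unlock`, `recovery_unlock`) and the HMAC-SHA256 wrap construction are assumptions chosen so the example runs on the standard library alone; a product would use a FIPS 140-2 validated module with AES key wrapping or an AEAD.

```python
"""Illustrative FDE key-management model (added example, not vendor code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

KEY_LEN = 32            # 256-bit disk encryption key (DEK)
NONCE_LEN = 16
PBKDF2_ROUNDS = 100_000  # assumption: a product tunes this to the hardware


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Derive a key-encryption key (KEK) from the user's pre-boot passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ROUNDS, KEY_LEN)


def _keystream(kek: bytes, nonce: bytes) -> bytes:
    # One HMAC-SHA256 output (32 bytes) covers a 32-byte DEK exactly.
    return hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()


def wrap_key(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the DEK under a KEK: nonce || ciphertext || tag.
    Assumed construction standing in for AES Key Wrap / an AEAD."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce)))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before releasing the DEK; a wrong KEK fails closed."""
    nonce = blob[:NONCE_LEN]
    ct = blob[NONCE_LEN:NONCE_LEN + KEY_LEN]
    tag = blob[NONCE_LEN + KEY_LEN:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted key header")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce)))


@dataclass
class KeyHeader:
    """Key material region stored apart from the encrypted data blocks.
    Only wrapped copies of the DEK appear here; no KEK is ever stored."""
    salt: bytes
    user_slot: bytes      # DEK wrapped under the passphrase-derived KEK
    recovery_slot: bytes  # DEK wrapped under the central recovery KEK


def provision_disk(passphrase: str, recovery_kek: bytes):
    """Initial encryption: generate a fresh DEK and escrow it in two slots."""
    dek = os.urandom(KEY_LEN)
    salt = os.urandom(NONCE_LEN)
    header = KeyHeader(
        salt=salt,
        user_slot=wrap_key(derive_kek(passphrase, salt), dek),
        recovery_slot=wrap_key(recovery_kek, dek),
    )
    return dek, header


def user_unlock(header: KeyHeader, passphrase: str) -> bytes:
    """Normal pre-boot path: the user's passphrase unwraps the DEK."""
    return unwrap_key(derive_kek(passphrase, header.salt), header.user_slot)


def recovery_unlock(header: KeyHeader, recovery_kek: bytes) -> bytes:
    """Help-desk / DR path: central management unwraps the DEK without the
    passphrase; the recovery KEK never resides on the laptop."""
    return unwrap_key(recovery_kek, header.recovery_slot)


def demo() -> bool:
    """Provision a disk, unlock by both paths, and confirm a wrong
    passphrase is rejected. Returns True when all three checks hold."""
    recovery_kek = os.urandom(KEY_LEN)   # constructed; lives on the server
    dek, header = provision_disk("correct horse battery staple", recovery_kek)
    ok = user_unlock(header, "correct horse battery staple") == dek
    ok = ok and recovery_unlock(header, recovery_kek) == dek
    try:
        user_unlock(header, "wrong passphrase")
        return False
    except ValueError:
        return ok


if __name__ == "__main__":
    print("key model checks passed:", demo())
```

The separation-of-duties point on the slide falls out of the structure: a laptop thief holds only the header and the data, neither of which yields the DEK without a KEK, while the help desk holds the recovery KEK but not the user's passphrase, so every recovery is a deliberate, auditable act by the management side rather than something the disk can do on its own.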

Page 10:

Laptop Full Disk Encryption Benefits

• The selected encryption product provides Allstate the following advantages:
  • Strong security model
  • Efficient key management
  • Ability to leverage our current SMS infrastructure for deployment and management
  • Compatibility with Allstate’s current Image and Break-Fix processes
  • Does not require alteration or replacement of key Windows components: the Windows Master Boot Record and the Windows GINA

• High confidence due to the type and number of the vendor’s installed base of users

• Attractive product TCO

Page 11:

Full Disk Encryption Security Model

[Figure: diagram comparing disk layouts. The stack Master Boot Record (MBR), Boot Sector (BS), Operating System, System Files, Data appears three times. Labels on the figure: File-level Encryption, Full Disk Encryption, Unprotected Files, and an Authentication label placed at the Boot Sector of the Full Disk Encryption layout.]

Page 12:

Laptop Full Disk Encryption Deployment

• A pilot was completed successfully for over 60 users from our information security, internal audit, claims, enterprise technology and infrastructure, and officer groups

• Final pre-deployment enterprise testing was conducted to test product enhancements and updates

• Production rollout is being accomplished in a 3 phase fashion
  • Phase 1 is complete
  • Phase 2 is scheduled this year
  • Phase 3 is pending

Page 13:

Laptop Full Disk Encryption Deployment

• Phase 1: Full disk encryption was deployed to approximately 10,000 laptops in areas within the company identified as handling sensitive data, e.g.,
  • Senior Management
  • Legal
  • Claims
  • Investments

• Phase 2: Full disk encryption will be deployed this year to all Allstate owned and managed laptops running the latest base image, approximately 18,500 laptops

• Phase 3: Laptops running an earlier base image and desktops, an approximate total of 70,000 machines, will be addressed at a future time

Page 14:

Laptop Full Disk Encryption Timeline

[Figure: project timeline chart. Two elapsed-time spans are marked: 4 months and 5 months.]

Milestone labels on the chart:

• Start
• Phase 1 laptop rollout complete
• Enterprise base application testing begins
• Updated package integration testing begins
• Application performance testing begins
• Enterprise rollout by business units continues
• Full-pilot for business unit begins
• Production rollout for business unit begins
• Mini-pilot for business unit begins

Testing and Integration:

• Test the latest update with the Build process
• Test the latest update with the Break-Fix process
• Test the latest update with the delta process
• Retest the selected product with the base OS
• Retest the selected product with core applications
• Determine deployment methodology

Product Rollout:

• Execute rollout communications plan
• Rollout product
• Support rollout
• Monitor rollout
• Review rollout results

Rollout Planning:

• Identify target business units
• Identify target laptops
• Coordinate testing with business units
• Business unit integration testing
• Determine rollout schedule
• Create processes for rollout support
• Create rollout communications plan

Page 15:

Lessons Allstate Learned

• Encryption can be a timely and beneficial technology

• Laptop encryption has provided increased data protection and has helped us reduce the risk associated with laptop loss or compromise

• Three suggestions to consider
  • Establish clear data protection goals, criteria and policies for encryption and key management
  • Establish a communications plan for systematic and smooth deployment of encryption software
  • Do your homework on vendor capabilities versus organizational needs

• Most significant lesson:
  • Ours was a rapid pilot to production deployment for pragmatic and regulatory reasons. We found such a deployment is possible, albeit not without some bumps in the road, when requirements are well defined, there is clear alignment of technology strategy and management objectives, and cooperation and flexibility across organizational boundaries

Page 16:

Thank You!

Questions?