
Using End User Device Encryption to Protect Sensitive Information

April 29, 2015

Mel Jackob, CISSP, GSEC, ePlace Solutions, Inc.

William Ewy, CIPP/US, ePlace Solutions, Inc.

William Ewy, BSEE, CIPP/US (Host)

• Privacy and Data Security Practice Manager, ePlace Solutions, Inc.

• International Privacy Manager at Agilent Technologies

• Various positions in Marketing and Quality with Hewlett-Packard in California, Hong Kong, and Beijing

Mel Jackob, CISSP, GSEC, CISA, MCT, ePlace Solutions, Inc.

• Senior Cyber Security Consultant, ePlace Solutions, Inc.

• Director of IT/Cyber Security at L-3 Communications

• Senior Cyber Security Consultant at Microsoft

• Senior Lead Security Engineer at NMCI

Loss prevention services and information for cyber insurance policyholders

1. Legal Compliance Materials: regulatory summaries, sample policies, procedures, plans, and agreements

2. Email List: monthly newsletter, privacy and data security tips, and “Data Security Alerts”

3. Specialist Support: by phone or email

4. Risk Assessment Guides: step-by-step procedures to lower risk

5. Training & Awareness Programs: online courses, bulletins, and webinars

6. Handling Data Breaches: summary of breach notification requirements, sample incident response plans, etc.

• The basics of static encryption

• Device encryption technologies/considerations

• Examples of available hardware and software-based solutions

• Conclusions

Encryption is Not a Silver Bullet

• Cracking the encryption algorithm. Over time, algorithms become compromised. Because of this it is important to securely remove (digitally wipe or shred) sensitive information, even if encrypted, from devices when no longer needed.

• All software, including encryption, can have defects (e.g. bugs) and backdoors that can allow unauthorized access if discovered.


Data Security Basics

• Limit sensitive personal information collected to the minimum necessary as required by organizational purposes

• Encrypt all sensitive information stored on mobile devices (laptop PC, smartphone, tablet, USB stick, DVD, etc.)

• Completely destroy sensitive information when no longer needed


Cryptography

• Cryptography hides data from unauthorized individuals

• Collection of Software, Protocols, Algorithms and Keys

• Cryptosystems draw their strength from the Algorithms, the length and Randomness of the Keys used and other Mathematical factors


Cryptography – Methods of Encryption

• Symmetric (same key used to encrypt and decrypt)

  • N(N-1)/2 = number of keys needed for N communicating parties

  • Symmetric encryption algorithms: Data Encryption Standard (DES), Triple-DES (3DES), Blowfish, IDEA, RC4, RC5, RC6, Advanced Encryption Standard (AES, with 128-, 192-, and 256-bit keys)

• Asymmetric (public and private key pairs)

What is Data?

• Data is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected

• Users store data on a variety of endpoints

• Whatever form the data takes, or whatever means by which it is shared or stored, it should always be appropriately protected

Value of Data Security

• Protects information against various threats

• Ensures business continuity

• Minimizes financial losses and other impacts

• Optimizes return on investments

• Creates opportunities to do business safely

• Maintains privacy and compliance


Impact of Laptop Thefts

• Source: www.privacyrights.org

• On average, 50% of reported breaches involved laptop theft

Data Security Preserves “CIA”

• Confidentiality: making information accessible only to those authorized to use it

• Integrity: safeguarding the accuracy and completeness of information and processing methods

• Availability: ensuring that information is available when required

Endpoint Encryption Strategies

• Full Disk Encryption

  • How Software Disk Encryption Works

  • How Hardware Disk Encryption Works

• File/Folder Encryption

  • How File/Folder Encryption Works

• Removable Media Encryption

  • How Removable Media Encryption Works

Full Disk Encryption Recovery

• Lost or forgotten passphrase

  • Self Recovery (computer is not managed)

• Computer has not communicated with the management server within a set communication interval

  • One-Time Password

• Data corruption resulting from hardware failure or other factors such as a data virus

  • Preinstallation Media


Folder/File/Removable Media Encryption Recovery Options

• Lost or forgotten certificate or password

  • Automatic key archiving for recovery of encrypted data

  • Recovery certificate

  • Have a backup copy of your data

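The two recovery slides above both rest on the same design: the key that actually encrypts the disk or folder (the data-encryption key, DEK) is never stored in the clear, but wrapped once per "protector", so a passphrase can be lost, or an unmanaged machine recovered, without the DEK itself being lost. The following is an added model of that key hierarchy written for this page; it is not code from the webinar or from any of the products listed later, and none of those products necessarily work this way internally. It assumes a constructed wrap primitive (a single-use XOR of the DEK with a PBKDF2-derived key, authenticated with an HMAC tag) where a real product would use an AEAD or a standard key-wrap construction, and the names `KeySlot`, `provision_volume`, `change_passphrase` and `recovery_scenario` are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # constructed work factor for the example
KEY_LEN = 32                  # 256-bit data-encryption key (DEK)


@dataclass(frozen=True)
class KeySlot:
    """One protector of the DEK: per-slot salt, wrapped DEK, integrity tag."""
    salt: bytes
    wrapped_dek: bytes
    tag: bytes


def _derive(secret: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a wrapping key and a MAC key from a slot secret and its salt."""
    okm = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def wrap_dek(dek: bytes, secret: bytes) -> KeySlot:
    """Seal the DEK under a slot secret (passphrase bytes or a random recovery key)."""
    salt = secrets.token_bytes(16)               # fresh salt => wrapping key is used once
    wrap_key, mac_key = _derive(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, wrap_key))   # illustrative XOR wrap, not an AEAD
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return KeySlot(salt, wrapped, tag)


def unwrap_dek(slot: KeySlot, secret: bytes) -> Optional[bytes]:
    """Return the DEK, or None if the secret is wrong or the slot was tampered with."""
    wrap_key, mac_key = _derive(secret, slot.salt)
    expected = hmac.new(mac_key, slot.salt + slot.wrapped_dek, "sha256").digest()
    if not hmac.compare_digest(expected, slot.tag):
        return None
    return bytes(a ^ b for a, b in zip(slot.wrapped_dek, wrap_key))


def provision_volume(passphrase: str) -> Tuple[Dict[str, KeySlot], bytes]:
    """Enrol a disk: random DEK, a user slot and a recovery slot.

    The returned recovery key is what gets archived on a management server, or
    printed and filed by the user on an unmanaged machine (self recovery); it is
    not stored on the device itself.
    """
    dek = secrets.token_bytes(KEY_LEN)
    recovery_key = secrets.token_bytes(KEY_LEN)
    header = {
        "user": wrap_dek(dek, passphrase.encode()),
        "recovery": wrap_dek(dek, recovery_key),
    }
    return header, recovery_key


def change_passphrase(header: Dict[str, KeySlot], old: str, new: str) -> bool:
    """Re-wrap the DEK under a new passphrase; the disk itself is not re-encrypted."""
    dek = unwrap_dek(header["user"], old.encode())
    if dek is None:
        return False
    header["user"] = wrap_dek(dek, new.encode())
    return True


def recovery_scenario() -> Dict[str, bool]:
    """Normal unlock, forgotten passphrase, then help-desk recovery from the archive."""
    header, recovery_key = provision_volume("correct horse battery")
    archive = {"laptop-0042": recovery_key}      # constructed management-server key archive
    normal = unwrap_dek(header["user"], b"correct horse battery")
    forgotten = unwrap_dek(header["user"], b"wrong guess")
    recovered = unwrap_dek(header["recovery"], archive["laptop-0042"])
    return {
        "normal_unlock_ok": normal is not None,
        "wrong_passphrase_rejected": forgotten is None,
        "recovery_matches_dek": recovered is not None and recovered == normal,
    }


if __name__ == "__main__":
    print(recovery_scenario())
```

The point the model makes explicit: the recovery slot is only useful if the recovery key was archived (or printed) before the passphrase was lost, which is why the slides pair "automatic key archiving" with "have a backup copy of your data". It also shows why a passphrase change is cheap (only the user slot is rewritten) and why a wrong passphrase or a corrupted header yields a clean failure from the integrity check rather than garbage plaintext.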

Criteria for Selecting Endpoint Encryption Solution(s)

• Identify compliance requirements

• Conduct a risk assessment

• Specify requirements

• Expect to support multiple endpoint technologies

• Expect to provide training

• Thoroughly engineer the processes for endpoint encryption

• Test the encryption system and the procedures for user management

Criteria for Selecting Full Disk Encryption Products

• Device deployment

• Product management

• Compatibility

• Authentication service integration

• Key recovery

• Cryptography

• Self Destruct Mechanism


Leading Full Disk Encryption Products

• Check Point Full Disk Encryption

• McAfee Endpoint Encryption

• Microsoft BitLocker Drive Encryption

• Sophos SafeGuard Enterprise

• Symantec PGP Whole Disk Encryption

• WinMagic SecureDoc Disk Encryption

• Trend Micro


Conclusion

• Changes in the endpoint landscape have an impact on endpoint encryption architectures.

• Organizations must understand the business risk and compliance requirements regarding data theft and data loss and make choices to support a wide variety of devices.

• Solutions should support a heterogeneous infrastructure that may need to include full-disk encryption software, self-encrypting drives, file/folder encryption, smartphones and tablets, and personal storage devices.

Mel Jackob, CISSP

ePlace Solutions, Inc.

Senior Cyber Security Specialist

Tel.: 559-261-9293

[email protected]

William Ewy, CIPP/US

ePlace Solutions, Inc.

Privacy and Security Practice Manager

Tel.: 559-577-1252

[email protected]
