Data Security on Removable Media – ISSA San Francisco – Jason Webster, jfwebster@imation.com

Dec 24, 2015

Page 1: Data Security on Removable Media ISSA San Francisco Jason Webster jfwebster@imation.com.

Data Security on Removable Media

ISSA San Francisco

Jason Webster

jfwebster@imation.com

Page 2

TABLE OF CONTENTS

1. Imation Overview
2. Market Situation
3. Secure Removable Storage Devices
4. Central Management Software
5. Data Center Tape Protection

Page 3

IMATION CORP OVERVIEW

• Leading global marketer and developer of branded products that enable people to store, protect and enrich their experiences with digital information

• Technology leadership, global distribution reach, and customer relationships make us a preferred partner for leading companies worldwide

• Broad portfolio of data storage products, consumer electronics and accessories

• Global market share leader in recordable optical media and data storage tape

• 2010 revenue $1.46 billion, >1,000 employees, serving more than 100 countries

Page 4

MARKET SITUATION

Page 5

MARKET SITUATION - SUMMARY

DATA GROWTH: The growth of digital information has rapidly surpassed expectations. By 2011 the digital universe will be 10 times the size of 2006.[1]

INCREASED DATA MOBILITY: The importance of data has increased its access and mobility requirements, making it more difficult to secure and protect.

INCREASED DATA BREACHES: As data and its mobility grow, the number of data breaches and the amount of data exposed have also grown. U.S. 2010: > 662 breaches[2], of which 412 (62%) exposed Social Security Numbers and 170 (26%) exposed credit or debit cards.

REGULATIONS INCREASING: Increased data exposure has resulted in increased regulations and reporting requirements globally.

COST OF DATA BREACHES GROWS: Increased reporting requirements and increased data breaches result in increased breach costs. U.S. 2010: $7.2 million[3] average org. cost of a data breach over 4 years; $214 per record[3].

Sources: [1] IDC – The Diverse and Exploding Universe – March 2008. [2] Identity Theft Resource Center – 2010 Data Breach Stats, January 3, 2011. [3] Ponemon Institute – Fourth Annual U.S. Cost of Data Breach Study, January 2009.

Page 6

Data Breach cost by Industry

Page 7

Legislation

• 46 states with data breach laws
  – 33 new proposed laws in 2010
• HITECH Act of 2009 - mandatory new regulatory requirements
  – Encryption needed but not "required" on all DAR (data at rest) devices
  – Severe penalties for an unsecured data breach!
  – Public notification for an unsecured data breach of > 500 individuals
  – Civil and federal penalties, but safe harbor for encrypted data
  – Patient right to receive a copy of records electronically
  – 15 million in health care, 60% touch patient healthcare information
• FTC Red Flag statutes
  – All organizations subject to the legislation must develop and implement a formal, written and revisable "Identity Theft Prevention Program" (Program) to detect, prevent and mitigate identity theft.
  – All financial institutions (state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer)
  – Solutions include encryption and multiple-factor authentication
• 12/29/2010 SEC approves amendments to FINRA Rule 8210 to require encryption of information provided via portable media device
  – The Financial Industry Regulatory Authority is the largest independent regulator for all securities firms doing business in the United States
  – Rule applies to all FINRA member firms (4,570 brokerage firms)

Page 8

FIPS BASICS

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government security standard that specifies requirements for cryptographic modules.

• FIPS is required by law for U.S. government purchases
• Strictly enforced in Canada
• Gaining international recognition in Asia and Europe
• Being adopted within regulated industries (e.g. financial, healthcare)

Description of the FIPS 140-2 four levels:

FIPS 140-2 Level 1: The lowest level; imposes very limited requirements. Loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.

FIPS 140-2 Level 2: Adds requirements for physical tamper-evidence and role-based authentication.

FIPS 140-2 Level 3: Adds requirements for physical tamper-resistance and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module and its other interfaces.

FIPS 140-2 Level 4: Makes the physical security requirements more stringent, and requires robustness against environmental attacks. Level 4 is currently not being utilized in the market.

Currently, Level 3 is the industry standard.

Page 9

Web sites track reported data breaches (breaches reported per day):

May 6th – 3
May 5th – 2
May 4th – 9
May 3rd – 4
May 2nd – 5
May 1st – 0

Page 10

Recent Major Data Breaches

• The Family Planning Council in Philadelphia reported a data breach involving a flash drive theft, placing information on 70,000 patients at risk, April 14, 2011

• How Adrian Jones' Superstar IT Career Went Sideways, April 28, 2011, (HP Executive allegedly downloaded confidential trade secrets on a USB device that was not controlled)

• Search on for memory stick missing from public school board, April 13th, 2011 (All the information from the computer, including employee information such as direct deposit forms, resumes, and other scanned documents, were put on the unencrypted flash drive.)

Theft

Disgruntled Employee

Honest Mistake

Page 11

Recent Headlines – www.HealthcareInfoSecurity.com

• 2/24/11 Mass General HIPAA penalty: $1 million
  – Lost documents included information from the infectious disease department, including AIDS patients
  – Corrective action plan: "Develop and implement a comprehensive set of policies and procedures that ensure patient information is protected when removed from the hospital"
  – Mass General to take extra steps to encrypt laptops and USB drives
• 2/23/11 HIPAA privacy fine: $4.3 million to Cignet Health
  – First civil monetary penalty to a healthcare organization
  – Cignet failed to provide 41 patients with access to medical records
  – Failed to cooperate with federal investigators
• 2/14/11 New York City Health & Hospitals Corp. breach affects 1.7 million
  – Largest incident reported under the HITECH Act breach notification rule
  – Information lost includes names, addresses, social security numbers, patient medical histories
  – Hospital Corp. offering 1 year of free credit protection service to affected individuals (will cost them millions)
  – Per the HITECH Act, if the data had been encrypted then public notification would not have been required
• "The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule," said HHS Secretary Kathleen Sebelius.

Page 12

Secure Removable Storage Devices

Page 13

USB Devices

• Over 2 billion devices sold each year (PC World, Jan 2009)
• According to security firm Vontu:
  – Over 50% of 480 surveyed tech professionals had USB devices with unprotected confidential information
  – 1 USB drive is lost at work each month
  – Unlike laptops, storage devices are small and cheap. Many employees do not report them missing as they would a laptop.
• According to Ponemon:
  – Employees were less than 50% likely to report a lost USB device or optical disc
  – Most employees would knowingly break corporate policies: sharing passwords, downloading confidential data, taking work home

Page 14

SECURITY ELEMENTS

• Physical Security
• Encryption
• Authentication
• Malware Protection
• Management
• USB Port Control

Page 15

Types of Security on USB Devices and Optical

• Encryption
  – 128 bit vs 256 bit
  – FIPS validated only 256 bit
• Hardware encryption vs software encryption
  – Software uses the host computer for authentication; hardware authentication occurs in the device
  – Software encryption typically slows down performance
  – Software encryption (FIPS Level 1) will get you compliant; hardware encryption (FIPS Level 3) will give you top security
  – Software encryption is typically Windows only
• Authentication
  – Password
  – Biometrics
  – CAC/PIV card (upcoming)
• Optical
  – Common method: encrypt files with third-party software and burn onto optical media
  – New method: self-encrypting recordable CD/DVD/Blu-ray disc

Page 16

128 bit vs 256 bit encryption

1 1 0 1 0 1 1 0 1 1 1 0 0 0 1 1

1 1 1 1 0 1 0 1

Twice as long, twice as strong?

Page 17

Light years stronger

340,282,366,920,938,000,000,000,000,000,000,000,000

That number is 2^128 (rounded to 15 significant figures): the 256-bit key space is 2^128 times larger than the 128-bit one, not twice as large.

Equivalent to all the grains of sand on the planet or every known star in our galaxy

Page 18

Authentication

• Authentication verifies a user's identity
  – It's what "unlocks" the device by validating you are who you say you are
• Various methods:
  – Strong password - a password is sent into the device, and the device verifies it's correct
  – Biometric - a finger is swiped across the sensor, another chip verifies it
  – RSA SecurID - digital identity
  – PIV - Personal Identity Verification
  – CAC - Common Access Card
  – PKI - Public Key Infrastructure
• Hardware-encrypted devices
  – Authentication is done in hardware
  – The "boundary of trust" does not include the computer

Page 19

Our Portfolio Overview

• Very robust device management (Central Management)
  – Automatically registers users to devices and implements policies
• Low system overhead and limited support staff required
  – Manages multiple device types and brands
• Leverages existing investment
  – Provides forensic-level auditing
  – File-level blocking by type and name
  – Manages devices off the network
  – Remote kill of devices
• Broadest secure portable storage portfolio:
  – Optical products - CD/DVD
  – USB flash drives
  – External hard disk drives
• Multiple authentication methods
  – Password (hardware rules)
  – Biometric + password
• Global government-validated encryption

Page 20

PORTFOLIO SUMMARY

TARGET MARKETS (left to right): SOHO/SMB | Enterprise | Large Enterprise | Government/Financial Services

FUNCTIONALITY (left to right): Secure Storage | Managed Secure Storage | Managed Secure Storage & Strong Authentication | Managed Secure Storage & Strong Authentication with SmartCard

Products:
• Defender F100 & F150 – Features: FIPS 140-2 L3, cap design
• Defender F50 – Features: FIPS 140-2 L1, pivot design
• Defender H100 & H200 +Bio – Features: FIPS 140-2 L3
• Defender F200 +Bio – Features: FIPS 140-2 L3
• Defender Optical – Features: FIPS 140-2 L1

Page 21

Device Management

Page 22

Management Features

• Remote kill/revocation
• Addition of encryption to non-encrypted devices
• Time-based policies vs event-based
• File-level auditing
• USB port control - allow, block, read only
• File-level blocking
• User group policies
• Ability to manage third-party devices
• Remote policy updates
• User self rescue
• Password complexity and interval
• Remote password update
• Data recovery
• Automatic registration of devices vs issuance

Page 23

Why Wikileaks could have been prevented

• User could have been blocked from access to removable storage devices
• File types/names/contents could have been blocked from the Central Management Software – block, alarm, monitor
• Auditing of activity would have shown which files were being downloaded by whom from which computer
• Offline usage could have been disabled
• Device could have been remotely killed/disabled
• Auditing would have shown which files were saved to which computer from which device
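As an added illustration of the controls on pages 22 and 23 (this is example code, not Imation's software), a toy policy engine applies USB port control, file blocking by type and name and user-group policies to a few constructed copy events, and writes the audit record that answers who moved which file from which computer to which device. Group names, device serials and glob patterns are assumptions.

```python
"""Toy central-management policy engine for removable-media events.
Added example, not Imation's software: it models the controls the deck lists
(USB port control Allow/Block/Read only, file blocking by type and name,
user-group policies, file-level auditing). Policies and events are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class GroupPolicy:
    port_mode: str                     # "allow", "read_only" or "block"
    blocked_patterns: tuple = ()       # glob patterns: never allowed
    alert_patterns: tuple = ()         # glob patterns: allowed but alarmed
    managed_devices_only: bool = True  # only registered, encrypted devices

# Hypothetical user-group policies (constructed).
POLICIES = {
    "finance": GroupPolicy("allow", ("*.pst", "*.key"), ("*financials*",)),
    "contractors": GroupPolicy("read_only"),
    "interns": GroupPolicy("block"),
}

@dataclass(frozen=True)
class Event:
    user: str
    group: str
    host: str
    device_serial: str
    device_managed: bool  # registered with the management server
    direction: str        # "to_device" or "from_device"
    filename: str

def evaluate(ev: Event, audit: list, policies=POLICIES) -> str:
    """Decide 'allow', 'alert' or 'block' for one event and record it."""
    pol = policies[ev.group]
    name = ev.filename.lower()
    if pol.port_mode == "block":
        decision, reason = "block", "port blocked for group"
    elif pol.port_mode == "read_only" and ev.direction == "to_device":
        decision, reason = "block", "read-only port, write denied"
    elif pol.managed_devices_only and not ev.device_managed:
        decision, reason = "block", "unmanaged device"
    elif any(fnmatch(name, p) for p in pol.blocked_patterns):
        decision, reason = "block", "file type/name blocked"
    elif any(fnmatch(name, p) for p in pol.alert_patterns):
        decision, reason = "alert", "sensitive file name: allowed, alarmed"
    else:
        decision, reason = "allow", "policy permits"
    # Audit record answering who, which file, which host, which device.
    audit.append(dict(user=ev.user, host=ev.host, device=ev.device_serial,
                      direction=ev.direction, file=ev.filename,
                      decision=decision, reason=reason))
    return decision

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event("alice", "finance", "WS-101", "DF-0001", True, "to_device", "Q1_financials.xlsx"),
    Event("alice", "finance", "WS-101", "DF-0001", True, "to_device", "mailbox.PST"),
    Event("bob", "finance", "WS-102", "USB-RETAIL", False, "to_device", "notes.txt"),
    Event("carol", "contractors", "WS-201", "DF-0002", True, "from_device", "spec.pdf"),
    Event("carol", "contractors", "WS-201", "DF-0002", True, "to_device", "spec.pdf"),
    Event("dave", "interns", "WS-301", "DF-0003", True, "from_device", "readme.md"),
]

def run_demo(events=SAMPLE_EVENTS):  # returns (decisions, audit log)
    audit = []
    return [evaluate(e, audit) for e in events], audit
```

The audit list is what an investigator would query after the fact; the "alert" outcome is the slide's "allow but alarm" mode, distinct from a block.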

Page 24

Device Management Software (architecture diagram)

Managed devices and endpoints:
• Defender FIPS L1: F50 Pivot, Defender Optical
• Defender FIPS L3: F100/F150, H100/H200 +Bio, F200 +Bio
• Port Control: laptop, netbook and desktop PC ports
• Legacy removable media: UFD, EHDD, media players, mobile devices, cards
• StealthZone (SPD)

Page 25

Case Study: US Army Base

Overview: Army Support Activity supports and conducts Reserve Component Training and Mobilization/Demobilization operations. The ASA plans and executes other Army-directed support missions and, on order, establishes and operates a Joint Mobilization site.

Requirements:
• The ability to access sensitive mission and combat training data on secure, ruggedized and tamper-proof storage devices
• Integrated anti-malware defenses, remote kill and key management
• The solution must meet DoD DAR CTO requirements

Solution:
• Defender F150 FIPS 140-2 Level 3 drives
• Each device was loaded with McAfee A/V and the Imation Device Control Applet
• Central management is performed through Imation Control Server software

Result:
• All USB devices can be managed and used securely in compliance with the DoD CTO security requirements
• DAR-approved central management allows for remote kill, key management and detailed forensic auditing/reporting

Page 26

How to be Compliant and Secure

• For non-criminal-intent data breaches (lost devices – honest mistake)
  – Use AES 256-bit encrypted devices
• For stolen devices
  – Use AES 256-bit encrypted devices with embedded security policies
  – Extra insurance: 2-factor authentication, remote kill, FIPS Level 3 encryption
• For disgruntled employees
  – Central management of devices with stringent security policies: USB port control, file-level auditing capability, blocking of files, remote kill
• Proactive enforcement of policies
  – Central management of devices to ensure 100% compliance with company security policies to protect critical company data, e.g. financials, IP, employee or customer information. You also will have auditing and reporting capability.

Page 27

Upcoming Imation Technologies

• Digital rights management
  – Prevent printing, copying, emailing
  – Timebomb files
• Smart card integration
  – Common Access Card (CAC) or Personal Identity Verification (PIV)
  – Strong two- and three-factor authentication
  – No new password required -- card PIN is used
• Secure portable desktop
  – Allows you to boot directly from your USB drive
  – Turn any host computer into the user's computer
  – Boots directly into a Windows environment
  – "Generic mode" allows use on unknown PCs

Page 28

Securing Traditional Storage

Page 29

Understand the Need

• More data is being backed up today than ever before
• More data is stored per individual cartridge
  – Cartridge capacities have reached 1 terabyte native
• More cartridges are moving to and from more locations
  – Additional data centers, vault sites
• More regulations on data protection and preservation exist today than ever before
  – Non-compliance can be very expensive

Page 30

Encryption of Tape

• AES* 256-bit encryption available with LTO4/5, Oracle T10000 and IBM 3592 (TS1130) drives

• Drive level encryption enables compression before encryption

• LTO offers possibility of 3rd party key management system

• <1% impact on drive performance

*Advanced Encryption Standard
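The slide's point that drive-level encryption "enables compression before encryption" is shown below with an added Python example (not from the deck, and not an LTO drive's real cipher): a toy SHA-256 keystream stands in for the drive's AES-256, and the two orderings are compared on constructed backup records.

```python
"""Why a tape drive compresses before it encrypts (added example, not from the deck).
Ciphertext looks random, so a compressor run after encryption gains nothing, while
encrypting the compressed stream keeps the capacity gain. The cipher below is a toy
SHA-256 counter-mode keystream standing in for the drive's AES-256; it is NOT a
secure cipher, only random-looking enough for the size comparison."""
import hashlib
import zlib


def toy_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (toy, self-inverse)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compress_then_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Drive-level ordering: compress first, then encrypt the compressed stream."""
    return toy_stream_xor(key, nonce, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Host encrypts first; the drive then tries to compress the ciphertext."""
    return zlib.compress(toy_stream_xor(key, nonce, data), 9)


def recover(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Inverse of compress_then_encrypt: decrypt, then decompress."""
    return zlib.decompress(toy_stream_xor(key, nonce, blob))


def sample_backup_records(n: int = 2000) -> bytes:
    """Constructed, highly redundant backup data, like a log dump on a cartridge."""
    return b"2011-04-14 host=db01 status=OK bytes=4096 checksum=deadbeef\n" * n


def size_report(data=None, key: bytes = b"constructed-demo-key",
                nonce: bytes = b"cartridge-0001") -> dict:
    """Byte counts for both orderings; the gap is the tape capacity kept or lost."""
    if data is None:
        data = sample_backup_records()
    cte = compress_then_encrypt(key, nonce, data)
    if recover(key, nonce, cte) != data:
        raise ValueError("round trip failed")
    return {
        "plaintext": len(data),
        "compress_then_encrypt": len(cte),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, data)),
    }
```

One caveat a practitioner should keep in mind: the length of the compressed-then-encrypted stream still reveals how compressible the backup was, which is normally acceptable for archival tape but is not hidden by the encryption.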

Page 31

LTO RFID CM Chip

• LTO CM holds diagnostic information – e.g. error rates, data sets written, drive utilization, number of mounts
• Analyzed to determine drive/media performance trends for failure prediction
• LTO CM info captured within seconds
• Scan of CM does not compromise security of data

Page 32

Locking Features

Users can choose to “Lock” their cartridges for added transport or storage security.

When locked, the cartridge cannot be read from, or written to, by any LTO drive.

Page 33

RFID Asset Tracking

Page 34

What Customers Say

• "I need to know..."
  – I am compliant with regulations
  – Where my tapes are: within my library, in other data centers, at my vaulter
  – I am being as efficient as possible in my operations
  – If I need a tape, I will be able to find it quickly
  – If an auditor asks about a tape, I will be able to demonstrate chain of custody

Page 35

IT Asset Lifecycle Management

Page 36

Customer Case Study

Situation:
• Thousands of IT hard drives and tapes containing highly sensitive customer and corporate information
• No ability to control or monitor removal of laptops from facilities
• Inability to ensure end-of-life drives were properly destroyed created 5 high-profile breaches in 2 years, consumer outrage

Solution:
• Established a corporate risk mitigation strategy to protect corporate and consumer
• Developed special-use passive RFID tags to place on all hard drives and laptops
• Deployed an asset management solution to track the lifecycle of the corporate assets
• Installed special-use readers at various entry/exit choke points
• Automated feedback from crushing of end-of-life assets

Results:
• Greatly curtailed asset loss and ensured end-of-life assets were destroyed
• Improved employee awareness and automated the tracking of laptops leaving a facility
• Lowered corporate risk profile

Page 37

Customer Case Study: Exiting the Secure Facility

The employee approaches the exit, where the employee badge and laptop tag are identified. The employee's association to the laptop is verified by the application, and an image is quickly loaded on the Exit Security Monitor for visual confirmation. Security may elect to enlarge the view and review the association details.

Page 38

Case Study

Mismatch: an audible sound and visual cue is given to security, indicating the employee badge is not assigned to this laptop.

Match: employee badge and laptop tag match; the picture is shown for additional visual security.

Page 39

Secure Destruction of Media

• Companies will buy back tape media
• They claim they recertify media and rewrite over all of the data
• In truth, most write over the header or table of contents, and the rest of the data is still live
• The South Shore Hospital data breach was caused by a company taking media to be recertified, and the tape was lost
  – 800,000 patients at risk
  – Third party was not responsible for the data - South Shore was

Page 40

Thank You