Using End User Device Encryption to Protect Sensitive Information April 29, 2015 Mel Jackob, CISSP, GSEC, ePlace Solutions, Inc. William Ewy, CIPP/US, ePlace Solutions, Inc.

Apr 09, 2020


Using End User Device Encryption to Protect Sensitive Information

April 29, 2015

Mel Jackob, CISSP, GSEC, ePlace Solutions, Inc.

William Ewy, CIPP/US, ePlace Solutions, Inc.


William Ewy, BSEE, CIPP/US, Host

• Privacy and Data Security Practice Manager, ePlace Solutions, Inc.

• International Privacy Manager at Agilent Technologies

• Various positions in Marketing and Quality with Hewlett-Packard in California, Hong Kong, and Beijing


Mel Jackob, CISSP, GSEC, CISA, MCT, ePlace Solutions Inc.

• Senior Cyber Security Consultant, ePlace Solutions, Inc.

• Director of IT/Cyber Security at L-3 Communications

• Senior Cyber Security Consultant at Microsoft

• Senior Lead Security Engineer at NMCI


Loss prevention services and information for cyber insurance policyholders

• Legal Compliance Materials: regulatory summaries, sample policies, procedures, plans, and agreements

• Email List: monthly newsletter, privacy and data security tips, and “Data Security Alerts”

• Specialist Support: by phone or email

• Risk Assessment Guides: step-by-step procedures to lower risk

• Training & Awareness Programs: online courses, bulletins, and webinars

• Handling Data Breaches: summary of breach notification requirements, sample incident response plans, etc.


• The basics of static encryption

• Device encryption technologies/considerations

• Examples of available hardware and software-based solutions

• Conclusions


Encryption is Not a Silver Bullet

• Cracking the encryption algorithm. Over time, algorithms become compromised. Because of this it is important to securely remove (digitally wipe or shred) sensitive information, even if encrypted, from devices when no longer needed.

• All software, including encryption, can have defects (e.g. bugs) and backdoors that can allow unauthorized access if discovered.


Data Security Basics

• Limit sensitive personal information collected to the minimum necessary as required by organizational purposes

• Encrypt all sensitive information stored on mobile devices (laptop PC, smartphone, tablet, USB stick, DVD, etc.)

• Completely destroy sensitive information when no longer needed


Cryptography

• Cryptography hides data from unauthorized individuals

• Collection of Software, Protocols, Algorithms and Keys

• Cryptosystems draw their strength from the Algorithms, the length and Randomness of the Keys used and other Mathematical factors


Cryptography – Methods of Encryption

• Symmetric (same key used to encrypt and decrypt)

  • N(N-1)/2 = number of keys

  • Symmetric encryption algorithms

    • Data Encryption Standard (DES)

    • Triple-DES (3DES)

    • Blowfish

    • IDEA

    • RC4, RC5, and RC6

    • Advanced Encryption Standard (AES)

      • (128, 192, and 256 bits)

• Asymmetric (public, private keys)


What is Data

• Data is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected

• Users store data on a variety of endpoints

• Whatever form the Data takes, or means by which it is shared or stored, it should always be appropriately protected


Value of Data Security

• Protects information against various threats

• Ensures business continuity

• Minimizes financial losses and other impacts

• Optimizes return on investments

• Creates opportunities to do business safely

• Maintains privacy and compliance


Impact of Laptop Thefts

• www.privacyrights.org

On average, 50% of reported breaches involved laptop theft


Data Security Preserves “CIA”

• Confidentiality: Making information accessible only to those authorized to use it

• Integrity: Safeguarding the accuracy and completeness of information and processing methods

• Availability: Ensuring that information is available when required


Endpoint Encryption Strategies

• Full Disk Encryption

• How Software Disk Encryption Works

• How Hardware Disk Encryption Works

• File/Folder Encryption

• How File/Folder Encryption Works

• Removable Media Encryption

• How Removable Media Encryption Works


Full Disk Encryption Recovery

• Lost or forgotten passphrase

• Self Recovery (Computer is not Managed)

• Computer has not communicated with the management server within a set communication interval

• One time Password

• Data corruption resulting from hardware failure or other factors such as a data virus

• Preinstallation Media


Folder/File/Removable Media Encryption Recovery Options

Lost or forgotten Certificate or Password

• Automatic Key Archiving for Recovery of Encrypted Data

• Recovery Certificate

• Have a backup copy of your data


Criteria for Selecting Endpoint Encryption Solution(s)

• Identify compliance requirements

• Conduct a risk assessment

• Specify requirements

• Expect to support multiple endpoint technologies

• Expect to provide training

• Thoroughly engineer the processes for endpoint encryption

• Test the encryption system and the procedures for user management


Criteria for Selecting Full Disk Encryption Products

• Device deployment

• Product management

• Compatibility

• Authentication service integration

• Key recovery

• Cryptography

• Self Destruct Mechanism


Leading Full Disk Encryption Products

• Check Point Full Disk Encryption

• McAfee Endpoint Encryption

• Microsoft BitLocker Drive Encryption

• Sophos SafeGuard Enterprise

• Symantec PGP Whole Disk Encryption

• WinMagic SecureDoc Disk Encryption

• Trend Micro


Conclusion

• Changes in the endpoint landscape have an impact on endpoint encryption architectures.

• Organizations must understand the business risk and compliance requirements regarding data theft and data loss and make choices to support a wide variety of devices.

• Solutions should support a heterogeneous infrastructure that may need to include full-disk encryption software, self-encrypting drives, file/folder encryption, smartphones and tablets, and personal storage devices


Mel Jackob, CISSP

ePlace Solutions, Inc.

Senior Cyber Security Specialist

Tel.: 559-261-9293

[email protected]

William Ewy, CIPP/US

ePlace Solutions, Inc.

Privacy and Security Practice Manager

Tel.: 559-577-1252

[email protected]
