Data discovery and classification is a critical first step towards securing data in most organizations, as IT departments grapple with an explosion of digital information to store, manage and protect. This challenge is complicated by the fact that sensitive data exists in three different forms (database records; messages, such as email; and loose files) and in three different contexts (at rest on datacenter storage; in motion through the network; or in use on laptops, mobile devices and portable storage). Comprehensive data discovery and classification must directly address this complexity. Data classification is necessary to determine what type of data you have, why you have it, and where it is located within your company.

Monitoring multiple network channels (typically IM, FTP, HTTP and generic TCP/IP) using advanced monitoring techniques is a mature Data in Motion market space with effective tools. Newer agent-based systems are available to monitor data outside the DMZ. Current data security practice focuses on the use of data encryption to protect against the External Security Threat, and then on ensuring that there is efficient data monitoring and successful blocking of all channels at the end-point for the Internal Security Threat. These technologies, properly deployed, make it difficult for both Insiders and Outsiders to access critical information they should not have access to. However, the data is on a device outside the direct control of the organization, so this is really a case of effective but PASSIVE security.

Cue the change from defense to offense! The BE solution allows the organization to take an offensive approach: pursue the device and its data and put it beyond the use of the current user. For the first time the organization will know for sure what the status of the device and its data is. This is the new frontier for remote data control.
Version 3.6 Powerpoint March10
Beyond Encryption Presentation Product Version 3.6
What is the real problem?
- The most valuable item that an organisation owns is its critical data. Security has moved from managing devices to managing data.
- Organisations are becoming more mobile and de-perimeterised. Therefore much of the critical data is now often located outside the corporate perimeter on remote user devices – laptops, PDAs, smart phones, etc.
- People are the weakest link in the security profile of any company. In general they are not incentivised to be security-aware.
The security of the most important assets in the organisation is dependent on the weakest link in the organisation. A combination of encryption (a single layer of security) and compliance (end-point control and data monitoring) is the current UNSUSTAINABLE solution.
Why is this an issue?
- 47% of computer security professionals surveyed reported a laptop theft over the past twelve months. (FBI & CSI’s annual Computer Crime and Security Survey, 2008)
- From 2007 to 2008 there was an 81% increase in the number of companies reporting stolen laptops containing sensitive information. (2008 Annual Study: The Cost of Data Breach. Ponemon Institute, LLC)
- A third of all thefts of equipment in large businesses are carried out by employees. (DTI Information Security Breaches Survey 2006, May 1st, 2007)
- 79% of participants cite the human factor as the root cause of information security failures. (2008 Global Security Survey, Deloitte Touche Tohmatsu)
- Since early 2005, more than 200 million personal records have been exposed. (Privacy Rights Clearinghouse, A Chronology of Data Breaches, April 2008)
It Happens Every Day
- Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports. 65% of those laptops are not reclaimed.
- About 77% of people surveyed said they had no hope of recovering a lost laptop at the airport, with 16% saying they wouldn’t do anything if they lost their laptop during business travel.
- About 53% said that their laptops contained company confidential information. 65% said they took no steps to protect this information.
Just to reinforce the issue: “Over 80% of all enterprises suffered a laptop data loss within the last year. More than 2/3 aren’t sure what was on the laptop.” Beyond Encryption can solve this problem.
Data Breach Average Costs per Incident in 2008 (Ponemon Institute, Nov 2008)
- Customer Opportunity Costs: $4.1 million ($128 per record)
- Direct Incremental Costs: $1.4 million ($44 per record)
- Indirect Productivity Costs: $0.8 million ($25 per record)
- Total: $6.3 million per breach incident, or $197 per record, which indicates the size of the problem.
A More Complete Security Picture is Required
Questions to answer:
- Where is this critical data located?
- How sensitive is your data?
- How can you protect your sensitive data?
- How can you track your sensitive data?
- How can you retain control of your sensitive data AND the device?
Tool categories on the slide: Data at Rest Discovery Tools; Data Classification Technology; Encryption Tools; End Point Control; Data in Motion Discovery Tools; Beyond Encryption (cue the change from Defense to Offense).
The Beyond Encryption end-point security solution enables any organization, individual or government agency to target, with pinpoint accuracy, any sensitive information on any device, regardless of location, and protect it.
So How Does The Beyond Encryption Security Solution Work?
- The B.E. Server maintains policies and settings associated with each individual device that has the B.E. Client deployed on it. This server is deployed inside your organisation.
- The B.E. Client resides on each device under management. Its job is to maintain contact with, and carry out instructions issued from, the B.E. Server. The B.E. Client cannot be removed from a device by the Device User.
- A Secure Communications Channel provides a secure, encrypted, point-to-point communication channel between the B.E. Client and the B.E. Server.
Beyond Encryption Core Functionality
Version 3.6 of Beyond Encryption contains the following Core Security Functions:
- Freeze any sensitive data on any device so that it can never be accessed.
- Unfreeze any sensitive data on any device.
- Retrieve any data from any device.
- Destroy any data on any device (exceeds US Department of Defense standards for file deletion).
- Lock down any device.
- Unlock any device.
How can you Target and Select Data on a device?
- Pinpoint Accuracy – browse the device’s drive over the internet and target data in real time.
- File Type – based on type of data (example: all Microsoft Word documents).
- File Location – based on location of data (example: contents of the ‘My Documents’ directory).
- File Name – based on the name of a file or files.
Figure 1.1 – Targeting Data
Additional Notes:
- Target some device drivers to disable hardware.
- Can target and freeze or remove software.
How are commands Executed on a device?
Version 3.6 of Beyond Encryption can execute commands in the following ways:
- Reactive Security: instant execution if the device is connected to the Internet.
- Timed Security: local execution if the device does not connect to the Internet.
- Local Fencing: local execution if the device is taken away from the office.
- Geo Fencing: local execution if the device leaves a geographic location.
Reactive Security
- Connect to any device over the Internet at any time.
- The device only needs to connect for a millisecond to receive commands.
- Full reporting when commands have been completed.
- Easy to use interface.
- Target all data or specific data.
Timed Security
- If the device does not connect to the Internet, your data is secure.
- Set the timer anywhere from one minute to one year.
- Predefined commands will execute locally when the timer reaches zero.
- Designed to force your end users to connect to the organisation.
- Target all data or specific data.
- Full reporting capability.
Local Fencing
- Predefined local commands execute when a device leaves the company.
- Your data cannot be used outside of your facility.
- Multiple fences can be set up and enforced.
- Locally fence all data or specific data.
- Full reporting.
Geo Fencing – Slide One
- Predefined local commands execute when a device leaves a Geo Zone.
- Can support multiple Geo Zones.
- Can set Go Zones and No Go Zones.
- Geo fence all data or specific data.
Geo Fencing – Slide Two (figures: Large Scale Fencing; Pinpoint Fencing)
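The three locally executed modes above (Timed Security, Local Fencing and Geo Fencing) amount to a policy evaluator that runs on the managed client and decides which predefined actions to run without contacting the server. The following Python sketch is added here as an illustration and is not Beyond Encryption's own code: the data structures, the circular zone model, the office-reachability flag, the epoch-second clock and the sample coordinates are all assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class GeoZone:
    name: str
    lat: float
    lon: float
    radius_km: float
    allowed: bool  # True = Go Zone, False = No Go Zone

@dataclass
class Policy:
    checkin_timeout_s: int  # Timed Security: slide allows one minute to one year
    timed_actions: list     # run locally when the check-in timer reaches zero
    fence_actions: list     # Local Fencing: run when the office network is unreachable
    zones: list             # Geo Fencing: several Go and No Go zones may coexist
    geo_actions: list       # run when the position violates the zone rules

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance, so zones are circles of radius_km (constructed helper)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def zone_violation(zones, lat, lon):
    """Violation = inside any No Go Zone, or outside every Go Zone when Go Zones exist."""
    inside = [z for z in zones if haversine_km(z.lat, z.lon, lat, lon) <= z.radius_km]
    if any(not z.allowed for z in inside):
        return True
    return any(z.allowed for z in zones) and not any(z.allowed for z in inside)

def evaluate(policy, now_s, last_checkin_s, office_reachable, position):
    """Return the de-duplicated, policy-ordered actions the client should run locally.
    Inputs are assumed: epoch seconds, an office-reachability flag and (lat, lon) or None."""
    actions = []
    if now_s - last_checkin_s >= policy.checkin_timeout_s:
        actions += policy.timed_actions
    if not office_reachable:
        actions += policy.fence_actions
    if position is not None and zone_violation(policy.zones, *position):
        actions += policy.geo_actions
    return list(dict.fromkeys(actions))  # each action at most once

# Constructed sample: 24 hour timer, a 1 km Go Zone round the office and a 2 km
# No Go Zone roughly ten kilometres east of it (coordinates are invented).
OFFICE = GeoZone("office", 42.360, -71.058, 1.0, allowed=True)
NO_GO = GeoZone("no-go", 42.360, -70.936, 2.0, allowed=False)
SAMPLE = Policy(24 * 3600, ["freeze"], ["lock"], [OFFICE, NO_GO], ["freeze", "destroy"])
```

A device that is overdue, off the office network and inside the No Go Zone at the same time yields freeze, lock and destroy once each, in policy order, rather than running the geo actions' duplicate freeze a second time.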
Further Product Information
- Easy deployment using Active Directory, invisible to the end user.
- Easily define and set policies.
- Does not slow the device down.
- The user cannot stop commands from executing.
- Does not impact other applications.
- Can set a combination of commands that execute at the same time.
- Full reporting and audit trail.
Customer Case Studies Beyond Encryption takes customer privacy very seriously and has stringent confidentiality agreements in place with its customers around the world. As a result, we cannot name our customers as in many cases the customers do not want it to be known that they are using our applications. We can, however, provide a sample set of customers as follows:
Major US Banking Organisation – Slide One
Scenario:
A US banking company, a leading provider of private, business and commercial banking facilities, required a solution to control its devices and the data that resides on them. The Bank has been in business for over 60 years. In the US alone it has 7,000 branches and over 60,000 employees. The Bank’s specific requirements were:
- Control data on laptops and PCs around the US and the world
- Protect from insider and outsider threat
- Enable employees to access sensitive data with no risk to data
- Enable employees to work in certain locations with no risk to data
- Enable authorized employees to work on specific highly sensitive data with no risk to data
- Retrieve data at all times
- Immediate reaction to compromised data
- Full recovery of compromised data
- Complete destruction of data on stolen/missing devices
- Eliminate reliance solely on encryption
- Minimize impact on end users
- Productivity: no extra time for the end user
- Invisibility: ideally the correct solution would be invisible to the end user
Major US Banking Organisation – Slide Two
Utilisation:
The B.E. Solution was chosen by the Bank as the product of choice to control its data, based on a number of unique features. The B.E. Solution addressed all the obstacles that the Bank needed to overcome and also offered further solutions to additional potential threats initially unidentified by the Bank.
- Control data on laptops and PCs – nationwide
- File retrieval with pinpoint accuracy, targeted by file type, name, location on device, geographical location
- Freeze data, using any of the above target methods
- Lock data, using any of the above target methods
- Destroy data, using any of the above targets
- All of the above actions can be reversed if required
- Commands target one file / groups of files / ENTIRE devices
- Commands can be specific to certain users or groups
- Immediate reaction to compromised data: file retrieval, freeze, lock, destroy data and/or device
- Automatic time-based command execution
- Automatic geographic-based command execution
- Manual command execution if and when required
- Minimize impact on administrator and end users: Active Directory deployment; automated time and location reactive security commands; no input required from the end user; software is invisible to the end user
Major Consultancy Organisation in New York, USA
Scenario: The organisation has over 3,000 suppliers and consultants that access its internal servers using their own devices. Managing the level of access by these external suppliers to corporate data was becoming increasingly difficult. The third-party users needed access to perform their roles, but there was a serious concern regarding the security of data on these devices.
Utilisation: The organisation installed the B.E. Client on a limited number of devices for each third-party user. Only these devices are allowed to connect to the data servers. The organisation is using another DLP vendor’s document scanning solution to monitor how the supplier/consultant uses the data that it accesses. The B.E. solution is utilised to control the device and the data on the device. Any data that should not be there is remotely retrieved and deleted, and the device is remotely deep-cleaned at the end of the third-party contract. Since July 2009, the organisation has used Beyond Encryption to successfully take control of data on several compromised devices and enforce data control, using a combination of B.E. security functions.
Major hospital in Boston, USA
Scenario: The hospital is moving its patient record keeping from paper-based to electronic data, using always-connected tablet devices. This presents a large data security issue, due to the volume of devices and the ease of theft.
Utilisation: The hospital has installed the B.E. Client on every data device. As long as the device is connected to the hospital LAN it can connect to the hospital servers and perform its function. If a device is stolen and leaves the hospital, it leaves the range of the hospital LAN and any data on the device is immediately securely deleted. In addition, the hospital has requested the B.E. upgrade that will allow it to schedule a data clean on the device in the early morning each day, so that any cached data on the device is automatically and securely cleaned.
Accountancy Company in the UK
Scenario: The organisation has over 1,000 desktops which its employees use from 0800 to 1800 each day. No employees are authorised to be in the office after 1800, and there was concern that employees were not logging out of their systems at the end of the day. In addition, several devices had either been misplaced or stolen in the previous six months and the company was concerned that sensitive customer data could be exposed.
Utilisation: The company is now using the B.E. solution to remotely lock down the devices from 1800 to 0800 each night. This is done automatically, so that there is no unauthorised use of the organisation’s desktops during the night, thereby guaranteeing data security on the devices. In addition, the company has several policies in place using B.E. to enforce the control of data on devices, both inside and outside the organisation.
Police Department
Scenario: This police department has over 20,000 employees accessing sensitive data in a variety of ways and from a variety of devices. In addition to looking for a security solution to enable the department to enforce data security control on all of its devices, it also needed a solution that could automatically lock/freeze/destroy sensitive data if a device is stolen or removed from a remote police car.
Utilisation: In addition to using the security features available in Version 3.6 of Beyond Encryption to enforce data security and control, the police department has installed wireless routers inside each police car. As long as the device can communicate with the IP address of the router it will remain in an unlocked state, but as soon as it is moved outside the range of the router (moved away from the car) the device will locally run a predefined security action, thus guaranteeing the security of the device and the data that resides on it. In addition, this police department is using Beyond Encryption’s Geo Tracking capability to track where the devices are at all times.