Downloaded 21 times
Uploaded byAndris Soroka
DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings
The document outlines the discussion of encryption solutions by Symantec, focusing on data lifecycle and various forms of encryption including whole disk, file, and email encryption. It details the access flow of sensitive financial data within an organization, highlighting potential risks related to data security and regulatory compliance. Additionally, it emphasizes the necessity of centralized management for encryption and the integration of existing IT infrastructure to enhance security measures.
More Related Content
Similar to DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings
![Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/apachesparkgettingstarted-260203175547-8361bcc3-thumbnail.jpg?width=640&height=640&fit=bounds)
DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings
- 1. ARROW INSPIRATION DAY,RIGA Symantec Deepens Encryption Offerings Raivis Kalniņš
- 2. Agenda 2 Data Lifecycle Encryption canStart Anywhere Whole Disk Encryption Removable Storage Encription File and Email Encription File/Folder Encription Encyiption Management
- 3. Data Lifecycle The directorof finance downloads data from the customer database. He drafts the “Year End” results spreadsheet and saves it on his desktop PC. 3
- 4. Data Lifecycle The directorof finance downloads data from the customer database. He drafts the “Year End” results spreadsheet and saves it on his desktop PC. The director stores a copy of “Year End” results in a shared directory on a corporate server for the finance team. 4
- 5. Data Lifecycle The directorof finance downloads data from the customer database. He drafts the “Year End” results spreadsheet and saves it on his desktop PC. The director stores a copy of “Year End” results in a shared directory on a corporate server for the finance team. The finance manager accesses the “Year End” results, adjusts the numbers, and emails the file to the company’s outside accountant. 5
- 6. Data Lifecycle The directorof finance downloads data from the customer database. He drafts the “Year End” results spreadsheet and saves it on his desktop PC. The director stores a copy of “Year End” results in a shared directory on a corporate server for the finance team. The accountant accesses the email on a handheld and forwards it with comments to a colleague. She reviews “Year End” results and saves it on a laptop and a thumb drive. The finance manager accesses Year End results, adjusts the numbers, and emails the file to the company’s outside accountant. 6
- 7. Data Lifecycle The directorof finance downloads data from the customer database. He drafts the “Year End” results spreadsheet and saves it on his desktop PC. The director stores a copy of “Year End” results in a shared directory on a corporate server for the finance team. The accountant accesses the email on a handheld and forwards it with comments to a colleague. She reviews “Year End” results and saves it on a laptop and a thumb drive. The colleague gives the thumb drive to the onsite auditor, who transfers “Year End” results to his laptop so he can review it later at home. The finance manager accesses Year End results, adjusts the numbers, and emails the file to the company’s outside accountant. 7
- 8. Data Lifecycle How manypeople had access to data today? - Director of Finance - Finance Team - Outside Accountant - Outside Accountant’s Collegue - Onsite Auditor
- 9. The Encryption DiscussionCan Start Anywhere 9 Field Data Center Headquarters Field Offices What is the organizational policy on USB drives? Could there potentially be intellectual property (IP) on these drives? Email protection regulations and mandates? What is being downloaded to employee systems? Trojans, malware, unauthorized software? Tangible/intangible costs of a lost laptop – customer data? Personnel data? IP? Are there customer addresses stored on mobile phones? Data on HR/Legal/Finance/Other Shared servers residing in the clear? Nightly transactions / backups sent outside the organization?
- 10. Barriers to Saleand Value Proposition 10 Potential Barriers Description Value Proposition Encryption solutions are complex Ease of implementation, ongoing management, long-term cost of ownership Experience: Solutions are easy to deploy Limited resources Need to share IT staff across multiple activities. Endpoint encryption should integrate with existing IT infrastructure Leverage: Uses existing infrastructure architecture Substantial training required Substantial upfront and on-going investment in training costs Simple: Little or no training required for end-users Resistant end-users Need to preserve existing workflows; not change how users perform their job Transparent: User behavior need not change significantly Diverse devices Mandated to protect all devices containing sensitive data. Comprehensive: Protection across devices, platforms
- 11.
- 12. Things to remember Encryptionis not a new technology, but it is a security control that has NOT been introduced into a majority of environments. Most companies don’t have a lot of experience with Encryption and their criteria is based off of Internet research (hastily done) or a vendor. There is rarely expertise in the field. Most companies are looking at Encryption in the face of an event: lost/stolen system, audit and/or regulatory hit. Most companies are on an aggressive deployment schedule.
- 13. Encryption on theEndpoint
- 14. PGP – WholeDisk Encryption Whole disk encryption for desktops, laptops, and Windows® servers. Supports Windows®, Mac OS® X, and Linux® platforms Encrypts desktops, laptops, and USB drives Protects against personal computer loss, theft, compromise and improper disposal Reduces risk of loss of PII (Personally Identifiable Information) and other sensitive data Protects against reputation damage Demonstrates compliance to regulatory standards Supports Windows, Mac OS X, and Linux
- 15. Whole Disk Encryption– How it Works
- 16. Symantec EE ManagementSystem High availability Web services transport, communications Database server mirroring, failover and HA Active Directory replication, failover Supports Windows cluster services Seamless integration Directory services Software deployment User authentication Workgroup encryption Wake on LAN Leverages familiar, proven technologies Active Directory, IIS, SQL Server, Linux, ASP.NET, PKI, and so on Simple to deploy, easy to learn and support Scalable >100,000 endpoints per server 16
- 17. Symantec Endpoint Encryption– Full Disk 17 Policies Auditing Full-Disk Encryption Opal Self- Encrypting Drives High-performance, true full disk encryption Pre-boot user authentication Rapid deployment and activation Extensive support for smart cards, CAC, and PIV Non-disruptive maintenance and patching Supports Windows and Mac OS X
- 18. Symantec EE –Removable Storage Secure portable data at rest – Enforce mandatory removable storage encryption policies – Access and re-encrypt data from any PC or Mac Granular file and folder based encryption – Allow encrypted and unencrypted data on user devices – Enforce policy-controlled exemptions by file type and device 18 Centralized – Integrated Management Console Policies Auditing Removable Media Encryption
- 19. File and EmailEncryption
- 20. Where Is SensitiveData at Risk?
- 21. Gateway Email Encryption– How it Works
- 22. Desktop Email Encryption– How it Works
- 23. File/Folder Encryption 23 User fileprotection Shared file protection Distributed file protection Protect shared files and folders Protect transferred files and folders Protect individual files and folders PGP NetShare, PGP Command Line
- 24. PGP NetShare 24 Client-based ProtectedFile Sharing ? Finance encrypts a file on the server using PGP NetShare 11 Finance allows HR to view/edit the file on the server 22 HR can view and edit the file on the server33 HR saves the file to the server and PGP NetShare maintains protection 44 55 Sales tries to view the document and the document is unreadable When the document is copied to backup tape, it remains protected 66
- 25. PGP Command Line ScriptableEncription – A complete library of encryption commands – Simplifies encryption integration into business practices Wide Range of Platforms – Supported on over 35 supported operating systems Windows, Linux, Solaris, Mac OS X, HP-UX, IBM AIX, iSeries, zSeries – Runs with most scripting languages, such as Perl, Python, JavaScript, and more Many Uses – End-to-end protection for the internal or external transfer of files – SDA enabled distribution of files via CD, DVD or file servers lockboxes – Encryption protection and recovery of backed-up and archived files 25 File encryption for server protection & file transfer
- 26. PGP Command Line– How it Works 26 Data DistributionData Distribution File TransferFile Transfer Data BackupData Backup > pgp –es dbdump.sql – r admin@company_a.com dbdump.sql:encrypt (0:output file dbdump.sql.pgp) > pgp –es dbdump.sql – r admin@company_a.com dbdump.sql:encrypt (0:output file dbdump.sql.pgp)
- 27. Encryption Management Centralized managementfor all of the PGP® Applications 27 Central Administration - Manages users from a central location. Supports LDAP integration - Provides tools to help manage and deploy clients Policy Enforcement - Controls when encryption must be used Reporting and Logging - Tracks device and data encryption and user events Key Management - Ensures that keys stay protected with proper access controls, along with mechanisms available for safe data recovery
- 28.
- 29. Encryption Management 29 Thank you! RaivisKalniņš raivis@dss.lv info@dss.lv GSM: +37129162784 GSM: +37126113545
Editor's Notes
- #11 [Important points to remember] This slide covers the common concerns that Symantec (and PGP and GuardianEdge) heard from other customers (which should be similar to the audience’s concern) The point of this slide is to engage the audience for their validation and affirmation of each of these points. Ideally, this section should be covered like a dialogue, not a lecture Empathize as these are the challenges that your audience will invariably face Symantec has had many years of experience working with organizations like yours and we understand the practical concerns that they faced when it came to deploying an endpoint encryption and data protection solution. We found that while many IT organizations realized the business need to implement an endpoint encryption and data protection solution immediately, but had real-world concerns about the ease of implementation, ongoing management, and long-term cost of ownership. Every IT organizations faces a challenge of limited resources that must be shared across competing priorities and projects . This creates conflict and contention for resources which only serves to delay the actual implementation. Not surprisingly, organizations strive to address their data protection problems in a manner that doesn’t require new staff. Ideally, this means that the architecture of the endpoint encryption and data protection solution should be congruent with existing IT architectures . It should also avoid introducing a significant new burden on IT staff for initial deployment as well as on-going management and maintenance. We also found that IT organizations like yours do not necessarily acquire additional budget for the incremental infrastructure that’s needed to support an endpoint encryption and data protection solution. All IT organizations these days are under pressure to “do more with less” . Not surprisingly, we found that our customers prioritized solutions that could leverage existing infrastructure and mitigate the need for excessive build-out. There are other reasons why it’s preferable to leverage existing infrastructure; not the least of which being that it’s time-consuming and expensive to train IT staff on new, proprietary management technologies let alone overlay this proprietary infrastructure atop an existing IT architecture. Organizations should strongly consider an endpoint data protection solution that fits neatly into an existing IT architecture and leverages established operating procedures. Not only will this simplify and accelerate the deployment of the solution, but it will also help mitigate the substantial upfront and on-going costs for IT staff training . One of the most overlooked aspects of an endpoint encryption and data protection deployment is anticipating how end-users will react to the implementation of the solution. End-users can be highly resistant to new security measures, especially if they impact existing workflows or fundamentally change the way they must perform their job. As a result, the best security measures to implement are the ones that minimize impact on the end-user. This not only ensures user acceptance of your data protection rollout, but it also minimizes the possibility that savvy users will intentionally circumvent the security measures. After all, a bypassed security measure is a failed security measure . Finally, IT organizations are increasingly realizing and appreciating the scope of the problem they’re being asked to address: governing a very diverse collection of endpoint devices that reside both on and off the enterprise network. As a result, the right endpoint encryption and data protection solution must support all of the devices that IT is mandated to protect. This means more than just support for notebooks and desktops, but support for all the devices where sensitive corporate data may reside and a data breach could occur. Symantec Endpoint Encryption solves these practical problems with a combination of broad device support, a full set of data protection controls and enterprise class management that seamlessly integrates with customers’ existing infrastructure. [Discussion questions] Which of these issues or factors are the most important to your organization? Are there others? How many laptops, desktops, and storage devices reside in your organization? Do you use Active Directory to manage users, devices, and policies? Another directory services technology?
- #15 Symantec Endpoint Encryption extends granular, policy-based controls to removable media and devices. In this manner, the Symantec Endpoint Encryption Removable Storage Edition and Device Control provide information security managers with peace of mind that this particular threat vector can be effectively monitored and controlled. Symantec Endpoint Encryption Removable Storage Edition adds a layer of data encryption to removable storage devices ensuring that in the event that an external hard drive, CD or DVD, or USB flash drive is lost, the data that resides on the device is not compromised. This package can be used in conjunction with Device Control to further safeguard against inadvertent data leakage , d evice and port access controls prevent unauthorized transfer of sensitive information between devices and wireless networks as well as preventing unauthorized devices from connecting. The operation of Symantec Endpoint Encryption Removable Storage Edition is largely transparent to end-users on managed systems; providing file-level encryption for maximum performance and interoperability . For devices like flash drives and external hard drives which mount like a standard disk, file encryption occurs discretely in the background using either unique, password-protected encryption keys or a default encrypted key for more transparent and seamless operation. To ensure data portability with non-managed devices, Symantec Endpoint Encryption Removable Storage Edition includes an Access Utility that allows users to access encrypted files on devices where the Symantec Endpoint Encryption client software doesn’t reside . Symantec Endpoint Encryption Removable Storage Edition also includes special CD/DVD burner software to ensure that data burned to optical storage remains encrypted as well. Symantec Endpoint Encryption Device Control e nsures that only authorized, trusted devices can connect to enterprise managed endpoints. It also provides a deep layer of device- and endpoint-level visibility allowing IT administrators to identify device usage patterns through an agent-less auditor tool , monitor and control the flow of data via granular policy-based access controls, and enforce the secure transfer of data through mandatory enforcement of encryption policies. Device Control employs numerous sophisticated policy-driven capabilities, such as file-type inspection, activity logging, and file shadowing to extend IT’s visibility and control on the endpoint, which is especially important for forensic analysis. In addition to visibility and control, the Symantec Endpoint Encryption Device Control package adds critical capabilities to mitigate the spread and prevent the outbreak of device-borne malware . These capabilities include blocking self-executing code (especially autorun code that resides on CDs, DVDs, and USB flash drives); detection and disablement of keyloggers ; and control of endpoint association with rogue wireless LANs .
- #17 The Symantec Endpoint Encryption Management System is designed to be a direct extension of a customer’s existing infrastructure. By leveraging and building atop standards-based , widely-deployed technologies, such as Active Directory, IIS, SQL Server, and Linux , SEEMS minimizes deployment, management, training, rollout, and support costs. Among the many benefits of a standards-based approach is an architecture based on a familiar, proven technologies which ultimately flatten the training curve for new administrators while ensuring fewer problems and consistent troubleshooting. For enterprises using Active Directory as their principle directory services infrastructure, the Symantec Endpoint Encryption platform natively integrates and makes direct use of existing servers, datastores, replication schemes, and policy management frameworks . Since most organizations already have measures in place to ensure the scalability, resiliency, and fault-tolerance of their Active Directory services infrastructure, this is one less consideration to worry about when deploying the Symantec Endpoint Encryption Management Systems. In fact, integrating with Active Directory completely eliminates the need for a separate infrastructure or for deploying a new management tool . Active Directory already provides the ability to manage security applications the same way it manages other programs and policies. Policy for the Symantec Endpoint Encryption platform is managed centrally using Group Policy Objects and applied to users and devices that reside within Organization Units of the directory. Occasionally, some organizations have deployed a directory services infrastructure built around Novell eDirectory. SEEMS also supports eDirectory making it easy for Novell customers to take advantage of their existing infrastructure. Similarly, many enterprises also have devices on their network that are not part of their Windows domain infrastructure or reside “unregistered”. For instance, these devices might include employee-purchased PCs for enterprise-wide BYOPC initiatives, employee home computers that periodically access the corporate network via remote access connection, or devices belonging to independent agents or contractors. SEEMS allows these machines to be managed from the same console as machines registered within the corporate domain . Operationally, the environment for policy management and reporting within the Symantec Endpoint Encryption platform is implemented directly using an MMC (Microsoft Management Console) snap-in (with a connector to the Symantec Altiris management platform). This familiar interface makes it possible for administrators to implement data protection policies with minimal training within a single console . Policy deployment is performed using standard Windows Group Policy Objects (GPOs) which leverage existing directory services groupings for users and machines. Administrative privileges and security policies are native and directly supported with no need for synchronization or operation within another management console. The benefit of this architecture is a highly scalable system, easily scalable to hundreds of thousands of endpoints, as well as in-built high availability and server failover. The system also provides true, end-to-end, enterprise-class, granular auditing and reporting as well as strong, two-factor, advanced authentication capabilities. SEEMS, as well as its constituent packages, provide comprehensive support for PKI and a plethora of smart cards, such as the Common Access Card and PIV .
- #18 Symantec Endpoint Encryption Full Disk Edition helps mitigate business risk in the event of the loss or theft of laptops that contain sensitive data. Symantec Endpoint Encryption uses high-performance, full disk encryption technology to safeguard data from physical loss or theft. This true full disk encryption is augmented by a series of management, security, and usability features including: Pre-boot user authentication to allow users to authenticate to their device before accessing the operating system. This provides the most thorough degree of security; ensuring complete full disk encryption of the data stored on the device. Rapid software deployment and activation leveraging standard methods for deploying endpoint software clients as well as non-disruptive background encryption . This speeds the time to deployment while avoiding disruption to end-user workflows. Extensive support for smart cards , including CAC and PIV cards currently employed by the US gov’t. Smart card support allows users to log on the preboot environment on their encrypted system with a smart card thus completely bypassing the need for single-factor, password-based authentication. Non-disruptive software maintenance and patching. Symantec has paid particular attention to ensuring the highest full disk encryption deployment success rates in the industry. Some of the ways that we accomplish this include: Other than an initial logon procedure, users are not impacted during or after deployment of full disk encryption Security applications that must reside on end-user devices are packaged in standard formats, such as MSI , and can be pushed to devices using Altiris, Group Policy, or other standard software deployment tools When users log onto their system via the Symantec Endpoint Encryption pre-boot environment, their credentials are automatically passed to Windows for single sign-on Users always have the option to register a series of “help” questions . If users forget their passwords, they are simply prompted to answer the questions and, assuming they provide the correct answers, are then able to regain access to their machine and can reset the password. All of this occurs without help desk or administrator intervention. Failing this self-service mechanism, complete help desk recovery capabilities are available. Symantec Endpoint Encryption Encrypted Drive Edition , our newest endpoint encryption product, adds a layer of enterprise-class management capabilities onto TCG (Trusted Computing Group) Opal-compliant self-encrypting drives . These management capabilities augment the in-built encryption capabilities by providing robust reporting, comprehensive key escrow and recovery, policy management, and end-to-end rollout services . Like Symantec Endpoint Encryption Full Disk Edition, Symantec Endpoint Encryption Encrypted Drive Edition is managed through the Symantec Endpoint Encryption Management System which provides a single console for managing drive encryption in hybrid environments . As you can see, encryption is only part of the solution; end-to-end management capabilities are integral to ensure low-cost operations and sufficient IT governance and control. From rapid deployment and activation to comprehensive end-user self-service recovery capabilities, administrators can assert complete data protection controls over laptops and netbooks using either software-based full disk encryption or hardware-based self-encrypting drives.
- #19 Symantec Endpoint Encryption extends granular, policy-based controls to removable media and devices. In this manner, the Symantec Endpoint Encryption Removable Storage Edition and Device Control provide information security managers with peace of mind that this particular threat vector can be effectively monitored and controlled. Symantec Endpoint Encryption Removable Storage Edition adds a layer of data encryption to removable storage devices ensuring that in the event that an external hard drive, CD or DVD, or USB flash drive is lost, the data that resides on the device is not compromised. This package can be used in conjunction with Device Control to further safeguard against inadvertent data leakage , d evice and port access controls prevent unauthorized transfer of sensitive information between devices and wireless networks as well as preventing unauthorized devices from connecting. The operation of Symantec Endpoint Encryption Removable Storage Edition is largely transparent to end-users on managed systems; providing file-level encryption for maximum performance and interoperability . For devices like flash drives and external hard drives which mount like a standard disk, file encryption occurs discretely in the background using either unique, password-protected encryption keys or a default encrypted key for more transparent and seamless operation. To ensure data portability with non-managed devices, Symantec Endpoint Encryption Removable Storage Edition includes an Access Utility that allows users to access encrypted files on devices where the Symantec Endpoint Encryption client software doesn’t reside . Symantec Endpoint Encryption Removable Storage Edition also includes special CD/DVD burner software to ensure that data burned to optical storage remains encrypted as well.