ARROW INSPIRATION DAY, RIGA Symantec Deepens Encryption Offerings Raivis Kalniņš

DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings


DESCRIPTION

"Data Security Solutions" (Riga, Latvia) is known as an IT security specialist with international experience that defends its customers against the greatest threat of the 21st century, cyber-criminals, as well as against disloyal employees, by using the most innovative data security solutions from the global IT market. In this presentation DSS presents one of the world's leading solutions in the encryption area: Symantec.


Page 1: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

ARROW INSPIRATION DAY, RIGA

Symantec Deepens

Encryption Offerings

Raivis Kalniņš

Page 2: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Agenda

- Data Lifecycle
- Encryption can Start Anywhere
- Whole Disk Encryption
- Removable Storage Encryption
- File and Email Encryption
- File/Folder Encryption
- Encryption Management

Page 7: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Data Lifecycle

The director of finance downloads data from the customer database. He drafts the “Year End” results spreadsheet and saves it on his desktop PC.

The director stores a copy of “Year End” results in a shared directory on a corporate server for the finance team.

The finance manager accesses Year End results, adjusts the numbers, and emails the file to the company’s outside accountant.

The accountant accesses the email on a handheld and forwards it with comments to a colleague. She reviews “Year End” results and saves it on a laptop and a thumb drive.

The colleague gives the thumb drive to the onsite auditor, who transfers “Year End” results to his laptop so he can review it later at home.

Page 8: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Data Lifecycle

How many people had access to data today?

- Director of Finance
- Finance Team
- Outside Accountant
- Outside Accountant’s Colleague
- Onsite Auditor

Page 9: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

The Encryption Discussion Can Start Anywhere

Field, Data Center, Headquarters, Field Offices

- What is the organizational policy on USB drives? Could there potentially be intellectual property (IP) on these drives?
- Email protection regulations and mandates?
- What is being downloaded to employee systems? Trojans, malware, unauthorized software?
- Tangible/intangible costs of a lost laptop – customer data? Personnel data? IP?
- Are there customer addresses stored on mobile phones?
- Data on HR/Legal/Finance/Other Shared servers residing in the clear?
- Nightly transactions / backups sent outside the organization?

Page 10: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Barriers to Sale and Value Proposition

Potential Barriers / Description / Value Proposition

- Encryption solutions are complex
  Description: Ease of implementation, ongoing management, long-term cost of ownership
  Value Proposition: Experience: Solutions are easy to deploy

- Limited resources
  Description: Need to share IT staff across multiple activities. Endpoint encryption should integrate with existing IT infrastructure
  Value Proposition: Leverage: Uses existing infrastructure architecture

- Substantial training required
  Description: Substantial upfront and on-going investment in training costs
  Value Proposition: Simple: Little or no training required for end-users

- Resistant end-users
  Description: Need to preserve existing workflows; not change how users perform their job
  Value Proposition: Transparent: User behavior need not change significantly

- Diverse devices
  Description: Mandated to protect all devices containing sensitive data.
  Value Proposition: Comprehensive: Protection across devices, platforms

Page 11: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Symantec Strategy

Page 12: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Things to remember

Encryption is not a new technology, but it is a security control that has NOT been introduced into a majority of environments.

Most companies don’t have a lot of experience with Encryption and their criteria is based off of Internet research (hastily done) or a vendor. There is rarely expertise in the field.

Most companies are looking at Encryption in the face of an event: lost/stolen system, audit and/or regulatory hit.

Most companies are on an aggressive deployment schedule.

Page 13: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Encryption on the Endpoint

Page 14: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

PGP – Whole Disk Encryption

Whole disk encryption for desktops, laptops, and Windows® servers. Supports Windows®, Mac OS® X, and Linux® platforms

Encrypts desktops, laptops, and USB drives

Protects against personal computer loss, theft, compromise and improper disposal

Reduces risk of loss of PII (Personally Identifiable Information) and other sensitive data

Protects against reputation damage

Demonstrates compliance to regulatory standards

Supports Windows, Mac OS X, and Linux

Page 15: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Whole Disk Encryption – How it Works

Page 16: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Symantec EE Management System

High availability Web services transport, communications

Database server mirroring, failover and HA

Active Directory replication, failover

Supports Windows cluster services

Seamless integration

Directory services

Software deployment

User authentication

Workgroup encryption

Wake on LAN

Leverages familiar, proven technologies

Active Directory, IIS, SQL Server, Linux, ASP.NET, PKI, and so on

Simple to deploy, easy to learn and support

Scalable >100,000 endpoints per server

Page 17: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Symantec Endpoint Encryption – Full Disk

Policies Auditing

Full-Disk Encryption

Opal Self-Encrypting Drives

- High-performance, true full disk encryption
- Pre-boot user authentication
- Rapid deployment and activation
- Extensive support for smart cards, CAC, and PIV
- Non-disruptive maintenance and patching
- Supports Windows and Mac OS X

Page 18: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Symantec EE – Removable Storage

Secure portable data at rest
– Enforce mandatory removable storage encryption policies
– Access and re-encrypt data from any PC or Mac

Granular file and folder based encryption
– Allow encrypted and unencrypted data on user devices
– Enforce policy-controlled exemptions by file type and device

Centralized – Integrated Management Console

Policies Auditing

Removable Media Encryption

Page 19: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

File and Email Encryption

Page 20: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Where Is Sensitive Data at Risk?

Page 21: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Gateway Email Encryption – How it Works

Page 22: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Desktop Email Encryption – How it Works

Page 23: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

File/Folder Encryption

User file protection

Shared file protection

Distributed file protection

Protect shared files and folders

Protect transferred files and folders

Protect individual files and folders

PGP NetShare, PGP Command Line

Page 24: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

PGP NetShare

Client-based Protected File Sharing

1. Finance encrypts a file on the server using PGP NetShare
2. Finance allows HR to view/edit the file on the server
3. HR can view and edit the file on the server
4. HR saves the file to the server and PGP NetShare maintains protection
5. Sales tries to view the document and the document is unreadable
6. When the document is copied to backup tape, it remains protected

Page 25: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

PGP Command Line

Scriptable Encryption
– A complete library of encryption commands
– Simplifies encryption integration into business practices

Wide Range of Platforms
– Supported on over 35 operating systems: Windows, Linux, Solaris, Mac OS X, HP-UX, IBM AIX, iSeries, zSeries
– Runs with most scripting languages, such as Perl, Python, JavaScript, and more

Many Uses
– End-to-end protection for the internal or external transfer of files
– SDA enabled distribution of files via CD, DVD or file servers lockboxes
– Encryption protection and recovery of backed-up and archived files

File encryption for server protection & file transfer

Page 26: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

PGP Command Line – How it Works

Data Distribution

File Transfer

Data Backup

> pgp -es dbdump.sql -r admin@company_a.com
dbdump.sql:encrypt (0:output file dbdump.sql.pgp)

Page 27: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Encryption Management

Centralized management for all of the PGP® Applications

Central Administration
- Manages users from a central location. Supports LDAP integration
- Provides tools to help manage and deploy clients

Policy Enforcement
- Controls when encryption must be used

Reporting and Logging
- Tracks device and data encryption and user events

Key Management
- Ensures that keys stay protected with proper access controls, along with mechanisms available for safe data recovery

Page 28: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Defense-In-Depth: Encryption + DLP

Page 29: DSS @Arrow_Inspiration_Roadshow_2013_Symantec_Extends_Encryption_Offerings

Encryption Management

Thank you!

Raivis Kalniņš
[email protected]@dss.lv
GSM: +37129162784
GSM: +37126113545